See our technologies used in different real world use cases.
Docker for Desktop (docker.com)
Linux Containers on MacOS and Windows
The Docker daemon runs inside a lightweight Linux VM, while the Docker client runs on the host's OS (MacOS or Windows). Containers are connected to the host's native stacks via MirageOS interceptors (VPNKit and osxfs).
- A fully memory-safe network stack embedded in a desktop application (not a unikernel)
- A fully memory safe FUSE driver that performs binary emulation
- POSIX translations (Linux vs. MacOS and Linux vs. Windows)
VPNKit works like a transparent proxy: it rewrites the network traffic so that Linux containers can use network ports on the MacOS host. Equally invisible to the user, osxfs shares Apple Filesystem volumes with Linux containers (including filesystem events).
A unikernel that holds 10 Bitcoins and is designed to help the attacker.
It can be set up to talk to itself, and all incoming and outgoing traffic is visible to the attacker on demand. Since the code is completely open source, it can be searched for flaws.
- An HTTPS unikernel with a fully memory safe SSL/TLS stack
- All the supporting libraries, including HTTP, DNS, & TCP
- Genetic diversity in critical services (no Linux, no OpenSSL)
Many attacks were attempted over 3 years. Some found software bugs, but all of them resulted in clean exceptions and no data loss; the Bitcoins stayed safe.
Qubes OS firewall (qubes-os.org)
A desktop operating system made up of multiple virtual machines, running under Xen
To protect against buggy network drivers, the physical network hardware is accessed only by a dedicated (and untrusted) “NetVM” that is connected to the rest of the system via a separate (trusted) “FirewallVM.”
- Replaced the default Linux VM with a MirageOS unikernel
- Contains a firewall unikernel with a fully memory safe TCP/IP stack
- Choice between a static or a memory-safe DSL for configuring routes
The resulting VM uses less than a tenth of the default FirewallVM's memory. It boots several times faster, and it is much easier to audit or extend.
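As an added illustration of what a memory-safe rule DSL for the FirewallVM can look like (example code written for this page, not the project's own configuration; the host, protocol and action types are assumed), here is a small OCaml policy in which routes are ordinary typed values, the untrusted NetVM side is deny-by-default, and the compiler checks that every case is handled:

```ocaml
(* Hosts as the firewall VM sees them (constructors assumed for this example). *)
type host =
  | NetVM               (* the untrusted, network-facing VM *)
  | Client_gateway      (* the firewall's own address, as seen by AppVMs *)
  | Client of string    (* an AppVM behind the firewall, by name *)
  | External of string  (* anything beyond the NetVM, as a dotted address *)

type proto = TCP of int | UDP of int | ICMP  (* the int is the destination port *)
type packet = { src : host; dst : host; proto : proto }
type action = Accept | Drop of string | NAT_to of host * int  (* Drop carries a reason *)

(* Policy for packets arriving from an AppVM. Because this is a typed
   pattern match, leaving a host/proto combination unhandled is a
   compile-time warning, not a runtime hole. *)
let from_client (p : packet) : action =
  match p.dst, p.proto with
  | Client_gateway, UDP 53 -> NAT_to (NetVM, 53)  (* DNS is relayed via the NetVM *)
  | Client_gateway, _ -> Drop "no other services on the gateway"
  | Client _, _ -> Drop "inter-VM traffic is not allowed"
  | (External _ | NetVM), (TCP _ | UDP _ | ICMP) -> Accept

(* Packets arriving from the untrusted NetVM: deny by default. Replies to
   client-initiated flows would be admitted by connection tracking, not modelled here. *)
let from_netvm (p : packet) : action =
  match p.dst with
  | Client _ -> Drop "unsolicited inbound from the NetVM"
  | Client_gateway | NetVM | External _ -> Drop "not routable"

let classify (p : packet) : action =
  match p.src with
  | Client _ -> from_client p
  | NetVM -> from_netvm p
  | Client_gateway | External _ -> Drop "unexpected source"

let show = function
  | Accept -> "Accept"
  | Drop r -> "Drop (" ^ r ^ ")"
  | NAT_to (NetVM, port) -> Printf.sprintf "NAT_to NetVM:%d" port
  | NAT_to (_, port) -> Printf.sprintf "NAT_to other:%d" port

(* Constructed sample packets run through the policy. *)
let () =
  List.iter (fun p -> print_endline (show (classify p)))
    [ { src = Client "work"; dst = External "203.0.113.5"; proto = TCP 443 };
      { src = Client "work"; dst = Client_gateway; proto = UDP 53 };
      { src = Client "work"; dst = Client "personal"; proto = TCP 22 };
      { src = NetVM; dst = Client "work"; proto = TCP 22 } ]
```

The point of the typed match is that a forgotten route shows up when the unikernel is built, whereas a string-based rule table would only reveal the gap when a packet hits it.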