See our technologies used in different real-world use cases.

Docker for Desktop

docker.com

Linux Containers on MacOS and Windows

The Docker daemon runs inside a lightweight Linux VM, and the Docker client runs on the host's OS (MacOS or Windows). Containers are connected to the host's native stacks via MirageOS interceptors (VPNKit and osxfs).

Showcases
  • A fully memory-safe network stack embedded in a desktop application (not a unikernel)
  • A fully memory-safe FUSE driver that performs binary emulation
  • POSIX translations (Linux vs. MacOS and Linux vs. Windows)
Results

VPNKit works like a transparent proxy: it rewrites the network traffic so that Linux containers can use network ports on the MacOS host. Also invisible to the user, osxfs shares Apple Filesystem volumes with Linux containers (including filesystem events).

Bitcoin Piñata

ownme.ipredator.se

Holds 10 bitcoins and is designed to help the attacker.

It can be set up to talk to itself, and all incoming and outgoing traffic is visible to the hacker on demand. Since the code is completely open source, it can be searched for flaws.

Showcases
  • An HTTPS unikernel with a fully memory-safe SSL/TLS stack
  • All the supporting libraries, including HTTP, DNS, & TCP
  • Genetic diversity in critical services (no Linux, no OpenSSL)
Results

There were many attacks over 3 years. Some found software bugs, but all resulted in clean exceptions and no data loss. The bitcoins were safe.

Qubes OS firewall

qubes-os.org

A desktop operating system made up of multiple virtual machines, running under Xen.

To protect against buggy network drivers, the physical network hardware is accessed only by a dedicated (and untrusted) “NetVM” that is connected to the rest of the system via a separate (trusted) “FirewallVM.”

Showcases
  • Replaced the default Linux VM with a MirageOS unikernel
  • Contains a firewall unikernel with a fully memory-safe TCP/IP stack
  • Choice between a static or a memory-safe DSL for configuring routes
Results

The resulting VM uses less than a tenth of the default FirewallVM's memory. It boots several times faster, and it is much easier to audit or extend.