See our technologies used in different real world use cases.
Docker for Desktopdocker.com
Linux Containers on MacOS and Windows.
Docker daemon runs inside a lightweight Linux VM Docker client runs on the host OS (MacOS or Win). Containers are connected to the host native stacks via MirageOS interceptors (VPNKit and osxfs)
- A fully memory safe user-space network stack embedded in a desktop application (not a unikernel).
- A fully memory safe FUSE driver performing binary emulation.
- POSIX translations (Linux vs. MacOS and Linux vs. Windows).
VPNKit transparently rewrites the network traffic so that Linux containers can use network ports on the MacOS host. osxfs transparently shares Apple Filesystem volumes with Linux containers (including filesystem events).
Holds 10 BitCoins, and designed to help the attacker.
Can be set up to talk to itself, all traffic visible to hacker All source code open with precise manifest on GitHub Standard protocol implementation with no obfuscation
- An HTTPS unikernel with a fully memory safe SSL/TLS stack.
- All the supporting libraries from HTTP, DNS,TCP.
- Genetic diversity in critical services (no Linux, no OpenSSL).
Many attacks during 3 years, some found software bugs, but all resulted in clean exceptions and no data loss. Bitcoins were safe.
Qubes OS firewallqubes-os.org
A desktop operating system made up of multiple virtual machines, running under Xen..
To protect against buggy network drivers, the physical network hardware is accessed only by a dedicated (and untrusted) “NetVM”. NetVM is connected to the rest of the system via a separate (trusted) “FirewallVM”.
- We replaced the default Linux VM by a MirageOS unikernel.
- A firewall unikernel with a fully memory safe TCP/IP stack.
- Choice between static or a memory safe DSL for configuring routes.
The resulting VM uses less than a tenth of the memory of the default FirewallVM. It boots several times faster and it is much easier to audit or extend