by steego 3912 days ago
> A unikernel for AppX will have a completely different attack surface from AppY so most generalized attacks just won't work.

If unikernel systems do become popular, it's very likely this would not be true because AppX and AppY would likely share a popular library that they've both been statically linked against. (Ex: An HTTP library with TLS). Granted, the footprint of exploitable features would be considerably smaller.

I agree more with the latter point that a compromised system would probably offer very little for an attacker to leverage.

1 comments

I imagine that a unikernel management system would have all the modules -- http, tls, the user facing app, etc -- just as object files, so that an update of the TLS library would entail little more than relinking and restarting the new unikernels.