[hacknat]

This is a red herring. Presumably you'll be running unikernels in multi-tenant environments. There will still be scheduling and context switching overhead from the hypervisor. The Hypervisor isn't going to allow a VM full access to the hardware. Also, if you're the only process running, the Linux scheduler shouldn't actually have any overhead.

[willtim]

NodeOS, like most projects, is likely just a duct-taped jenga tower of the usual suspects. The attack surface will be huge. For example, OpenSSL will be in there with all of its gotos and malloc-reinventions. From a security point of view, I don't see a contest. The Mirage guys even clean-room implemented SSL in OCaml. This is no ordinary OSS project.