Hacker News new | ask | show | jobs
by technerder 1461 days ago
Tangential, but are there any easy ways to run server applications on bare metal in a way that removes the need for an underlying OS in order to decreases the overall attack surface an attacker can look for exploits in? (Mainly talking about applications written in Go(TinyGo), Rust, and C++ that can be easily compiled to run on bare metal)
5 comments
qbasic_forever 1461 days ago
Unikernel is what you're interested in, but it's not as easy as taking some Linux-based server software and spitting out a bootable image for baremetal. If you strip the kernel and OS out you lose the network stack and all kinds of system services that most software depends on directly.

I think Google's distroless container images are worth checking out as a quasi-alternative: https://github.com/GoogleContainerTools/distroless You use them as a base for a docker image and copy in your server code. These images are tailor made to strip out _everything_ that's not necessary to run the software--there's no shell for example. So you're still running a Linux kernel, libc, etc. but there's nothing there for an attacker to use other than your app code. You yourself can't even get into a shell to debug or examine what the state of your app is (which can actually be kind of aggravating in development).

link
mroche 1461 days ago
"Distroless" containers are pretty cool for making deployment images. I feel like a better name could have been chosen, because ultimately you are relying on a distribution and how they operate unless you're building an image from scratch and copying in your self-compiled dependencies.

I build my own distroless-like images for personal use using Fedora and RHEL, though I do follow the ubi-micro[0] build steps and include a tiny bit of user space components to enable debugging.

[0] https://catalog.redhat.com/software/containers/ubi9-micro/61...

link
yencabulator 1459 days ago
As an alternative to unikernels, that the other replies are talking about, which require special builds and might not work the same, you can also do something pretty simple:

Just run your program as the only process.

As a Linux host with no other software. No /bin/sh, nothing else in the filesystem.

Simple demo: https://github.com/tv42/alone

link
rvdca 1461 days ago
From what I gather a unikernel is what you are searching for. Many exists - https://github.com/unikraft/unikraft - https://github.com/hermitcore/rusty-hermit are the one that comes to my quick search.
link
magicalhippo 1461 days ago
IncludeOS was one such approach. Sadly the company behind it perished and it seems unmaintained.

https://includeos.org/

link
bogwog 1461 days ago
Another one: https://mirage.io/
link