unikernelLinux / ukl

Unikernel Linux
GNU Lesser General Public License v2.1

Question: does a unikernel reduce attack surface by design? #21

Closed osevan closed 1 year ago

osevan commented 1 year ago

Because it's sitting directly inside the kernel but only the needed syscalls are inside, I'm asking if this is true?

Because Unikraft kernels are specific kernels without direct kernel access.

Are my thoughts true?

Thanks and

Best regards

rwmjones commented 1 year ago

@razaaliraza

tommy-u commented 1 year ago

Perhaps you’re interested in the attack surface between the application and the kernel that runs it. UKL is not trying to protect against this; quite the opposite, the application can directly access the kernel internals.

You might find the Solo5, Nabla Containers, and Mirage projects more interesting in this space.