""µDNS, DNS from scratch as a MirageOS unikernel"
Description: The domain name system (DNS) is the protocol used to translate domain names (which are shared and memorized by humans) into Internet addresses (which computers can route and communicate with). DNS is more than 30 years old, and spans over dozens of specification documents (hundreds of pages), with extensions (dynamic updates, security, signed transactions, ..). It is a widely deployed distributed value store.
A MirageOS unikernel is a virtual machine with only a single service. The attack surface compared to a Unix operating system is reduced by two orders of magnitude. The specialisation is done at compile time, where hundreds of libraries (including a TCP/IP stack, TLS, HTTP, git, ..) can be combined. These libraries are written in OCaml, a functional programming language with an expressive type system (several bug classes are caught by the type checker), which features a rich module system (a unikernel can be compiled down to a normal Unix process and debugged there during development, and as a virtual machine image for Xen, KVM, BHyve, .. for production). By the choice of language, attack vectors are reduced.
I'll demonstrate µDNS, which is a from-scratch developed DNS implementation in OCaml for MirageOS. This includes both resolver (recursive and stub, supporting the privacy proposal query name minimisation) and server side (primary and secondary, including dynamic updates). I'll show an authoritative server, used by a let's encrypt client to get signed certificates, and a DHCP server and DNS resolver tandem which similar to DNSmasq acts as a local caching resolver and collects DHCP client identifiers into a local zone.
Hannes researches in several engineering areas: from programming languages (such as compiler optimisation visualisation, type systems) over full functional correctness proofs of object-oriented code, development environments for dependently typed languages, to network protocols (TCP/IP) and security protocols (TLS, OTR). He feels safe in a garbage collected environment, and appreciates purely functional goodness.
Since beginning of 2018, Hannes works on a non-profit to put MirageOS into production (http://robur.io). He used to be a postdoc at University of Cambridge working with the semantics, systems, and security group.
Track: Securité Informatique