Much cloud infrastructure consists of small microservices that interoperate via standard protocols as HTTPS. Unikernels are a new technique that specialises the deployed service into a tiny, domain-specific kernel that eliminates any unnecessary pieces and runs in a single address space. Some unikernels (such as MirageOS) even offer full memory safety down to the device drivers, and can run on tiny ARM devices as well as cloud hypervisors.

Tooling for unikernels is still nascent, but advancing fast. One of their key advantages is that the innards of the service is no longer a mystery novel. Instead, every single component is exposed as a library, and can be manipulated and monitored easily.

In this talk, I'll deep dive into the adventures we went through to rebuild the TLS protocol using the latest unikernel techniques. This is a clean-slate reimplementation that required first figuring out what the real-world protocol specification actually is, with testing oracles and sacrificial infrastructure to refine it. The result is a satisfying tiny unikernel that is a fully type-safe implementation that interoperates with existing TLS implementations.