Open Source Summit Korea 2026

Unikernels are specialized operating systems designed for efficiency by including only the components needed by an application. By eliminating the traditional user–kernel separation and omitting general-purpose services such as background daemons and unused device drivers, this design reduces system complexity and overhead while providing a fundamentally different execution model from conventional Linux systems.
This study examines the structure of Unikraft-based unikernels from a library operating system perspective. It also presents an empirical comparison with Linux under controlled conditions. Both systems were deployed on the same Xen hypervisor and executed on a hardware platform, running the same application with a common subset of POSIX APIs. Execution latency was measured, and assembly-level analysis was performed to investigate potential reasons for the observed differences.
The results are presented as an example of combining performance measurement and low-level inspection when analyzing specialized operating systems. Similar approaches may be applicable to other specialized OS or unikernel contexts, depending on the application and execution environment.

Global security regulations such as the EU Cyber Resilience Act (CRA) have raised security requirements for embedded products. Open source components, especially the Linux kernel, must now support systematic vulnerability management, fast security patching, and long-term maintenance, making kernel security a key challenge.

This session discusses practical solutions for managing Linux kernel vulnerabilities in embedded products. It begins with an overview of recent kernel CVE trends and their impact on long-lived and customized kernels. The session then introduces a CI-based vulnerability response pipeline designed to minimize the time from CVE disclosure to patch deployment.

A key challenge is backporting security fixes to older or vendor-modified kernels, where patches often do not apply cleanly. To address this, the session presents an AI agent–based approach that assists developers by analyzing CVE data, upstream patches, and kernel context to suggest candidate backports.

By adopting an AI-assisted vulnerability response workflow, teams can reduce response time and prepare for compliance with evolving global security regulations.

For more than 15 years, Qualcomm’s been actively involved in a range of Open Source ecosystems. Until recently, some parts of our development were handled behind closed doors, with contributions coming a bit later and enablement being somewhat limited. We tried various projects and partnerships to push things upstream sooner, but it wasn’t until lately that we truly made a complete shift.

Over the past 18 months, we’ve totally revisited our approach—moving an entire Linux product development ecosystem, with hundreds of contributors, from a private downstream setup to a full-blown Open Development model. This wasn’t just a surface change: it meant overhauling how our engineers work, syncing up our internal systems with open practices, and fundamentally changing the way our developers connect and collaborate.

In this session, we’ll share what made this transition work for us—including how we managed to weave our internal systems into Open Source workflows, encouraged developers to embrace new ways of thinking, and built scalable processes that can handle all sorts of Linux ecosystems and distributions.

Smart home ecosystems are increasingly powered by embedded Linux platforms, yet the security of their underlying firmware, memory management, and wireless communication stacks remains dangerously underexamined. This talk presents a systematic approach to vulnerability discovery in IoT embedded Z-Wave smart home devices using freely available Linux OS tools and developed open source frameworks — bridging the gap between theoretical security research and hands-on embedded testing.

Drawing directly from original research that resulted in 18 CVEs assigned by U.S. CERT and U.S. MITRE, and from a live-demonstration talk presented at TyphoonCon 2025 in Seoul, the speaker will walk attendees through a structured open source testing methodology:

• Fuzzing embedded protocol stacks to uncover memory-corruption vulnerabilities
• Live exploitation: manipulating controller internal memory to delete or modify secured slave device properties
• Triggering Denial-of-Service (DoS) conditions that disable an entire smart home network
• Coordinated disclosure and remediation work with SiLabs and the Z-Wave Alliance

Zephyr initially set out to solve a problem that many embedded teams quietly struggled with: how to build dependable real-time systems without being locked into a single vendor, toolchain, or proprietary stack. The project introduced a new model built around portability, adoption of open source and security best practices, modern tooling, and a shared ecosystem of drivers and middleware.

From the start, there was the commitment from the start apply known best practices to its development. While Zephyr is a different code base, a lot of the lessons learned from developing the Linux Kernel were applied. The project has also focused on incorporating security best practices from the start which now enables it to make compliance easier for manufacturers looking to conform to the emerging Cybersecurity Resilence Act (CRA).

Best practices have also enabled the project to work towards achieving formal safety certification for 61508 and 26262. The project has achieved 61508 concept approval at this point, as is working towards formal certification, using a combination of traditional V-Model analysis, and innovative techniques to keep up with the speed of open source development.

The automotive transition to Software-Defined Vehicles (SDVs) relies on mixed-criticality architectures, consolidating open-source infotainment (Automotive Grade Linux) alongside safety-critical Real-Time Operating Systems (RTOS). This virtualization boundary—often KVM/Xen—is assumed to be a secure airgap. However, guest-to-host communication requires hardware abstraction, primarily via the VirtIO standard.

This 40-minute session conducts a hardcore technical teardown of the virtqueue shared-memory mechanism, exposing how legacy C-based VirtIO backends (vhost-net) introduce critical vulnerabilities into the automotive supply chain.

We will dissect a hypervisor escape utilizing custom fuzzing. By crafting malformed descriptor chains to bypass frontend validation, a compromised guest can force the host's backend into out-of-bounds memory corruption, effectively bridging the airgap into the control plane.

Finally, we will architect the open-source defense: migrating to memory-safe rust-vmm virtualization components to mathematically eliminate buffer overflows, and deploying zero-overhead eBPF probes for kernel-level I/O anomaly detection.

Popular open source operating systems like the Linux Kernel and Zephyr RTOS accept up to 9 commits per hour. Safety standards, like 61508, 26262, and others were developed without this rate of change in mind. Safety standards also expect the requirements to be explicit, which is not part of OS development processes. By using AI tools, we're able to accelerate the analysis of OS code to derive the requirements and traceability to tests. By storing this info in tools that can import and export System Package Data eXchange (SPDX) 3.0+, we're able to capture the requirements in a way that can be leveraged for wider system analysis necessary for safety. Associating integrity methods with the requirements and code snippets, also enables monitoring. Combining requirements traceability with precise build SBOM metadata, gives us a framework to keep a component compliant to a safety profile after a security fix.

This talk will provide a view on the latest experiments occurring with the Linux Kernel in the ELISA project, as well as in the Zephyr Safety Working group, and SPDX Functional Safety working group to extend SPDX to meet the needs of establishing these frameworks.