Open Source Summit Korea 2026

Unikernels are specialized operating systems designed for efficiency by including only the components needed by an application. By eliminating the traditional user–kernel separation and omitting general-purpose services such as background daemons and unused device drivers, this design reduces system complexity and overhead while providing a fundamentally different execution model from conventional Linux systems.
This study examines the structure of Unikraft-based unikernels from a library operating system perspective. It also presents an empirical comparison with Linux under controlled conditions. Both systems were deployed on the same Xen hypervisor and executed on a hardware platform, running the same application with a common subset of POSIX APIs. Execution latency was measured, and assembly-level analysis was performed to investigate potential reasons for the observed differences.
The results are presented as an example of combining performance measurement and low-level inspection when analyzing specialized operating systems. Similar approaches may be applicable to other specialized OS or unikernel contexts, depending on the application and execution environment.

Global security regulations such as the EU Cyber Resilience Act (CRA) have raised security requirements for embedded products. Open source components, especially the Linux kernel, must now support systematic vulnerability management, fast security patching, and long-term maintenance, making kernel security a key challenge.

This session discusses practical solutions for managing Linux kernel vulnerabilities in embedded products. It begins with an overview of recent kernel CVE trends and their impact on long-lived and customized kernels. The session then introduces a CI-based vulnerability response pipeline designed to minimize the time from CVE disclosure to patch deployment.

A key challenge is backporting security fixes to older or vendor-modified kernels, where patches often do not apply cleanly. To address this, the session presents an AI agent–based approach that assists developers by analyzing CVE data, upstream patches, and kernel context to suggest candidate backports.

By adopting an AI-assisted vulnerability response workflow, teams can reduce response time and prepare for compliance with evolving global security regulations.

For more than 15 years, Qualcomm’s been actively involved in a range of Open Source ecosystems. Until recently, some parts of our development were handled behind closed doors, with contributions coming a bit later and enablement being somewhat limited. We tried various projects and partnerships to push things upstream sooner, but it wasn’t until lately that we truly made a complete shift.

Over the past 18 months, we’ve totally revisited our approach—moving an entire Linux product development ecosystem, with hundreds of contributors, from a private downstream setup to a full-blown Open Development model. This wasn’t just a surface change: it meant overhauling how our engineers work, syncing up our internal systems with open practices, and fundamentally changing the way our developers connect and collaborate.

In this session, we’ll share what made this transition work for us—including how we managed to weave our internal systems into Open Source workflows, encouraged developers to embrace new ways of thinking, and built scalable processes that can handle all sorts of Linux ecosystems and distributions.

Smart home ecosystems are increasingly powered by embedded Linux platforms, yet the security of their underlying firmware, memory management, and wireless communication stacks remains dangerously underexamined. This talk presents a systematic approach to vulnerability discovery in IoT embedded Z-Wave smart home devices using freely available Linux OS tools and developed open source frameworks — bridging the gap between theoretical security research and hands-on embedded testing.

Drawing directly from original research that resulted in 18 CVEs assigned by U.S. CERT and U.S. MITRE, and from a live-demonstration talk presented at TyphoonCon 2025 in Seoul, the speaker will walk attendees through a structured open source testing methodology:

• Fuzzing embedded protocol stacks to uncover memory-corruption vulnerabilities
• Live exploitation: manipulating controller internal memory to delete or modify secured slave device properties
• Triggering Denial-of-Service (DoS) conditions that disable an entire smart home network
• Coordinated disclosure and remediation work with SiLabs and the Z-Wave Alliance