Thomas Gazagnaire: Building Functional Systems from Cloud to Orbit. thomas@gazagnaire.org

O(x)Caml in Space
2026-05-14
#unikernels #ocaml #space

On 23 April, our pure-OCaml CCSDS protocol stack booted up in low Earth orbit! The project, codename Borealis, is running inside DPhi Space's ClusterGate-2 payload module on the host satellite, with end-to-end-encrypted command and control and post-quantum key rotation, all implemented in safe OCaml.
Why does OCaml matter here? Untrusted code running on a satellite is a huge security risk, and OCaml is an ideal safe language to run in space. In his ICFP 2022 keynote, KC Sivaramakrishnan looked back on the decade-long engineering effort that produced OCaml 5, the release that put safe and performant multi-threading into the OCaml runtime.

KC ended his talk speculating that OCaml 5.0 would go to the moon, due to its language features that would deliver C/Rust-like performance on demand while keeping the mathematical rigour of classic ML. Here at Parsimoni, we took his words a bit too literally :-)
Closing slide of KC Sivaramakrishnan's ICFP 2022 keynote: the arrow from OCaml 5.0 to the moon, and the metaphor that gave this post its title.
Borealis's first boot on DPhi Space's mission-ops dashboard, 23 April 2026. The first time a pure-OCaml CCSDS stack ran in space!

The host satellite circles the Earth every ninety minutes or so. A few months after Virgile Robles and I hacked on this over Christmas, we (virtually) jumped around when we saw this:

2026-04-23 18:48:06 SpaceOS/Borealis (BPv7, BPSec, OTAR) by Parsimoni
2026-04-23 18:48:06 ClusterGate-2 proxy [single iteration]
2026-04-23 18:48:06 Config: scid=100, tm_vcid=0, tc_vcid=4, tm_spi=1, tc_spi=2, tm_frame_len=1115
2026-04-23 18:48:06 Session keys: EK=0x0100 AK=0x0101 active
2026-04-23 18:48:09 Telemetry health: { ... "status": "healthy" }
What is actually running
Borealis is a daemon. On both the ground and the satellite it speaks a normal client-server protocol (telemetry queries, commands and responses, OTAR rekey requests), the same shape as any production server. What is unusual is the wire underneath.

The protocol stack is a pure-OCaml implementation of CCSDS, the protocol family that links spacecraft to the ground. It covers every layer from radio framing up through Bundle Protocol and the security extensions on top; the binary formats are described as ocaml-wire codecs.

On ClusterGate-2, only the upper layers of that stack are exercised. The satellite has no network connectivity from outside. The only ground link is filesystem upload and download via DPhi's API: a file written to the uplink directory is forwarded by DPhi on the next pass, and downlink works the same way. Borealis treats that filesystem as a delay-tolerant network. Every command, response, telemetry sample and image chunk is serialised into a BPv7 bundle and written to disk; DPhi forwards the file as opaque bytes.

BPSec wraps each bundle in two extension blocks: one encrypts the payload, the other authenticates it. Sequence numbers reject replays, and the pre-shared keys (rotated by OTAR, below) keep the routing path out of the trust path. The satellite operator sees only opaque bundle bytes; nothing in the routing path can read, modify, forge or substitute the contents.
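To make that two-block envelope concrete, here is an added example (not Borealis's code, and not BPSec's actual CBOR block encoding) of the shape described above: encrypt the payload under one pre-shared key, authenticate header and ciphertext under a separate key, and let the receiver reject replays by sequence number. The key ids mirror the EK=0x0100 and AK=0x0101 printed in the boot log; the key bytes, the header layout and the HMAC-in-counter-mode keystream (a stand-in for a real AEAD such as BPSec's AES-GCM suite, since Python's stdlib has none) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo keys under the key ids printed at boot (EK=0x0100, AK=0x0101).
# Real keys are provisioned out of band; an OTAR rotation adds an entry under a new id.
ENC_KEYS = {0x0100: b"\x11" * 32}
AUTH_KEYS = {0x0101: b"\x22" * 32}
HDR = struct.Struct(">QHH")  # seq(8) | ekid(2) | akid(2), assumed layout
NONCE_LEN, TAG_LEN = 12, hashlib.sha256().digest_size


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in for a real AEAD cipher: HMAC-SHA256 as a PRF in counter mode."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(ekid: int, akid: int, seq: int, payload: bytes) -> bytes:
    """Confidentiality block encrypts the payload; the integrity block then covers
    header, nonce and ciphertext under a separate key (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(ENC_KEYS[ekid], nonce, len(payload))))
    body = HDR.pack(seq, ekid, akid) + nonce + ct
    return body + hmac.new(AUTH_KEYS[akid], body, hashlib.sha256).digest()


class Receiver:
    """Remembers the highest sequence number accepted; forged bundles never move it."""
    def __init__(self) -> None:
        self.last_seq = 0

    def open(self, env: bytes) -> bytes:
        if len(env) < HDR.size + NONCE_LEN + TAG_LEN:
            raise ValueError("truncated envelope")
        body, tag = env[:-TAG_LEN], env[-TAG_LEN:]
        seq, ekid, akid = HDR.unpack_from(body)
        ek, ak = ENC_KEYS.get(ekid), AUTH_KEYS.get(akid)
        if ek is None or ak is None:  # an unknown id must not fall through to a default key
            raise ValueError("unknown key id")
        if not hmac.compare_digest(hmac.new(ak, body, hashlib.sha256).digest(), tag):
            raise ValueError("BIB check failed: forged or modified bundle")
        if seq <= self.last_seq:  # strictly increasing; a deployed receiver may keep a window
            raise ValueError("replayed or stale bundle")
        nonce, ct = body[HDR.size:HDR.size + NONCE_LEN], body[HDR.size + NONCE_LEN:]
        self.last_seq = seq  # state advances only after every check has passed
        return bytes(c ^ k for c, k in zip(ct, keystream(ek, nonce, len(ct))))
```

The order of checks is the point: the tag is verified before the sequence number is even consulted, so an unauthenticated file dropped into the uplink directory can neither be decrypted nor advance the receiver's replay state.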
This matters because we are tenants on someone else's hardware. On a hosted-payload satellite multiple tenants share a single bus, and container isolation alone would not suffice. A shared Linux kernel means kernel-level CVEs regularly break the tenant boundary, and the same primitives keep resurfacing in new forms: Dirty Frag (a universal Linux LPE published this year), Fragnesia (a close cousin in the same family), and "Copy Fail", a Linux kernel privilege escalation disclosed in late April that hit every major distribution at once. Earlier rounds (Dirty Pipe in 2022, the nf_tables use-after-free exploited for container escape in 2024) suggest there will be more. On a ground server you can run the package manager and reboot; in orbit, kernel patching is its own delivery problem with its own delay, and is sometimes not possible at all. The cryptographic envelope around each bundle is the only durable guarantee.

Beyond confidentiality and authenticity, the long-mission threat model needs key rotation. Borealis supports OTAR (Over-The-Air Rekeying) for its post-quantum signing keys (ML-DSA-65). Those keys live for the life of the satellite (ten to fifteen years), which is why NASA's Space System Protection Standard (NASA-STD-1006A) treats post-quantum command authentication as a requirement rather than a future option. OTAR lets us rotate the post-quantum keys without re-flashing the satellite. To our knowledge this will be the first public in-orbit demonstration of post-quantum OTAR; we plan to exercise the rotation on a later pass.

Borealis runs as a guest on DPhi's hosted-payload module: an Arm SoC (four Cortex-A53...