Hyperlight: Virtual machine-based security for functions at scale
Microsoft has launched Hyperlight, an open-source Rust library that enhances security for executing functions with fast cold start times, suitable for IoT, industrial automation, and cloud services.
Read original article
Microsoft has introduced Hyperlight, an open-source Rust library designed to enhance security for executing small, embedded functions at scale using hypervisor-based protection. Hyperlight allows each function call to operate within its own virtual machine (VM), achieving cold start times of one to two milliseconds, which is significantly faster than traditional VM architectures. This speed enables developers to scale applications to zero, eliminating the need for idle VMs while maintaining a secure environment for untrusted code execution. Hyperlight is particularly beneficial for scenarios such as Internet of Things (IoT) gateways, industrial automation, and high-throughput cloud services. The project will be submitted to the Cloud Native Computing Foundation (CNCF) as a sandbox project, aiming to leverage community support and best practices. Hyperlight is licensed under the Apache 2.0 license, inviting collaboration from developers and IT professionals to further its development.
- Hyperlight is a Rust library that provides VM-based security for executing functions.
- It achieves cold start times of 1-2 milliseconds, allowing for efficient scaling.
- The project will be submitted to the CNCF for community support and governance.
- Hyperlight is suitable for IoT, industrial automation, and cloud services.
- It is open-source under the Apache 2.0 license, encouraging community collaboration.
Related
Deploying Rust in Existing Firmware Codebases
Google's Android team is integrating Rust into firmware to enhance security, focusing on new and high-risk code while addressing compatibility and porting challenges with tools like Bindgen for seamless integration.
Google says replacing C/C++ in firmware with Rust is easy
Google has transitioned firmware for protected virtual machines to Rust, enhancing security by addressing memory safety issues. Despite challenges, the U.S. government supports Rust adoption for improved software security.
A good day to trie-hard: saving compute 1% at a time
Cloudflare launched the open-source Rust crate "trie-hard" to optimize CPU usage in HTTP request processing, reducing header clearing runtime to 0.93µs and achieving a 1.28% CPU utilization reduction.
Why Oxide Chose Illumos
The Oxide Rack will use KVM or bhyve as the VMM, considering Rust for system programming. Key features include live migration, security measures, and strong isolation for enhanced reliability.
OpenHCL: The new, open source paravisor
OpenHCL is an open-source paravisor by Microsoft that enhances virtualization in confidential computing, supporting x86-64 and ARM64 platforms, and facilitating secure VM operation without frequent OS updates.
- Several commenters draw parallels between Hyperlight and other technologies like TinyKVM, unikernels, and Firecracker, discussing their similarities and differences.
- There is a focus on the performance aspects of Hyperlight, particularly its fast cold start times and execution efficiency.
- Questions arise regarding the communication between the micro VMs and the host process, as well as the underlying architecture's ability to ensure app isolation.
- Some commenters express curiosity about the implementation details, such as the use of Rust and potential integrations with existing JavaScript engines.
- Concerns are raised about the terminology used to describe Hyperlight, suggesting it may not fit neatly into traditional definitions of virtual machines.
12 commentsI think this is really cool, and the library was just released on GitHub for anyone to try. I’m happy I got to help them write their announcement post — and I figured this might be interesting for folks here!
See: https://ieeexplore.ieee.org/document/10475832
I also implemented VM resets using page-table rewrites and CoW memory sharing, so that no memory is shared across different requests. This can be implemented as tail-latency in a cache.
I ended up adding support for most languages. All the systems languages, Go, v8, LuaJit etc. Go was by far the most annoying to support as it uses signals.
Sounds like this is closer to a chroot/unikernel than a "micro VM" - a slightly more firewalled chroot without most of the os libs, or a unikernel without the kernel. Pretty sure it's not a "virtual machine" though.
Only pointing this out because these sorts of containers/unikernels/vms exist on a spectrum, and each type carries its own strengths and limitations; calling this by the wrong name associates it with the wrong set of tradeoffs.
Related
Deploying Rust in Existing Firmware Codebases
Google's Android team is integrating Rust into firmware to enhance security, focusing on new and high-risk code while addressing compatibility and porting challenges with tools like Bindgen for seamless integration.
Google says replacing C/C++ in firmware with Rust is easy
Google has transitioned firmware for protected virtual machines to Rust, enhancing security by addressing memory safety issues. Despite challenges, the U.S. government supports Rust adoption for improved software security.
A good day to trie-hard: saving compute 1% at a time
Cloudflare launched the open-source Rust crate "trie-hard" to optimize CPU usage in HTTP request processing, reducing header clearing runtime to 0.93µs and achieving a 1.28% CPU utilization reduction.
Why Oxide Chose Illumos
The Oxide Rack will use KVM or bhyve as the VMM, considering Rust for system programming. Key features include live migration, security measures, and strong isolation for enhanced reliability.
OpenHCL: The new, open source paravisor
OpenHCL is an open-source paravisor by Microsoft that enhances virtualization in confidential computing, supporting x86-64 and ARM64 platforms, and facilitating secure VM operation without frequent OS updates.