Hyperlight: Virtual machine-based security for functions at scale

The Azure Upstream team has been working on a really fast hypervisor library written in Rust for the past three years. It does less than you&#x27;d conventionally do with hypervisors, but in turn it can start VMs around 2 orders of magnitude faster (around 1-2ms&#x2F;VM).<p>I think this is really cool, and the library was just released on GitHub for anyone to try. I’m happy I got to help them write their announcement post — and I figured this might be interesting for folks here!

Looks like my TinyKVM project, except it runs specialized programs instead of regular ELFs? TinyKVM also runs functions, with a fast execution timeout. I proved that without I&#x2F;O you can essentially run KVM programs with native performance, and sometimes more due to automatic hugepages. I measured LLMs to run at 99.7% native speed using eg. Mistral 7B. For example, the STREAM memory benchmark doesn&#x27;t use hugepages by default, and so the terminal version runs slower than the TinyKVM version due to hugepage-tables, but of course runs at the same speed once you modify the benchmark to use the same advantage. However, it does require modifying the program.<p>See: <a href="https:&#x2F;&#x2F;ieeexplore.ieee.org&#x2F;document&#x2F;10475832" rel="nofollow">https:&#x2F;&#x2F;ieeexplore.ieee.org&#x2F;document&#x2F;10475832</a><p>I also implemented VM resets using page-table rewrites and CoW memory sharing, so that no memory is shared across different requests. This can be implemented as tail-latency in a cache.<p>I ended up adding support for most languages. All the systems languages, Go, v8, LuaJit etc. Go was by far the most annoying to support as it uses signals.

&gt; These micro VMs operate without a kernel or operating system, keeping overhead low. Instead, guests are built specifically for Hyperlight using the Hyperlight Guest library, which provides a controlled set of APIs that facilitate interaction between host and guest<p>Sounds like this is closer to a chroot&#x2F;unikernel than a &quot;micro VM&quot; - a slightly more firewalled chroot without most of the os libs, or a unikernel without the kernel. Pretty sure it&#x27;s not a &quot;virtual machine&quot; though.<p>Only pointing this out because these sorts of containers&#x2F;unikernels&#x2F;vms exist on a spectrum, and each type carries its own strengths and limitations; calling this by the wrong name associates it with the wrong set of tradeoffs.

So in essence, this is somewhere between a unikernel+firecracker combo and a WASM module, but using VT.

Don&#x27;t see any mention of firecracker, which is the first thing I think of in this space. Anyone have a TL;DR comparison?

How does the micro VM&#x27;s guest API talk to the host process? Does the communication between the two have to go through the hypervisor?

They mention that most guests are expected to run code in a VM&#x2F;interpreter... I wonder if they have a build of V8 or JSC for their environment?

So in general this is kludge to implement app isolation via &quot;VM&quot;, because existing CPU architectures suck at isolating code?

i wondered how it worked in rust but the guest entrypoint&gt;init&gt;main is wrapped in unsafeblock as is a lot of other low level operations it does. interesting stuff

Cool to see them using just

Use CHERI for this?