Hyperlight, an open source project from Microsoft that integrates into apps that run isolated or untrusted code


Microsoft recently announced a new open source project named "Hyperlight". It is a hypervisor designed specifically to be embedded in applications that need to run code in isolation, either for security reasons or to handle untrusted fragments.

Hyperlight is positioned as a shared library that lets an application run functions inside micro-VMs, minimizing latency and enabling efficient communication with the hosted functions.

About Hyperlight

Compared to traditional virtual machines, Hyperlight stands out for its low performance overhead: where starting a standard virtual machine takes at least 120 milliseconds, Hyperlight can create a micro-VM in just 1 to 2 milliseconds, which makes isolation at the level of individual functions practical.

It is also noted that, although frameworks such as Wasmtime for WebAssembly offer even lower startup times, around 0.03 milliseconds, Hyperlight aims to strike a balance between isolation and functionality for complex applications.

Unlike traditional setups, Hyperlight's micro-VMs do not run a kernel or a full operating system. Instead, the virtual machine is reduced to a self-contained program that includes the function code, a specialized minimal core and the necessary runtime, running in a single memory region with one virtual CPU assigned, with no process partitioning and no device mapping.

Hyperlight targets a wide range of scenarios: integration of Internet of Things (IoT) gateway functions, industrial automation, high-performance cloud services, and so on.

The development flow with Hyperlight involves linking the main application code against the Hyperlight Host library, which is responsible for managing the micro-VMs. The isolated code that runs inside those micro-VMs, in turn, uses the Hyperlight Guest library, which provides the APIs needed to interact with the outside world and lets the code run entirely independently of the host operating system. With this architecture, Hyperlight seeks to redefine isolated function execution, offering an efficient and secure approach for modern applications.

A prominent feature of Hyperlight is the two-way interaction between the host application and the isolated functions: not only can the application call functions hosted in the isolated environment, those functions can also access certain elements of the host. This access, however, is strictly controlled for security. By default, isolated functions can communicate with the host only through a minimal API for exchanging messages. This restriction keeps the environment controlled and reduces the security risks associated with function isolation.
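To make the host/guest boundary described above concrete, here is an added, self-contained Rust sketch (written for this page; it is not Hyperlight's own API and uses hypothetical `Host`, `Guest`, `Value` and `BoundaryError` types). It models the default-deny rule: the host keeps an explicit table of the functions it chooses to expose, a guest function may call back into the host only by name through that table, and a request for anything the host never registered is refused rather than silently served.

```rust
use std::collections::HashMap;

/// Values that cross the host/guest boundary. The real project serializes
/// parameters and results; this tiny enum stands in for that (hypothetical).
#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Int(i64),
    Str(String),
}

/// Errors raised at the boundary (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum BoundaryError {
    HostFunctionNotExposed(String),
    GuestFunctionNotFound(String),
    BadArguments(&'static str),
}

type HostFn = Box<dyn Fn(&[Value]) -> Result<Value, BoundaryError>>;
type GuestFn = fn(&Host, &[Value]) -> Result<Value, BoundaryError>;

/// Host side: owns the allowlist of functions it is willing to expose.
/// Default-deny: an empty table means guest code can reach nothing.
pub struct Host {
    exposed: HashMap<String, HostFn>,
}

impl Host {
    pub fn new() -> Self {
        Host { exposed: HashMap::new() }
    }

    /// Explicitly expose one host function to guest code.
    pub fn expose<F>(&mut self, name: &str, f: F)
    where
        F: Fn(&[Value]) -> Result<Value, BoundaryError> + 'static,
    {
        self.exposed.insert(name.to_string(), Box::new(f));
    }

    /// The only path from guest to host: a named call looked up in the
    /// allowlist. Anything not registered is refused.
    pub fn call_from_guest(&self, name: &str, args: &[Value]) -> Result<Value, BoundaryError> {
        match self.exposed.get(name) {
            Some(f) => f(args),
            None => Err(BoundaryError::HostFunctionNotExposed(name.to_string())),
        }
    }
}

/// Guest side: the table of functions the host is allowed to invoke.
pub struct Guest {
    functions: HashMap<String, GuestFn>,
}

impl Guest {
    pub fn new() -> Self {
        Guest { functions: HashMap::new() }
    }

    pub fn register(&mut self, name: &str, f: GuestFn) {
        self.functions.insert(name.to_string(), f);
    }

    /// Host-initiated call into the guest. The guest receives a handle to
    /// the host only so that it can use the exposed functions.
    pub fn call_from_host(&self, host: &Host, name: &str, args: &[Value]) -> Result<Value, BoundaryError> {
        match self.functions.get(name) {
            Some(f) => f(host, args),
            None => Err(BoundaryError::GuestFunctionNotFound(name.to_string())),
        }
    }
}

/// Guest function that does some work and calls back into the host to log.
fn guest_double_and_log(host: &Host, args: &[Value]) -> Result<Value, BoundaryError> {
    let n = match args {
        [Value::Int(n)] => *n,
        _ => return Err(BoundaryError::BadArguments("expected one Int")),
    };
    host.call_from_guest("log", &[Value::Str(format!("doubling {n}"))])?;
    Ok(Value::Int(n * 2))
}

/// Guest function that asks for a host capability that was never exposed.
fn guest_try_read_file(host: &Host, _args: &[Value]) -> Result<Value, BoundaryError> {
    host.call_from_guest("read_file", &[Value::Str("host-data.txt".into())])
}

/// Wires up a host that exposes only `log`, then runs both guest functions.
pub fn demo() -> (Result<Value, BoundaryError>, Result<Value, BoundaryError>) {
    let mut host = Host::new();
    host.expose("log", |args| match args {
        [Value::Str(msg)] => {
            println!("[host log] {msg}");
            Ok(Value::Int(0))
        }
        _ => Err(BoundaryError::BadArguments("log expects one Str")),
    });

    let mut guest = Guest::new();
    guest.register("double_and_log", guest_double_and_log);
    guest.register("try_read_file", guest_try_read_file);

    let ok = guest.call_from_host(&host, "double_and_log", &[Value::Int(21)]);
    let denied = guest.call_from_host(&host, "try_read_file", &[]);
    (ok, denied)
}

fn main() {
    let (ok, denied) = demo();
    println!("{ok:?}");
    println!("{denied:?}");
}
```

The point of the sketch is the shape of the contract, not the table lookup itself: every host capability a guest can touch is a deliberate `expose` call, so reviewing the sandbox's attack surface reduces to reviewing that list.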

As for its long-term plans, Microsoft says it is looking to turn Hyperlight into a broader collaborative project under the management of the Cloud Native Computing Foundation (CNCF). This move aims to promote neutral and open development, free from the exclusive influence of any single vendor. Operating under the Linux Foundation, the CNCF already oversees influential projects such as Kubernetes, containerd, Istio and gRPC, which gives an idea of its capacity to manage key technological initiatives in the cloud computing ecosystem. This step promises to expand Hyperlight's reach and consolidate it as an essential tool in the field of cloud-native applications.

As for current platform support, it is worth mentioning that multiple environments are supported. On Linux it supports the KVM and mshv hypervisors (Microsoft Hypervisor on Azure Linux), while on Windows it uses WHP (Windows Hypervisor Platform) and WSL2 with KVM (macOS is left out for now).

Finally, if you want to know more, the project is written in Rust and is available under the Apache 2.0 license. You can check the details at the following link

