Hyperlight Project Description
What is the project about?
Hyperlight is a lightweight Virtual Machine Manager (VMM) designed for embedding within applications. It allows the safe execution of untrusted code inside "micro virtual machines".
What problem does it solve?
It solves the problem of securely and efficiently running untrusted code (e.g., from plugins, user-submitted scripts, or third-party libraries) without compromising the host system. It provides strong isolation with very low overhead compared to traditional virtual machines. It's particularly well-suited for scenarios where performance and latency are critical.
What are the features of the project?
- Micro Virtual Machines: Creates lightweight, isolated execution environments without a full kernel or operating system.
- Low Overhead: Minimal performance impact due to the absence of a traditional OS and kernel within the guest.
- Secure Execution: Runs untrusted code safely, preventing it from accessing or harming the host system.
- Host-Guest Communication: Provides a controlled API for interaction:
  - Hosts can call functions exposed by the guest ("guest functions").
  - Guests can call functions exposed by the host ("host functions").
- Minimal Default API: Guests have limited access by default, enhancing security. Hosts can selectively expose additional functions.
- Cross-Platform Support: Works on Windows (using Windows Hypervisor Platform) and Linux (using KVM or Microsoft Hypervisor (mshv)).
- Rust and C Guest Support: Guests can be written using either Rust or C libraries.
- Evolvable Sandbox: A sandbox can be evolved from an uninitialized state to a multi-use state.
What are the technologies used in the project?
- Rust: The primary language for the host and guest libraries.
- C: A C-compatible API is provided for guest development.
- Windows Hypervisor Platform (WHP): Used for virtualization on Windows.
- KVM (Kernel-based Virtual Machine): Used for virtualization on Linux.
- Microsoft Hypervisor (mshv): An alternative hypervisor option on Linux (particularly on Azure Linux).
- FlatBuffers: Used for efficient serialization and communication between host and guest.
- Clang/LLVM: Used for building C guests.
- Justfile: Used for build automation.
What are the benefits of the project?
- Enhanced Security: Provides a robust isolation layer for running untrusted code.
- High Performance: Low overhead and minimal latency compared to traditional VMs.
- Flexibility: Supports both Rust and C for guest development.
- Embeddable: Designed to be integrated directly into applications.
- Cross-Platform: Runs on both Windows and Linux.
What are the use cases of the project?
- Plugin Systems: Safely execute plugins from untrusted sources within applications.
- Sandboxing User Scripts: Run user-provided code in a controlled environment (e.g., in web applications or scripting engines).
- Serverless Functions: Provide isolated execution for serverless functions with minimal overhead.
- Testing and Fuzzing: Create isolated environments for testing potentially unstable or malicious code.
- Confidential Computing: Execute sensitive workloads in a protected environment.
- Any application requiring secure execution of untrusted code with high performance.
