Microsoft Launches Hyperlight Hypervisor For Apps

Microsoft has presented Hyperlight, a project developing a hypervisor designed for the isolated execution of code that requires special protection or is not trusted. The hypervisor is structured as a separate library that runs individual functions inside lightweight virtual machines (micro-VMs) and manages data exchange with those functions. The project's code, written in Rust, is distributed under the Apache 2.0 license.

Hyperlight offers lower latency and less overhead than traditional virtual machines. Creating a virtual machine in Hyperlight takes only 1-2 milliseconds, which makes isolation at the level of individual functions practical. By comparison, launching a conventional virtual machine typically takes at least 120 milliseconds, while launching an isolated sandbox for executing WebAssembly code with Wasmtime takes 0.03 milliseconds.

On Linux, Hyperlight supports KVM and MSHV (the Microsoft Hypervisor in Azure Linux); on Windows it supports WHP (Windows Hypervisor Platform) and WSL2 (Windows Subsystem for Linux 2). macOS is not currently supported. The virtual machine does not run a separate kernel or operating system: it consists of a self-contained loader that bundles the code of the executed function, a runtime binding, and a minimal specialized kernel. Each virtual machine is allocated a single linear memory region and one virtual CPU, with no device mapping and no process separation inside the VM.

In development, the main application code is linked with the Hyperlight Host library, which is responsible for launching the virtual machines, while the code of the isolated guest functions is linked with the Hyperlight Guest library, which provides an API for interacting with the external application and lets that code run on its own without an operating system environment.


The interaction layer between the host application and the isolated functions allows calls in both directions: the host can call guest functions and the guest can call functions in the host. Access from the isolated functions to the external application is strictly regulated: by default the guest sees only a minimal API that lets it pass messages to the host application.
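The following added example models the host/guest split described in the two paragraphs above. It is not Hyperlight's own code or API: `HostRegistry`, `Guest`, `Value` and the function names are assumptions made for illustration. The security-relevant point it demonstrates is the allow-list: the guest can reach only host functions that were explicitly registered, the default surface is a single message-passing function, and anything else the guest asks for is rejected on the host side rather than inside the untrusted code.

```rust
use std::collections::HashMap;

/// Value carried across the host/guest boundary (constructed for this example).
#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Int(i64),
    Str(String),
}

/// Errors the host reports back to the guest.
#[derive(Debug, Clone, PartialEq)]
pub enum CallError {
    /// The guest asked for a host function that was never exposed to it.
    NotExposed(String),
    /// The guest passed arguments the host function does not accept.
    BadArgs(String),
}

/// Signature of a host function reachable from the guest.
pub type HostFn = fn(&[Value]) -> Result<Value, CallError>;

/// Host-side registry: the complete set of functions the guest may call.
/// Nothing outside this map is reachable from inside the micro-VM.
pub struct HostRegistry {
    exposed: HashMap<String, HostFn>,
}

impl HostRegistry {
    /// Default surface: one message-passing function and nothing else.
    pub fn with_default_surface() -> Self {
        let mut reg = HostRegistry { exposed: HashMap::new() };
        reg.register("host_print", host_print);
        reg
    }

    /// Explicitly widen the surface; every exposed function is a deliberate choice.
    pub fn register(&mut self, name: &str, f: HostFn) {
        self.exposed.insert(name.to_string(), f);
    }

    /// Sorted list of exposed names, useful for auditing the guest's reach.
    pub fn exposed_names(&self) -> Vec<String> {
        let mut names: Vec<String> = self.exposed.keys().cloned().collect();
        names.sort();
        names
    }

    /// Entry point for a call arriving from the guest: the host decides,
    /// by name lookup, whether the call is allowed at all.
    pub fn dispatch(&self, name: &str, args: &[Value]) -> Result<Value, CallError> {
        match self.exposed.get(name) {
            Some(f) => f(args),
            None => Err(CallError::NotExposed(name.to_string())),
        }
    }
}

/// The only host function in the default surface: accept one string message.
fn host_print(args: &[Value]) -> Result<Value, CallError> {
    match args {
        [Value::Str(msg)] => {
            println!("[guest] {msg}");
            Ok(Value::Int(msg.len() as i64))
        }
        _ => Err(CallError::BadArgs("host_print expects one string".to_string())),
    }
}

/// Stand-in for the guest side: function bodies that run isolated and can
/// only reach the host through `HostRegistry::dispatch`.
pub struct Guest;

impl Guest {
    /// Run a named guest function. `double` uses the default surface;
    /// `read_file` tries to reach a host function that is not exposed by default.
    pub fn run(host: &HostRegistry, fname: &str, args: &[Value]) -> Result<Value, CallError> {
        match (fname, args) {
            ("double", [Value::Int(n)]) => {
                host.dispatch("host_print", &[Value::Str(format!("doubling {n}"))])?;
                Ok(Value::Int(n * 2))
            }
            ("read_file", _) => host.dispatch("host_read_file", args),
            _ => Err(CallError::NotExposed(fname.to_string())),
        }
    }
}

fn main() {
    let host = HostRegistry::with_default_surface();
    println!("exposed to guest: {:?}", host.exposed_names());
    println!("double(21) -> {:?}", Guest::run(&host, "double", &[Value::Int(21)]));
    println!(
        "read_file -> {:?}",
        Guest::run(&host, "read_file", &[Value::Str("/tmp/example.txt".to_string())])
    );
}
```

The design choice worth noting is that the decision happens on the host, keyed only by the name the guest supplies: widening what the guest can do requires a visible `register` call in host code, so the exposed surface can be reviewed in one place.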
