Hyperlight meets WebAssembly: Microsoft releases Hyperlight Wasm
The experimental project allows the execution of WebAssembly modules within a VM-based sandbox. It focuses on performance and security.
Microsoft has announced that it is working on Hyperlight Wasm. The project can already be found on GitHub, but still has experimental status. It allows WebAssembly (Wasm) modules to be executed within a Hyperlight micro VM (virtual machine), which should deliver both high performance and security.
Hyperlight was developed by Microsoft Azure Core Upstream and introduced in November 2024. It is an open-source Rust library that Microsoft has since handed over to the Cloud Native Computing Foundation (CNCF) as a sandbox project. It is used to create micro virtual machines and specializes in executing untrusted code securely – with low latency and minimal overhead. These micro VMs work without a kernel or operating system, but use guests that are created for Hyperlight using the Hyperlight Guest Library. Guests are programs that combine a specialized kernel with an application runtime into a single program. Further details can be found in the announcement article.
Building on Hyperlight, Microsoft is now developing Hyperlight Wasm, a Rust library crate. Hyperlight Wasm is intended to enable Wasm component workloads written in many programming languages to run as Hyperlight guests.
Goals of Hyperlight Wasm: compatibility, speed and security
As the development team explains, traditional VMs have the disadvantage that compatibility can be limited in favor of performance. Compatibility problems can affect the operating system and the system interface layer as well as the programming language and its libraries.
This is where the WebAssembly approach comes in. As Microsoft explains, WebAssembly System Interface (WASI) and the WebAssembly Component Model enable lightweight execution environments in which programs written in almost any programming language can run. Hyperlight Wasm takes advantage of this and allows the implementation of a small set of high-level, high-performance abstractions in almost any execution environment while offering broad compatibility.
In addition to performance, security should also benefit from Hyperlight Wasm. Hyperlight Wasm uses the Wasmtime runtime, compiled as a Rust no_std module into a Hyperlight guest. Wasmtime is said to stand out for the strict isolation boundaries it places around Wasm workloads, based on a software-defined runtime sandbox. Potential attackers would therefore have to overcome two security layers: the Wasm sandbox and the virtual machine.
Hyperlight Wasm is available on GitHub. Microsoft provides further background information and future plans for Hyperlight Wasm in its open source blog.
(mai)