Microsoft’s Hyperlight WebAssembly for VMs Is Open Source

Microsoft’s Azure Core Upstream team says its Hyperlight provides over 100% lower cold-start latency for serverless applications while benefiting from WebAssembly’s (Wasm) sandboxed security. Now open sourced, with plans to donate the project to the CNCF, Hyperlight runs small, embedded functions with hypervisor-based protection for each function call at scale: each function request gets its own hypervisor for protection.
Virtual machines have long been the cornerstone of cloud native infrastructure, widely trusted to securely separate host and guest environments, Rita Zhang, a principal engineer on Microsoft Azure, said during a keynote at KubeCon+CloudNativeCon in November. “However, for event-driven scenarios like serverless computing, traditional VMs are simply too slow to spin up,” Zhang said. “So, how can we reduce this latency while still running our applications securely?”
What Is Hyperlight?
Hyperlight is a Rust library built to allow developers to leverage the Kernel-based Virtual Machine (KVM) or Hyper-V — a Microsoft-native hypervisor — to run untrusted code in a microVM without loading a full operating system. These microVMs can be created in microseconds, Zhang said.
During a demo, Zhang showed how an app makes sequential calls from the VM to the host and then returns values from the host back to the guest. Hyperlight creates a new microVM for each call, averaging just 900 microseconds per request, Zhang showed. “That’s microseconds — less than one millisecond,” Zhang said.
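To make the call pattern from the demo concrete, here is an added model written for this article, not code from the Hyperlight project and not its crate API (the `Sandbox`, `register_host_fn`, `run_guest` and `handle_request` names are hypothetical). It captures the two security-relevant properties the demo relies on: the guest can only reach host functions the host explicitly registers, and because a fresh sandbox is built per request and dropped afterwards, nothing the guest wrote in one request is visible to the next. It also times each request in microseconds, as the demo did; the numbers it prints are for this in-process model only and say nothing about real hypervisor cold-start cost.

```rust
// Added example: a model of a per-request, host/guest call sandbox.
// Hypothetical names; this is NOT the Hyperlight crate's API.
use std::collections::HashMap;
use std::time::Instant;

/// Result of one guest invocation.
#[derive(Debug, PartialEq)]
pub enum CallOutcome {
    Ok(i64),
    Denied(String),
}

/// A host function the guest may call: one integer in, one integer out.
pub type HostFn = fn(i64) -> i64;

/// One sandbox per request. It owns its own guest memory and only the host
/// functions explicitly registered on it; dropping it discards all state.
pub struct Sandbox {
    host_fns: HashMap<&'static str, HostFn>,
    guest_memory: Vec<u8>,
}

impl Sandbox {
    pub fn new(memory_bytes: usize) -> Self {
        Sandbox { host_fns: HashMap::new(), guest_memory: vec![0; memory_bytes] }
    }

    /// Explicit allow-list: the guest can reach only what the host registers.
    pub fn register_host_fn(&mut self, name: &'static str, f: HostFn) {
        self.host_fns.insert(name, f);
    }

    /// Guest-side logic: scribble on guest memory, then call out to the host
    /// and hand its answer back. Unregistered host functions are denied.
    pub fn run_guest(&mut self, host_fn_name: &str, arg: i64) -> CallOutcome {
        // Guest state that must never leak into the next request.
        self.guest_memory[0] = 0xAA;
        match self.host_fns.get(host_fn_name) {
            Some(f) => CallOutcome::Ok(f(arg)),
            None => CallOutcome::Denied(format!("host function '{}' not exposed", host_fn_name)),
        }
    }

    pub fn first_byte(&self) -> u8 {
        self.guest_memory[0]
    }
}

/// The single host function this host chooses to expose: doubles its input.
pub fn host_double(x: i64) -> i64 {
    x * 2
}

/// Serve one request in a brand-new sandbox. Returns the outcome, the first
/// guest-memory byte observed before the guest ran (to show it is fresh), and
/// the wall-clock cost of the whole request in microseconds.
pub fn handle_request(host_fn_name: &str, arg: i64) -> (CallOutcome, u8, u128) {
    let start = Instant::now();
    let mut sb = Sandbox::new(4096);
    sb.register_host_fn("double", host_double);
    let fresh_byte = sb.first_byte();
    let outcome = sb.run_guest(host_fn_name, arg);
    let elapsed = start.elapsed().as_micros();
    (outcome, fresh_byte, elapsed) // `sb` is dropped here: all guest state is gone
}

fn main() {
    // Constructed sample requests: two allowed calls and one the host never exposed.
    let requests = [("double", 21i64), ("double", 5), ("read_secret", 1)];
    for &(name, arg) in requests.iter() {
        let (outcome, fresh, us) = handle_request(name, arg);
        println!("{}({}) -> {:?}; fresh memory byte = {:#x}; {} us", name, arg, outcome, fresh, us);
    }
}
```

The design choice worth noting is that isolation here comes from construction, not from cleanup code: the second `double` request sees zeroed memory not because anything wiped it, but because the first sandbox no longer exists.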
Big Ideas
The idea has been around for a while: using Wasm modules as lightweight, sandboxed units of security. Called different things depending on the cloud vendor, micro VMs will allow on-premises or cloud sources to distribute massive amounts of data traffic coming from on-premises systems through the cloud. Google Cloud is expected to offer similar products as the standard is worked out in 2025.
“We can now process network traffic as it enters the system using these lightweight sandboxes,” said Mark Russinovich, CTO and technical fellow of Microsoft Azure, speaking at the Microsoft Ignite user’s conference. “This opens up incredible possibilities for real-time, efficient network processing.”
Adobe and Google are among the tech leaders developing the WebAssembly standard. Additionally, companies using it to stream video include Netflix, Amazon Prime, Disney and others.
Microsoft is typically not very verbose about much of its previous work in WebAssembly (Microsoft could not comment for a previous article when queried), but it has been confirmed that the company already uses WebAssembly to support its own operations while continuing to actively contribute to the development of Wasm for the community. In Microsoft’s case, its work with WebAssembly dates back years. Microsoft Flight Simulator, for example, has for some years used WebAssembly for mod protection, where it was shown to improve both security and portability for add-ons distributed as WebAssembly modules. Excel Online uses WebAssembly for calculating Lambda functions.
Most of Microsoft’s work now consists of investing in the upcoming component model and WASI. For example, Microsoft is expanding the Azure Kubernetes Service WASI NodePool preview and, with the Hyperlight project, giving its services additional hypervisor protection per request on top of the Wasm sandbox. Outside of the Edge browser, Microsoft is investing mainly in server-side Wasm and the Wasm component ecosystem surrounding the Bytecode Alliance, as well as in infrastructure and language tooling to enable productive use of Wasm and, of course, WASI. Microsoft is also developing the containerd project Runwasi, which is part of the SpinKube project.
“Hyperlight was the missing piece we needed to truly isolate fine-grained, lightweight pieces of code. You might think, ‘Isn’t that what containers are for?’ But containers actually have a sizable footprint,” Microsoft’s Yosh Wuyts, senior developer advocate, and Ralph Squillace, principal product manager for Microsoft Azure Core Upstream, wrote in a blog post. “For scenarios like user-defined functions inside a storage service or processing network traffic on edge, as it comes into your system, you need something much more lightweight. It also needs to be hostile and multitenant safe, meaning customers can be placed side by side in these environments without compromising security. This led us to create what we call micro sandboxes or micro virtual machines.”
An “aha” moment came when a colleague at Azure “came to me one day and said, ‘Hey, I can use the Hyper-V APIs to create a VM with no code except for a tiny piece I load into it. It can launch in microseconds and shut down just as quickly,’” Squillace wrote. “And just like that, we had Hyperlight, a hypervisor-isolated micro VM.”
Microsoft introduced Hyperlight virtual machine-based security and, as mentioned above, has open sourced it. It now works not only with Hyper-V but also with KVM. Additionally, Microsoft is contributing Hyperlight to the CNCF, “aiming to raise all boats and provide micro virtual machine technology to everyone,” Wuyts and Squillace wrote. “Hyperlight is our way of delivering this capability through a secure sandbox.”