2025-01-18 08:00:55
Microsoft’s Hyperlight WebAssembly for VMs Is Open Source
Hyperlight is a Rust library built to allow developers to leverage kernel-based virtual machines or Hyper-V — a Microsoft-native hypervisor — to run untrusted code in a micro VM without loading a full operating system.
Jan 18th, 2025 8:00am by
B. Cameron Gain
Featured image by B. Cameron Gain.
Microsoft’s Azure Core Upstream team says its Hyperlight provides over 100% lower cold-start latency for serverless applications while benefiting from WebAssembly’s (Wasm) sandboxed security. Now open sourced with plans to donate the project to the CNCF, the Hyperlight project relies on small, embedded functions using hypervisor-based protection for each function call at scale. Each function request also has its own hypervisor for protection.
Virtual machines have long been the cornerstone of cloud native infrastructure, widely trusted to securely separate host and guest environments, Rita Zhang, a principal engineer on Microsoft Azure, said during a keynote at KubeCon+CloudNativeCon in November. “However, for event-driven scenarios like serverless computing, traditional VMs are simply too slow to spin up,” Zhang said. “So, how can we reduce this latency while still running our applications securely?”

What Is Hyperlight?
Hyperlight is a Rust library built to allow developers to leverage kernel-based virtual machines or Hyper-V — a Microsoft-native hypervisor — to run untrusted code in a microVM without loading a full operating system. These microVMs can be created in microseconds, Zhang said.
During a demo, Zhang showed how an app makes sequential calls from the VM to the host and then returns values from the host back to the guest. Hyperlight creates a new microVM for each call, averaging just 900 microseconds per request, Zhang showed. “That’s microseconds — less than one millisecond,” Zhang said.
Big Ideas
The idea has been around for a while: using Wasm modules as lightweight, sandboxed security. Called different things depending on the cloud vendor, micro VMs will allow on-premises or cloud sources to distribute massive amounts of data traffic coming from on-premises systems through the cloud. Google Cloud should provide similar offerings as the standard is worked out in 2025.
“We can now process network traffic as it enters the system using these lightweight sandboxes,” said Mark Russinovich, CTO and technical fellow of Microsoft Azure, speaking at the Microsoft Ignite user’s conference. “This opens up incredible possibilities for real-time, efficient network processing.”
Adobe and Google are among the tech leaders developing the WebAssembly standard. Additionally, companies using it to stream video include Netflix, Amazon Prime, Disney and others.
Microsoft is typically not very verbose about much of its previous work in WebAssembly (Microsoft could not comment for a previous article when queried), but it has been confirmed that the company has already begun to use WebAssembly to support its operations mostly while continuing to actively contribute to the development of Wasm for the community. In Microsoft’s case, its work with WebAssembly dates back years. Microsoft Flight Simulator, for example, has for some years used WebAssembly for mod protection, where it was shown to improve both security and portability for add-ons distributed as WebAssembly modules. Excel Online uses WebAssembly for calculating Lambda functions.
Most of Microsoft’s work now consists of investing in the upcoming component model and WASI. For example, Microsoft is expanding the Azure Kubernetes Service WASI NodePool preview and giving its services additional hypervisor protection per request on top of the Wasm sandbox with the Hyperlight project. Outside of the Edge browser, Microsoft is investing mainly in server-based Wasm and the Wasm component ecosystem surrounding the Bytecode Alliance, as well as in infrastructure and language tooling to enable productive use and WASI, of course. Microsoft is also developing the containerd project runwasi, which is part of the SpinKube project.
“Hyperlight was the missing piece we needed to truly isolate fine-grained, lightweight pieces of code. You might think, ‘Isn’t that what containers are for?’ But containers actually have a sizable footprint,” Microsoft’s Yosh Wuyts, senior developer advocate, and Ralph Squillace, principal product manager for Microsoft Azure Core Upstream, wrote in a blog post. “For scenarios like user-defined functions inside a storage service or processing network traffic on edge, as it comes into your system, you need something much more lightweight. It also needs to be hostile and multitenant safe, meaning customers can be placed side by side in these environments without compromising security. This led us to create what we call micro sandboxes or micro virtual machines.”
An “aha” moment came when a colleague at Azure “came to me one day and said, ‘Hey, I can use the Hyper-V APIs to create a VM with no code except for a tiny piece I load into it. It can launch in microseconds and shut down just as quickly,’” Squillace wrote. “And just like that, we had Hyperlight, a hypervisor-isolated micro VM.”
Microsoft introduced Hyperlight virtual machine-based security and, as mentioned above, has open sourced it. It now works not only with Hyper-V but also with KVM. Additionally, Microsoft is contributing Hyperlight to the CNCF, “aiming to raise all boats and provide micro virtual machine technology to everyone,” Wuyts and Squillace wrote. “Hyperlight is our way of delivering this capability through a secure sandbox.”
BC Gain is founder and principal analyst for ReveCom Media. His obsession with computers began when he hacked a Space Invaders console to play all day for 25 cents at the local video arcade in the early 1980s. He then…
Credit to the Original Article | Explore More of Their Work If You Found This Article Enjoyable.
https://thenewstack.io/microsofts-hyperlight-webassembly-for-vms-is-open-source/



