Hyperlight<\/a> and the Nanvix<\/a> microkernel project have now combined efforts to solve this final constraint. By adding a POSIX compatibility layer, the integration enables Python, JavaScript, C, C++, and Rust applications to run with full hardware isolation and extremely rapid cold starts\u2014much closer to meeting all three requirements.<\/p>\n\n\n\n This post explains the serverless trilemma and walks through how we attempt to break through it.<\/p>\n\n\n\n When building serverless infrastructure, architects have traditionally faced a painful trade-off. You can have any two of the following, but not all three:<\/p>\n\n\n\n With Hyperlight<\/a>, we showed that it’s possible to create micro-VMs in low tens of milliseconds by eliminating the OS and virtual devices. But this speed came at a cost: Hyperlight guests have no system calls available. Instead, they’re statically linked binaries that communicate only through explicit host-guest function calls. That’s secure and fast, but it limits what applications you can run.<\/p>\n\n\n\n Nanvix is a Rust-based microkernel created by the Systems Research Group at Microsoft Research. Unlike traditional OSes, Nanvix was co-designed with Hyperlight from the ground up. It’s not a general-purpose OS\u2014it’s a minimal OS tailored specifically for ephemeral serverless workloads. Here are some highlights of Nanvix:<\/p>\n\n\n\n The result? You can now run real applications\u2014with file systems, system calls, and language runtimes\u2014inside a Hyperlight micro-VM, while maintaining hypervisor-grade isolation and achieving double-digit-millisecond cold starts.<\/p>\n\n\n\n The combination of Hyperlight and Nanvix addresses the trilemma by splitting responsibilities. Hyperlight controls everything the guest VM can do on behalf of the trusted host, providing hardware-enforced isolation. Nanvix’s optimized microkernel runs inside the Hyperlight guest, providing the POSIX system calls and file system int erface that applications expect. Together, they enable hardware-isolated execution of Python, JavaScript, C, C++, and Rust applications with double-digit millisecond-order cold starts.<\/p>\n\n\n\n The magic of Hyperlight-Nanvix lies in its split OS design<\/em>. Rather than running a monolithic OS inside the VM, it splits responsibilities between two groups of components:<\/p>\n\n\n\n This split architecture means we get the best of both worlds. Applications see a familiar POSIX environment, but the actual I\/O operations are handled by the host\u2014enabling high density, fast cold starts, and shared state across invocations when needed.<\/p>\n\n\n\n One of the most powerful features of the Hyperlight-Nanvix integration is system call interposition. When a guest application makes a system call (like openat to open a file), the request flows through Nanvix, across the VM boundary via Hyperlight’s VM exit mechanism, and to the host. At this boundary, the host can:<\/p>\n\n\n\n This gives you fine-grained control over what untrusted code can do, even when that code expects a full OS underneath it. Want to allow file reads but block network access? You can enforce that at the system call level without modifying the guest application.<\/p>\n\n\n\n Hyperlight-Nanvix delivers all three requirements\u2014hardware isolation, fast cold starts, and application compatibility. But different use cases have different security requirements. The integration supports three deployment architectures that let you optimize for your specific threat model.<\/p>\n\n\n\n Across all three modes, the Hyperlight VM remains identical. What changes is how the I\/O subsystem is deployed: whether it runs in the same process as the VMM, in a separate process, or in a separate VM entirely. Each architecture offers different trade-offs between isolation strength, performance, and resource density.<\/p>\n\n\n\n The simplest deployment model runs the I\/O subsystem and the Hyperlight VMM in a single host process. The VMM thread manages the Hyperlight VM, while an I\/O thread handles system call interposition. This provides the same threat model as Hyperlight without Nanvix\u2014fast and simple, ideal for running small, untrusted workloads with hardware isolation.<\/p>\n\n\n For improved isolation, you can separate the VMM and I\/O handling into different host processes. The VMM process manages the Hyperlight VM, while a separate system process handles I\/O operations. This constrains the blast radius if a vulnerability is exploited\u2014an attacker who escapes the VM still can’t access I\/O resources directly. The system I\/O process can also be shared across multiple concurrent instances for the same tenant, improving both density and deployment time.<\/p>\n\n\n The most isolated deployment runs two separate VMs on the host hypervisor (using Hyper-V or KVM). The System VM handles all I\/O system calls and can serve as a shared backend for multiple Hyperlight VMs. The Hyperlight VM forwards I\/O requests across the hypervisor boundary to the System VM, providing defense-in-depth with multiple hypervisor boundaries.<\/p>\n\n\n We’ve tested Hyperlight-Nanvix against other isolation technologies using real-world applications. Our early benchmarks show very promising results:<\/p>\n\n\n\n How far did we get to breaking the trilemma? We’re preparing a detailed benchmark analysis that we’ll share in a follow-up post, including methodology, reproducible test cases, and comparative data across different workloads. This will give you the data and tests you need to decide for yourself.<\/p>\n\n\n\n Because Hyperlight-Nanvix provides a POSIX compatibility layer, you can run applications in virtually any language, among them:<\/p>\n\n\n\n The key insight is that language runtimes themselves are just applications. By providing system calls and a file system, Nanvix enables you to embed interpreters like QuickJS or CPython inside the micro-VM. Your JavaScript or Python code runs normally\u2014it has no idea it’s executing inside a hardware-isolated sandbox.<\/p>\n\n\n\n This approach also explains why Hyperlight-Nanvix achieves better performance than general-purpose operating systems: Nanvix is optimized for workloads you want to spin up, execute, and tear down as quickly as possible\u2014the exact pattern cloud-native serverless functions demand.<\/p>\n\n\n\n One compelling use case for Hyperlight-Nanvix is executing AI-generated code. As large language models become more capable of writing code, we need secure environments to run that code without risking our infrastructure.<\/p>\n\n\n\n AI-generated code should be treated as untrusted and potentially malicious. With Hyperlight-Nanvix, you can:<\/p>\n\n\n\n The hypervisor boundary means that even if the generated code contains an exploit targeting the language runtime, the attacker still faces a hardware-enforced wall. And because cold starts are so fast, you can afford to create a fresh VM for every code execution\u2014no need to reuse potentially compromised sandboxes.<\/p>\n\n\n\n The hyperlight-nanvix wrapper provides out-of-the-box support for running JavaScript, Python, C, and C++ programs inside Nanvix guests.<\/p>\n\n\n For C and C++ programs, you’ll need to compile them first using the Nanvix toolchain (via Docker). See the repository README for compilation instructions.<\/p>\n\n\n\n The repository also includes a Node.js\/NAPI binding, allowing you to create sandboxes directly from JavaScript. Check out Hyperlight is a CNCF Sandbox project, and we’re excited to see the community build on this foundation. The integration with Nanvix represents the next step in our vision: making hardware-isolated serverless execution practical for real-world applications.<\/p>\n\n\n\n The Cloud Native Computing Foundation\u2019s (CNCF) Hyperlight project delivers faster, more secure, and smaller workload execution to the cloud-native ecosystem.<\/p>\n","protected":false},"author":6153,"featured_media":98306,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msxcm_post_with_no_image":false,"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"post_tag":[136],"content-type":[340],"topic":[2240,2247],"programming-languages":[],"coauthors":[2595,2629],"class_list":["post-98299","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-github","content-type-tutorials-and-demos","topic-application-development","topic-programming-languages","review-flag-1593580362-584","review-flag-1593580428-734","review-flag-1593580419-521","review-flag-9-1593580473-997","review-flag-new-1593580248-669","review-flag-vm-1593580807-312"],"yoast_head":"\nThe serverless trilemma: pick two?<\/h2>\n\n\n\n
\n
Nanvix: an OS for cloud-native apps<\/h2>\n\n\n\n
\n
Toward breaking the trilemma: Hyperlight and Nanvix<\/h2>\n\n\n\n
How it works: the split OS design<\/h2>\n\n\n\n
\n
![\"Flow](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-02-24-115922.webp\")
<\/figure>\n\n\n\nSystem call interposition: security at the system call boundary<\/h2>\n\n\n\n
\n
Deployment modes: flexibility for different threat models<\/h2>\n\n\n\n
Single process architecture<\/h2>\n\n\n\n
![\"Single-process](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2026\/02\/media_17c3954cb0985b953f947cad7341666beeed16e12.webp\")
<\/figure>\n\n\n\nMulti-process architecture<\/h2>\n\n\n\n
![\"Multi-process](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2026\/02\/media_14f0d7e19a90080143adeab2484570ddee35dc555.webp\")
<\/figure>\n\n\n\nDisaggregated architecture<\/h2>\n\n\n\n
![\"Disaggregated](\"https:\/\/opensource.microsoft.com\/blog\/wp-content\/uploads\/2026\/01\/media_10b4d2b71e3b94bede3e7d7b398d9465a8bbb48ec.webp\")
<\/figure>\n\n\n\nPerformance: fast cold starts with real applications<\/h2>\n\n\n\n
\n
Language support: from C to Python<\/h2>\n\n\n\n
\n
Use case: running AI-generated code safely<\/h2>\n\n\n\n
\n
Getting started<\/h2>\n\n\n\n
\ngit clone https:\/\/github.com\/hyperlight-dev\/hyperlight-nanvix\ncd hyperlight-nanvix\n\n# Download the Nanvix toolchain and runtime\ncargo run -- --setup-registry\n\n# Run scripts directly\ncargo run -- guest-examples\/hello.js # JavaScript\ncargo run -- guest-examples\/hello.py # Python\n\n<\/pre><\/div>\n\n\n
Example: running workloads from Rust<\/h2>\n\n\n
\nuse hyperlight_nanvix::{Sandbox, RuntimeConfig};\n\n#[tokio::main]\nasync fn main() -> anyhow::Result<()> {\n\u00a0\u00a0\u00a0 let config = RuntimeConfig::new()\n\u00a0\u00a0\u00a0 .with_log_directory(\"\/tmp\/hyperlight-nanvix\")\n\u00a0\u00a0\u00a0 .with_tmp_directory(\"\/tmp\/hyperlight-nanvix\");\n\n\u00a0\u00a0\u00a0 let mut sandbox = Sandbox::new(config)?;\n\n\u00a0\u00a0\u00a0 \/\/ Works with any supported file type\n\u00a0\u00a0\u00a0 sandbox.run(\"guest-examples\/hello.js\").await?;\n\u00a0\u00a0\u00a0 sandbox.run(\"guest-examples\/hello.py\").await?;\n\u00a0\u00a0\u00a0 sandbox.run(\"guest-examples\/hello-c\").await?;\n\n\u00a0\u00a0\u00a0 Ok(())\n}\n\n<\/pre><\/div>\n\n\nExample: system call interposition<\/h2>\n\n\n
\nuse hyperlight_nanvix::{Sandbox, RuntimeConfig, SyscallTable, SyscallAction};\n\nunsafe fn custom_openat(\n\u00a0\u00a0\u00a0 _state: &(),\n\u00a0\u00a0\u00a0 dirfd: i32,\n\u00a0\u00a0\u00a0 pathname: *const i8,\n\u00a0\u00a0\u00a0 flags: i32,\n\u00a0\u00a0\u00a0 mode: u32,\n) -> i32 {\n\u00a0\u00a0\u00a0 println!(\"Intercepted openat call - auditing file access\");\n\u00a0\u00a0\u00a0 \/\/ Forward to actual system call or block based on policy\n\u00a0\u00a0\u00a0 libc::openat(dirfd, pathname, flags, mode)\n}\n#[tokio::main]\nasync fn main() -> anyhow::Result<()> {\n\u00a0\u00a0\u00a0 let mut system_call_table = SyscallTable::new(());\n\u00a0\u00a0\u00a0 system_call_table.openat = SyscallAction::Forward(custom_openat);\n\n\u00a0\u00a0\u00a0 let config = RuntimeConfig::new()\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 .with_system_call_table(Arc::new(system_call_table));\n\n\u00a0\u00a0\u00a0 let mut sandbox = Sandbox::new(config)?;\n\u00a0\u00a0\u00a0 sandbox.run(\"guest-examples\/hello-c\").await?;\n\n Ok(())\n\n}\n\n<\/pre><\/div>\n\n\nexamples\/ai-generated-scripts\/<\/code> for a complete example of safely executing AI-generated code. This example requires additional setup\u2014see the README in that directory.<\/p>\n\n\n\nGet involved with Hyperlight and Nanvix<\/h2>\n\n\n\n
\n
\n