Microsoft releases experimental Hyperlight Wasm: Micro-vms that run Wasm apps

Microsoft has previewed Hyperlight Wasm for Windows and Linux, which combines micro-VMs (virtual machines) with a WebAssembly runtime, claiming startup times of a couple of milliseconds and two layers of isolation for security.

Hyperlight Wasm is based on the existing Hyperlight project, a lightweight virtual machine manager (VMM) built in Rust that spins up VMs that have no kernel or operating system but only a minimal Hyperlight Guest Library API. Hyperlight, described as “optimized for securely running untrusted code with minimal impact,” is currently a “nascent project with an evolving API.”

Hyperlight is a lightweight Virtual Machine Manager where VMs start up without a kernel or operating system

The newly introduced Hyperlight Wasm adds a WebAssembly runtime, the well-known Wasmtime from the Bytecode Alliance, to create a platform for running applications coded in any language that can target Wasmtime, including Rust, C, C++, Python, JavaScript, C#, Go and Ruby.

The advantage of Hyperlight Wasm is that it adds the security boundary of a VM to the sandbox already provided by Wasmtime, giving a way to run applications that start quickly while remaining strongly isolated from the host operating system.

According to Microsoft’s developer advocate Yosh Wuyts along with software engineer and researcher Lucy Menon, spinning up a VM and running a Wasmtime application takes between 1 and 2 milliseconds, and “work is happening to bring that number to be less than 1 millisecond.” This could nearly eliminate the cold-start problem that often affects serverless platforms such as Azure Functions. Hyperlight Wasm has the potential to make on-demand application instances that scale to zero practical while still giving users fast load times.

Despite Hyperlight Wasm being described as “experimental code … not considered production-grade by its developers,” Microsoft itself will be making use of Hyperlight Wasm in an upcoming private preview of Azure Front Door Edge Actions, a service which DevClass is guessing will provide low-latency applications that run close to the user via Azure’s global distributed network.

This sounds similar in some respects to Cloudflare Workers, which use V8 isolates, based on the JavaScript engine used by Google Chrome and Chromium, to provide lightweight application runtimes with fast start-up on a global distribution network. A key difference is that VMs are a harder security boundary than a V8 isolate.

There are some limitations to the Hyperlight Wasm offering. One is that it currently does not run on macOS, only on Windows or Linux. Another issue, said Wuyts and Menon, is that “the VMM host doesn’t provide its own default implementation of WASI interfaces, so you have to implement them yourselves.” This means that writing applications for Hyperlight Wasm is currently a lot of work. Microsoft is proposing to add default bindings for some WASI (WebAssembly System Interface) APIs soon, which will make it easier to use common features such as an HTTP server or listening on a socket.

The Hyperlight project has been donated to the CNCF (Cloud Native Computing Foundation) where Wuyts and Menon said it will be part of the sandbox program, the most experimental type of CNCF project. Hyperlight Wasm is now part of the overall project, which is open source under the Apache 2.0 license.

Microsoft’s initiative is far from production-ready, but does illustrate the strong appetite for encapsulating applications in a runtime that is lighter weight even than containers, but with the strong security boundaries associated with VMs as well as fast start-up.