Open source hypervisor KSM was built to be tiny and light, with uses ranging from a software sandbox to a complement to containerization
Linux kernel developer Ahmed Samy has released KSM, an open source hypervisor project that aims to be “simple and lightweight.” He presents it as an option for Linux and Windows developers to build everything from software sandboxing tools to more fully fledged hypervisor applications.
In a brief announcement on the Linux kernel development email list, Samy stated that KSM’s purpose “is not to run other kernels” (typically the case with hypervisors), “but more of researching (or whatever) the running kernel, some ideas would be sandboxing, debugging perhaps.”
The project’s description in the GitHub repository expands on this: “This type of virtualization [being used as an extra layer of protection for the existing running OS] is usually seen in antiviruses, or sandboxers, or even viruses.”
Another key adjective Samy used was “hackable,” meaning that KSM has a simple code base that others can expand on and augment. Samy said he was motivated to create KSM because existing hypervisors didn’t lend themselves to this—their code bases were too big and sprawling, too difficult to understand, or didn’t implement support for newer processor features.
That last item is another KSM feature: the ability to use many of the latest CPU-based virtualization functions, such as VMFUNC, found in Intel Haswell CPUs and up, which allows memory to be shared directly between a VM and the hypervisor and thus speeds up certain tasks like I/O operations. At the very least, KSM needs an Intel CPU with the VT-x and EPT virtualization features, but both are available in most recent-generation processors.
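The VT-x and EPT requirement is the first thing to verify before trying to load a hypervisor like this on a host. The POSIX shell script below is an added example, not code from the article or from the KSM project; it reads a Linux `/proc/cpuinfo`-style file and reports whether the `vmx` (VT-x) and `ept` flags are listed. It assumes the kernel's reporting layout: on kernels before 5.6 `ept` appears on the `flags` line, and from 5.6 onward it moved to a separate `vmx flags` line, so both lines are inspected. The two sample inputs embedded in the script are constructed for offline use and are not output from a real machine.

```shell
#!/bin/sh
# Added example (not from the article or the KSM project): pre-flight check for
# the VT-x ("vmx") and EPT ("ept") support a hypervisor such as KSM requires.
# Assumption: "ept" is on the "flags" line on kernels before 5.6 and on the
# "vmx flags" line from 5.6 onward, so both lines are searched.

# has_vmx FILE : succeeds if a "flags" line lists the vmx feature
has_vmx() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qw 'vmx'
}

# has_ept FILE : succeeds if "flags" or "vmx flags" lists ept
# (grep -w treats "_" as a word character, so ept_ad / ept_x_only do not match)
has_ept() {
    grep -E '^(flags|vmx flags)[[:space:]]*:' "$1" | grep -qw 'ept'
}

# ksm_cpu_ok [FILE] : prints a verdict; returns 0 only if both features are listed
ksm_cpu_ok() {
    f="${1:-/proc/cpuinfo}"
    if has_vmx "$f" && has_ept "$f"; then
        echo "ok: VT-x and EPT present in $f"
        return 0
    fi
    vmx_state=$(has_vmx "$f" && echo yes || echo no)
    ept_state=$(has_ept "$f" && echo yes || echo no)
    echo "missing: VT-x=$vmx_state EPT=$ept_state in $f"
    return 1
}

# Constructed sample inputs (not real machine output), kept in temp files so
# the functions take a path just as they would for /proc/cpuinfo.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep vmx smx est
vmx flags   : vnmi preemption_timer invvpid ept_x_only ept_ad flexpriority vtpr mtf vapic ept vpid unrestricted_guest
EOF

SAMPLE_NO_VMX=$(mktemp)
cat > "$SAMPLE_NO_VMX" <<'EOF'
processor   : 0
vendor_id   : AuthenticAMD
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep svm npt
EOF

# With no argument, exercise the constructed samples; pass a path
# (e.g. /proc/cpuinfo) to check a live host.
if [ "$#" -eq 0 ]; then
    ksm_cpu_ok "$SAMPLE_OK"
    ksm_cpu_ok "$SAMPLE_NO_VMX" || true
else
    ksm_cpu_ok "$1"
fi
```

A listed flag shows CPU capability, not that virtualization is actually enabled; older kernels listed `vmx` even when firmware had disabled it, so the firmware setting still needs to be confirmed separately. The script does not attempt to detect VMFUNC, which `/proc/cpuinfo` does not reliably expose.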
KSM is also cross-platform: it builds and runs on both Linux and Windows, with MacOS support coming “by 2017,” although there’s no explicit timeline yet.
One timely application for KSM would be to use it in conjunction with a container engine to provide selective levels of additional protection to the host. Conventional wisdom has held that hypervisor technology is more or less doomed to be eclipsed by container technology, but the two are better thought of as complements rather than competitors.
There’s already been a lot of work merging hypervisor technology with container runtimes—Intel’s Clear Containers, for instance, or Canonical’s LXD. KSM is a more modest project, which is intended to be used as raw material or a component in a larger project. An enterprising experimenter with containers could, for instance, use it to create a miniature implementation of the above ideas—“just enough” to add hypervisor security to an already small-scale container project.