OSS Virtualization Projects


ITL QubesOS

“… is a security-focused desktop operating system that aims to provide security through isolation. Virtualization is performed by Xen, and user environments are based on Fedora.”

Bromium µ-Xen

micro-virtualization, Type-2 hypervisor, VM fast fork with copy-on-write memory/disk, deprivileged Windows host, display compositing, seamless user experience

Xen Servers

AIS Virtualization

  • Bareflank hypervisor toolkit, USA

    lightweight hypervisor SDK written in C++ with support for Windows, Linux and UEFI … rapidly prototype and create new hypervisors … MIT license

  • Redfield desktop client, USA

    Virtualized multi-domain graphical client based on OpenEmbedded and Xen

QEMU/KVM

  • IBM Solo5 sandbox · unikernel monitors (2016) · unikernels as processes (2018) · FOSDEM (2019)

    “sandboxed execution environment … re-defines the interface between the process and its host operating system or hypervisor … make it easy to implement new targets, targeting a variety of different sandboxing technologies (e.g. hardware virtualization, Linux seccomp, Intel SGX), host operating systems and hypervisors.”

  • Amazon Firecracker · Nitro SR-IOV, Germany, USA
  • Google CrosVM, USA
  • rust-vmm: FOSDEM (2019) · article (2019)

    “… Amazon, Google, Intel, and Red Hat employees started talking about the best way of sharing virtualization packages … two VMMs written in Rust under active development and growing interest in building other specialized VMMs … shared-effort, shared-ownership … crosvm, Kata Containers, and Firecracker teams … [Rust] memory management guarantees simplify the task of security hardening, while its roots as a system programming language ensure C-like performance.”

Kata Containers

VM isolation of performant containers, based on Intel Clear Containers and Hyper runV

Intel ACRN

flexible, lightweight reference hypervisor, built with real-time and safety-criticality in mind, optimized to streamline embedded development … BSD license

Intel NEMU

based on QEMU … retain the absolute minimal subset … vfio … live migration, vhost-user … build-time configurable device hotplug support for PCI, memory, NVDIMM and CPU … emulate a small subset of features including PCI host bridge … supports x86-64 and AArch64

L4

“… is a family of second-generation microkernels, generally used to implement Unix-like operating systems, but also used in a variety of other systems … L4 is widely deployed. One variant, OKL4 from Open Kernel Labs, shipped in billions of mobile devices”

Muen

“microkernel that has been formally proven to contain no runtime errors at the source code level … high-assurance systems on the Intel x86/64 platform” … 32/64-bit Linux, 32-bit Windows, VT-d passthrough, Ada/SPARK … GPLv3 license

OSS Virtual Appliances for Xen


Linux

  • Alpine Linux, Europe

    Read-only dom0, boot from USB/SD, router/firewall use cases, musl C library, PaX

  • Rob Landley, Aboriginal Linux, USA

    Shell script that builds the smallest/simplest linux system capable of rebuilding itself from source code. This currently requires seven packages: linux, busybox, uClibc, binutils, gcc, make, and bash.

  • Patrick Schleizer, Whonix, Germany

    … desktop operating system designed for advanced security and privacy … mitigates the threat of common attack vectors while maintaining usability … anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network.

BSD

  • Netgate pfSense network appliance, USA

    “network firewall distribution … same functionality … of common commercial firewalls … includes a web interface for the configuration of all included components” … SPI, NAT, DNS, DHCP, IPsec/OpenVPN, VLAN, IDS/IPS

  • Open vSwitch SDN appliance, USA

    “based on Stanford’s OpenFlow project … multilayer virtual switch supports flows, VLANs, trunking, port aggregation … network automation through programmatic extension”

  • iXsystems FreeNAS storage appliance, USA

    includes web interface, NFS, iSCSI, SMB, WebDAV, ZFS … “an enterprise-ready open source file system, RAID controller, and volume manager with unprecedented flexibility and an uncompromising commitment to data integrity”

  • OpenBSD OS (5.9+ enables PVHVM), Canada

Unikernels

Single-purpose appliances, build-time specialised into standalone kernels, and sealed against modification after deployment.

Packer

Immutable infrastructure via declarative customization of VM images for QEMU, VirtualBox, Docker, VMware, Hyper-V, CloudStack, AWS, Azure and GCE. Can be extended to other virtualization platforms via plugins.
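As an added example of the declarative, build-time customization described above (this is not code from the page or from HashiCorp), the Packer HCL2 template below takes a pinned cloud image, seeds cloud-init from a generated "cidata" volume so that no interactive boot_command is needed, applies SSH hardening inside the build VM, strips the build-only key, and emits a SHA-256 checksum of the result. Any change to the image is made by editing this file and rebuilding, never by touching a running VM. The image URL, checksum, key paths and account name are placeholders.

```hcl
# Added example: Packer template for an immutable, hardened qcow2 image
# built with the QEMU builder. Placeholders are marked; nothing here is
# the project's own code.

packer {
  required_plugins {
    qemu = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/qemu"
    }
  }
}

variable "image_url" {
  type    = string
  default = "https://example.invalid/base-cloud-image.qcow2" # placeholder
}

variable "image_checksum" {
  type    = string
  # placeholder: pin the exact upstream image; a mismatch aborts the build
  default = "sha256:<upstream sha256>"
}

source "qemu" "hardened" {
  iso_url          = var.image_url
  iso_checksum     = var.image_checksum
  disk_image       = true   # input is a bootable disk, not an installer ISO
  format           = "qcow2"
  accelerator      = "kvm"
  cpus             = 2
  memory           = 1024
  headless         = true
  output_directory = "output-hardened"
  vm_name          = "hardened.qcow2"

  # NoCloud seed: cloud-init reads meta-data/user-data from a "cidata" volume.
  cd_label = "cidata"
  cd_content = {
    "meta-data" = "instance-id: packer-build\n"
    "user-data" = <<-EOT
      #cloud-config
      users:
        - name: packer
          sudo: ALL=(ALL) NOPASSWD:ALL
          ssh_authorized_keys:
            - ${file("build-key.pub")}   # placeholder: build-time key only
      EOT
  }

  ssh_username              = "packer"
  ssh_private_key_file      = "build-key"  # placeholder path
  ssh_clear_authorized_keys = true         # strip the build key before shutdown
  ssh_timeout               = "15m"
  shutdown_command          = "sudo poweroff"
}

build {
  sources = ["source.qemu.hardened"]

  provisioner "shell" {
    inline = [
      # Harden at build time so every deployed instance starts hardened.
      "sudo sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config",
      "sudo sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config",
      # Reset cloud-init so first boot runs against the deployment datasource,
      # not the build seed baked in above.
      "sudo cloud-init clean --logs",
    ]
  }

  # Record the artifact hash so deployments can verify they run the image
  # that was built, not one modified afterwards.
  post-processor "checksum" {
    checksum_types = ["sha256"]
    output         = "output-hardened/{{.BuildName}}_{{.ChecksumType}}.checksum"
  }
}
```

Run with `packer init .` followed by `packer build .`. The build-only account is not deleted in the provisioner because the SSH session runs as that user; clearing its key and disabling password login leaves no usable credential in the shipped image.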

Vagrant

Used to “create and configure lightweight, reproducible, and portable development environments”. It can be considered a wrapper around VirtualBox, VMware, Docker, AWS and libvirt providers.

Hardware


Purism

Intel vPro laptops with coreboot firmware, hardware kill switches for sensors, optimized for Linux, Heads and QubesOS

PC Engines

Low-power x86 devices with coreboot firmware, embedded AMD CPU, IOMMU, DRTM, optional TPM 2.0, multiple Intel NICs, mPCIe expansion and multi-year commercial availability

ODroid

low-cost single-board computer … ARM 64-bit Cortex-A53 quad-core Amlogic CPU with virtualization extensions, Mali GPU, 2GB RAM, gigabit ethernet, HDMI 2.0 and USB 2.0

Open Compute Project

customer-led, open hardware and firmware designs for hyperscale servers, storage, networking and silicon … contributors include Facebook, Google, IBM, Intel and Microsoft

Research Prototypes


KSM

“… fast, hackable and simple x64 VT-x hypervisor for Windows and Linux. Builtin userspace sandbox and introspection engine … supports nesting (VT-x emulation)” … offense/defense

Cappsule

“x86-64 Linux hypervisor … virtualize any software on the fly (e.g. web browser, office suite, media player) into lightweight VMs called cappsules. Attacks are confined inside cappsules and therefore don’t have any impact on the host OS. Applications don’t need to be repackaged, and their usage remains the same for the end user”

OpenXCI

“… is a Xen-based desktop hypervisor. Unlike other desktop hypervisors, it is not targeted at businesses wanting remote provisioning, but rather at individuals who want a high-performance alternative to dual/multi-booting.”

Ethos OS

“… provides stronger security services which are more resistant to attack and abstractions which are less prone to abuse by attackers. As an example of the former, all networking in Ethos is encrypted, authenticated, and authorized. As an example of the latter, Ethos I/O is typed (as in programming languages) ensuring that I/O conforms to declared types and thus preventing many attacks based on ill-formed input.”

Commercial Products


Client

Server

Embedded

Guards

Acquired or Retired

Year  Company                     Acquirer           Location              Description
2018  Parallels                   Corel              Canada, Russia, USA   Type-2 virtualization
2018  Cylance                     BlackBerry         Canada, USA           Endpoint app ML/AI profiling
2018  CoreOS                      Red Hat, IBM       USA                   Enterprise container mgmt
2018  Skyport Systems             Cisco              USA                   Hybrid cloud remote attestation
2017  SimpliVity                  HPE                USA                   Hyper-converged infrastructure
2016  Ravello                     Oracle             Israel, USA           Nested virt for cloud migration
2015  Annapurna Labs              Amazon             Israel, USA           Datacenter silicon
2015  Moka5                       (retired)          USA                   Type-2 endpoint mgmt
2014  PrivateCore                 Facebook           USA                   Memory encryption, SGX
2012  OK Labs                     General Dynamics   Australia, USA        Microkernel hypervisor
2012  Virtuata                    Cisco              USA                   VM introspection
2012  DynamicOps                  VMware             UK, USA               Self-service VM orchestration
2011  Virtual Computer            Citrix             USA                   Type-1 endpoint mgmt
2010  Trusted Computer Solutions  Raytheon           USA                   Cross-domain thin clients
2010  Neocleus                    Intel              Israel, USA           Endpoint OSS virtualization
2009  Virtual Iron                Oracle             USA                   Virtualization management
2008  Innotek                     Sun, Oracle        Germany, USA          Type-2 OSS virtualization (VirtualBox)
2007  XenSource                   Citrix             USA                   Type-1 OSS virtualization (Xen)