Introducing the Hedron Hypervisor

November 13 2020

by Julian Stecklina

At Cyberus Technology we work on a fast, flexible and secure compute environment. Our innovative virtualization stack is an integral part of this strategy. The foundation of this stack is the open-source Hedron Hypervisor. Hedron already drives our malware analysis platform Tycho and will soon be at the heart of a high-security workstation solution.

This blog post introduces the Hedron Hypervisor and philosophy around it.

Reliable Virtualization with Hedron

We believe that quality comes from strong foundations, such as a rigorous engineering process all the way down to the hardware and operating system. At Cyberus Technology, we choose Hedron as the basis for the virtualization products we want to build. Hedron is a hypervisor that applies the microkernel principles to virtualization, a microhypervisor.

The Hedron microhypervisor in a complete example application stack
The Hedron microhypervisor in a complete example application stack

Being a microhypervisor, Hedron runs no emulation code, device drivers or file system implementations in the most privileged processor mode. It lets userspace do the heavy lifting. This is unusual compared to traditional virtualization solutions, such as KVM and Xen, that do quite a lot in the kernel.

Letting userspace do the hard parts directly relates to the properties we aspire to in our products: Software engineers operate in a friendly environment without sharp edges and with safety nets that prevent issues. Userspace code is easier to sandbox, so potential vulnerabilities have little impact.

Hedron has to do some things though. The privileged CPU instructions that are required to operate hardware virtualization features need to execute in the hypervisor. Hedron also handles creating address spaces, threads, scheduling and communication between threads. You can think of Hedron as a thin layer over the isolation and security features of the processor. If you want to get a feeling of how thin this layer is, the hypervisor consists of roughly 12 KLOC. So its complete codebase is roughly the size of this single C source file.

That being said, we are not religious about avoiding lines of code. We find hard-to-decipher code or hard-to-use interfaces as unacceptable as anyone. If including a couple of lines of code improves the whole system design, we are glad to include them in Hedron. In the end, it’s all about modularity and having the hypervisor do one thing, do it well and not cause a cascade of complexity in components that depend on it.

Taking Research to Production

You will be hard pressed to find an exciting new operating system project that does not incorporate microkernel ideas. Take Google’s re-imagining of smartphone operating systems, Fuchsia, Apple relying on L4 in its Secure Enclave, or Genode’s Sculpt OS. So we are certainly not the first ones to apply the microkernel principles to virtualization and we couldn’t have developed Hedron from scratch. It is the result of more than a decade of work.

Hedron has its roots in the NOVA project, initially developed by Udo Steinberg at the TU Dresden Operating Systems Group, Intel Labs, and FireEye. The last common commit between NOVA and Hedron code dates from 2015. Hedron has since seen steady improvements to move it from research project to production-ready.

We believe that kernel code should be held to the same engineering standards as any other code. So we worked hard on making the code easier to maintain and understand by documenting, simplifying, and increasing test coverage of kernel subsystems. We have invested in new features, security improvements, and have also included several useful improvements from the NOVA patchset of Genode Labs.

Hedron, as it stands today, is a microhypervisor for 64-bit Intel CPUs that supports state-of-the-art hardware virtualization features on modern UEFI systems.

We Ship Hedron

Hedron already ships in our Tycho Malware Analysis solution. We use Hedron in Tycho to create lightweight passthrough virtual machines with virtual machine introspection (VMI) capabilities. More details about Tycho’s VMI capabilities can be found in previous blog posts where use Tycho to find advanced malware, analyze TCP connections, defeat malware packers, and more.

We are currently in the final phases of putting together our next product using Hedron and we are excited to share details here soon.

Share this article: