ZeroVM

ZeroVM is an open source light-weight virtualization and sandboxing technology. It virtualizes a single process using the Google Native Client platform. Since only a single process is virtualized (instead of a full operating system), the startup overhead is in the order of 5 ms.

Sandboxing

ZeroVM creates a sandbox around a single process, using technology based on Google Native Client (NaCl). The sandbox ensures that the application executed cannot access data in the host operating system, so it is safe to execute untrusted code. The programs executed in ZeroVM must first be cross-compiled to the NaCl platform. ZeroVM can only execute NaCl code compiled for the x86-64 platform, not the portable Native Client (PNaCl) format.

Code executed in ZeroVM cannot call normal system calls and initially cannot interact with the host environment. All communication with the outside world takes place over channels, which must be declared before the program starts. Outside the sandbox, a channel can be connected to a local file, to a pipe, or to another ZeroVM instance. Inside the sandbox, the program sees the channel as a file descriptor. The sandboxed program can read/write data from/to the channel, but does not know where the channel is connected in the host.