At a conceptual level, hardware-assisted virtualization is built from the following layers:

  • The CPU must support hardware virtualization extensions (Intel VT-x, AMD-V)
  • A kernel-side component that programs those extensions: on Linux this is KVM (Kernel-based Virtual Machine)
  • A user-space virtual machine monitor (VMM) such as QEMU or Firecracker, which allocates guest memory, creates vCPUs and emulates devices
  • Guest kernels (Linux, Windows) running inside the VM
  • Guest processes, which run on the guest kernel and never talk to the host kernel directly

With this approach, the processes that run on the host kernel (Process 1 and 2) are isolated from the guest processes: a guest process is confined by the guest kernel, the guest kernel by the hardware extensions and KVM, and the VMM by ordinary host process isolation. Hardware flaws such as the Meltdown attack and Rowhammer have shown that in practice this isolation can be broken, because it ultimately rests on the CPU and memory behaving as specified.

Kernel-Based Virtual Machine

KVM is the Linux kernel's native hypervisor for hardware that supports virtualization extensions such as Intel VT-x or AMD-V (it started on x86; ports for other architectures exist). The kernel modules are organized in two parts:

  • kvm.ko is the core, vendor-independent module that exposes /dev/kvm
  • vendor-specific modules are separate: kvm-intel.ko drives VT-x and kvm-amd.ko drives AMD-V

With KVM, the Linux kernel acts as the hypervisor: each guest vCPU runs as a thread of an ordinary host process (the VMM), guest memory is part of that process's address space, and the VMM handles whatever the hardware cannot run natively. Paravirtualized drivers such as Virtio provide efficient I/O virtualization on top of this.

TUN and TAP Devices

TUN/TAP devices are virtual network interfaces used in Linux to carry network traffic between a virtualized environment (a VM or container) and the host. One end is an ordinary interface as far as the host kernel is concerned; the other end is a file descriptor held by a user-space program (a VMM or a VPN daemon), obtained by opening /dev/net/tun and issuing the TUNSETIFF ioctl. Whatever the host sends to the interface can be read from that descriptor, and whatever is written to it enters the host stack, which makes it easy to route and manipulate traffic in and out of virtual environments:

  • TUN (network TUNnel) devices are point-to-point virtual interfaces that operate at the IP layer (Layer 3). The user-space side reads and writes raw IP packets with no Ethernet header, so the program works with IP addresses directly. TUN devices are commonly used to build VPNs, where a daemon encrypts the IP packets it reads and forwards them over a real interface.
  • TAP (network TAP) devices work at the Ethernet layer (Layer 2). The user-space side reads and writes whole Ethernet frames, so ARP, DHCP and non-IP protocols pass through unchanged. A TAP device is not itself a bridge, but it is typically attached to one: bridging the TAP into the host network makes a VM or container appear as if it were connected to the same physical LAN as the host, which is how QEMU and Firecracker connect a guest's virtual NIC.

Firecracker

Firecracker is a purpose-built virtual machine monitor (VMM), written in Rust and developed by AWS to run microVMs for serverless and container workloads such as AWS Lambda and AWS Fargate. Designed for high-density, multitenant hosts, it is optimized for a minimal memory footprint and fast startup (the project quotes boot times of around 125 ms), which makes it suitable for environments where low latency and resource efficiency are essential.

Firecracker combines KVM-based isolation, seccomp filters and cgroups to maintain a secure multitenant environment. KVM provides the hardware-enforced boundary between guest and host, while the seccomp filter allowlists the small set of system calls the VMM process needs, so a compromised VMM has little of the host kernel's attack surface left to reach. Firecracker also ships a separate jailer binary that starts each microVM process in its own chroot, namespaces and cgroup and drops it to an unprivileged user, which restricts what a microVM can see of host files and devices even if the VMM itself is subverted.

It exposes an HTTP API, served on a Unix domain socket, that supports launching, querying, configuring and stopping microVMs without manual steps. This API-driven management suits dynamic environments such as CI/CD pipelines and edge computing, where microVMs are created, monitored and terminated at scale. Guest devices are Virtio devices: network interfaces are backed by TAP devices on the host, block devices are backed by files on the host, and logs and metrics are written to host paths that can be regular files or named pipes.
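The API-driven flow described above, as an added example in C rather than the curl calls Firecracker's documentation uses (this is not Firecracker's own code): it speaks plain HTTP/1.1 over the API Unix socket, configures the boot source, the root drive and a TAP-backed network interface, then sends InstanceStart. The socket path, kernel and rootfs paths, guest MAC and tap name are assumptions; the endpoints and JSON field names are those of the Firecracker API.

```c
/* Configure and start a Firecracker microVM over its API socket. Added
 * example, not Firecracker's code. Assumes Firecracker was launched with
 *   firecracker --api-sock /tmp/firecracker.sock
 * and that /srv/vm/vmlinux, /srv/vm/rootfs.ext4 and a TAP device tap0 exist.
 * Build: gcc -o fc-boot fc-boot.c */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define FC_SOCK "/tmp/firecracker.sock"   /* assumed --api-sock path */

/* Format one request. Every configuration call is a PUT with a JSON body.
 * Returns the number of bytes written to out (snprintf semantics). */
int fc_format_request(char *out, size_t outlen, const char *method,
                      const char *path, const char *json)
{
    return snprintf(out, outlen,
                    "%s %s HTTP/1.1\r\n"
                    "Host: localhost\r\n"
                    "Accept: application/json\r\n"
                    "Content-Type: application/json\r\n"
                    "Content-Length: %zu\r\n"
                    "\r\n"
                    "%s",
                    method, path, strlen(json), json);
}

/* "HTTP/1.1 204 No Content" -> 204; -1 if this is not an HTTP status line. */
int fc_status_code(const char *response)
{
    int code;
    if (sscanf(response, "HTTP/1.%*d %d", &code) != 1) return -1;
    return code;
}

/* Send one request and return the HTTP status: Firecracker answers 204 on
 * success and 400 with a JSON fault_message on error. -1 on socket failure. */
int fc_request(const char *sock_path, const char *method,
               const char *path, const char *json)
{
    char req[4096], resp[4096];
    int n = fc_format_request(req, sizeof req, method, path, json);
    if (n < 0 || (size_t)n >= sizeof req) return -1;

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s", sock_path);
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    if (write(fd, req, (size_t)n) != n) { close(fd); return -1; }
    ssize_t r = read(fd, resp, sizeof resp - 1);
    close(fd);
    if (r <= 0) return -1;
    resp[r] = '\0';
    int status = fc_status_code(resp);
    if (status != 204) fprintf(stderr, "%s %s ->\n%s\n", method, path, resp);
    return status;
}

int main(void)
{
    /* Order matters: everything must be configured before InstanceStart. */
    static const struct { const char *path, *json; } steps[] = {
        { "/boot-source",
          "{\"kernel_image_path\": \"/srv/vm/vmlinux\", "
          "\"boot_args\": \"console=ttyS0 reboot=k panic=1 pci=off\"}" },
        { "/drives/rootfs",
          "{\"drive_id\": \"rootfs\", \"path_on_host\": \"/srv/vm/rootfs.ext4\", "
          "\"is_root_device\": true, \"is_read_only\": false}" },
        { "/network-interfaces/eth0",   /* host_dev_name: a TAP created beforehand */
          "{\"iface_id\": \"eth0\", \"guest_mac\": \"AA:FC:00:00:00:01\", "
          "\"host_dev_name\": \"tap0\"}" },
        { "/actions", "{\"action_type\": \"InstanceStart\"}" },
    };
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        int st = fc_request(FC_SOCK, "PUT", steps[i].path, steps[i].json);
        if (st != 204) {
            fprintf(stderr, "PUT %s failed (status %d)\n", steps[i].path, st);
            return 1;
        }
    }
    puts("microVM started");
    return 0;
}
```

The client treats anything but 204 as failure and prints Firecracker's response body, which carries the fault_message explaining what was rejected. Pre-boot configuration calls such as PUT /boot-source are refused once InstanceStart has been sent, so the order of the steps array is not cosmetic.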