last updated: 2026-05-19 00:47:28 -0700 commit: 0d53240 finished virtines paper
Virtines
Nathaniel Chappelle
2026-05-18
Virtines
A programming abstraction for isolating individual functions using hardware virtualization, developed by Wanninger et al. (2022).
Three components:
- Toolchain-generated binary (the isolated function + minimal runtime)
- Wasp: embeddable micro-hypervisor that mediates all host access
- Virtine client: host program that specifies isolation policies and drives Wasp

Key properties:
- Synchronous from the caller's perspective
  - Looks like a normal function call
- Default-deny: no host access unless explicitly permitted via hypercall policy
- No shared address space with the host or other virtines (EPT enforces this at the hardware level)
- Arguments and return values are marshalled automatically (compiler extensions) or manually (raw Wasp API)

Execution environment:
- Kernel-mode only, minimal
- No scheduler, no virtual memory, no filesystem by default
- Two prebuilt options: bare (Wasp API) or POSIX-like libc (C extensions)
- Typically ~16KB image size
- Can run in real, protected, or long mode
  - Real mode is cheapest if feasible

Optimizations:
- Shell caching: reuse pre-allocated VM contexts, avoiding KVM_CREATE_VM overhead
- Snapshotting: save post-init state, skip boot on subsequent calls

Tradeoffs:
- Overhead amortizes at ~100μs of work; snapshotting pushes this ~10× lower
- Image load is memory-bandwidth-bound past ~2MB
- Call graph cut is currently manual
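To make the default-deny policy, the mediation role of Wasp, and the snapshot reuse concrete, here is an added Python model of those three ideas. It is an illustration written for these notes, not the Wasp API or any code from the paper: `Policy`, `Mediator`, `VirtineRunner` and the host handlers are all constructed names, and the "boot" is a counter standing in for real VM initialization.

```python
# Model of a virtine client's default-deny hypercall policy, a mediator standing
# in for Wasp, and a post-init snapshot reused across calls (added illustration).
from copy import deepcopy
from dataclasses import dataclass, field

class HypercallDenied(PermissionError):
    """The virtine asked for host access the client's policy never granted."""

# Host-side handlers the mediator may run on the virtine's behalf (constructed).
HOST_HANDLERS = {"write_stdout": lambda data: len(data),
                 "open_file": lambda path: f"fd:{path}"}

@dataclass(frozen=True)
class Policy:
    """Client-specified policy: a hypercall is allowed only if listed."""
    allowed: frozenset = frozenset()

@dataclass
class Mediator:
    """Stands in for Wasp: every host access must pass through here."""
    policy: Policy
    audit: list = field(default_factory=list)
    def hypercall(self, name, *args):
        if name not in self.policy.allowed:        # default deny
            self.audit.append(("deny", name))
            raise HypercallDenied(name)
        self.audit.append(("allow", name))
        return HOST_HANDLERS[name](*args)

def boot_image():
    """Expensive boot/init work that snapshotting lets us skip; counts boots."""
    boot_image.count += 1
    return {"heap": bytearray(16)}
boot_image.count = 0

class VirtineRunner:
    """Boots once, then hands each call a private copy of the saved state."""
    def __init__(self, mediator):
        self.mediator = mediator
        self.snapshot = boot_image()
    def call(self, fn, *args):
        state = deepcopy(self.snapshot)            # no memory shared across calls
        return fn(state, self.mediator, *args)

def checksum_function(state, wasp, data):
    """Isolated function needing stdout only; result lives in its own heap."""
    state["heap"][0] = sum(data) % 251
    wasp.hypercall("write_stdout", bytes(state["heap"][:1]))
    return state["heap"][0]
```

Any function that requests a hypercall outside the client's allowlist (for instance `open_file`) is rejected and recorded in the audit list, while repeated calls reuse the one boot and never see each other's heap.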
References
Wanninger, Nicholas C., Joshua J. Bowden, Kirtankumar Shetty, Ayush Garg, and Kyle C. Hale. 2022. "Isolating Functions at the Hardware Limit with Virtines." Proceedings of the Seventeenth European Conference on Computer Systems, EuroSys '22, March 2022, 644–62. https://doi.org/10.1145/3492321.3519553.