SideKernel Is Now Being Built Inside Itself
The SideKernel sandbox boots its own microVM, forwards its own ports, and starts hosting the work that builds it
Originally published in Minoan Security’s Blog
SideKernel now has a working CLI that boots a microVM on top of a stripped-down Kata Containers Linux kernel. So I'm now continuing development inside it, which also helps me hit obstacles and fix them as I go.
More excitingly, Porter (minoansecurity/porter) is now integrated into SideKernel. It detects newly opened ports inside the sandbox and automatically forwards them to the host, so they just show up on localhost!
Porter is a dependency-free Rust crate that detects open ports on macOS and Linux machines. SideKernel needed a crate for port detection inside the microVM sandbox, so that ports get automatically exposed to the host and the experience stays as transparent as possible for the end user. It had to be embeddable in Rust applications and dependency-free for a reduced attack surface.
The VMM orchestration is all written in Swift, but all other system components are being written in Rust.
For example, a Rust PID-1 agent in the initramfs is the VM’s first process: it mounts the root filesystem, then runs a vsock server that the host drives to exec commands, allocate PTYs, and stream stdio. It’s also what detects and forwards new ports.
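As an added illustration of the port-detection step described above (this is example code, not Porter's or SideKernel's own, and the page does not say how Porter actually detects ports), here is one dependency-free technique a Linux agent could use: snapshot the LISTEN entries of /proc/net/tcp and /proc/net/tcp6 and diff successive snapshots to find ports that need forwarding. The sample table is constructed.

```rust
// Added example (not Porter's code): one dependency-free way to spot newly
// opened listening TCP ports on Linux, by parsing /proc/net/tcp{,6}.
use std::collections::BTreeSet;
use std::fs;

/// Kernel state code for TCP_LISTEN in the "st" column of /proc/net/tcp.
const TCP_LISTEN: &str = "0A";

/// Constructed sample in /proc/net/tcp format: 127.0.0.1:8080 is LISTEN (0A),
/// 127.0.0.1:48192 is an ESTABLISHED client socket (01) and must be ignored.
pub const SAMPLE: &str = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1
   1: 0100007F:BC40 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1
";

/// Return the local ports in LISTEN state from the text of /proc/net/tcp or tcp6.
pub fn listening_ports(table: &str) -> BTreeSet<u16> {
    let mut ports = BTreeSet::new();
    for line in table.lines().skip(1) {            // skip the header row
        let mut f = line.split_whitespace();
        // Columns: sl, local_address, rem_address, st, ...; malformed rows are
        // skipped rather than panicking, since this would run as PID 1.
        let (Some(_), Some(local), Some(_), Some(state)) =
            (f.next(), f.next(), f.next(), f.next()) else { continue };
        if state != TCP_LISTEN { continue; }
        // local_address is "<hex ip>:<hex port>"; the IPv6 form has a 32-char ip.
        let Some((_, port_hex)) = local.rsplit_once(':') else { continue };
        if let Ok(port) = u16::from_str_radix(port_hex, 16) {
            ports.insert(port);
        }
    }
    ports
}

/// Ports listening now that were not listening before: candidates to forward.
pub fn newly_opened(before: &BTreeSet<u16>, now: &BTreeSet<u16>) -> Vec<u16> {
    now.difference(before).copied().collect()
}

/// Snapshot the live kernel tables (IPv4 and IPv6); unreadable files count as empty.
pub fn snapshot_live() -> BTreeSet<u16> {
    ["/proc/net/tcp", "/proc/net/tcp6"].iter()
        .filter_map(|p| fs::read_to_string(p).ok())
        .flat_map(|t| listening_ports(&t))
        .collect()
}

fn main() {
    let before = BTreeSet::new();                  // nothing was listening yet
    for port in newly_opened(&before, &listening_ports(SAMPLE)) {
        println!("new listener on port {port}: forward it to the host");
    }
}
```

A real agent would poll `snapshot_live()` on a timer (or react to inotify/netlink events) and keep the previous snapshot as `before`; closed ports show up as the reverse difference and can be un-forwarded the same way.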
Finally, a virtioFS mount maps the host’s working directory into the sandbox, so changes flow bidirectionally between host and VM, which makes file-sharing easy.
I’m aspiring to keep the whole software zero- or low-dependency, to keep the attack surface low and the supply chain minimal.
Way more exciting feature updates are coming in the next weeks, and I think they are features that no other sandbox on the market has implemented and that users need.