AWS Boosts Serverless Security With Firecracker MicroVMs

Amazon Web Services open-sources its new Firecracker lightweight hypervisor technology based on KVM, in an effort to help improve serverless security and performance.

AWS Firecracker

Amazon Web Services is looking to further accelerate the adoption of serverless computing with the announcement on Nov. 26 at its re:Invent conference of its new open-source Firecracker lightweight virtualization technology.

There has long been a debate about whether or not it is necessary to run containers within an additional layer of isolation, provided nominally by some form of hypervisor. When it comes to serverless technology, which is essentially an event-driven function running inside of a container, AWS had been isolating its Lambda serverless service within dedicated EC2 virtual instances. The new Firecracker technology provides a different approach, with a lightweight micro-hypervisor that isolates microservices and serverless functions with less performance overhead and improved security.

"Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services that provide serverless operational models," the GitHub project page for Firecracker states. "Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers."

AWS Lambda itself was launched at the re:Invent 2014 conference and was the catalyst that ignited the whole serverless movement. In 2017, AWS launched the AWS Fargate service, providing a new model for deploying application containers in a serverless manner.

A normal Docker container benefits from several types of isolation provided by the underlying operating system, which is typically Linux. The challenge has been that in large multitenant environments like the cloud, the core isolation that containers provide is not sufficient, which is why AWS and other large users of containers have embraced different models of hypervisor technology to provide an additional layer of isolation.

A full hypervisor, like KVM or Xen, includes an operating system and can have an impact on both performance and storage requirements. In contrast, AWS claims that Firecracker uses only 5MB of memory per Micro-Virtual Machine (MicroVM). While Firecracker itself is not a full virtual machine, it does make use of the open-source KVM hypervisor to create and manage microVMs. Firecracker is also a high-performance technology written in the open-source Rust programming language, whose memory- and type-safety features help improve security.

The challenge with running containers on a host operating system is that an attacker could potentially get unauthorized access to system resources. With Firecracker, AWS Chief Evangelist Jeff Barr blogged, comes a simple guest model that reduces the attack surface.

"Firecracker guests are presented with a very simple virtualized device model in order to minimize the attack surface: a network device, a block I/O device, a Programmable Interval Timer, the KVM clock, a serial console, and a partial keyboard (just enough to allow the VM to be reset)," Barr wrote.

While AWS only publicly announced Firecracker on Nov. 26, the technology is already being used to secure the AWS Lambda and Fargate services.

Firecracker is not the first open-source effort to bring a lightweight hypervisor model to improve container isolation. Ubuntu Linux announced the LXD project back in November 2014 as a lightweight hypervisor to improve container security and deployment density.

In December 2017, the OpenStack Foundation announced the Kata Containers project, which has its roots in Intel's Clear Containers effort. In May 2018, Google announced its gVisor sandboxed container isolation effort, which also provides similar capabilities for improved virtualization security.

Currently, Firecracker only supports Intel CPUs, though the public roadmap has support for both AMD and ARM CPUs listed as future deliverables.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.