From Bauman National Library
This page was last modified on 22 December 2016, at 23:46.

Authors Camuel Gilyadov, Constantine Peresypkin & Dmitri Bortok
Licence Apache License 2.0
Web site
Status Active

ZeroVM is an opensource light-weight virtualization and sandboxing technology. It virtualizes a single process using the Google Native Client platform. Since only a single process is virtualized (instead of a full operating system), the startup overhead is in the order of 5 ms.[1]


ZeroVM creates a sandbox around a single process, [2] using technology based on Google Native Client (NaCl). The sandbox ensures that the application executed cannot access data in the host operating system, so it is safe to execute untrusted code. The programs executed in ZeroVM must first be cross-compiled to the NaCl platform. ZeroVM can only execute NaCl code compiled for the x86-64 platform, not the portable Native Client (PNaCl) format.

Code executed in ZeroVM cannot call normal system calls and initially cannot interact with the host environment. All communication with the outside world takes place over channels, which must be declared before the program starts. Outside the sandbox, a channel can be connected to a local file, to a pipe, or to another ZeroVM instance. [3] Inside the sandbox, the program sees the channel as a file descriptor. The sandboxed program can read/write data from/to the channel, but does not know where the channel is connected in the host.

Programs compiled for ZeroVM can optionally use the ZeroVM Runtime library called ZRT. This library aims to provide the program with a POSIX environment.[4] It does this by replacing parts of the C standard library. In particular, ZRT replaces C file input/output functions such as fopen and opendir with versions that operate on an in-memory filesystem. The root filesystem is provided as a tarball. This allows a program to "see" a normal Unix environment.

The ZRT also replaces C date and time functions such as time to give programs a fixed and deterministic environment. With fixed inputs, every execution is guaranteed to give the same result. Even non-functional programs become deterministic in this restricted environment.[5] This makes programs easier to debug since their behavior is fixed.

Integration with Swift

ZeroVM has been integrated with Swift, the distributed object storage component of OpenStack.[6] When the ZeroCloud middleware is installed into Swift, a client can make a request to Swift containing a ZeroVM program. The program is then executed directly on the storage nodes. This means that the program has direct access to the data.

Isolation and Security

ZeroVM has two key security components: static binary validation and a limited system call API.

Static binary validation works by ensuring that untrusted code does not execute any unsafe instructions. All jumps must target “the start of 32-byte-aligned blocks, and instructions are not allowed to straddle these blocks”. (See and The big advantage of this is that validation can be performed just once before executing the untrusted program, and no further validation or interpretation is required. All of this is provided by Native Client and is not unique to ZeroVM.

The second security component–a limited syscall API–is a major differentiator between plain NaCl and ZeroVM. In ZeroVM, only six system calls are available:

  • pread
  • pwrite
  • jail
  • unjail
  • fork
  • exit

This minimizes potential attack surfaces and facilitates security audits of the core isolation mechanisms. Compare this to the standard NaCl system calls, of which there are more than 50.

Channels and I/O

All I/O in ZeroVM is modeled through an abstraction called “channels”. Channels act as the communication medium between the host operating system and a ZeroVM instance. On the host side, the channel can be pretty much anything: a file, a pipe, a character device, or a TCP socket. Inside a ZeroVM instance, the all channels look like files.

Channels Restrictions

The most important thing to know about channels is that they must be declared prior to starting a ZeroVM instance. This is no accident, and it bears important security implications. For example: It would be impossible for user code (which is considered to be “untrusted”) to open and write to a socket, unless the socket is declared beforehand. The same goes for files stored on the host; there is no way to read from or write to host files unless the file channels are declared in advance. Channels also have several attributes to further control I/O behavior. Each channel defintion must declare:

  1. number of read operations
  2. number of write operations
  3. total bytes limit for reads
  4. total bytes limit for writes

If channel limits are exceeded at runtime, the ZeroVM trusted code will raise an EDQUOT (Quota exceeded) error.

Channels Definitions

In addition to read/write limits, channel definitions consist of several other attributes. Here is a complete list of channel attributes, including I/O limits:

  1. uri: Definition of a device on the host operating system. This can be a normal file, a TCP socket, a pipe, or a character device.
    For files, pipes, and character devices, the value of the uri is simply a file system path, e.g., /home/me/foo.txt.
    TCP socket definitions have the following format: tcp:<host>:<port>, where <host> is an IP address or hostname and <port> is the TCP port.
  2. alias: A file alias inside ZeroVM which maps to the device specified on the host by uri. Regardless of the host type of the device, everything looks like a file inside a ZeroVM instance. That is, even a socket will appear as a file in the virtual in-memory file system, e.g,/dev/mysocket. Aliases can arbitary definitions.
  3. type: Choose from the following enumeration:
    • 0 (sequential read / sequential write)
    • 1 (random read / sequential write)
    • 2 (sequential read / random write)
    • 3 (random read / random write)
  4. etag: Typically disabled (). When enabled (), record and report a checksum of all of the data which passed through the channel (both read and written).
  5. gets: Limit on the number of read operations for this channel.
  6. get_size: Limit on the total number of bytes which can be read from this channel.
  7. puts: Limit on the number of write operations for this channel.
  8. put_size: Limit on the total number of bytes which can be read from this channel.

Channels limits must be an integer value from 1 to 4294967296 (). If a ZeroVM manifest file (a plain-text file), channels are defined using the following format:

Channel = <uri>,<alias>,<type>,<etag>,<gets>,<get_size>,<puts>,<put_size>

Here are some examples:

Channel = /home/me/python.tar,/dev/1.python.tar,3,0,4096,4096,4096,4096

Channel = /dev/stdout,/dev/stdout,0,0,0,0,1024,1024

Channel = /dev/stdin,/dev/stdin,0,0,1024,1024,0,0

Channel = tcp:,/dev/myserver,3,0,65536,65536,65536,65536

ZeroVM Manifest

A manifest file is the most primitive piece of input which must be provided to ZeroVM. Here is an example manifest:

Version = 20130611
Timeout = 50
Memory = 4294967296,0
Program = /home/me/myapp.nexe
Channel = /dev/stdin,/dev/stdin,0,0,8192,8192,0,0
Channel = /dev/stdout,/dev/stdout,0,0,0,0,8192,8192
Channel = /dev/stderr,/dev/stderr,0,0,0,0,8192,8192
Channel = /home/me/python.tar,/dev/1.python.tar,3,0,8192,8192,8192,8192
Channel = /home/me/nvram.1,/dev/nvram,3,0,8192,8192,8192,8192

The file consists of basic ZeroVM runtime configurations and one or more channels. Required attributes:

  • Version: The manifest format version.
  • Timeout: Maximum life time for a ZeroVM instance (in seconds). If a user program (untrusted code) exceeds the time limit, the ZeroVM executable will return an error.
  • Memory: Contains two 32-bit integer values, separated by a comma. The first value specifies the amount of memory (in bytes) available for the user program, with a maximum of 4294967296 bytes (4 GiB). The second value (0 for disable, 1 for enable) sets memory entity tagging. FIXME: This etag feature is undocumented.
  • Program: Path to the untrusted executable (cross-compiled to NaCl) on the host file system.

Channel Definition Limit

A manifest can define a maximum of 10915 channels.


ZeroVM was developed by LiteStack, an Israeli startup. The first commit in the zerovm Git repository was added in November 2011.[7] LiteStack was bought by Rackspace in October 2013. [1] [8][9] ZeroVM participated in Techstars Cloud 2013 incubator program and got $500,000 in seed funding. [10][11] The first ZeroVM Design Summit was held in January 2014 at the University of Texas at San Antonio. [12]

Процесс установки

Like said here ZeroVM on GitHub you should add ppa repository with "latest" mark on OS Ubuntu 12.04

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:zerovm-ci/zerovm-latest
sudo apt-get update

Installing zerovm-zmq package:

sudo apt-get install zerovm-zmq

Next steps are installing environment for later program's compilation in Eclipse IDE for C/C++ Developers. Following these todos. Install required packages:

sudo apt-get install libc6-dev-i386 libglib2.0-dev pkg-config git \  build-essential automake autoconf libtool g++-multilib texinfo \ flex bison groff gperf texinfo subversion \  zerovm-zmq-dev

Setup Environment Variables:

export ZVM_PREFIX=$HOME/zvm-root
export ZRT_ROOT=$HOME/zrt
export LD_LIBRARY_PATH=/usr/lib64
export CPATH=/usr/x86_64-nacl/include

Clone Things from GitHub:

git clone $ZRT_ROOT
git clone $HOME/zvm-toolchain
cd $HOME/zvm-toolchain/SRC
git clone
git clone
git clone
git clone
git clone

Build Toolchain

cd $HOME/zvm-toolchain
make -j8 ZEROVM=`which zerovm`  # e.g., '/usr/bin/zerovm'

If something goes wrong you will need to delete everything (apart from zerovm and validator) in the $ZVM_PREFIX directory and only then do make clean and make (this is how the gcc toolchain works, sadly).

Example of cleanup procedures:

cd $HOME/zvm-toolchain
make clean
rm -rf *
make install PREFIX=$ZVM_PREFIX

Install Debugger

Debugger prerequisites:

sudo apt-get install flex bison groff libncurses5-dev libexpat1-dev
cd $HOME/zvm-toolchain/SRC
git clone
cd gdb
mkdir BUILD
../configure --program-prefix=x86_64-nacl- --prefix=$ZVM_PREFIX
make -j4
make install

Eclipse CDT installation

  • If your system doesn't have JRE, install a recent JRE.
  • Download Eclipse CDT from the Eclipse download site. No installation necessary, just unpack and run executable.
  • Download and install EGit plugin for Eclipse
  • Point EGit to git:// and pull the most recent ZeroVM sources.
  • Select 'create C/C++ project from makefile" to create a new Eclipse project.
  • Run the makefile to build the project and run unit tests.

If everything is ok you will see output of the unit tests. Now if you've got RUN OK PASSED messages, you have successfully compiled ZeroVM for your platform! You'll find the zerovm executable in the project root directory.

$ cd ~/zerovm
$ ./zerovm

ZeroVM tag1 lightweight VM manager, build 2013-10-08

Usage: <manifest> [-l#] [-v#] [-T#] [-stFPQ]

 -l <gigabytes> file size limit (default 4Gb)

 -s skip validation

 -t <0..2> report to stdout/log/fast (default 0)

 -v <0..3> log verbosity (default 0)

 -F quit right before starting user session

 -P disable channels space preallocation

 -Q disable platform qualification

 -T enable time/call tracing

Installation recorded on video:

External links


Cite error: Invalid <references> tag; parameter "group" is allowed only.

Use <references />, or <references group="..." />
  1. 1.0 1.1