Locking down container security once and for all with Rust-based Edera

This new open-source project built on the Xen hypervisor will bring a new level of security to containers.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
Paul Taylor/Getty Images

One of the ultimate cloud security nightmares is when someone breaks through your container runtime into its underlying operating system. With attacks such as Leaky Vessels, a hacker can wreak havoc on your programs, smash other containerized applications, and grant the attacker root user-level privileges. In short, it's all over for your security. To prevent such attacks, Edera is taking an old program into a new language to provide a memory-safe container runtime. 

Written in Rust, Edera is built on the foundation of the classic open-source type-1, bare-metal Virtual Machine hypervisor, Xen. This hypervisor was selected, as Edera Chief Innovation Officer and Alpine Linux maintainer Ariadne Conill, explained, because, unlike KVM, which runs inside the Linux kernel, it's a dedicated type-1 hypervisor. These are inherently more secure than the popular type-2 hypervisors. 

Also: The best VPN services: Expert tested and reviewed

If you're a techie, you may think that's true, but aren't hypervisors of both types all about virtual machines (VM), not containers? That's correct, but the Edera team has taken the hypervisor design and shifted it over to containers. As Emily Long, Edera's CEO, said, "Hypervisors haven't been reimagined for nearly two decades and just don't work in the cloud-native world." The Edera developers are building a true 21st-century hypervisor. 

The foundation of the new program is Krata. This is a Xen-based, single-host hypervisor built for Open Container Initiative (OCI)-compliant containers. It isolates containers with a fully memory-safe Rust control plane to bring Xen tooling into a new, secure era. In addition, Edera uses Lukko, an open-source memory safety runtime library. This library detects memory safety violations at runtime and cleanly terminates programs before they can be exploited.

Edera is secure by design. It's the only independent solution that offers isolation at the container level, making container escapes impossible, no matter where you run your infrastructure: a hyper cloud, a local cloud, or your own servers. 

Edera's key features


  • Type 1 hypervisor runs on bare metal with no shared kernel state between containers.

  • Hardened security guarantees with no container escapes.

  • Trusted and untrusted workloads run in the same cluster with zero risk.

Memory Safety

  • Coded in Rust, ensuring complete memory safety.

  • The principle of least authority limits the attack surface.

Secure Memory Encryption

  • Unilateral data transfer between confidential containers.

  • Memory encryption between guests creating highly secure enclaves.

Additionally, the finished Edera Protect will include a suite of advanced features, such as an enterprise control plane, multi-cluster management, and guided memory safety violation remediation. These features will be complemented by out-of-the-box Kubernetes compatibility and premium support services.

Eventually, Edera will also enable customers to deploy a mix of workload types in their clusters instead of having different clusters for legacy virtualization and containers. It will also support distributing traditional VM images in the same way containers are distributed, providing a more consistent developer experience when working with both containers and traditional VMs. 

Edera's founding team, composed of Conill, Long, and Alex Zenla, CTO, is an all-women team. This is a departure from the usual tech bro technology development leadership norm. Their combined expertise spans engineering leadership, software security, product innovation, and executive management. They have a shared vision of building a more inclusive, empowering, and secure technological future.

The time is right for Edera. With companies needing more secure containers thanks to the increasing complexity of container orchestration and Kubernetes security vulnerabilities, Edera presents a secure-by-design approach that addresses these challenges. Indeed, the company's unique approach, leveraging Rust's memory safety capabilities and modern hypervisor technology, may render many existing security tools obsolete by providing robust isolation at the container level.

Also: Google survey: 63% of IT and security pros believe AI will improve corporate cybersecurity

Anyone can contribute to Krata today, and Lukko is set for an initial release on May 1, 2024. The founders will shortly be starting their first fundraising round and are excited to start that process.  

I'm excited to see what they do going forward. This really is a new, innovative approach to container security, and it could well be a game changer for cloud-native computing.

Editorial standards