IncludeOS is a unikernel operating system that bundles application code with only the necessary kernel drivers into a single bootable image. It functions as a resource-efficient cloud service virtual machine and a lightweight serverless runtime environment designed to minimize memory footprints and boot times. The project provides a Linux compatibility layer via a C library, allowing applications written for Linux to be compiled and executed within the unikernel environment. It also serves as a network appliance framework for building high-performance firewalls and load balancers using config
Asterinas is a memory-safe operating system kernel designed to prevent data races and memory corruption. It functions as a Linux-ABI compatible kernel, enabling the execution of existing Linux binaries and container workloads while providing a declarative operating system distribution model. The project distinguishes itself by acting as a virtual machine container host and a confidential computing guest OS, allowing it to run within hardware-isolated Trusted Execution Environments such as Intel TDX. It implements a minimal trusted computing base by isolating unsafe low-level operations and se
ToaruOS is an independent operating system built from the ground up without external dependencies. It features a custom x86-64 kernel that supports symmetric multiprocessing and paging, paired with a graphical windowing system and a dedicated bytecode interpreter for application logic. The system distinguishes itself by integrating an embedded Python environment for system-level development and a custom graphical interface that handles its own window composition and text rendering. It includes a compatibility layer for third-party application support and a system package manager for handling
Firecracker is a virtual machine monitor that leverages hardware-assisted virtualization to create and manage isolated execution environments. It functions as a lightweight runtime designed to launch virtual machines with minimal memory overhead and near-instantaneous startup times, providing the security of traditional hardware virtualization with the efficiency of containerized workloads. The project distinguishes itself through a security-focused architecture that enforces strict process boundaries using system-level barriers and restricted user privileges. It minimizes the attack surface