Secure virtualization

True VM Isolation. Hardware Security without Performance Loss

YS::Desktop is built from the ground up with security as the foundation, not an afterthought. Here's how we solve the fundamental challenges of secure virtualization.

Core Features

Built for Security-First Organizations

Every feature designed to eliminate attack vectors while maintaining the performance modern workloads demand.

Static Resource Preallocation

CPU and memory assigned statically before runtime, eliminating dynamic resource shifts that attackers exploit.

Dedicated CPU Cores

Hypervisor and VM workloads run on physically separate CPU cores with isolated cache hierarchies.

Hardware-Level Encryption

Data encrypted the moment it leaves the CPU, using the hypervisor as the control hub for consistent protection.

Zero Performance Penalty

Achieve 2-5% speed gains through optimized contiguous resource allocation and reduced fragmentation.

Side-Channel Protection

Eliminate timing, cache, and power side-channel attack vectors through architectural security.

Intelligent Data Routing

Automatic selection between direct hardware exposure and encrypted exchange buffers based on data path.

Static Resource Preallocation

Assigning CPU and Memory Resources to ensure full isolation of VMs

The problem

Dynamic Resource Allocation Creates Attack Vectors

Most virtualization platforms dynamically allocate CPU and memory based on real-time demand. While efficient, this creates subtle signals attackers exploit in side-channel attacks to breach VM isolation.

[Diagram: Traditional dynamic allocation. VM1, VM2, VM3, VM4 and a free slot, labelled "Analyse"; resources shift dynamically → attack surface]

How Kerys does it

Fixed Assignments, Zero Fluctuation

YS::Desktop assigns CPU and memory statically to each VM before runtime. These fixed assignments remain unchanged, preventing any dynamic resource shifts that can be exploited.

[Diagram: YS::Desktop preallocation. VM1, VM2, VM3, VM4 in fixed slots, labelled "Analysis not possible"; fixed boundaries → no side-channel signals]

Security Benefits

Strong VM isolation by removing resource fluctuation opportunities
Eliminates timing, cache, and power side channels used by attackers
Predictable resource behavior eliminates covert channels

Performance Benefits

2–5% speed gain through large, contiguous resource blocks
Reduced fragmentation and overhead
Optimized memory controller efficiency with stable throughput

Dedicated CPU Cores

Separate Processing for Hypervisor and VMs
to prevent Side-Channel Exploits

The problem

Shared CPU Cores Risk Data Leakage

Conventional virtualization runs hypervisor and VM processes on shared CPU cores, risking data leakage via residual cache and branch predictor information. Side-channel attacks targeting shared resources threaten hypervisor security.

How Kerys does it

Physically Separate CPU Cores

YS::Desktop allocates specific CPU cores to virtual machines. These cores can run multiple VMs in sequence, with strict temporal separation and a full purge between switches, eliminating any risk of data leakage or resource drift.
The remaining cores are reserved for the hypervisor, ensuring stable and isolated system management.

[Diagram: CPU Core Distribution]

Security Benefits

Hardware-level isolation with isolated cache hierarchies
Clean context switching with full flush of CPU registers and caches
Controlled VM-to-hypervisor communication prevents accidental leaks

Performance Benefits

Reduced thrashing and scheduling overhead
Lower latency as hypervisor cores remain continuously ready
Minimal throughput impact compared to security gains

Hardware-Level Encryption
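To make the two mechanisms above concrete, this is how static preallocation and a hypervisor/VM core split look in a libvirt/KVM domain definition. It is an added comparison example, not YS::Desktop's own configuration; the core numbers, memory size and hugepage size are assumptions, and it does not model the flush between sequentially scheduled VMs that the page describes.

```xml
<domain type='kvm'>
  <name>secure-desktop-vm1</name>
  <!-- Fixed memory: memory equals currentMemory and there is no balloon
       device, so the guest footprint cannot grow or shrink at runtime. -->
  <memory unit='GiB'>8</memory>
  <currentMemory unit='GiB'>8</currentMemory>
  <memoryBacking>
    <!-- 1 GiB hugepages give large, contiguous physical blocks;
         locked keeps guest memory out of swap. -->
    <hugepages>
      <page size='1048576' unit='KiB'/>
    </hugepages>
    <locked/>
  </memoryBacking>
  <!-- Static vCPU count, each vCPU pinned 1:1 to its own host core (4-7);
       the emulator threads, i.e. the hypervisor side, are confined to 0-1. -->
  <vcpu placement='static'>4</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='4'/>
    <vcpupin vcpu='1' cpuset='5'/>
    <vcpupin vcpu='2' cpuset='6'/>
    <vcpupin vcpu='3' cpuset='7'/>
    <emulatorpin cpuset='0-1'/>
  </cputune>
  <devices>
    <!-- No balloon driver: the host cannot reclaim guest memory dynamically. -->
    <memballoon model='none'/>
  </devices>
</domain>
```

Pinning alone does not keep host tasks off cores 4-7; those cores must also be removed from the host scheduler (for example with the kernel's isolcpus= parameter or a cpuset partition), and every additional VM needs a disjoint cpuset.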

Encrypt Data at the Hardware Layer
for Complete Protection of your Data

YS::Desktop encrypts data the moment it leaves the CPU toward RAM or storage, using the hypervisor as the control hub rather than relying on each virtual machine individually. This ensures sensitive information stays fully opaque to the host operating system and other workloads, while preserving native-level performance for developers and power users.

Why Hardware-Level Encryption Matters

Hardware-level encryption isolates cryptographic processing away from the guest OS, reducing exposure to attacks and malware.
Encrypting data at the hypervisor layer protects all VMs consistently without degrading the user experience.
This approach maintains system speed, avoiding the common performance penalties seen in software-only encryption solutions.

Intelligent Data Routing

Dynamically Handle Data Based on its Path
to Maximize Security

Direct Hardware Exposure

For devices like GPUs and local USBs, where data remains on the machine and raw throughput is essential, the virtualization layer maps device memory directly into the VM's address space. This eliminates unnecessary processing and maintains peak performance.
[Diagram: GPU → Direct Memory Map → VM]

Exchange Buffer Mode

For storage devices (SSDs) and network communications, where data can leave the secure desktop environment, YS::Desktop inserts RAM-based exchange buffers. These buffers apply strong encryption and additional security operations before data reaches the physical device.
[Diagram: SSD ↔ Encrypted ↔ VM]
This selective routing empowers security teams to enforce encryption where it counts, without impacting graphics, peripheral devices, or developer productivity inside the secure desktop.
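A model of the routing decision and the exchange-buffer step described in this section, written as an added Go example; it is not YS::Desktop code. The device classes, the policy table, and AES-256-GCM as the cipher are assumptions, and the device name is bound as associated data so a sealed blob from one device cannot be opened as if it came from another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Route is the assumed policy behind the page's two data paths: devices whose
// data stays on the machine (GPU, local USB) get a direct memory map, devices
// through which data can leave the desktop (SSD, NIC) go through an exchange
// buffer, and anything unknown is never mapped into the VM at all.
func Route(device string) string {
	switch device {
	case "gpu", "usb":
		return "direct"
	case "ssd", "nic":
		return "exchange-buffer"
	}
	return "deny"
}

// NewExchangeBuffer returns the AEAD a hypothetical RAM-resident exchange
// buffer uses to seal VM writes; a 32-byte key selects AES-256-GCM.
func NewExchangeBuffer(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WriteToDevice applies the routing policy to one VM write and returns the
// bytes that actually reach the hardware. On the exchange-buffer path that is
// nonce||ciphertext||tag, with the device name bound as associated data so a
// blob captured from one device fails authentication when opened for another.
func WriteToDevice(device string, buf cipher.AEAD, data []byte) ([]byte, error) {
	switch Route(device) {
	case "direct":
		return data, nil // raw throughput path: passed through untouched
	case "exchange-buffer":
		nonce := make([]byte, buf.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return buf.Seal(nonce, nonce, data, []byte(device)), nil
	}
	return nil, fmt.Errorf("device %q is not mapped into the VM", device)
}
```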

Ready for
Uncompromised Security?

YS::Desktop combines static resource allocation, dedicated CPU cores, and hardware-encrypted isolation. When strong protection and speed are non-negotiable, this is the virtualization you need.
No commitment required • Enterprise-ready deployment