Resource Preallocation

YS::Desktop: Eliminating side-channel attack vectors.


The problem with current solutions: Side-channel vulnerability

Most leading virtualization platforms dynamically allocate CPU and memory resources to VMs based on real-time demand. This is marketed as efficiency. But dynamic shifting creates overhead on every reallocation, degrades performance predictability, and introduces timing signals that attackers exploit in side-channel attacks to breach VM isolation. The tradeoff is real, and it cuts both ways.

Traditional: Dynamic Allocation

[Diagram: VM1 to VM4 and a free slot. Labels: analysis; resources shift dynamically; attack surface.]

YS::Desktop: no dynamic shifts, no exploitable signals

Kerys YS::Desktop assigns CPU cores and memory to each VM before runtime. These fixed assignments remain unchanged, preventing any dynamic resource shifts that can be exploited. This architectural choice delivers both enhanced security and measurable performance benefits thanks to simplified resource management and contiguous allocation.

YS::Desktop: Preallocation

[Diagram: VM1 to VM4 on fixed assignments, plus a free slot. Label: analysis not possible.]
Consistency
No exploitable resource fluctuation

Fixed assignments remove the timing and cache signals that side-channel attacks rely on. No dynamic shift means no exploitable signal.

Scalability
Consistent response times across all VMs

Less overhead on memory management means more resources available for your workloads. No matter what runs on other VMs, your performance stays stable.

Dedicated CPU Cores

YS::Desktop ends VM-to-hypervisor attack vectors


The problem with current solutions: Side-channel vulnerability

Conventional virtualization architectures typically run hypervisor and VM processes on shared CPU cores, risking data leakage via residual cache and branch predictor information. This creates the conditions for VM escape (cross-VM and VM-to-hypervisor attacks).

Shared Core Architecture

[Figure: shared VM architecture, traditional VDI shared resource model]

YS::Desktop: no dynamic shifts, no exploitable signals

The platform assigns hypervisor tasks and VM workloads to physically separate CPU cores, ensuring dedicated hardware isolation. CPU cores dedicated exclusively to a single process do not require frequent purging, which conserves processing time. Additionally, the hypervisor can concurrently process hypercall requests as they are emitted by VMs, significantly improving system latency and responsiveness.

Dedicated Core Architecture
Consistency
Hardware-level isolation

CPU cores with isolated cache hierarchies dedicated solely to hypervisor or VM processes. No cross-contamination.

Scalability
Lower latency

Hypervisor cores remain continuously ready to process tasks, improving system responsiveness significantly.

Scalability
Reduced scheduling overhead

Dedicated cores eliminate the need for frequent CPU rescheduling between hypervisor and VM tasks. Less context switching means lower overhead and more predictable throughput.

Additional Benefits

Protecting data in transit: encryption and smart routing

Beyond the two core architectural differentiators, YS::Desktop brings additional capabilities that reinforce isolation and optimize data security without impacting performance.


Hypervisor Encryption Layer

Securing your data. No performance compromise.

YS::Desktop encrypts data the moment it leaves the CPU toward RAM or storage, using the hypervisor as the control hub rather than relying on each virtual machine individually.

This ensures sensitive information stays fully opaque to the host operating system and other workloads, while preserving native-level performance for developers and power users.

Consistency
Hypervisor-layer isolation

Isolates cryptographic processing away from the guest OS, reducing exposure to attacks and malware. Encrypting data at the hypervisor layer protects all VMs consistently without degrading the user experience.

Scalability
92% native performance maintained

This approach maintains system speed, avoiding the common performance penalties seen in software-only encryption solutions. Verified at 92% native performance with full encryption active across all VMs.


Smart Data Routing

Security where it counts. Performance where it matters.

Direct memory access – no shared resources between VMs

Direct hardware exposure. GPUs and local USB devices.


The virtualization layer maps device memory directly into the VM's address space. No intermediate processing. Peak performance maintained.


Exchange buffer mode
SSDs & network communications


RAM-based exchange buffers intercept data before it reaches the physical device. Strong encryption and additional security operations are applied before data leaves the secure environment.


Full isolation. No tradeoff.

See what complete VM isolation looks like for your teams. How it deploys, what it changes, and what it means for the people who use it every day.
