I got brave this morning and made the first public release of instar, version 0.2. Here’s a snippet from what I sent to the openstack-discuss mailing list about this:
Instar is a from scratch rethink of how to handle untrusted image data as well as an opportunity for me to become more familiar with code generation LLMs. All data processing happens in a custom KVM guest which does not run an operating system or have any access to system resources apart from those provided to it by the custom VMM which orchestrates it. The best way to think of this guest is as an embedded system running on a virtual CPU. This is similar in approach to how AWS Nitro Enclaves work in terms of prior art, whilst also being the opposite in intent: Nitro protects sensitive data from the cloud; instar protects the cloud from malicious data. To be clear, `instar info` doesn’t detect or block malicious images — it processes them safely and reports what it finds. The security comes from containment, not detection. It is then up to the caller to decide how to handle what is reported.
You can read more about instar on shakenfist.com, or the full openstack-discuss post.