VyomaOS

A capability-secure operating system where every app is a sandboxed WebAssembly module. 18 MB. Boots in under 5 seconds. 200+ apps.

Modern operating systems carry 40 years of legacy attack surface — C runtimes, shared libraries, POSIX quirks, shell injection surfaces. Every app inherits all of it.

VyomaOS starts over with one rule: the runtime IS the OS boundary.

WASM Sandboxed

Every app is a wasm32-wasip2 binary running inside Wasmtime. No native userland, no shell, no C runtime exposed to apps.

Capability-Secure

Apps declare capabilities in a manifest. Undeclared capabilities aren’t filtered — they’re never wired up. No access surface exists.
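The difference between filtering a call and never wiring it up shows in a small model of the supervisor's link step. This is an added example, not VyomaOS code: it uses std-only Rust instead of the Wasmtime API, and the `capabilities` manifest key, the capability names and every function name are assumptions.

```rust
use std::collections::{HashMap, HashSet};

type HostFn = fn(&str) -> String; // toy host import: one string in, one string out
fn host_fs_read(path: &str) -> String { format!("contents of {path}") }
fn host_net_connect(addr: &str) -> String { format!("connected to {addr}") }
fn host_ipc_send(msg: &str) -> String { format!("sent {msg}") }

// Everything the host is able to provide. Capability names are hypothetical.
fn host_fn_for(cap: &str) -> Option<HostFn> {
    match cap {
        "fs.read" => Some(host_fs_read as HostFn),
        "net.connect" => Some(host_net_connect as HostFn),
        "ipc.send" => Some(host_ipc_send as HostFn),
        _ => None,
    }
}

// Reads `capabilities = ["a", "b"]` (assumed key). Minimal, not a full TOML parser.
fn parse_capabilities(manifest: &str) -> Result<HashSet<String>, String> {
    let line = manifest.lines().map(str::trim).find(|l| l.starts_with("capabilities"))
        .ok_or("manifest has no capabilities key")?;
    let (_, value) = line.split_once('=').ok_or("malformed capabilities line")?;
    let inner = value.trim().strip_prefix('[').and_then(|v| v.strip_suffix(']'))
        .ok_or("capabilities must be an array")?;
    Ok(inner.split(',').map(|s| s.trim().trim_matches('"').to_string())
        .filter(|s| !s.is_empty()).collect())
}

// Per-app import table: only declared capabilities are inserted; unknown names fail closed.
fn build_linker(declared: &HashSet<String>) -> Result<HashMap<String, HostFn>, String> {
    declared.iter()
        .map(|c| host_fn_for(c).map(|f| (c.clone(), f)).ok_or_else(|| format!("unknown capability: {c}")))
        .collect()
}

// Every import the module names must resolve, otherwise the app never starts.
fn instantiate(imports: &[&str], linker: &HashMap<String, HostFn>) -> Result<Vec<HostFn>, String> {
    imports.iter()
        .map(|name| linker.get(*name).copied().ok_or_else(|| format!("unresolved import: {name}")))
        .collect()
}

fn main() {
    // Constructed manifest for a hypothetical app.
    let manifest = "name = \"notes\"\ncapabilities = [\"fs.read\", \"ipc.send\"]\n";
    let linker = build_linker(&parse_capabilities(manifest).unwrap()).unwrap();
    println!("{:?}", instantiate(&["fs.read"], &linker).map(|f| f[0]("/notes/todo.txt")));
    println!("{:?}", instantiate(&["fs.read", "net.connect"], &linker).map(|_| ()));
}
```

The second call fails at instantiation because `net.connect` was never placed in the table, so there is no runtime check for the app to reach or bypass.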

18 MB Total

Linux kernel (2.3 MB) + Rust supervisor (697 KB) + Wasmtime + 200+ WASM apps. Boots in QEMU in under 5 seconds.

Deterministic Binaries

WASM bytecode is byte-identical across builds and hosts. No architecture-specific binaries. Reproducible deployments by default.

Linux 5.10 kernel (allnoconfig, 2.3 MB)
└── Rust supervisor (PID 1, 697 KB static musl)
    ├── Manifest parser (TOML capabilities)
    ├── Concurrent scheduler (one thread per app)
    ├── IPC broker (@<app>: message routing)
    ├── Framebuffer driver (DRM/virtio-gpu)
    ├── TTY input router (per-keypress dispatch)
    └── Process manager (ps, kill, restart, log)
    └── Wasmtime runtime (WASI Preview 2)
        └── 200+ WASM apps (1–10 KB each)

< 5s

Boot time in QEMU with 10 concurrent apps

2.3 MB

Linux kernel (allnoconfig + virtio + DRM)

697 KB

Supervisor binary (static musl, stripped)

200+

WASM apps — productivity, games, dev tools, system utilities