EC2’s formally verified “isolation engine” provides mathematical assurance of virtual-machine isolation

2026-06-10 · Source: Amazon Science homepage · Field: Technology & Digital — Cloud Computing & IT Infrastructure, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Advanced, medium

Summary

Amazon Web Services (AWS) announced the general availability of its new M9g and M9gd EC2 instances on June 10, 2026, powered by the Graviton5 CPU. These instances are the first to utilize the Nitro Isolation Engine, a formally verified component of the Nitro Hypervisor. This engine is the first formally verified hypervisor deployed in a commercial cloud environment, providing mathematical assurance of virtual machine isolation. Its verification involved 330,000 lines of machine-checked mathematics using the Isabelle/HOL proof assistant, comparable in scale to the seL4 project. The Nitro Isolation Engine, written in a core subset of Rust (μRust), focuses solely on enforcing isolation by separating this critical logic from the broader Nitro Hypervisor's business logic. It verifies properties including confidentiality, integrity, functional correctness, absence of runtime errors, and memory safety, and is an always-on feature for Graviton5 users.

Key takeaway

For Cloud Architects evaluating infrastructure security, the Nitro Isolation Engine's formal verification on Graviton5 instances fundamentally changes the assurance model for virtual machine isolation. You should prioritize M9g and M9gd instances for workloads demanding the highest levels of confidentiality and integrity, as this provides a mathematically proven defense against VM escape vulnerabilities. This advancement offers unprecedented visibility into isolation enforcement, strengthening your security posture.

Key insights

Formal verification can deliver mathematical assurance for critical cloud infrastructure components in commercial deployments.

Principles

• Separation kernels simplify verification by enforcing isolation only.
• Restricting language features aids formal reasoning.
• Indistinguishability preservation defines confidentiality.

Method

Formal verification employs Isabelle/HOL, μRust, Separation Logic for specifications, and weakest-precondition calculus for proofs, via AutoCorrode.

In practice

• Apply formal verification to security-critical cloud components.
• Design systems with separation kernels for auditability.
• Consider Rust subsets for provably correct codebases.

Topics

• Formal Verification
• Hypervisor Security
• Virtual Machine Isolation
• AWS EC2
• Nitro System
• Rust Language
• Isabelle/HOL

Code references

• awslabs/AutoCorrode

Best for: CTO, VP of Engineering/Data, Executive, Security Engineer, Software Engineer, Research Scientist

Related on AIssential

• Isabelle/HOL: The proof assistant behind the Nitro Isolation Engine — Isabelle/HOL's balance of expressiveness and automation enabled the formal verification of AWS's Nitro Isolation Engine.
• Graviton5’s improved design increases speed and energy efficiency — beyond Moore’s law — Graviton5's chiplet architecture and advanced components deliver significant performance and efficiency gains for diverse cloud workloads.
• FlowGuard: Flow Matching for Identity-Independent Detection of Data-Free Model Stealing Attacks on Energy System Intrusion Detection Systems — FlowGuard detects data-free model stealing in energy IDS by identifying synthetic queries as out-of-distribution via flow matching.
• Beyond Indistinguishability: Measuring Extraction Risk in LLM APIs — Indistinguishability metrics are insufficient for measuring data extraction risk in LLM APIs.
• Building a Zero-Trust Architecture for Confidential AI Factories — Confidential computing with TEEs and CoCo enables secure, zero-trust AI factories by encrypting data and models during execution.
• From Attack Simulation to SIEM Rule: Deterministic Detection-as-Code Synthesis with Probe-Level Traceability — Deterministic synthesis automates SIEM rule generation from attack simulation findings, ensuring reproducibility and traceability.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Amazon Science homepage.