YukonSilver VM
- Entity ID: ent-20260409-6c0ed63b96ea
- Type: service
- Scope: shared
- Status: active
- Aliases: YukonSilver, VM isolation, Claude Desktop VM
Description
YukonSilver VM is a virtualization-based isolation layer for Claude Desktop that runs claude-code inside a Linux virtual machine on macOS using Apple's Virtualization Framework. The system provides defense-in-depth by separating the agent's execution environment from the host operating system, ensuring that even if bash-security or the permission-pipeline are bypassed, the agent's actions are confined to the VM sandbox. It is part of the broader anti-distillation-defenses and security hardening for the desktop product.
Apple Virtualization Framework
YukonSilver leverages Apple's native Virtualization Framework (Virtualization.framework), introduced in macOS 11, which provides lightweight Linux VMs with near-native performance. Unlike traditional hypervisors (VirtualBox, VMware), Apple's framework is designed for programmatic VM management and integrates directly with macOS's security model, including:
- Hardware-enforced memory isolation via the hypervisor
- Rosetta 2 support for running x86_64 Linux binaries on Apple Silicon
- Shared filesystem mounts with configurable read/write permissions
- Virtual networking with host-side firewall control
Six-Layer Defense-in-Depth
YukonSilver implements a six-layer security model:
| Layer | Protection | Purpose |
|---|---|---|
| 1. VM boundary | Hardware-enforced process/memory isolation | Prevents agent from accessing host processes or memory |
| 2. Filesystem mount policy | Read-only mounts for host directories by default | Agent can read project files but cannot write to host filesystem without explicit pass-through |
| 3. Network policy | Allowlist-based outbound network access | Limits which hosts the agent can contact (Anthropic API, configured registries) |
| 4. Resource limits | CPU, memory, and disk quotas | Prevents resource exhaustion attacks (fork bombs, disk fills) |
| 5. Syscall filtering | seccomp-BPF profiles inside the VM | Blocks dangerous syscalls even within the VM's Linux environment |
| 6. Audit logging | All VM-boundary crossings are logged | Provides forensic trail of what the agent accessed on the host |
Shared Filesystem Model
The project directory is shared with the VM through a VirtIO filesystem mount. By default, this mount is read-only -- the agent can read source files but cannot modify them directly. Write operations go through a controlled pass-through mechanism: the agent's file writes inside the VM are captured, validated against the permission-pipeline, and then applied to the host filesystem by a host-side daemon. This means the host's three-layer-verification system validates every file modification even though the agent believes it is writing directly.
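The host-side step of that pass-through can be sketched as follows. This is an added example, not YukonSilver's own code: the function names, the `DENY_GLOBS` rules standing in for the permission-pipeline decision, and the audit record layout are all assumptions. It shows why the daemon must judge the resolved destination rather than the path string the guest supplied, and it logs every decision in the spirit of the audit layer.

```python
import json
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Hypothetical deny rules standing in for the permission-pipeline decision.
DENY_GLOBS = [".git/*", ".env", "*.pem"]

def validate_write(project_root: Path, guest_path: str) -> Path:
    """Map a captured guest write to a host path, or raise PermissionError."""
    root = project_root.resolve()
    if Path(guest_path).is_absolute():
        raise PermissionError("absolute path from guest")
    # resolve() collapses ".." and follows symlinks, so both escape routes
    # are judged on the real destination rather than the requested string.
    target = (root / guest_path).resolve()
    if root not in target.parents:
        raise PermissionError("path escapes project root")
    rel = target.relative_to(root).as_posix()
    if any(fnmatch(rel, g) for g in DENY_GLOBS):
        raise PermissionError("denied by policy")
    return target

def apply_guest_write(project_root: Path, guest_path: str, data: bytes, audit: list) -> bool:
    """Validate, apply on the host, and log the boundary crossing either way."""
    record = {"path": guest_path, "bytes": len(data)}
    try:
        target = validate_write(project_root, guest_path)
    except PermissionError as exc:
        audit.append(json.dumps({**record, "decision": "deny", "reason": str(exc)}))
        return False
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    audit.append(json.dumps({**record, "decision": "allow"}))
    return True

def demo():
    """Constructed scenario: a temp project holding a symlink that points outside it."""
    audit = []
    with tempfile.TemporaryDirectory() as base:
        root, outside = Path(base, "project"), Path(base, "outside")
        root.mkdir()
        outside.mkdir()
        (root / "link").symlink_to(outside, target_is_directory=True)
        requests = ["src/main.py", "../outside/a", "link/b", "/etc/passwd", ".git/config"]
        results = {p: apply_guest_write(root, p, b"x", audit) for p in requests}
        escaped = any(outside.iterdir())
    return results, audit, escaped
```

The sketch checks and then writes in two steps; a daemon exposed to a concurrent guest would also need to open the final path without following symlinks so the destination cannot change between the check and the write.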
Performance Characteristics
Apple's Virtualization Framework provides near-native performance for most workloads. The primary overhead is filesystem I/O through the VirtIO mount, which adds latency compared to direct disk access. The speculation-engine's file prefetching helps mitigate this by loading files into the VM's memory before they are needed. Network operations (API calls to Anthropic) are unaffected because they are routed through the VM's virtual network interface.
When YukonSilver Is Used
YukonSilver is specific to Claude Desktop on macOS. The terminal CLI does not use VM isolation -- it runs directly on the host. The decision to add VM isolation for the Desktop product reflects the different threat model: Desktop users may grant broader permissions (auto-mode) and leave sessions running unattended, making stronger isolation more important than in interactive terminal use.
Integration
YukonSilver wraps the same claude-code CLI that runs in the terminal, with the bridge-system connecting the Desktop UI to the CLI running inside the VM. The hooks-system operates inside the VM, while the host-side daemon provides an additional hook layer for VM-boundary events. session-persistence state is stored inside the VM and backed up to the host periodically.
Key claims
- none yet
Relations
- none yet
Sources
src-20260409-d1e7c75e3c59