top of page


To argue about trustworthiness is to control your dependencies, to isolate, and to simplify.


The capability-based architecture of Gapfruit allows governing the trust relationship of each sub-system down to the hardware. Combined with strong isolation and attestation, this technology forms the basis of genuinely trustworthy computing.


Microservices introduced new flexibility to cloud computing. Mobile operating systems such as iOS and Android brought access control to prevent third-party applications from accessing resources such as your contacts list. Two trends we all have gotten used to.


Imagine this kind of flexibility combined with security-by-design techniques for all parts of the computing base. Drivers, network-stacks, filesystems, applications - each component only receives access to the resources and services it really needs.


Today's operating systems were designed over half a century ago. The digital landscape back then was not as hostile as it is now. Security was considered after the main architectural structures were set in stone. New features were added to one giant monolith: The kernel.


The kernel is the most critical part of the operating system. Mainstream kernels such as Linux contain over 30 million lines of code. Where each line is critical, this complexity cannot be made secure. The attack vector is way too big.

Looking forward, there is no way around the core principles of this technology. We absolutely need to govern the rising complexity.

Sid Hussmann / CTO & Co-Founder


Gapfruit OS is a microkernel operating system with capability-based security, developed using the Genode Framework. The capability-based architecture of Gapfruit allows governing the trust relationship of each sub-system down to the hardware. This allows forming rational arguments as to why the system is considered trustworthy.


There are two core concepts of Gapfruit: Strong isolation and absolute control over all software stacks. Absolute control over all software stacks means that each component's dependency graph is concisely defined and verified during build, deployment, and run time.



People are usually familiar with the terms sandboxes and enclaves. The building blocks on a Gapfruit system are called SLICEs.

A SLICE is a Secure and Light Instance of Contained Enclave, which has strong isolation guarantees. The isolation goes both ways, so it combines the properties from sandboxes and enclaves.



On Gapfruit, three types of dependencies represent the Trusted Computing Base (TCB): Resource distribution, service topology, and software dependencies. Gapfruit TEP attests the TCB of every SLICE down to the hardware root of trust.


●  Secure boot

●  Full Stack Integrity Protection

●  Disk Encryption

●  Self-healing resiliency even for drivers

●  Transactional upgrades

●  Attestation

●  Multiple migration paths

●  Multi CPU: ARM, x86, RISC-V

●  Multi kernel: seL4, nova, base-hw, Linux

●  HW virtualization


Gapfruit's modern architecture eliminates typical attack vectors and minimizes the impact of software flaws. It provides several low-risk migration paths enabling any unmodified application to run securely isolated. The architecture is future-proof and allows reliable and rapid rollout of upgrades and new services.


Gapfruit is suited for many different use-cases such as transportation, edge computing, secure endpoints, IoT gateways, medical devices, automotive, aerospace, industrial, and building automation systems.

bottom of page