zlacker

[return to "The Linux Security Circus: On GUI isolation"]
1. trotsk+37[view] [source] 2011-04-24 02:01:57
>>wglb+(OP)
Qubes seems to be YASTVOS (Yet Another Security Through Virtualization OS). While I'm not going to disagree that Xen vms represent a smaller attack surface than most current installations, that doesn't mean there won't be bugs. If you shift everyone to a solution like this, guaranteed people will be breaking out of it. VMware has had a number of vm escapes.

The other problem is these OS's often don't seem to get very far. Seems like Qubes is launching beta 1. It's the kind of thing that one would expect needing a significant time to shake out.

Which isn't to say I wouldn't like to run a nicely implemented example of the concept. It certainly has the possibility of raising the bar significantly. Of course, it seems like no matter how far windows raises the bar people still keep on jumping it easily.

◧◩
2. gaius+ve[view] [source] 2011-04-24 09:29:37
>>trotsk+37
The state-of-the-art on attack surfaces and VMs right now is JRockit Virtual Edition, which runs the JVM directly on the hypervisor, no OS in the middle. Which makes all kinds of sense really - what's the point of running a VM inside a VM?
◧◩◪
3. jamii+uf[view] [source] 2011-04-24 10:41:25
>>gaius+ve
Similarly, but much less mature, Mirage runs the ocaml RTS directly on top of Xen: http://openmirage.org/
[go to top]