Almost 20 years ago, Theo de Raadt (founder of OpenBSD) said: “you think that a worldwide collection of software engineers who can’t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.” I would like to think that we’ve figured out the security holes since then, but… you know..
Comment on Safely exposing services to the Internet
hirihit640@sh.itjust.works 2 days ago
Copy fail allows VMs to infect the host system? I thought it was a kernel vulnerability, not a hypervisor vulnerability. Containers and LXCs share the kernel with the host, full VMs do not.
Hypervisor exploits and VM escapes are VERY rare.
Using SSH for clustering is optional. You can just use normal VMs. You don’t have to install SSH into the VM, you can view it through proxmox. The only difference between a VM and a physical machine is the hypervisor, so the only security difference is the security of the hypervisor. And as I mentioned, hypervisor exploits are very rare.
pmk@piefed.ca 1 day ago
hirihit640@sh.itjust.works 1 day ago
Nobody believes virtualization is perfect, it’s just the best we got because:
- smaller attack surface
- security is the priority over adding new features (the opposite of most other development cycles)
- in practice we have seen how secure it is relative to other systems like the kernel
And anyways, even a separate physical computer can be hacked. If it has networking, there could be a vulnerability in the networking stack. Just making an outbound TCP connection can be enough to be pwned.
I think the closest thing we have to an “invincible” system is seL4, but I rarely hear about anybody using them.
dislabled@lemmy.ml 1 day ago
Good post. And I would like to add that for anyone to be able to use a hypervisor escape, you also need a vulnerability in the software presented to the internet. And even then, the chance that anyone would waste a zero day on a homelab is pretty slim…