tptacek
6 hours ago
One of his dumber takes. Virtualization replaces an ultra-functional general-purpose kernel evolved over decades to support every conceivable application with a drastically smaller "kernel" (KVM and the userland hypervisor). It's a drastic attack surface reduction, and the empirical data bears that out: kernel LPEs aren't even newsworthy (there's whole repos full of unnamed, unremarked-upon LPEs), and KVM escapes are very rare.
Veserv
3 hours ago
Virtualization is responsible for effectively none of those security benefits.
It is the reduction to a smaller “kernel” that is responsible. If you applied the same design and operational model to running regular old processes instead of virtual machines you would also get a system with less security holes than the grossly insecure rat’s nest that is Linux, Windows, or whatever other commercial IT OS you have in mind.
Virtualization is almost entirely orthogonal, if not harmful, to security of the platform and operations. It is not magic pixie dust that makes your operational model more robust. You need a robust operational model, then you can have a robust operational model with virtual machines.
There is a reason why the most secure systems in the world are separation kernel architectures instead of hypervisors even though most of those systems do support virtualization as a feature, just not as the basis of their security propertys.
10000truths
2 minutes ago
While this is true, the unspoken factor here is compatibility. Fixing the design and operational model of Linux (or any Unix derivative) to a sensible default-nothing architecture requires completely changing the semantics of the OS, which would break so much existing software to the point that one might as well write a new kernel+userspace from scratch. It's a lot easier for a sysadmin to just plop their existing rat's nest in a hardware-accelerated parallel universe and say "job done".
tptacek
2 hours ago
You can falsify these claims simply by looking at the records of platform vulnerabilities. I don't think this is a live argument.
Veserv
2 hours ago
Great, then falsify it. Point at a system with the same operational model as KVM-based multi-tenant systems with large numbers of platform vulnerabilitys.
Let us review a standard operational model:
Virtual machines are usually pre-allocated their total RAM. Virtual machines are usually pre-allocated a number of cores and pinned to them. Virtual machines are usually only allocated a small number of devices such as a virtual block storage device and virtual network device upon which they implement a in-VM filesystem and network stack. Virtual machines usually have no access to shared services provided by the hypervisor.
So we have a operational model where you have to pre-allocate RAM to a process. You have to pre-allocate a whole core and pin the process to it. The process has no access to a global filesystem, network stack, or devices. The process has access to exactly one file, which is logically similar to a virtual block storage device, and a single raw network socket, which is logically similar to a virtual network device. The process has no ability to form a socket to another process, form a new file, or even have any way of interacting with other processes at all. The process has no access to shared services of any kind.
The chasm between that operational model and any commercial IT operating system is immense, being basically the polar opposite in every dimension in the direction of security. Default-deny instead of default-allow. Shared-nothing instead of shared-everything. What you have there is a system even more static and simple than what runs on most microkernels. That is the comparable class of platforms with a similar operational model.
To demonstrate that virtualization is the key factor, you need to demonstrate that actually comparable systems with similar operational models like microkernels have more platform vulnerabilitys than comparable KVM-based, or even just hypervisor-based, systems. Which, again, flies against the face of evidence as the systems that are actually used in high security applications designed to protect against state actors are separation kernels instead of hypervisors.
tptacek
2 hours ago
These are a lot of words that I think are trying to work around the fact that LPEs are commonplace and KVM escapes are very rare.
Veserv
an hour ago
Cool, show me a LPE in a seL4 deployment. Do you believe that is easier or harder than finding a KVM escape?
Since you are varying the security basis, implementation, and operational model simultaneously when you are comparing KVM to Linux to argue that the security basis is the important factor, I get to as well. Except mine is actually more fair because the design of a seL4-based system is actually much more similar to the design of a multi-tenant KVM-based system than the design of the KVM-based system is to the design of a Linux user environment.
tptacek
an hour ago
Amusingly, this is the 2nd time you've tried to argue with me about this Theo post. Last time, you yourself brought it up as a model of a good security argument.
https://news.ycombinator.com/item?id=41071954
Rather than replicating my response then, I'll just incorporate that link into my point.
I ported L4 to my ARM NUC a couple weeks ago. L4 is great. Of course, L4 is also principally a platform for virtualization, so it's a pretty odd bit of evidence to try to bring up. Where have you personally been using L4?
Veserv
33 minutes ago
Yes, you do enjoy evading the argument. You continuously point at implementation and operational model differences as proof that virtualization is the key factor. Theo's argument is literally that virtualization versus non-virtualization is irrelevant compared to implementation and operational model deficiencys. If you make garbage implementations and operational models, then you get garbage virtualization. If you have a good implementation and operational model then you do not need virtualization for "security".
As independent evidence for this point, virtualization is not the basis of security/isolation in seL4. You have isolation without any virtual machines. Virtual machines are just a feature on top that can leverage the existing isolation functionality to also provide isolated virtual machines. Of course, a secure deployment then requires you to leverage this foundation with a good operational model and system design since you can always make a insecure system even atop a good foundation. This demonstrates that virtualization is not necessary for a secure base, nor sufficient to achieve highly secure systems.
Just to hammer in the point that you are heavily misinterpreting Theo's response, this is the full sentence at the start of the post that Theo was responding to:
"Virtualization seems to have a lot of security benefits. Rootkits can lie to DomU but not Dom0, and of course snapshotting, migration etc is really nice."
Wow, amazing, rootkits can never be in Dom0 because Xen has "virtualization" magic pixie dust. Theo is pointing out how this is nonsense and virtualization will only provide security if you can create implementations without glaring security holes. Furthermore, you should not just listen to the people who brought you insecure system 1 when they tell you that this time for sure they are going to give you secure system 2; maybe have just a little bit of cynicism and ask for some evidence first.
boricj
6 hours ago
Doesn't that message date back to a time that either predates or is almost concurrent with the introduction of x86 hardware-assisted virtualization? I wasn't around playing with VMs back then, but I'm not sure that the track record of x86 virtualization 20 years ago was that great.
tptacek
6 hours ago
It does, but that's an argument about implementations, and his comment is an argument about design. Just read it again and see if you think it's reasonable. Pay attention to the tone and (especially) the conclusory certainty he deploys.
SoftTalker
6 hours ago
And since then, OpenBSD has developed its own VM subsystem vmm(4), vmd(8), vmctl(8).
tptacek
6 hours ago
Sure, I mean, he was wrong, and I assume he knows he's wrong, and wouldn't say the same thing today. He's not dumb. Just this take is.
otterley
5 hours ago
I’ll take someone who’s dumb over someone who is smart but rudely and confidently incorrect any day. Modesty, thoughtfulness, and kindness are too-undervalued virtues in our business.
dredmorbius
3 hours ago
The email in question actually addresses one of the first, if not the first, x86 hypervisor product, Xen, relying on both my memory of the time (I did some work with Xen in the mid aughts) and Wikipedia: <https://en.wikipedia.org/wiki/Timeline_of_virtualization_tec...>.
The Xen hypervisor itself was pretty minimal, as I understand mostly serving to time-slice CPU cycles among guest domains and partition memory access. As a contrast to VMWare, device access and drivers were handled by the guests themselves.
As such, the attack surface of the Xen hypervisor itself is fairly minimal. Most security issues seem to be denial of service vulnerabilities, though there are some privilege escalation, access, information leak, and overflow issues listed:
<https://xenbits.xen.org/xsa/>
I generally respect de Raadt's expertise and instincts, though he may have been over his skis here.
justsomehnguy
4 hours ago
The letter is dated 2007-10.
AMD released (ie commercially available) Pacifica on May 23, 2006 while Intel did released their Vanderpool a half of year earlier November 14, 2005. [0]
Windows Server 2008 was RTM'ed on February 2008 which provided Hyper-V as a first class component. [1]
Virtual Server 2005 R2 SP1 added support for both Intel VT (IVT) and AMD Virtualization (AMD-V) and was released 11 June 2007. [2]
https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtual...
https://en.wikipedia.org/wiki/Windows_Server_2008
https://en.wikipedia.org/wiki/Microsoft_Virtual_Server#Versi...
xattt
5 hours ago
> replaces an ultra-functional general-purpose kernel evolved over decades to support every conceivable application with a drastically smaller "kernel"
Is a Proxmox kernel that much smaller than a typical Linux kernel?
naturalmovement
6 hours ago
If someone purposely dug up emails you wrote 19 years ago, I'm sure they'd find some of your "dumber takes" as well.
I'm not sure what the purpose of revisiting this is beyond provoking a flamewar on a slow Sunday.
tptacek
6 hours ago
I mean, I agree there. We all have dumb takes! I hear roughly once a month about my old "I don't think Dual EC is a backdoor, it's too dumb and obvious for anyone to actually use it" take.
bawolff
5 hours ago
Probably people are responding less to the dumbness of the take and more the arrogance of the tone combined with the dumbness of the take. Everyone has dumb takes, not everyone is an asshole while giving their dumb takes.
Regardless i do agree with you though, not sure what the point of digging up ancient skeletons is.
throw0101a
5 hours ago
> If someone purposely dug up emails you wrote 19 years ago, I'm sure they'd find some of your "dumber takes" as well.
"Give me six lines written by the hand of the most honest man, I will find something in them which will hang him."
* https://en.wikipedia.org/wiki/Give_me_the_man_and_I_will_giv...
ummonk
6 hours ago
How big is the OpenBSD kernel and userland actually compared to a virtualization layer?
TZubiri
6 hours ago
I'm anti virtualization, but mostly due to the internal complexities of the guest applications being swept under the rug, it's undeniable that the host is protected and thus neighbouring guests (of course it is with almost 20 years of hindsight I can say this.)
That the hypervisor is effectively an operating system/kernel I have always held, and that it is a smaller and thus less vulnerable kernel is an appropriate explication I think. It's very hard to secure an all purpose kernel like Linux without actually building it yourself (and even then..)