undefined | Better HN

0 pointswalterbell9y ago0 comments

Don't know implementation details, but Quarkslab has been credited with finding several Xen hypervisor vulnerabilities. Their FAQ states, https://cappsule.github.io/faq/

"Traditional virtualization solutions (e.g.: VMware, Xen, KVM) virtualize whole operating systems (such as Windows or Linux), whereas Cappsule virtualizes a running system. VMs launched by Cappsule don’t go through the boot step; they start directly on a running kernel. This particular feature allows an instantaneous launch of VMs. One can think of VMs as forks of the host operating system. In fact, the VMs’ kernel is a copy of the running host kernel. Another particularity is that no VM disk image is required. There’s no need to setup, configure, install, manage and keep new VMs up-to-date. The host filesystem is accessible as Copy-on-Write (with respect to a whitelist of files and folders accessible in read-only or read-write mode).

Every software has security bugs, and Cappsule is no exception. But it is developed from scratch, with the main goal of being secure. With less than 15K lines of code, the attack surface is extremely narrowed in comparison to mainstream hypervisors. Moreover, anything that isn’t vital for the VMs isn’t implemented and certain classes of attacks simply don’t exist. For example, there’s no way to access hardware (through I/O memory, I/O ports, or DMA). Also, there’s no need of instruction emulation: vulnerabilities such as XSA-105 are thus impossible.

0 comments

3 comments · 1 top-level

qznc9y ago· 2 in thread

So its similar Docker, except they don't use some base image from the cloud, but use the host instead.

The known security weakness of Docker (and containers in general) is that the host kernel is exposed. Capsule somehow "copies" the host kernel in flight?

walterbellOP9y ago

One difference from Docker is that Cappsule uses hardware virtualization, so the isolation is that of a VM rather than kernel namespace. The VM gets a private, copy-on-write instance of the host kernel. From their FAQ:

"Docker isn’t meant for security. While a lot of improvements have been made recently in this area, it also relies on Linux namespaces and SECCOMP to ensure container isolation. A single kernel vulnerability allows an attacker to compromise the host. On this topic, the chapter 7 (Understanding Container Threats) of NCC Group Whitepaper Understanding and Hardening Linux Containers is a must-read," https://www.nccgroup.trust/us/our-research/understanding-and...

IChrisI9y ago

Thinstall did something similar; I've used it in the past and it worked pretty well. It captures system calls and writes changes to its own storage, and when a program reads a directory or file or registry key, it presents a combined view of the host OS + that program's changes, so programs think they are fully, normally installed.

https://en.wikipedia.org/wiki/VMware_ThinApp

j / k navigate · click thread line to collapse