undefined | Better HN

0 pointsgmueckl6y ago0 comments

Would be cool to see a source for that one. Theo de Raadt is a hardliner whom I don't always agree with, but I'd like to know how visionary he actually was in this case (quite a bit by the looks of it).

0 comments

jancsika6y ago

I'm not a security person but I wanna practice trying to sum up his points:

1. There's no way in hell that a bunch of VMs running on one physical server is more secure than a bunch of different physical servers each running an OS. If there were architectural hooks for those VMs to provide additional security beyond what the host OS provides, then an OS like OpenBSD would already be making use of it.

2. Running a bunch of VMs on a single physical machine is certainly cheaper.

3. People who are in favor of the cost-cutting are claiming that there's a security benefit to sell more stuff.

Am I right?

If so, how does that stance jibe with the research that Qubes is based on?

fwip6y ago

I think the argument VM-sellers make is that it's more secure than running a bunch of colocated code on the same machine without VMs, not that it's more secure than distinct physical systems.

bluGill6y ago

That is their claim. Theo is pointing out that the security is an illusion. Either the OS is secure and so you may as well just run everything in the OS without the VM in the way (ignoring issues of different operating system), or the OS is not secure and now you have to hope the VM is secure because otherwise you just exploit your VM to get out of it and then exploit the OS. The second level attack is more difficult, but that is all.

effie6y ago

Almost right, except one thing: I think Theo de Raadt wrongly did not acknowledge the valid point of his opponent: in practice, separating applications into virtual machines does have some security benefits, when compared to running them on single OS.

I think security guarranties are better if you follow practices of a little selfcentered project such as OpenBSD (run only trusted code) than if you follow practices of QubesOS (running whatever untrusted code you desire in Xen domains and relying on VM separation).

t1amat6y ago

I believe this is the source: https://marc.info/?l=openbsd-misc&m=119318909016582

j / k navigate · click thread line to collapse