undefined | Better HN

0 pointsJoshTriplett12y ago0 comments

Many (though not all) local kernel exploits that allow you to escalate to root will also allow you to run arbitrary code in kernel-space, and there's only one kernel, not one kernel per container.

VMs will always be more secure than containers, simply through defense in depth; the only question is whether you want to trade away some performance and flexibility to increase security.

0 comments

3 comments · 1 top-level

jpetazzo12y ago· 2 in thread

I disagree with this assertion that "VMs will always be more secure". Of course, they bring an extra layer (or rather, a layer of different nature).

But check the number of Xen vulnerabilities (I kept up with those for a while because I still run a Xen cluster): they are very real. And keep in mind that Xen (at least in my case!) doesn't bring an extra layer of security: if you are (e.g.) an IAAS provider using Xen to sell VMs, your customers can run anything they like in their VMs, and Xen will be the only layer. Your hypervisor will be "on the front line" if you see what I mean.

I would actually argue quite the contrary. I.E.: exploits affecting containers are likely to be exploits affecting all Linux systems, meaning that they will draw much more attention and scrutiny than exploits affecting hypervisors, and they are likely to be fixed faster.

JoshTriplettOP12y ago

To clarify: VMs will always be more secure for sandboxing a non-root service. In that case, untrusted code would have to get root first, then use that to either replace or exploit the kernel, and then exploit the VM.

In the case where you run untrusted root or kernel code, that code only needs to exploit the VM, true. (On the other hand, many VMs have smaller attack surfaces than the Linux kernel.)

mje__12y ago

I would disagree with your assertion in the case of PV guests in Xen - they have an extremely small attack surface. The hypervisor may be "on the front line", but is a far simpler beast than the kernel.

Certainly Xen has its fair share of vulnerabilities, but vastly fewer than the kernel.

j / k navigate · click thread line to collapse