by nickpsecurity 3945 days ago
How many bugs has the OpenBSD team found, vs. those found in Xen? That would be a relevant comparison. From there, an assessment of the exploitability of each, given OpenBSD's attention to mitigation.

What you said, on the other hand, was meaningless given that OpenBSD has had bugs that could lead to a crash. The real question is, "Do Xen or security-focused virtualization schemes (a) reduce the number of vulnerabilities with the impact of kernel-mode 0-days, and/or (b) prevent, contain, or facilitate easy recovery from OS- and app-level 0-days?" Prior experience in security-focused efforts shows yes to both questions. Xen isn't one of them, as the existence of the Xenon project shows. However, its small size and improvements over time make it substantially less risky than an arbitrary OS + software combination, esp. if the layer above is also addressed (e.g., MirageOS). Even Galois Inc.'s conservative teams are using it in some work.


Well, the point is my security would not have been improved, in any way, by running on top of Xen and sharing my server with some rando.

I agree with that. It's why I still recommend BareMetal hosting and physical separation where possible. ;)

Why would you be sharing your server with some rando? You don't have to share your Xen deployments with other people if you don't want to, you know :)