by viraptor
3182 days ago

I believe what zlynx meant was that if you want to escalate from the VM to the host, you usually do that via the virtualised devices. On a normal system, your path (for a web service on Linux) would be: App exploit (-> LSM breakout?) -> local to root escalation -> VM to host escalation via device. For a unikernel deployment that's just: App exploit -> VM to host via device.

It does move the hypervisor up a few levels of abstraction, which could be dangerous, but (more to the point) the benefit is isolation from other misbehaving apps.