by mato
2411 days ago

> "Of the top 100 vulnerabilities reported for QEMU:
> - 65 were not guest exploitable
> [...]

Which leaves about 30 that presumably were guest exploitable.

Don't get me wrong -- QEMU is useful. As a "kitchen sink" solution that runs anything, anywhere, with any useful combination of emulated {devices,processors,systems}. However, this is also its biggest weakness. Which is why Google and Amazon all run their own custom VMMs for their IaaS services.

The microvm machine type as described here is a great step to improve this situation. The next step in my book would be to reconfigure QEMU's build system to allow building a binary that only supports the devices provided by microvm, and nothing else.