[no-dr-onboard]

You might have it backwards. Most people typically do untrusted actions inside the VM and keep their host “clean”. You’re correct though that VM escapes are pretty difficult, especially with modern, patched microcode processors.

[a1xndr]

> VM escapes are pretty difficult, especially with modern, patched microcode processors

Most VM escapes happen through buggy virtual-devices written in C/C++/.. code. Virtual-device bugs that are exploitable by attackers with root access in the VM are found frequently.

[fsflover]

It's not frequent at all with Qubes hardware virtualization: https://www.qubes-os.org/security/xsa/.

[danuker]

> modern, patched microcode processors

This makes me wonder how many security holes CPUs have which have been buried into secrecy by the manufacturers.