[worthless-trash]

I think they mean in regards to cross kernel attacks. vms didn't protect across speculative execution attacks.

I believe there are even more course grained timing attacks with dma and memory that are waiting to be abused.

[tptacek]

No, that's true, VMs don't protect against microarchitectural attacks. But neither does shared-kernel isolation; in fact, shared-kernel is even worse at it. So if that's the concern, it doesn't make much sense in the threat model.

[burnt-resistor]

Isolation guarantees: Separate metal > type 1 hypervisors > type 2 hypervisors > containers > processes > OS threads > cooperative threads ;)

[worthless-trash]

Accurate and agree.