by redleader55 106 days ago
Agentic workloads create and then run code. You don't want to just run that code in a "normal" environment like a container, or even a very well protected VM. There are other options, of course, e.g. gVisor, crosvm, Firecracker, etc., but this one is uncommon enough to have a small number of attackers trying to hack it.
What's wrong with a well protected VM? Especially compared to something where the security selling point is "no one uses it" (according to your argument; I don't know how secure this actually is).
Nothing, but "there are already working options" does not necessarily mean we shouldn't try new (and sometimes weird) things
Yeah, but GP was replying to a comment saying "you don't want to run code in a well protected VM". Which is of course complete nonsense to say, and GP was right to question it.
GP says "You don't want to just run that code in ... even a very well protected VM." Why?
Because unless you can fund several teams (kernel, firmware (BIOS, etc.), GPU drivers, QEMU, KVM, extra hardening (e.g. QEMU runs under something like bpfilter)) plus a red team, security through obscurity is cheaper. The attack surface area is just too large.
What is this "security through obscurity" you're talking about? We're talking about running Linux in a VM running in a browser. That has just as much attack surface (and in some ways, more) as running Linux in a hypervisor.