by fsflover 1 day ago
I'm not sure I understand your question. VMs run full operating systems on top of the Xen hypervisor, relying on hardware-assisted virtualization (VT-d or similar). You can run untrusted software in a dedicated VM and keep your sensitive data in another, offline VM.

The dom0 has no network and doesn't manage, e.g., USB devices.


You can't have full general purpose computing on a system and perfect isolation for free.

By definition, the latter implies limits on the former.

Either you have complete freedom to run whatever you want, however you want, or you enforce limits to guarantee system behavior and enforce isolation.

And if you do the latter... then you don't have the former.

Can you elaborate? I'm not a computer scientist. In my understanding, full VMs are practically equivalent to general-purpose computers. What are their limitations? Malware escapes?

The last VM escape in VT-d was discovered in 2006 by the Qubes founder, so I really feel safe on Qubes: https://en.wikipedia.org/wiki/Blue_Pill_(software)

We're talking about apples and oranges.

I thought your original point above was that VMs freed you from having to come up with policy-based isolation rules (which have always been a UX weakness of policy-based isolation systems).

The point I was making is that VMs don't provide any security guarantees unless you also use the trusted hypervisor layer to enforce something.

At the lightest touch, this might be time-slicing resources and ensuring they're evenly split between VMs, regardless of what individual VMs try to do.

But to provide policy-like granular security control on VMs, you fundamentally have to generate similar rules. E.g. the network can only be used by this VM in this way, etc.

Which gets you right back to having to define policies.

From an architecture security perspective, sure, having a trusted hypervisor enforcing the rules is nice. But it doesn't fundamentally fix the problem of getting policies right... if you're trying to guarantee the same level of control.
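To make the "you still have to define policies" point concrete, here is an added toy model (not Qubes code, and not Qubes' actual firewall implementation) of per-VM network rules in the style of the fields Qubes' qvm-firewall exposes: first matching rule wins, and a VM with no matching rule or no policy entry at all gets nothing, which is how an offline vault VM or a network-less dom0 looks in this model. The VM names, addresses (from the TEST-NET documentation ranges) and rules are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                                # "accept" or "drop"
    dsthost: str = "0.0.0.0/0"                 # destination network (CIDR)
    proto: Optional[str] = None                # "tcp"/"udp", None = any
    dstports: Optional[Tuple[int, int]] = None # inclusive port range, None = any

Policy = Dict[str, List[Rule]]

def evaluate(policy: Policy, vm: str, dst: str, proto: str, port: int) -> str:
    """Return the verdict for one outbound connection attempt from `vm`.

    Rules are consulted in order; the first match decides.  Anything that
    matches no rule, including traffic from a VM with no policy entry, is
    dropped: isolation is the default, and connectivity must be granted.
    """
    for rule in policy.get(vm, []):
        if ip_address(dst) not in ip_network(rule.dsthost):
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dstports is not None and not (rule.dstports[0] <= port <= rule.dstports[1]):
            continue
        return rule.action
    return "drop"

# Constructed example policy: three qubes-style VMs with different roles.
POLICY: Policy = {
    # "work" may only reach one corporate subnet over HTTPS; everything else drops.
    "work": [Rule("accept", "203.0.113.0/24", "tcp", (443, 443))],
    # "untrusted" is allowed anywhere: isolation here comes only from being a separate VM.
    "untrusted": [Rule("accept")],
    # "vault" is the offline VM from the thread: a policy entry with no accept rules.
    "vault": [],
    # dom0 deliberately has no entry at all.
}

def audit(policy: Policy, attempts: List[Tuple[str, str, str, int]]) -> List[str]:
    """Evaluate a list of (vm, dst, proto, port) attempts; used by the test."""
    return [evaluate(policy, *a) for a in attempts]

if __name__ == "__main__":
    for attempt in [("work", "203.0.113.10", "tcp", 443), ("work", "203.0.113.10", "tcp", 22),
                    ("vault", "203.0.113.10", "tcp", 443), ("dom0", "198.51.100.5", "udp", 53)]:
        print(attempt, "->", evaluate(POLICY, *attempt))
```

Note that granting "work" HTTPS to one subnet but nothing else is exactly the kind of rule the comment above says the hypervisor layer cannot write for you; the VM boundary enforces whatever the rule says, but deciding the rule is still a policy problem.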