logoalt Hacker News

tptacektoday at 6:04 PM5 repliesview on HN

One of his dumber takes. Virtualization replaces an ultra-functional general-purpose kernel evolved over decades to support every conceivable application with a drastically smaller "kernel" (KVM and the userland hypervisor). It's a drastic attack surface reduction, and the empirical data bears that out: kernel LPEs aren't even newsworthy (there's whole repos full of unnamed, unremarked-upon LPEs), and KVM escapes are very rare.


Replies

boricjtoday at 6:21 PM

Doesn't that message date back to a time that either predates or is almost concurrent with the introduction of x86 hardware-assisted virtualization? I wasn't around playing with VMs back then, but I'm not sure that the track record of x86 virtualization 20 years ago was that great.

show 3 replies
xattttoday at 7:18 PM

> replaces an ultra-functional general-purpose kernel evolved over decades to support every conceivable application with a drastically smaller "kernel"

Is a Proxmox kernel that much smaller than a typical Linux kernel?

show 2 replies
naturalmovementtoday at 6:54 PM

If someone purposely dug up emails you wrote 19 years ago, I'm sure they'd find some of your "dumber takes" as well.

I'm not sure what the purpose of revisiting this is beyond provoking a flamewar on a slow Sunday.

show 3 replies
ummonktoday at 6:16 PM

How big is the OpenBSD kernel and userland actually compared to a virtualization layer?

TZubiritoday at 6:21 PM

I'm anti virtualization, but mostly due to the internal complexities of the guest applications being swept under the rug, it's undeniable that the host is protected and thus neighbouring guests (of course it is with almost 20 years of hindsight I can say this.)

That the hypervisor is effectively an operating system/kernel I have always held, and that it is a smaller and thus less vulnerable kernel is an appropriate explication I think. It's very hard to secure an all purpose kernel like Linux without actually building it yourself (and even then..)