The first stable OpenVZ release
Posted Dec 15, 2005 23:17 UTC (Thu) by riel (subscriber, #3142)
In reply to: The first stable OpenVZ release by PaXTeam
Parent article: The first stable OpenVZ release
Note that with Xen you could implement some security measures that cannot be as easily exploited on a physical computer or with a single-kernel model.
It is possible for the hypervisor to enforce that certain memory in the virtual machine is read-only, and that only that memory can be mapped at certain virtual addresses. Using this protection, you can restrict the memory that kernel exploits can mess with, protecting things like kernel text, the system call table, kernel page tables, etc.
This security cannot be easily circumvented if there is a kernel bug, since it is enforced by the hypervisor.
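The policy riel describes, as an added toy model that is not Xen's code or anything from the OpenVZ article: the hypervisor validates every guest page-table update and refuses writable mappings of protected frames (kernel text, the syscall table, the page table itself) as well as mappings of those frames at any virtual page other than their fixed one. Frame numbers, page numbers and the function names hv_mmu_update() and guest_can_write() are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define NPAGES 16          /* toy guest: 16 physical frames, 16 virtual pages */
#define PTE_PRESENT 0x1u
#define PTE_WRITE   0x2u

enum frame_kind { FRAME_NORMAL = 0, FRAME_KTEXT, FRAME_SYSCALL_TABLE, FRAME_PAGETABLE };

/* Hypervisor-side bookkeeping (constructed values): which guest frames hold
 * protected kernel state and the single virtual page each may appear at. */
struct frame_info { enum frame_kind kind; unsigned fixed_vpage; };
static const struct frame_info frames[NPAGES] = {
    [2] = { FRAME_KTEXT,         10 },
    [3] = { FRAME_SYSCALL_TABLE, 11 },
    [4] = { FRAME_PAGETABLE,     12 },
};

/* The guest's page table, indexed by virtual page. Its own frame (4) is
 * protected, so the guest cannot edit it directly; every change goes
 * through hv_mmu_update(), where the hypervisor applies the policy. */
struct pte { unsigned frame; uint32_t flags; };
static struct pte guest_pt[NPAGES];

/* Hypervisor entry point for a guest page-table update; returns true if
 * applied. A protected frame may only be mapped read-only and only at its
 * fixed virtual page, so a buggy guest kernel cannot create a writable
 * alias of its own text, syscall table or page tables. */
bool hv_mmu_update(unsigned vpage, unsigned frame, uint32_t flags)
{
    if (vpage >= NPAGES || frame >= NPAGES) return false;
    const struct frame_info *fi = &frames[frame];
    if (fi->kind != FRAME_NORMAL) {
        if (flags & PTE_WRITE) return false;        /* no writable mapping */
        if (vpage != fi->fixed_vpage) return false; /* no alias elsewhere */
    }
    guest_pt[vpage].frame = frame;
    guest_pt[vpage].flags = flags & (PTE_PRESENT | PTE_WRITE);
    return true;
}

/* Guest-side view: a store to this virtual page only succeeds through a
 * present, writable mapping, which the hypervisor never grants for
 * protected frames regardless of what the guest kernel asks for. */
bool guest_can_write(unsigned vpage)
{
    if (vpage >= NPAGES) return false;
    uint32_t f = guest_pt[vpage].flags;
    return (f & PTE_PRESENT) && (f & PTE_WRITE);
}
```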