Except the virtualisation systems, common ones at least like Xen and Qemu/KVM, don't seem to take any different approach to secure programming than the kernel does. They offer no more assurance of security than the kernel. While they might have fewer interfaces to their host than the kernel does to regular users, those interfaces can be very very complex (because performance is so important) and even arcane (e.g. for compatibility with x86 distributions - applies even with Xen sometimes). Xen and KVM regularly have issues that compromise host security.
Virtualisation does not seem a solution to me. Any systematic solution to security of hypervisors seems like it'd apply equally well to traditional kernels, surely?
Posted Oct 31, 2011 18:04 UTC (Mon) by raven667 (subscriber, #5198)
Sure, what you say is true but the important point is that the interface between the OS kernel and the Hypervisor is much smaller and more rigidly defined than the interface between a user process and an OS kernel. The Hypervisor has orders of magnitude fewer features and attack surface area and is therefore more practical to usefully validate.