User: Password:
Subscribe / Log in / New account

Qubes: security by virtualization

Qubes: security by virtualization

Posted May 6, 2010 23:28 UTC (Thu) by spotter (subscriber, #12199)
In reply to: Qubes: security by virtualization by PaXTeam
Parent article: Qubes: security by virtualization

I don't disagree, if I were to attack my system, I'd go after kernel bugs. but that's an attack against many systems, including much more complicated systems like SELinux. in my system there are ways to mitigate that problem (leverage a combination of OS containers and VMs, perhaps use VMs for persistent containers, and have a set of VMs to store a larger set of ephemeral containers), but won't perfectly solve it and will also increase overhead (and as we note at least in the final draft, ease of use and good security are always in tension)

It's actually not in that old tech report, nor in the final version being submitted to USENIX due to space constraints, but was in intermediate versions and has always been in the talks I've given on it, where I basically stated up front that we were concerned about exploits like the run of PDF exploits, but if you are concerned about the kernel being exploited as well that would need a different container approach being container's don't provide isolated kernels.

so I'll agree with

(Log in to post comments)

Qubes: security by virtualization

Posted May 6, 2010 23:29 UTC (Thu) by spotter (subscriber, #12199) [Link]

"so I'll agree with" you on that point

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds