tptacek
They don't work as reliable security boundaries; they're developer/ops tools.
Thomas, what are your thoughts on micro-VMs such as Kata Containers? You can use them as a backend for Docker in place of runc.
I'm sure you're well aware, but for the readers, they are isolated with a CPU's VT instructions, which are built to isolate VMs. I still think "containers don't contain" in a very Dan Walsh Boston accent, but this seems like a respectable start.
They're slow and so unsuitable for dev work. They might be somewhat better for prod, but it depends on a wide selection of unproven hypervisors.
Which "unproven" hypervisors are those? Kata works with Firecracker.
I think they mean in regards to cross-kernel attacks. VMs didn't protect across speculative execution attacks.
I believe there are even more coarse-grained timing attacks with DMA and memory that are waiting to be abused.