Comment by burnt-resistor

burnt-resistor 1 day ago parent

They're slow and so unsuitable for dev work. They might be somewhat better for prod, but it depends on a wide selection of unproven hypervisors.

tptacek 1 day ago

Which "unproven" hypervisors are those? Kata works with Firecracker.

worthless-trash 7 hours ago

I think they mean in regards to cross kernel attacks. vms didn't protect across speculative execution attacks.

I believe there are even more course grained timing attacks with dma and memory that are waiting to be abused.

tptacek 6 hours ago

No, that's true, VMs don't protect against microarchitectural attacks. But neither does shared-kernel isolation; in fact, shared-kernel is even worse at it. So if that's the concern, it doesn't make much sense in the threat model.

This item has no comments currently.