
tptacek
Which "unproven" hypervisors are those? Kata works with Firecracker.

burnt-resistor
QEMU is better known and more tested than Firecracker; i.e., a hacked version is used in Xen, which has been used everywhere in the past decade, while Firecracker is primarily an Amazon-only thing. Cloud Hypervisor, Dragonball, and StratoVirt aren't well-known or battle-tested IMO. The problem is that none of these possess the true manageability and isolation features of any solid type 1 hypervisor, which makes Kata equivalent to a user-space application rather than a reliable platform with harder resource isolation guarantees.

https://github.com/kata-containers/kata-containers/blob/main...

tptacek OP
Firecracker is probably the 2nd or 3rd most widely deployed hypervisor in production deployments. I think "Amazon-only" isn't doing the rhetorical lifting you mean it to do. The idea that it's "equivalent to a user-space application" makes very little sense.

worthless-trash
I think they mean with regard to cross-kernel attacks. VMs didn't protect across speculative execution attacks.

I believe there are even more coarse-grained timing attacks with DMA and memory that are waiting to be abused.

tptacek OP
No, that's true, VMs don't protect against microarchitectural attacks. But neither does shared-kernel isolation; in fact, shared-kernel is even worse at it. So if that's the concern, it doesn't make much sense in the threat model.

burnt-resistor
Isolation guarantees: Separate metal > type 1 hypervisors > type 2 hypervisors > containers > processes > OS threads > cooperative threads ;)