Godfather of Xen On Why Virtualization Means Everything

coondoggie writes "While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosb, says virtualization actually holds a key to better security. Isolation — the ability to restrict what computing goes on in a given context — is a fundamental characteristic of virtualization that can be exploited to improve trustworthiness of processes on a physical system even if other processes have been compromised, he says."

OS design fail

[Animats]

If OSs hadn't failed so bad on isolation, we wouldn't need so much virtualization. "Virtual machine monitors" are just operating systems with a rather simple application API. Microkernels, if you will.

Re:OS design fail

[White+Flame]

OSes haven't failed as a whole. The current desktop/server ones just haven't caught up to and rediscovered the proper design principles of the old mainframes.

Re:OS design fail

The higher security certifications start to have WEIRD consequences for a general purpose system, we went over these a bit in computer science.

          For instance, under the (apparently now obsolete) orange book ratings, C2 is pretty normal, NT4 (not on a network) was certified to this level, and a certified version of HP-UX, Irix, VMS, etc. were sold back in the day at level C1.

          To get a B1 rating? Well, for one example, "covert communications" channels are banned -- so, no pipes, no sysv shared memory .. but ALSO no conventional UNIX signals, a B1 OS cannot even tell you a load average, CPU usage, or other types of info "top" shows, because a process could modulate it's CPU usage or renice/unrenice itself to pass information covertly.

ad infinitum

[More+Trouble]

And if the current level of virtualization isn't secure enough, adding another virtual layer will certainly improve security even more.