Yet another critical Xen VM escape bug with a working exploit

xenbits.xen.org/xsa/advisory-212.html

Yet another critical Xen VM escape bug with a working exploit.

Feeling safe on qubes?

Why does qubes give all its guests password-less sudo? Nearly all hypervisor escapes require root privileges in the guest to begin with.

Qubes gives away the privilege escalation for free.

This is Joanna's reasoning

qubes-os.org/doc/vm-sudo/

Yes, I'm glad these bugs are being found and fixed. Xen has a relatively small code base, so fewer places for bugs to hide. And Qubes mostly uses PV guests, so it doesn't have to deal with the monstrosity of QEMU emulated devices.

I don't want to remember a password for each of my guests

Switch to Docker / Linux Containers if you want security.

somebody post the theo rant on security through virtualization, i'm too lazy to search for it in my pasta archive


kek'd

Does Vincent Canfield use Xen for his VPS cock boxes?

Got you covered fampai.


marc.info/?l=openbsd-misc&m=119318909016582

btw how is openbsd's new native hypervisor?

Like everything on OBSD, either it was already there since the beginning or it doesn't exist.

It will never be relevant. Wasn't it just enabled a few months ago?

Theo started changing his mind about virtualization around 2012/2013. Work began on the hypervisor around 2015. It's way too late.

I've always wondered, why is Xen able to run on any CPU but KVM requires a CPU with virtualization technology?

...

Thanks google

Because xen is shit

vmm is not being recommended for security.
That was about x86 virtualization; x86 hardware virtualization support has changed a lot since that mail in 2007.

Qubes is still a work in progress, it's important for these bugs to be worked out now while the project is relatively young.

Xen is 15 years old.

Thoughts on Firejail? How secure is it?

It still can't drive or consent, pretty young imo.

Not in my cunt.

What's the goal of projects like oss-fuzz and Project Zero? Google has been finding and fixing serious bugs in competitors like iOS for free.

qubes-os.org/news/2017/04/04/qsb-29/

This is another bug resulting from the overly-complex memory
virtualization required for PV in Xen. As we announced last year [5],
the upcoming Qubes OS 4.0 will no longer use PV. Instead, we will be
switching to HVM-based virtualization

At the same time, we would like to point out that the security of Qubes
OS has so far been affected by less than 10% of publicly disclosed Xen
bugs, as tracked by the recently created Xen Security Advisory (XSA)
Tracker.

Yes.

Paravirtualization. The virtualized OS isn't actually virtualized, it knows it's virtualized and sends requests to the host, not the hardware. You can still use KVM with Xen if you want, and it should perform better.