
Unikernels will create more security problems than it solves - mitchpron
http://thenewstack.io/unikernels-will-create-security-problems-solve/
======
mitchpron
I'm not totally sold on Bias' viewpoint. He wrote another interesting article
declaring the death of hypervisors and the eventual takeover of containers:
[http://cloudscaling.com/blog/cloud-computing/will-containers...](http://cloudscaling.com/blog/cloud-computing/will-containers-replace-hypervisors-almost-certainly/)
When I talked to a guy who had worked on the Xen hypervisor for years, he kept
going back to Randy's key requirement for all this to be true: "if configured
properly." So this other guy's response was "SELinux is an armed camp if
configured properly, yet we have everyone
from major banks to the Pentagon being hacked. Truth is that few people have
adequate time to configure security properly in the real world. Something that
is "probably" as good as the status quo is a very scary statement for those of
us living in the real world."

------
wmf
I disagree with this argument. What ring the code runs in doesn't really
matter; it's true that a buffer overflow in a (properly built) unikernel will
get the attacker into ring 0, but the attacker will find that _there is almost
nothing there_. No globally shared filesystem, no hundreds of system calls, no
processes, nothing. A ring 3 Unix process is actually a much richer
environment to exploit.

I think unikernels are a bad idea compared to containers, but not for this
reason.

