
The old Theo quote... You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.



There are three ways of looking at this, one in which he's wrong, and two in which he's saying something much less interesting than it sounds like he's saying.

As this P0 post says repeatedly: KVM has a relatively small attack surface. It's audited pretty carefully relative to the rest of the kernel. The idea behind KVM-based workload isolation is that it trades a very large attack surface (the entire kernel) for one that is by definition much smaller (a subsystem of the kernel that handles virtualization). The rest of the kernel runs behind that subsystem, as far as isolated applications are concerned. This is a very good trade in practice. The Linux kernel (really, all Unix kernels) is much less trustworthy than kernel VMM drivers.

So if de Raadt means to be saying that virtualization is by design less secure than shared-kernel isolation, he's wrong, just sort of plainly.

On the other hand, there are at least two valid points he can be making with this line.

First: virtualization systems consist of more than just the kernel virtualization driver. If you include QEMU in the mix, for instance, it's debatable whether you've gained much over a single exposed Linux kernel. Especially at the time de Raadt wrote this, it would be totally fair game to say that virtualization was a security shitshow compared to jailing processes or whatever. Of course, the future belongs to memory-safe VMMs that use a smaller and smaller subset of memory-unsafe kernel code.

Second, it's just hard to write anything without security holes, so if "it's not bug free" is the dunk here, well, let him cast the first stone, &c.


Option #4: Theo was responding to virtualization advocates who claimed VMs offered as good or better security isolation than physically separate boxen.

At the time, and in some cases still today, plenty of advocates still make that claim. Many others just assume the truth of it, if only because to question it would cause cognitive dissonance with the prevalence of cloud hosting. (Notwithstanding that some savvier companies use EC2 much like they would a traditional server leasing provider, using instance types that take up the entire machine. Security and convenience are sometimes a trade-off, but some bargains are better than others if you don't succumb to simplistic, categorical claims. Which is what Theo was railing against.)

EDIT: For context, here's the original post https://marc.info/?l=openbsd-misc&m=119318909016582. It's from 2007, when hardware virtualization extensions were new and all VMMs had to emulate network interface cards and similar hardware. These days virtio devices are commonplace, which helps to substantially reduce footprint. OpenBSD even has its own native VMM, which of course only supports virtio devices.
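The EDIT above makes the point that virtio devices shrink the emulated-hardware footprint a guest exposes to its VMM. One check a defender can run from inside a Linux guest, added here as an example and not code from the thread, from OpenBSD or from any VMM project, is to walk the guest's PCI devices and separate virtio devices (PCI vendor ID 1AF4) from emulated legacy hardware, which is the part that needs a full device model behind it. The sysfs layout and the vendor-ID rule are standard Linux; the fixture devices and their modalias strings are constructed for the example.

```shell
#!/bin/sh
# Added example: classify a Linux guest's PCI devices as virtio (paravirtual)
# or emulated hardware, and count the emulated ones. Assumes the sysfs layout
# /sys/bus/pci/devices/<addr>/modalias and that vendor 1AF4 marks virtio.

# Classify a single modalias string (e.g. "pci:v00001AF4d00001000sv...").
classify_modalias() {
    case "$1" in
        pci:v00001AF4*) echo virtio ;;
        pci:v*)         echo emulated ;;
        *)              echo unknown ;;
    esac
}

# Print "<kind> <pci-address> <modalias>" for every PCI device under $1
# (defaults to the live sysfs tree). Works on real sysfs or on a fixture dir.
list_devices() {
    pciroot="${1:-/sys/bus/pci/devices}"
    for dev in "$pciroot"/*/; do
        [ -f "${dev}modalias" ] || continue
        alias=$(cat "${dev}modalias")
        printf '%s %s %s\n' "$(classify_modalias "$alias")" \
            "$(basename "$dev")" "$alias"
    done
}

# Number of emulated (non-virtio) PCI devices under $1; the figure a
# hardening review wants as close to zero as the workload allows.
count_emulated() {
    list_devices "$1" | grep -c '^emulated ' || true
}

# Constructed fixture standing in for a guest's sysfs: a virtio NIC, a virtio
# block device and an emulated Intel e1000 NIC (vendor 8086, device 100E).
make_fixture() {
    fx=$(mktemp -d)
    for spec in \
        '0000:00:03.0 pci:v00001AF4d00001000sv00001AF4sd00000001bc02sc00i00' \
        '0000:00:04.0 pci:v00001AF4d00001001sv00001AF4sd00000002bc01sc00i00' \
        '0000:00:05.0 pci:v00008086d0000100Esv00001AF4sd00001100bc02sc00i00'; do
        mkdir -p "$fx/${spec%% *}"
        printf '%s\n' "${spec#* }" > "$fx/${spec%% *}/modalias"
    done
    echo "$fx"
}

# Stand-alone run: audit the live guest if sysfs is present, else the fixture.
if [ -d /sys/bus/pci/devices ]; then
    auditroot=/sys/bus/pci/devices
else
    auditroot=$(make_fixture)
fi
list_devices "$auditroot"
printf 'emulated PCI devices: %s\n' "$(count_emulated "$auditroot")"
```

Run it inside a guest to see which devices still depend on a hardware emulator; on the constructed fixture it reports one emulated device, the e1000 NIC. Network interfaces are the usual offender, since a VMM that emulates a real NIC has to implement that card's register model, which is exactly the code the 2007 post was complaining about.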


Sure. I 100% think there's a reasonable reading of de Raadt's virtualization take; you don't even have to be charitable to find it. It's just not the take that people who try to dunk with it on message boards are reading.


Surname convention trivia: The lower case "de" is only used when preceded by another part of the name, like first name, initials, or another part of the last name. When used on its own, or prefixed by a title like Mr., then "De Raadt" is correct. Here's a description of this: https://www.dutchgenealogy.nl/how-to-capitalize-dutch-names-...

So e.g. you would write Vincent van Gogh, V. van Gogh, Mr. Van Gogh, or Van Gogh.


Taking that quote at face value, it is shallow and needlessly binary. It’s shallow because it is a truism (paraphrasing, you cannot write bug free software). It is needlessly binary because there is such a thing as the size of your trusted computing base.


Bug free, maybe not, but without security holes? You definitely can.


This is a ridiculous statement.

The context, and forum, are what makes it important.

Given your response logic, we can take any quote by any person and apply the same. Arguably, your response deserves the same.

To remain constructive, I suggest you research further. As my ongoing engagement (employment), and general interest, in Information Technology continue, I cannot help but further relate to Theo's attitude.. lol


A smaller attack surface should still lead to fewer security holes though.

