Does emulation/software virtualization provide more isolation/security vs hardware virtualization?

Çağlar Arlı

From my understanding:

  1. I can emulate many different architectures and systems with QEMU as a user(mode) process.
  2. There is separate user address space per process.
  3. If a malicious process were to escape emulation it could compromise the user of the process and then get root from there.
  4. Due to the high privileges needed for hardware virtualization, if a malicious process were to escape hardware virtualization the process would usually be able to directly get root.
  5. For hardware virtualization, if there were a flaw in the hardware (implementation of Intel VT/AMD-V), a malicious process in a guest would have an easier time exploiting the hardware flaw than if it were in an emulated environment.
  6. Paravirtualization/direct hardware access to other resources increases risks, but that is not relevant to the general question here.

Is this right? Does this make emulation/software virtualization more secure/isolated than hardware virtualization?