Unikernels are not that new. CMS running on VM has existed since the 1960s, with...

PhantomGremlin · on July 10, 2017

Something which multiplexes hardware, but provides no APIs, such that VM guests think they're running alone on bare hardware.

There is what amounts to an "API". The virtualized software thinks it's talking directly to hardware, so the API is just an emulation of that hardware. Since controlling hardware is almost invariably messier than doing system calls, the API is actually more complex.

Therefore, we can evaluate these claims by asking what we know about security breaches on VM/CMS systems.

Here's an HN post I wrote a few years ago, about VM exploits: https://news.ycombinator.com/item?id=9241807

Plenty of exploits to be found, many of which were related to emulation of "I/O channel programs", which are, essentially, System/370 I/O "hardware".

msla · on July 10, 2017

> There is what amounts to an "API". The virtualized software thinks it's talking directly to hardware, so the API is just an emulation of that hardware. Since controlling hardware is almost invariably messier than doing system calls, the API is actually more complex.

Nobody said a hypervisor was completely trivial, but just to be clear, a pure hypervisor wouldn't "emulate" any hardware except what was physically present on the system. The line between "virtual machine" and "hypervisor" and "emulator" are blurry enough as it is, and I'd like to be clear about what the subject of this little thread is.

> Here's an HN post I wrote a few years ago, about VM exploits: https://news.ycombinator.com/item?id=9241807

> Plenty of exploits to be found, many of which were related to emulation of "I/O channel programs", which are, essentially, System/370 I/O "hardware".

Very interesting. Thank you.

hderms · on July 10, 2017

In addition one would have to address hardware virtualization features that would increase security, no?