[HN Gopher] VMScape and why Xen dodged it
___________________________________________________________________
VMScape and why Xen dodged it
Author : plam503711
Score : 73 points
Date : 2025-09-28 18:19 UTC (4 hours ago)
(HTM) web link (virtualize.sh)
(TXT) w3m dump (virtualize.sh)
| indigodaddy wrote:
| If anyone was looking there are still some Xen VPS providers
| around, one of the oldest being Tornado VPS (formerly prgmr.com).
|
| https://tornadovps.com/about
|
| The founders literally wrote the book on xen:
|
| https://nostarch.com/releases/xen.html
| transpute wrote:
| On HP business PCs, Xen's microkernel architecture was extended
| for copy-on-write nested virtualization microVMs (VM per browser
| tab or HTTP connection) and UEFI-in-VM,
| https://www.platformsecuritysummit.com/2018/speaker/pratt/ |
| https://news.ycombinator.com/item?id=42282053#42286147
|
| Imminent unification of Android and ChromeOS will likely use a
| similar h/w nested-virt architecture based on L0 pKVM + L1 KVM
| hypervisors on Arm devices.
|
| Honda is using Xen, _" How to accelerate Software Defined
| Vehicle"_ (2025),
| https://static.sched.com/hosted_files/xensummit2025/93/HowTo...
| yjftsjthsd-h wrote:
| I guess I don't quite follow. The attack can let an attacker in a
| normal VM see memory in either the host or a Xen dom0 VM. Why is
| it less impactful to get memory from the management VM instead of
| the host?
| bayesnet wrote:
| While it's interesting that Dom0 avoids Spectre-style branch
| prediction attacks it's not clear from TFA exactly why that is
| so. How does the architecture of the hypervisor avoid an attack
| that seems to be at the hardware level? From my limited
| understanding of Spectre and Meltdown, swapping from a monolithic
| to a microkernel wouldn't mitigate an attack. The mitigations
| discussed in the VMscape paper [0] are hardware mitigations in my
| reading. And I don't see Xen mentioned anywhere in the paper for
| that matter.
|
| I guess it's sort of off topic, but I was enjoying reading this
| until I got to the "That's not just elegant -- it's a big deal
| for security" line that smelled like LLM-generated content.
|
| Maybe that reaction is hypocritical. I like LLMs; I use them
| every day for coding and writing. I just can't shake the feeling
| that I've somehow been swindled if the author didn't care enough
| to edit out the "obvious" LLM tells.
|
| [0]: https://comsec-files.ethz.ch/papers/vmscape_sp26.pdf
| remix2000 wrote:
| It's not necessarily a sign of AI slop -- could be just proper
| typography! :3
| duskwuff wrote:
| It's not the em dash, but the negative parallelism ("not X,
| but Y"). This is a pattern which some LLMs really like using.
| I've seen some LLM-generated texts which used it in literally
| every sentence.
|
| (The irony of opening with this pattern is not lost on me.)
|
| As an aside, Wikipedia has a fascinating document identifying
| common "tells" for LLM-generated content:
|
| https://en.wikipedia.org/wiki/Wikipedia:Signs_of_AI_writing
| exe34 wrote:
| I have autism and I like using that kind of comparison when
| writing.
| somat wrote:
| Maybe this is the problem with LLMs, Using them feels great,
| But having them be used on you is highly unpleasant.
| mikewarot wrote:
| I think it might be translation from French instead of LLM
| usage.
|
| While Microkernels are great for overall security, it's also
| not obvious to me how it helped in this case.
| BobbyTables2 wrote:
| I don't quite see what they're getting at.
|
| Is it just because it's another VM switch to get to dom0? Seems a
| bit unlikely...
|
| Xen has a hypervisor for dealing with the low level details of
| virtualization and uses dom0 for management and some HW
| emulation.
|
| QEMU/KVM uses the host kernel for the low level details of
| virtualization and the QEMU userspace portion to do the actual HW
| emulation.
|
| They're actually remarkably similar aside from the detail that
| the Xen hypervisor only juggles VMs but the KVM design involves
| it juggling other normal processes...
|
| The people praising Firecracker are just turning a blind eye to
| the 10000+ lines of (really hairy) C code in the kernel doing x86
| instruction emulation and the actual hypervisor part.
| aborsy wrote:
| Which is precisely why Qubes OS uses Xen.
| eigenform wrote:
| Since everyone is upset about the lack of technical details in
| the article, I'll try:
|
| The takeaway from that paper (imo, afaict) is that guest
| userspace can influence indirect predictor entries in KVM host
| userspace. I don't really know anything about Xen, but presumably
| it is unaffected because there is no Xen host userspace, just a
| tiny hypervisor running privileged code in the host context. With
| KVM, Linux userspace is still functional in the host context.
|
| Presumably, the analogy to host kernel/userspace in KVM is dom0,
| but in Xen this is a guest VM. If cross-guest cases are mitigated
| in Xen (like in the case of KVM, see Table 2 in the paper), you'd
| expect that this attack just doesn't apply to Xen. Apart from
| there being no interesting host userspace, IBPB/STIBP might be
| enough to insulate other guests from influencing dom0. If you're
| already taking the hit of resetting the predictors when entering
| dom0, presumably you are not worried about this particular bug.
|
| edit: Additional reading, see https://github.com/xen-
| project/xen/blob/master/xen/arch/x86/...
___________________________________________________________________
(page generated 2025-09-28 23:00 UTC)