Johannes Hofmann wrote: >I don't understand what this has to do with Xen or similar approaches. >Every process has it's own address space anyway. And if there >are local root exploits, they need to be fixed, just as security flaws >that might exist in Xen or whatever. Just the fact that Xen enables you >to run several operating system instances does not increase security. > > Auditing the IIRC about 50K code in Xen is muuch easier than auditing a whole system, don't you think? More lines of defense generally don't hurt (you don't claim chroot to be bad do you? In some ways, VMs can be viewed as the extensions of those and of course, virtual hosting with root access is quite widely offered).
And the fact that you can migrate Xen VMs on the fly is particularly important in some areas.
