undefined | Better HN

0 pointskentonv4y ago0 comments

> Firecracker [0], likely to be more, not less, secure than Isolates [1]

This is debatable. It's true that V8 is a much larger attack surface than Firecracker, therefore likely to have more security bugs than Firecracker itself. However, Firecracker runs attacker-provided native code directly on hardware, which means that hardware itself becomes an attack surface, one that is quite wide, not fully documented, and very hard to patch if problems arise. It's much easier to work around hardware bugs when you're working from JS / Wasm and can control the code generation.

Ultimately I don't think you can really say one or the other model is more or less secure.

(Disclosure: I'm the tech lead for Cloudflare Workers so I am obviously biased here.)

0 comments

ignoramous4y ago

Thanks Kenton.

> Firecracker runs attacker-provided native code directly on hardware, which means that hardware itself becomes an attack surface, one that is quite wide, not fully documented, and very hard to patch if problems arise. It's much easier to work around hardware bugs...

I see your point. I mean, Google wouldn't put as much effort as they are on gVisor if KVMs were the best possible answer.

kentonvOP4y ago

To be fair, gVisor also runs native code directly on hardware. Any modern VM-based system is still depending on the CPU to enforce boundaries. A big CPU bug could ruin that at any time. (Spectre has been pretty bad, but not quite a showstopper...)

j / k navigate · click thread line to collapse