
>Pretty much every cloud outside the big three (AWS, GCE, Azure) runs on QEMU.

QEMU typically uses KVM for the hypervisor, so the vulnerabilities will be KVM anyway. The big three all use KVM now. Oxide decided to go with bhyve instead of KVM.
No, QEMU is a huge C program which can have its own vulnerabilities.

Usually QEMU runs heavily confined, but remote code execution in QEMU (remote = "from the guest") can be a first step towards exploiting a more serious local escalation via a kernel vulnerability. This second vulnerability can be in KVM or in any other part of the kernel.


> The big three all use KVM now.

This isn't true - Azure uses Hyper-V (https://learn.microsoft.com/en-us/azure/security/fundamental...), and AWS uses an in-house hypervisor called Nitro (https://aws.amazon.com/ec2/nitro/).


>This isn't true - Azure uses Hyper-V

I thought Azure was moving/moved to KVM for Linux, but I was wrong.

>AWS uses an in-house hypervisor called Nitro

Nitro uses KVM under the hood.


Nitro does not use QEMU or many other parts traditionally used with KVM, however.

https://www.brendangregg.com/blog/2017-11-29/aws-ec2-virtual...


Still KVM, that is the core of the hypervisor.


Azure uses Hyper-V; unless things have changed massively, the Linux they run for infra and customers is in Hyper-V.
