Virtual machines (VMs) offer better isolation than containers: it's one of those "known facts" that most people never question, and one that server virtualization fans (and vendors) use as a key point in their arguments in favor of VMs and against containers.
It's probably a fair point to make, because an application running in a virtual machine is isolated from apps running in other virtual machines on the same host, and indeed from much of the host itself.
It's also true that applications running in containers are isolated from applications running in other containers on the same container host, and from the container host itself — but to a lesser degree. That's because, the argument runs, containers share the host's operating system kernel with each other and with the host, so a vulnerability in that kernel could provide a way into, or out of, the containers sharing it.
Of course, if there's a vulnerability in a virtualization hypervisor the same could be true, but since a hypervisor provides far less functionality than a regular Linux kernel (which typically implements file systems, networking, application process controls and so on), it presents a much smaller attack surface.
But just because virtual machines are (arguably) better isolated from each other than containers, and despite a hypervisor having a smaller attack surface, that doesn't mean escaping from this isolation can't happen.
VM Escape Exploit Showcased at Pwn2Own Hacking Conference
This was proved last month at the Pwn2Own hacking conference in Vancouver, when one team showed off a VM escape: the Qihoo 360 security team chained together three exploits to get from Microsoft's Edge browser running in a VMware virtual machine to pwning the underlying host.
Now that's pretty scary: think of the number of applications running on virtual machines on shared hosts in cloud data centers where application owners have no idea who they are sharing the host hardware with.
No Need for Surprise When It Comes to VM Security Shortcomings
On the other hand, we shouldn't be surprised, according to Dino Dai Zovi, a security expert quoted by Ars Technica. "A virtual machine hypervisor is just another software-based isolation layer that can have vulnerabilities in it that permit attacks to break through," he told the website. "Isolation layers such as sandboxes, virtualization, and containerization all add more work for an attacker, but none is perfect. Defenders should always assume they can be broken through with enough work by an attacker."
It seems that the problem in VMware's software is not an isolated case, either. The company recently issued patches to its software to sort out a number of serious problems. The first two are a heap buffer overflow and an uninitialized stack memory usage in SVGA. "These issues may allow a guest to execute code on the host," VMware warns. Yikes!
Another is a bug in its XHCI controller, allowing uninitialized memory usage. "This issue may allow a guest to execute code on the host," says VMware. Double yikes!
Another case of uninitialized memory usage is less serious since it only offers the possibility of information leakage rather than a complete takeover of the host machine. Still, not ideal by any means.
At least one of these problems is linked to Qihoo 360's Pwn2Own hack, but the others? Who knows?
It just goes to show that virtual machines may be more secure than containers, but only by degree. There's no room for complacency, and wrapping stuff up in a virtual machine — or a container — doesn't guarantee security. It just helps a little, but if you end up getting pwned, that's not really much help at all, is it?
Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.