OpenBSD's security model
- Goal: Correctness.
- Security is a natural byproduct of doing things right.
- Do it right first, don't try to add "security" later.
- START with the best code possible.
- THEN add the cool "tricks". (W^X, stack protection, etc.)
- NEVER rely on the safety net of the cool tricks.
Nick's security rules:
- Don't let the bad guys on your computer.
- Don't run bad stuff on your computer.
- Running hostile code on your computer is bad.
- Virtualizing it changes that!
- No, not really.
- VM to host and VM to VM exploits have been shown.
- Virtualization code is more about "making it work".
- Security record is bad.
- Fix problems when exposed.
- Meltdown, Spectre, AMD flaws...
- Running hostile code on your computer is still bad.
- SURPRISE! No, not really.
- Virtualization doesn't really change this.