Why can’t OSes or browsers make a perfect sandbox to securely run applications?


Every few days, weeks, or months, it seems, there’s an announcement that this VM or that web browser has a newly discovered vulnerability that allows someone to arbitrarily execute code outside of the intended “sandbox”. And while I am a software developer, and understand the basic nature of some of the exploits taking advantage of flaws, over-writing memory, etc., I still don’t seem to accept or fully understand why there’s no way to create an environment in which it was effectively/absolutely impossible — as opposed to semi-routine. Can anyone explain it to me?


9 Answers

Anonymous

There’s a balance between usability and security. The most secure machine is one that takes no inputs and produces no outputs. However, that machine is useless to almost everyone. This extends to VMs. If you can’t add input to a VM, and the VM doesn’t output anything, what’s the point?

For modern machines to be useful, you’d need an avenue to feed them instructions, at the very least. By virtue of its existence, that avenue is potentially an avenue to feed it *bad* instructions.

Lastly, there exist critical vulnerabilities that can detect/break out of VMs.
