# LXC versus KVM-Qemu - which is more secure against jail break

## dman777

I see in 2011-05-19 there was a released fix for two security exploits for Qemu-Kvm. What about LXC? Up to date, which one is more secure against jail breaks? I did a Google search and didn't really find anything about LXC in that respect, but then again it's probably not as popular.

----------

## audiodef

I'd be interested in knowing about this, too. 

http://lxc.sourceforge.net/

Looks pretty good to me. Anyone else use it?

----------

## depontius

Now that I see it, I'm quite interested in this, as well.

I use a laptop in a cradle as my desktop, but every now and then I'd like to take it to a meeting, or whatever.  Engineering applications on Linux tend to be quite brittle about the network, and don't like the idea of it going away, coming back, or changing.  The simplest use would be to put the engineering applications in a container, and quiesce that container when away from the desk.  Next up would be some sort of VPN-like connection, so that those applications could keep a consistent IP even though the real network is moving from wired to wireless, etc.  Still, quiescing the container while juggling the network seems necessary to me.

----------

## Hu

Theoretically, KVM should be more secure since it virtualizes an entire machine.  You could then run the suspicious code as an unprivileged user in a guest system.  In order to fully escape, an attacker would need to break out of the hypervisor.  Most, though not all, attacks against hypervisors have required privilege in the guest, so an attacker would need to elevate inside the guest before attacking the host.  However, KVM will also be much heavier than LXC since you need to run a second machine.

----------

## chithanh

If isolation is your top priority, then run QEMU as user. The performance will not be great, but any exploit which allows the attacker to break out of QEMU will give him at most user privileges on the host.

LXC is currently not secure at all against a privileged user breaking out.

----------

## depontius

In my case, I'm not after it for security, I just want a better and easier chroot.  Plus I want to be able to suspend the chroot temporarily and restart it later.

Question...  It looks to me as if lxc suggests bridged networking in the container.  I believe that for my purposes routed networking would work better.  I haven't gone through the documentation thoroughly yet, but haven't seen anything about doing it that way.  Does anyone here have experience with lxc and routed networking?

----------

## dman777

I was on #gentoo-hardened, and it was mentioned that with GRSecurity's findtask feature, LXC Container was worthy of being considered secure, if I understood correctly.

Since I read about RHEL reporting this security flaw for Qemu KVM, I'm not sure a VM is as secure as it is believed:

*Quote:*

> It was found that the virtio subsystem in qemu-kvm did not properly validate virtqueue in and out requests from the guest. A privileged guest user could use this flaw to trigger a buffer overflow, allowing them to
> ...

----------

## Hu

All systems have bugs, and some of those bugs are severe.  The first CVE is in line with the typical problem for paravirtualized systems: a guest kernel can feed bad data to the hypervisor, and the hypervisor may not handle it well.  The second CVE is more concerning, but both are fixable.  If you assume that a malicious user in the guest has permission to make arbitrary system calls and supply crafted data to those calls, then the attack surface is considerably larger.

----------

