HeadlinesBriefing favicon HeadlinesBriefing.com

Theo de Raadt 2007 Xen Virtualization Critique

Hacker News •
×

Theo de Raadt, founder of OpenBSD, posted a scathing rejection of x86 virtualization on the openbsd-misc mailing list in 2007. Responding to a question about Xen, he wrote that virtualization advocates had been "smoking something really mind altering."

De Raadt argued that x86 virtualization places "another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection." He characterized the hypervisor layer as a "brand new pile of shit" inserted between hardware and the guest operating system, expanding the trusted code base rather than reducing it.

His core security objection was straightforward: a worldwide community of software engineers who cannot write operating systems or applications without security holes cannot suddenly produce virtualization layers free of vulnerabilities. The additional complexity introduces new attack surface without solving the underlying code quality problem.

Fifteen years later, this critique remains technically relevant. While hardware-assisted virtualization (VT-x, AMD-V) addressed some page protection flaws, hypervisor vulnerabilities (VENOM, Cloudburst, VM escape CVEs) validate de Raadt's threat model. The industry adopted virtualization regardless, prioritizing isolation density over minimal TCB — a trade-off OpenBSD still rejects in favor of privilege separation and pledge().