[Article] VMScape and why Xen dodged it


Some quotes from the article:

a malicious VM can target the hypervisor’s userspace components and start leaking data. For KVM, that means QEMU, which is heavily exposed. VMware is in the same situation.

[…]

Why Xen wasn’t affected

Xen was designed to keep the hypervisor core small and move everything else out. Device emulation, storage drivers, network stacks — they all live in Dom0

[…]

That architectural choice makes Xen closer to a microkernel than a traditional monolithic hypervisor. The core stays minimal, with a narrow set of responsibilities, and anything that doesn’t absolutely need to run at the highest privilege level gets pushed out.


Well, that’s something to celebrate for us. Congrats to Xen hypervisor developers and maintainers.

6 Likes

It’s nice to remember that we could correct that heading to say:

 Why Xen and Qubes weren't affected...

Even nicer to remember that the Qubes philosophy is to push as much as possible of the non-core stuff even further out, into “unprivileged” VMs.

It’s pure genius: congratulations and thanks to the Qubes developers and maintainers, too.

(Personal gripe: It’s just a pity their work seems to be hindered by the bizarre manoeuvres of the hardware manufacturers, who seem determined to reserve fully working and secure virtualization of hardware for their high-volume server customers. Intel, Nvidia, AMD, and motherboard manufacturers, I’m thinking of you!)

2 Likes