A recent article stated as follows:
"If a service is compromised, only that service is compromised."
What proof do we have of this?
Remember that the x86 architecture involves two vital security structures, i.e. memory segmentation and a capability structure (such as stack-only, code segment, data segment, address extent limitations and enforcement, etc.) and a 4-ring structure based on MULTICS. Now, let's assume XEN runs at ring 0 and does the stupid thing of setting all/most of the segment registers to a single base address and extent (the sort of LINUX/Windows mess we got into because of a desire to support RISC, two-state architectures). This means that virtual machines also run in ring 0 or in another ring, say, ring 3, the application level according to Intel.
All an attacker has to do is to restart the memory segmentation structure, for example (see the work done at SUNY at Stony Brook, New York), and it's all over! Other possibilities exist.
There appears to be some mistake. XEN is NOT a true "B2", MLS-level system with complete VM isolation (remember MULTICS and the IBM System/360 Model 67!). Indeed, with only one MSR register set we have the potential to capture the master register set and jump machines!
No, XEN is really useful and great for development activity, BUT it never, never should be proposed as a "saviour" for security! CIOs and management may grab this as a cheap alternative to a true security architecture.