For those who haven’t heard about the Xen 0wning Trilogy, make sure to check that out here and here.

In a follow-up post to some apparent misinformation being spread (Microsoft executive “rebuts” our research!), I was surprised by this comment:

Interestingly, if Mr. Riley only attended our Xen 0wning Trilogy at Black Hat, then he would notice that we were actually very positive about Hyper-V. Of course, I pointed out that Xen 3.3 certainly has a more secure architecture right now, but I also said that I knew (from talking to some MS engineers from the virtualization group) that Hyper-V is going to implement similar features in the next version(s) and that this is very good. I also prized the fact it has only about 100k LOC (vs. about 300k LOC in Xen 3.3).

Xen 3.3 has grown to 300k lines of code for the hypervisor?

At what point does the “tight security auditability” argument start to exponentially diminish for hypervisors in ring 0?