Containers vs. Virtual Machines: Which is Safer?



Post by relemedf5w023 »

James Bottomley
Experts have long been unable to agree on which of these two technologies is more secure, but IBM has taken on the task of clarifying the situation. James Bottomley, an engineer at the company's research division and a Linux kernel developer, wrote in his blog that these discussions can hardly be called fruitful, since the level of security of containers and virtual machines (VMs) has often been measured not by means of comparative analysis, but empirically (saying that "hypervisors are more secure than containers because of the implementation of the interface").

In order to compare the two technologies in terms of security, Bottomley developed the Horizontal Attack Profile (HAP). In his assessment, he found that “a Docker container with a well-designed seccomp profile (which blocks system calls) provides roughly equivalent security to a hypervisor.” He begins his description with the Vertical Attack Profile (VAP), which includes the code needed to keep the service up and running, including database updates. Like any other program code, VAP code contains vulnerabilities. Obviously, the more code a program has, the higher the chance that it contains bugs.

Meanwhile, exploits that work across the entire software stack — both on physical servers and VMs — are HAPs. HAPs are the worst kind of security vulnerabilities: a breach in one of the underlying layers (such as the Linux kernel or hypervisor) can lead to a complete compromise of the entire infrastructure, giving control over the root environment and all running containers. The level of HAP security depends on the amount of privileged code that is called during the operation of a particular container isolation or virtualization system. The less privileged code is involved in running a container, the more secure the whole system, since the number of potential attack vectors shrinks along with the likelihood of exploitable vulnerabilities.
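The post's practical takeaway is that the seccomp profile decides how much privileged kernel code a container can reach. The following is an added example, not code from the post or from Bottomley's work: it builds an allowlist profile in the JSON format Docker accepts via `--security-opt seccomp=FILE` and audits a profile for the two properties that matter most for horizontal attack surface, a default action that does not deny, and allowed syscalls that expose large amounts of privileged kernel code. The `HIGH_RISK_SYSCALLS` set, the sample allowlists, and the function names are assumptions constructed for this example; the size of an allowlist is only a crude proxy for reachable kernel code, not Bottomley's HAP measurement.

```python
"""Build and audit a Docker-style seccomp profile (added example, not from the post)."""
import json

# Constructed, illustrative set of syscalls that reach a lot of privileged
# kernel code (module loading, mounts, tracing, namespaces, BPF). The exact
# membership is an assumption for this example, not Docker's own list.
HIGH_RISK_SYSCALLS = frozenset({
    "mount", "umount2", "ptrace", "keyctl", "bpf", "kexec_load",
    "init_module", "finit_module", "delete_module", "reboot",
    "unshare", "setns", "perf_event_open", "userfaultfd",
})

# seccomp actions that refuse a syscall not explicitly allowed.
DENY_ACTIONS = frozenset({
    "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP",
})


def build_allowlist_profile(allowed, arch="SCMP_ARCH_X86_64"):
    """Return a default-deny profile in Docker's seccomp JSON layout."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def allowed_syscalls(profile):
    """Collect every syscall name the profile explicitly allows."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        names.update(rule.get("names", []))
        if "name" in rule:  # older single-name rule form
            names.add(rule["name"])
    return names


def audit_profile(profile):
    """Report whether the profile defaults to deny and which risky calls it allows."""
    default = profile.get("defaultAction")
    default_denies = default in DENY_ACTIONS
    allowed = allowed_syscalls(profile)
    risky = sorted(allowed & HIGH_RISK_SYSCALLS)

    findings = []
    if not default_denies:
        findings.append(
            f"defaultAction is {default!r}: every unlisted syscall is permitted")
    findings.extend(f"high-risk syscall allowed: {name}" for name in risky)

    return {
        "default_denies": default_denies,
        "allowed_count": len(allowed),
        "high_risk_allowed": risky,
        "findings": findings,
    }


def to_json(profile):
    """Serialise a profile exactly as it would be written to the file Docker loads."""
    return json.dumps(profile, indent=2)


def from_json(text):
    return json.loads(text)


# Constructed sample allowlist: roughly what a tiny static service needs.
TIGHT_ALLOWLIST = [
    "read", "write", "close", "fstat", "brk", "mmap", "munmap", "futex",
    "rt_sigaction", "rt_sigreturn", "clock_nanosleep", "exit", "exit_group",
]
TIGHT_PROFILE = build_allowlist_profile(TIGHT_ALLOWLIST)
# Same list but with two high-risk calls carelessly added.
LOOSE_PROFILE = build_allowlist_profile(TIGHT_ALLOWLIST + ["ptrace", "mount"])
# Default-allow profile: the allowlist is meaningless because nothing is denied.
DEFAULT_ALLOW_PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [],
}

if __name__ == "__main__":
    for label, prof in [("tight", TIGHT_PROFILE), ("loose", LOOSE_PROFILE),
                        ("default-allow", DEFAULT_ALLOW_PROFILE)]:
        report = audit_profile(prof)
        print(f"{label}: {report['allowed_count']} syscalls allowed, "
              f"findings={report['findings'] or 'none'}")
    print(to_json(TIGHT_PROFILE))
```

Run it to print the audit of each constructed profile and the JSON for the tight one; the audit deliberately treats a non-denying `defaultAction` as the first finding, because with a default of `SCMP_ACT_ALLOW` the allowlist no longer bounds the kernel surface at all.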