Comment by souvik1997
4 hours ago
If I had to rank these, in order of least to most secure, it would be container < VM < WASM.
WASM has:
- Bounds checked linear memory
- No system calls except what you explicitly grant via WASI
- Much smaller attack surface
VMs have:
- Hardware isolation, separate kernel
- May have hypervisor bugs leading to VM escape (rare in practice though)
Some problems with containers:
- Shared host kernel (kernel exploit = escape)
- Seccomp/AppArmor/namespaces reduce attack surface but don't eliminate it
- Larger attack surface (full syscall interface)
- Container escapes are a known class of vulnerability
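Added example, not part of souvik1997's comment or any runtime's real profile: a minimal seccomp-BPF filter in C that illustrates the "seccomp reduces attack surface but doesn't eliminate it" line above. The denylist (two syscalls, chosen for the demo and hypothetical) is installed with prctl(2); the listed syscalls then fail with EPERM while every other syscall still goes straight to the shared host kernel. Linux only; the AUDIT_ARCH check covers x86_64 and aarch64.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define MAX_DENIED 32

/* Hypothetical denylist for the demo: two syscalls a sandboxed workload
 * should not need. Everything NOT listed stays reachable. */
static const int demo_denied[] = { SYS_mkdirat, SYS_mount };
static const size_t demo_denied_len = sizeof demo_denied / sizeof demo_denied[0];

/* Build and install an allow-by-default seccomp-BPF filter that makes the
 * listed syscalls fail with EPERM. Returns 0 on success, -1 with errno set. */
int install_denylist(const int *denied, size_t n)
{
    if (n > MAX_DENIED) { errno = E2BIG; return -1; }
    struct sock_filter prog[4 + 2 * MAX_DENIED + 1];
    size_t i = 0;

    /* 1. Kill if the syscall ABI is not the one we wrote numbers for
     *    (e.g. a 32-bit syscall on an x86_64 host), since numbers differ. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* 2. Load the syscall number into the accumulator. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    /* 3. One compare + deny pair per listed syscall. */
    for (size_t k = 0; k < n; k++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned int)denied[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                 SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    /* 4. Default: allow. This line is why the rest of the kernel stays exposed. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Try to create a directory under a parent that does not exist. Returns the
 * errno: ENOENT before the filter, EPERM once mkdirat is blocked. */
int probe_mkdirat(void)
{
    if (syscall(SYS_mkdirat, AT_FDCWD, "/seccomp_demo_missing_parent/child", 0700) == 0)
        return 0;  /* only if that parent directory unexpectedly exists */
    return errno;
}

/* A syscall outside the list still reaches the host kernel unchanged. */
int probe_getpid(void)
{
    return syscall(SYS_getpid) > 0;
}

int main(void)
{
    printf("before filter: mkdirat errno=%d (ENOENT=%d)\n", probe_mkdirat(), ENOENT);
    if (install_denylist(demo_denied, demo_denied_len) != 0) {
        perror("install_denylist");
        return 1;
    }
    printf("after filter:  mkdirat errno=%d (EPERM=%d)\n", probe_mkdirat(), EPERM);
    printf("after filter:  getpid still works=%d\n", probe_getpid());
    return 0;
}
```

Real container runtime profiles are usually written the other way round (default deny plus a long allowlist), but the consequence is the same: every allowed syscall is a direct path into the one kernel shared with the host, which is the difference from a WASM runtime that exposes only the imports it was given.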