> You have failed to satisfactorily explain why running a specific application

It's that extra 4MB of poo code, that is what makes it more secure.
It's slippery and sticky at the same time, so that the application
attackers slip and slide and fall into the page boundaries.

If the actual hardware let us do more isolation than we do today, we
would actually do it in our operating system.

The problem is the hardware DOES NOT actually give us more isolation
abilities, therefore the VM does not actually do anything what they say
they do.

While x86 hardware has the same page-protection hardware that an IBM
390 architecture machine has, modern PC machines are a mess. They are
architecturally so dirty, that parts of the video, keyboard, and other
IO devices are interfaced with even to do simple things like context
switching processes and handling interrupts. Those of us who have
experience with the gory bits of the x86 architecture can clearly say
that we know what would be involved in virtualizing it, and if it was
so simple, we would not still be fixing bugs in the exact same area in
our operating system going on 12 years.

We know what a VM operating system has to do to deal with the PC
architecture. It is too complex to get perfectly right.

And now you've entered into the layered approach where *any error* in
the PC model exposed to the client operating system is not just a
crashing bug -- it is now exploitable.

It might be nice, but it is stupid. And anyone who thinks there is
any security advantage at any level knows nothing about PC
architecture.
