usrusr
VierScar
You can't claim you're not surprised? So you can claim you are surprised? You're surprised by this. I feel like I'm trying to understand double negation logic in code haha
walteweiss
I have difficulty deciphering this as well.
In English, there is a sentence structure like ‘I ain’t telling nobody’, which means ‘I won’t tell anyone’, but for me it’s difficult to decipher as well. Why isn’t it ‘I’m telling nobody’ or ‘I’m not telling anyone’? Why does the double negative — ain’t and nobody — mean a negative as well?
The same issue is here. I don’t understand whether they were surprised or not. I assume they are not surprised. But the difficulty of the phrasing makes me wonder about the meaning behind it.
usrusr
It means that I don't feel able to give in to the desire of claiming "told me so"
__alexs
Double (triple, even quadruple) negatives meaning a negative are a common feature of English dialects. They are for emphasis!
hiatus
It's the same as saying "I can't say I'm not surprised"—meaning they are unsurprised.
juicypt
It seems to me that they're not unsurprised, and so they're actually surprised.
VierScar
I think that's saying they're surprised. The saying in other contexts: "I can't say I'm not impressed" -> I'm impressed. "I can't say you didn't try" -> you tried.
I think you mean "I can't say I'm surprised" -> this is not at all surprising. But that's just one negative.
teleforce
The multi-user part for Android OS is not an extrapolation, it is inevitable.
Fun fact: the Unix name is a joke on Multics, where Multi stands for multi-user, and everyone knows what soon happened to Unix's single-user name indication.
remram
Multics stands for Multiplexed Information and Computer Services (not multi-user).
I don't think UNIX was ever meant to be single-user. This interview suggests that's not where the name came from anyway: https://www.linuxjournal.com/article/7035
teleforce
Since Multics was written as a modern or next-generation time-sharing OS at the time, it had to support multi-process and multi-user capability. This capability is represented by the multiplex terminology. In the early days of analog and digital communication, multiplex was the scheme used to transmit and receive multi-user information in the time or frequency domain.
If you think about it, much of the complexity of Multics comes from its multi-user requirement, with an overly complex access control matrix, a multitude of file types including design for multi-user support, etc. Thus the Unix name metaphor or pun is to make the latter simple by requirement and design. Remember that Unix was started as a skunkworks, and even the original PDP-7 that was used originally was donated by another department of AT&T; if I remember correctly, it was the sound signal processing department [1]. If it had been an official project, the multi-user requirement would have been there from the start, since arguably AT&T was the largest technical company at the time and they would have wanted multi-user from the get-go.
But after some time and the considerable success of Unix, the designers probably look childish due to the naming, since they did introduce multi-user at a later stage, and toned down the exact meaning of Unix. What is the opposite of multi? It is uni.
[1] The Strange Birth and Long Life of Unix:
https://spectrum.ieee.org/the-strange-birth-and-long-life-of...
codedokode
Looks like something absolutely overengineered and unnecessary. Why do you need a virtual machine with a separate kernel? Why do you need to protect it from kernel? I guess, it is made mostly for playing DRM content?
berkes
A use-case I can imagine is e.g. a password vault, a banking app, or a secure messaging app that you want isolated from everything. Even when running. And where "everything" includes infected apps, an infected host or even physical access.
Not sure if this architecture can handle that, nor if it's the best architecture to solve this problem, though.
jonathanlydall
Yes, yes, yes... those are all "legitimate" and likely good uses of this technology, but they're most likely just additional/bonus tertiary use cases to the main use case which motivated Google to expend effort on this feature: DRM.
It's much like how web browsers' incognito/private mode is really useful for web developers and certain kinds of troubleshooting, but those are tertiary uses to the primary consumer use case for which it was originally built: browsing porn without leaving history behind.
eptcyka
I'd love to be able to use a Qubes like OS on my phones. There's so much vile garbage I need to run on my phone yet at the same time, I want my phone to have access to my passwords and email. Segregating apps is long overdue.
anthk
Not Qubes, maybe something like Unikernels from NetBSD.
lxgr
DRM on Android is already ubiquitous and runs in trusted hardware contexts (TEEs). These are also used for Android’s secure key storage.
Normal apps usually don’t have the opportunity to run there, so this levels the playing field somewhat in terms of security.
And unless there is also attestation or binary encryption involved, I doubt this would give app developers any DRM-like capabilities.
themoonisachees
It is. I'd like to believe that the Android team is removed enough from Google's shenanigans that they aren't doing it specifically for them, but there are a lot of corporate app developers (including Google) who want exactly this feature. This means much higher difficulty hacking in multiplayer games (yes haha mobile games, but they're huge in China for example), increased DRM for Netflix et al., and I'm sure the Chrome for Android team is salivating at the prospect of running your browser in a trusted VM. Your bank obviously would also enjoy the added security but in reality the current safeguards work well enough for these purposes. This is about protecting apps from adversarial users, not protecting apps from unwittingly infected users.
extraduder_ire
Run an older/newer version of android in the VM, assuming the host is light enough?
Maybe another OS, if someone does the groundwork on that. Or, fully suspend and move running instances across devices, which I think Xen can already do.
helloooooooo
One prime example is to protect credentials. Windows already uses this in a feature called Credential Guard.
Shoop
How does two-way isolation work? How do you prevent the host kernel (which presumably has full control of the hardware?) from inspecting the guest VM?
jbott
It looks like the host kernel is not in full control – there is an EL2-level hypervisor, pKVM [1], that is actually the highest-privilege domain. This is pretty similar to the Xen architecture [2], where the dom0 Linux OS in charge of managing the machine is running as a guest of the hypervisor.
1. https://source.android.com/docs/core/virtualization/architec...
2. https://wiki.xenproject.org/wiki/Xen_Project_Software_Overvi...
pjmlp
Commonly known as type 1 hypervisor architecture, as opposed to type 2 hypervisors, which run as OS services.
Ironically the revenge of microkernels, as most cloud workloads run on type 1 hypervisors.
bonzini
No, KVM is also a type 1 hypervisor but it doesn't attempt (with the exception of pKVM and of hardware protection features like SEV, neither of which is routinely used by cloud workloads) to protect the guest from a malicious host.
fgoesbrrr
I don't know about Android, but AMD CPUs support encrypting regions of physical memory with different keys which are accessible only to one particular VM running, but also not accessible to the host:
AMD Secure Encrypted Virtualization (SEV)
fooker
Does every memory read/write have to go through decryption/encryption or just the paging mechanism?
transpute
The architecture pattern is similar to Bromium/HP AX + Type 2 μXen on x86, https://www.youtube.com/watch?v=bNVe2y34dnM (2018), which ships on HP business PCs.
Bare metal runs a tiny L0 hypervisor making use of hardware support for nested virtualization. In turn, the L0 can run an L1 hypervisor, e.g. KVM or "host" OS, or minimal L1 VMs that are peers to the L1 "host"-guest of L0.
Google pKVM-for-Arm tech talk (2022), hopefully x86 will follow, https://www.youtube.com/watch?v=9npebeVFbFw
haltist
You can inspect their hypervisor code and verify the host kernel cannot access the VM after creation, but if you are running as root then you can obviously inspect whatever process is under host/hypervisor control.
anonuser123456
You make the various hardware modules security context aware. You then give the host a separate security context from guests. You need a trusted hypervisor to bootstrap it.
ignoramous
Protected KVM on Arm64: A Technical Deep Dive, Quentin Perret (KVM Forum 2022), https://www.youtube.com/watch?v=9npebeVFbFw (first 5m)
ReactiveJelly
It must be relying on a TPM somehow, right? That isn't possible with any normal software VM
transpute
This eschews hardware-based TEE (like TrustZone or TPM) in favor of hardware support for nested virtualization, plus open-source L0 hypervisor code.
In the best case future, this will offer security properties based on a small OSS attack surface, rather than black box TEE firmware.
darig
[dead]
Animats
So what is something running in this virtual machine allowed to do? Talk to the Internet? Talk to the screen? Talk only to whatever started it?
How much of this is closed source?
keepamovin
Possibly one cybersecurity-related thing you could do is run a headless browser inside this VM, and bridge the network requests to the host network (a little bit like Docker).
Using my open-source BrowserBox^0 project then you could have a "bit more isolated" Browser running on your Android device that would add "VM escape" to any zero-day exploit chain that might be a risk.
This is speculation tho, I don't know if it's actually feasible based on the Android reality right now, but assuming the capabilities that are provided are like a regular headless VM, then it should be. :)
codedokode
Why do you need a VM for isolation? ARM architecture already provides tools for isolation, like MMU and privilege levels. Why do you need another kernel, emulation of hardware devices? It is a completely wrong method.
keepamovin
For sure, ARM's MMU and privilege levels are solid for base isolation. But consider the VM for a headless browser as an extra layer of defense, especially in the wild and crazy web threat landscape. Yes, it involves another kernel and some hardware emulation, but modern VMs, particularly with Android's AVF, are designed to be lightweight and efficient.
With AVF, we're looking at tailored isolation, where a VM can be as minimal or as comprehensive as needed. This flexibility means we can create a highly controlled environment for the browser, enhancing security against web-specific exploits. It's about using ARM's strengths and adding a VM where it makes sense for focused, web-centric security. The idea's to mix and match security layers for the best defense, especially with Android's new AVF making VMs more streamlined.
I guess you could say the goal here is to tailor the security approach to the specific risks associated with web browsing, making the system resilient against a broader range of exploits.
stevenhuang
If defense in depth is a foreign concept I imagine a lot of modern security mitigations will look wrong to you too.
surajrmal
The kernel simply has too much code in it and too wide of a boundary to consider a good security boundary. VMs have a much smaller surface by comparison. I don't think reaching for a VM would be necessary if you had a smaller kernel.
codedokode
This is probably for playing DRM content, apps like Netflix will provide an encrypted VM image to play a movie.
Animats
How does the video get out? That implies a strong connection to the screen, which has a big attack surface.
This is the classic problem with isolation via virtual machines. To do anything, they have to talk to something, and that's where the security breaches occur.
jrpelkonen
DRM already uses a trusted execution environment (TEE), which provides more robust isolation than a VM. Thus I doubt needs of video streaming apps are the main motivation.
bobdvb
The DRM TEE on Android needs to be baked in at the factory. If an app brings its own DRM then it's not able to use the TEE. If this enabled apps to use TEE-like functionality it'd be good for that use case.
saagarjha
I think the design is intended so that you mostly only get to do the last one.
kmeisthax
The use of the word "privileged" seems to imply that only system apps will be able to use this - i.e. no installing virtual machines off Google Play anytime soon. Bleh.
transpute
Hopefully standard tooling will appear in time. Patreon PoC of unprivileged VMs, https://www.xda-developers.com/nestbox-hands-on/
> On the Pixel 7, the most configuration you'll need to do is similar to Shizuku. You connect to your own phone over wireless adb, configure the maximum container size, and then choose your Linux distribution. It'll download, configure, and then execute the virtual machine.
rstat1
It's annoying that I can't use this without greater-than-normal-user access.
3abiton
It is still baffling that root is so shunned upon in the Android communities. Imagine not having root access to your Linux laptop. Magisk users are persecuted and punished by Google for getting root access, which is the bare minimum for a device you own.
i5-2520M
As a big root user, I don't lay the blame on Google. They don't prevent much on rooted devices, mostly just gpay, but they do provide the tools for other apps to do detection. Google devices are also the best for modding from a technical standpoint.
pjmlp
Easy, that is how many of us use UNIX-like OSes, macOS, Windows devices in corporate environments.
Not everyone gets to be root, and even for devs there are IT management tools that only allow root for specific use cases, or time boxed.
josephcsible
Sure, you shouldn't always get to be root on other people's computers. But you absolutely should get to be root whenever you want on your own computers.
codedokode
No, I think the reason is that not letting users have full control over hardware is more profitable for manufacturers, government and the economy as a whole.
rstat1
> It is still baffling that root is so shunned upon in the Android communities.
I haven't seen this personally (not saying it isn't a thing to be clear, just I haven't seen it).
My major issue is that for some reason there are carriers in the US that seem to think a user having control over their own device is something to frown on. I get the potential support and warranty nightmare involved but on the other hand it's not a super easy process that one would do accidentally.
awoimbee
Will this allow running Linux VMs on any Android device? Via something like nestbox: https://www.patreon.com/posts/74333551 ?
heavyset_go
This is already possible if your phones ship with the KVM kernel module, like on some Pixel devices, but reading the article suggests that KVM will become standard on all Android devices to enable this.
edit: according to this[1], yes, the pKVM functionality that's standard in Android exposes KVM functionality so that you can run VMs on Android.
[1] https://www.xda-developers.com/android-13-dp1-google-pixel-6...
angm128
A full Linux environment (with external monitor support) sounds awesome. I hope that enabled KVM becomes standard.
Would graphics acceleration work properly?
heavyset_go
Depends on the kind of acceleration you want. VirGL is available on Linux host/Linux guest setups with recent kernels, not sure if QXL/SPICE will be available or can be added to the userland. Can't imagine a hardware passthrough situation making sense on a phone/tablet, either.
anthk
You can already do that with termux, XSDL and some scripts. No virtualization needed.
walteweiss
Which Pixel devices? Is it something new or not-so-new?
heavyset_go
I couldn't tell you, sorry. Just going off what I've read in some articles like the one I posted.
saagarjha
AVF supports this, people have used it to boot Linux and Windows. See for example https://twitter.com/kdrag0n/status/1493089098944237568
codethief
Straight from the horse's mouth:
> pKVM is built on top of the industry standard Kernel-based Virtual Machine (KVM) in Linux. It means all existing operating systems and workloads that rely on KVM-based virtual machines can work seamlessly on Android devices with pKVM.
_ea1k
It sounds like it will become common eventually. I just wish that there were a more supported pathway to running full VMs like that. These devices are powerful enough to do it pretty well now.
ForkMeOnTinder
So on desktop, if I spin up a VM with networking disabled I feel pretty confident I can run anything safely, even malware is not going to escape.
What's the current state of the art for Android virtualization? Let's assume we're talking about the newest Pixel and newest Android version. Is there any way to safely run malware or the Facebook app in some sort of air-gapped container and throw it away when you're done?
fleventynine
> if I spin up a VM with networking disabled I feel pretty confident I can run anything safely, even malware is not going to escape.
You are putting too much faith in your VM monitor to keep you safe. There's a lot of attack surface in (for example) QEMU peripherals, and there's plenty of examples of VM escape [1]. CrosVM is probably the only publicly available VMM I'd be willing to trust, and even then I'd be nervous running state-sponsored malware on a machine with important data.
bonzini
While QEMU uses C, which is not great, it has on its side 15+ years of hardening by the KVM developers. The problem with QEMU is not so much insecurity, it's that it contains the kitchen sink.
However, most of the exploits you'll find in QEMU are against configurations that are never used in real world virtualization scenarios where guests are untrusted. You can recognize them because hardware not commonly used with untrusted guests does not get a CVE.
For a while, slirp was the remaining major issue because it was used way beyond the original intention. But now it's been tamed and there's also passt, a much higher performance and much more secure implementation of user-mode networking.
ungamedplayer
> You can recognize them because hardware not commonly used with untrusted guests does not get a CVE.
This is not true. Even a non-default configuration of any software or hardware that contains a security vulnerability can get a CVE. It has in the past and will again in the future.
Source: I have assigned over 2000 CVEs for the kernel.
csdvrx
> But now it's been tamed and there's also passt, a much higher performance and much more secure implementation of user-mode networking
In case anyone else needs a link: http://blog.vmsplice.net/2021/10/a-new-approach-to-usermode-...
monocasa
I'd probably trust firecracker too since it was designed specifically to avoid qemu's attack surface and runs in production for Amazon.
my123
QEMU also runs in production darn near everywhere, especially on Xen.
surajrmal
It also happens to be a fork of crosvm
surajrmal
Luckily Android is using crosvm
jmprspret
> Is there any way to safely run malware or the Facebook app in some sort of air-gapped container and throw it away when you're done?
User profiles can be used in this exact way. Guest user if you intend to install+wipe it right away (though this will prove cumbersome eventually due to having to reinstall the app every time, etc). There is a significant isolation benefit to them, though not currently virtualized. With the isolation can come usability issues. Like transferring files from one profile to another.
They can be very slow, however (slow to load+setup, and switch between, I mean. When you're inside it's effectively a separate, fresh, OS install).
ClassyJacket
*malware like the Facebook app
heavyset_go
Pretty sure Android already uses Linux containers/namespaces for app isolation.
seabrookmx
You're thinking of ChromeOS I think, which uses a combination of containers and virtualization (via the same VMM in this article) for Linux and Android apps.
heavyset_go
Yeah, apparently Android uses users and namespaces, but not containers as we typically know them like ChromeOS does.
tripdout
Why does the tutorial for creating a demo app, https://source.android.com/docs/core/virtualization/writeavf..., only work on Cuttlefish (emulator)?
Never mind, only the demo app, not the tutorial, so who knows what it's doing.
saagarjha
Maybe because it requires a platform signature to use?
jeffrallen
Another salvo in the war on general purpose computing. (https://lwn.net/Articles/473794/)
transpute
If Android phones can run non-Android VMs of the user's choice, the phones will gain new purpose.
jeffrallen
Ok cool.
But you and I both know that this feature was designed for the DMCA-lovin' Hollywood types and the control-freak enterprise IT BOFHs, not for your cool hack.
Let's use their tools of oppression against them! (fist emoji)
transpute
Media and Enterprise already have TrustZone, Knox, Intune, etc. which work "enough".
Newer markets include cashless (CBDC) payments and digital identity anchored in human biology, demanding more security than legacy content.
> Biometrics: By deploying biometric trusted applets in an isolated virtual machine, developers will have the isolation guarantee, access to more compute power for biometric algorithms, easy updatability regardless of the Trustzone operating system, and a more streamlined deployment.
Fortunately, OSS can enable N-party transaction transparency, we don't have to settle for one-way mirrors and WeChat clones.
robertwt7
Although this is very exciting, surely performance is not the benefit here? It won’t perform better than an Android app not built on top of the virtualisation technology?
omeid2
Android apps are already running on top of a "Virtualisation Technology": both the current ART (Android Runtime) and the previous one, Dalvik, runtimes are virtual machines, process-level virtual machines, but they do bytecode translation/JIT nonetheless.
If AVF allows running native code, it might actually be cheaper than the current arrangement.
IAmLiterallyAB
Android apps can already run native code, so there's no performance benefit.
Also, Java "virtual machines" and native virtual machines are two very different things, they shouldn't be equated.
glacia01
I'm not an Android expert in any way, but a VM has nothing to do with virtualization. I think you're confusing something.
walteweiss
What do you mean?
Literally, the title: ‘Virtual Machine as a core Android Primitive’ and the very first sentence: ‘The Android Virtualization Framework (AVF) will be available on upcoming select Android 14 devices.’
fragmede
What does VM stand for?
ips1512
Android apps perform better if built natively, Google might take some steps to enhance its performance.
Back at university one lecture included an infographic about how CPU and operating system features like MMU, increasing register width and the like all started at mainframe-scale installations and trickled down to desktop scale systems and later to handheld devices at a surprisingly consistent pace. It was the time w2k was trying to make NT features mainstream and J2ME arrived on phones. I extrapolated a little and made a joke about multi-user concepts arriving on phones and a few years later Android was right on schedule (when that happened, repurposing Linux users as units of app isolation was the headline feature in tech news).
By that measure, virtualization is long overdue, but I really can't claim that I'm not surprised.