Complete isolation via virtualization is not possible, even on systems where the hardware components of the underlying guests are dedicated. DoS is the most common problem, where one guest impacts another. I've had many systems where a reboot of the hypervisor was required to fix a problem with one guest, affecting all of them, including systems with dedicated processors and memory boards.
There are, and continue to be, bugs in virtualization software/firmware.
In addition, the solution described in the link uses X -- X requires userland code to have direct access to memory (the aperture sysctl, which is disabled by default in OBSD), which is another vector by which one guest may possibly find a way to scribble in another guest's RAM.