Re: Some good points --
"And of course this system makes inter-process communication more difficult. That's part of the point, again IMHO: if you have always-on, widespread comms between many processes then obviously a security flaw in any one of them becomes a vulnerability in all of them. If you want to keep attackers in one room, you have to shut the door. Or at least vet the traffic in and out."
Which poses a problem if said door is the kitchen door of a restaurant. People come and go all the time as part of the business AND they frequently do so with their hands full. Thus the passageways are either open (with bends for privacy) or are doors built with double-action spring hinges that allow opening with some body part other than an arm. Similarly, what if you do FREQUENT inter-process communication? Interfere with this and things don't get done. And again, who cares about security if the job isn't getting done?
"But, as noted by others, successfully attacking a hypervisor as well as attacking the processes running inside it adds a layer of difficulty an attacker must overcome. It's not trivial. Probably an order of magnitude harder."
They said the same thing about sandboxes, and look where we are now. Figure out how to crack one egg and dealing with any other egg becomes a lot easier. We're just at the probing stage at this time for VMs, but once they figure out how to reliably hit the hypervisor, I expect a house of cards effect to follow.
"Whatever. You make good points. I do think OS modifications will have to move toward raising the security bar, though. The bad guys are not getting stupider, nor fewer."
But you still have to deal with the customer, and The Customer is Still King. What do you do when the customer's demands are in direct conflict with your security model?