Okay, I talked to someone else who is also a high-level security expert. He is probably one of the most skilled security professionals that I know, actually. He doesn't want me to post logs of our conversation, but did say I can discuss the information that I learned from him. I will include a few quotes.

One thing that is unrelated but which I would like to point out is that we had to agree to terminology prior to starting the real interesting conversation. For example, he calls sandboxing what I call OS virtualization. This is common in security circles: different people/groups use different terminology to describe the same things. This actually leads to a lot of confusion and inability to properly communicate, and I think it is something that the computer security community needs to work on fixing, with more standardized terminology.

Let me think of how to organize the information I learned. How about we start with a point-by-point list:

A. The more code complexity a virtualization solution has, the more likely it is that an attacker can find a vulnerability that allows them to break out of the isolation.

B. Full hardware virtualization has the most complexity.

C. Full hardware virtualization allows for more host OS access controls to be placed on the guests; for example, they can be further isolated with mandatory access control systems to a greater extent than other virtualization solutions.

D. There is a distinction between breaking out of a hypervisor and breaking into the host. Although it is easier to break out of full hardware virtualization guests, it can be made harder to break into the host OS if proper access controls are used on the host.

E. One issue with full hardware virtualization is that it is a waste of resources and the greatly increased complexity leads to security issues, such as increased ease for an attacker trying to break out of the hypervisor.

F. He thinks using paravirtualization is probably the best choice, if you use virtualization-based isolation.

G. He thinks using any virtualization-based isolation is better than not isolating network-facing applications from your external IP address.

H. OS virtualization is immune to the sort of architecture virtualization problems that Theo was discussing; paravirtualization is not at as much risk from them as full hardware virtualization is.

I. He also suggests using OS virtualization over using full hardware virtualization, and seems to indicate that he actually had trouble picking between it and paravirtualization.

J. Comparing these different sorts of virtualization in general terms (full hardware, paravirtualization, OS virtualization) is not the best way to go about things, because a lot depends on the specific OS you are using, the specific virtualization product you are using, etc. Talking about things as generally as we are only allows for general comparisons to be made; at some point you need to compare specific solutions instead of types of virtualization, if you want to decide what the best choice for your task is.

K. FreeBSD has really good OS virtualization built into it (I love jails also).

L. The security of hardware-assisted virtualization is dependent on the correctness of the virtualization hardware you are using (for example VT-d; this stuff is on your CPU if you have it, btw).

M. In cases where paravirtualization requires APIs to be added on a kernel level, a breakout could lead to direct kernel control. He suggests against using paravirtualization solutions that require additional kernel-space APIs.

N. OS virtualization gives anyone who roots the virtualized OS a direct view of the host's kernel, and an attacker may be able to pwn the kernel from the guest.

O. OS virtualization is the least complex of the types discussed, potentially, although many solutions are probably over-complex and shit.

P. Regardless of the type of virtualization used, nothing states that an attacker must first root or otherwise gain an account on the virtualized system before they can exploit the virtualization solution and get to the host. However, many potential ways of breaking through the isolation require the attacker to pwn the guest first.

Q. If you run an OS on hardware it is going to be a much more secure environment than virtualizing the same operating system. Virtualization decreases security of the virtualized operating environment in several ways as compared to running the environment on actual hardware.

R. In general / usually, full hardware virtualization causes the largest hit to guest OS security, followed by paravirtualization, followed by OS virtualization. The hit to security correlates with the complexity of the virtualization solution, largely if not entirely because the correctness of the virtualization solution negatively correlates with its complexity.

S. Virtualization is more focused on cost reduction than security.

T. The best possible solution is to run each network-facing application on its own physical hardware and connect the different machines with a physical network while isolating applications from external IP address, while running Tor / Firewall / Intrusion detection systems on a dedicated machine as well and forcing all traffic to be routed via Tor. This is his number one suggestion.

U. Using full hardware virtualization will make it significantly easier for an attacker to pwn your guest OS (versus running it on hardware), but using full hardware virtualization to keep network-facing applications away from external IP address will require an attacker to use more / more sophisticated attacks to trace you with a proxy bypass attack.

He did ironically note that since you are significantly more vulnerable to having your guest OS pwnt (versus running it on hardware), this will remove some of the protection from being traced: yes, an attacker will likely need to pwn the VM, then break out of it and into the host OS to get your external IP address (although they don't need to have an account on the guest to break out of the hypervisor and into the host OS). However, he pointed out that since you are more likely to have your (guest) OS pwnt in the first place, this may end up reducing the previously mentioned added protection against traces.

And now let's wrap it up with a list of techniques and how he rated (or apparently rated, to me) them:

1. Physical hardware isolation, with Tor on one machine, Firefox on another isolated from external IP address (strong number 1)
2. Paravirtualization-based isolation
3. OS virtualization-based isolation
4. Full hardware virtualization-based isolation
5. No isolation

I think if you take advantage of the ability to further isolate a full hardware virtualization guest OS with mandatory access control systems, he might bump it up the list. One of the main benefits of full hardware virtualization is the ability to isolate it additionally on the host OS, so that even if an attacker breaks out of the hypervisor they can't break into the host OS. It is harder to gain this protection from break INs to the host OS by using paravirtualization or OS virtualization solutions (however, it is harder to break OUT of paravirtualization or OS virtualization in the first place 0_0). Also, I think in reality he would want to know specific details, specific goals, specific software programs used, operating system used, configuration details, etc. before he made a list of 'best' to 'worst'.