Currently OpenBSD supports these architectures ( http://www.openbsd.org/plat.html ):

alpha   Digital Alpha-based systems
amd64   AMD64-based systems
armish  ARM-based appliances (by Thecus, IO-DATA, and others)
hp300   Hewlett-Packard HP 9000 series 300 and 400 workstations
hppa    Hewlett-Packard Precision Architecture (PA-RISC) systems
i386    Standard PC and clones based on the Intel i386 architecture and compatible processors
landisk     IO-DATA Landisk systems (such as USL-5P) based on the SH4 cpu
loongson    Loongson 2E- and 2F-based systems, such as the Lemote Fuloong and Yeeloong, Gdium Liberty, etc.
luna88k     Omron LUNA-88K and LUNA-88K2 workstations
macppc  Apple New World PowerPC-based machines, from the iMac onwards
mvme68k     Motorola 680x0-based VME systems
mvme88k     Motorola 881x0-based VME systems
sgi     SGI MIPS-based workstations
socppc  Freescale PowerPC SoC-based machines
sparc   Sun sun4, sun4c, sun4e and sun4m class SPARC systems
sparc64     Sun UltraSPARC and Fujitsu SPARC64 systems
vax     Digital VAX-based systems
zaurus  Sharp Zaurus C3x00 PDAs

Currently QEMU supports these architectures ( https://en.wikipedia.org/wiki/QEMU#Emulated_hardware_platforms ) - but FIXME:

IA-32 (x86)
x86-64 PCs
MIPS R4000
Sun's SPARC sun4m
Sun's SPARC sun4u
ARM development boards (Integrator/CP and Versatile/PB)
SH4 SHIX board
PowerPC (PReP and Power Macintosh)
ETRAX CRIS
MicroBlaze architectures.

So combined (what both support, but FIXME..):

i386 OR IA-32
amd64 OR x86-64
sun4m (SPARC)
macppc OR PowerPC

Searching Google (search string || hits):

site:seclists.org i386 exploit vulnerability || 14600
site:cvedetails.com i386 exploit vulnerability || 24700

site:seclists.org IA-32 exploit vulnerability || 650
site:cvedetails.com IA-32 exploit vulnerability || 3510

site:seclists.org amd64 exploit vulnerability || 11000
site:cvedetails.com amd64 exploit vulnerability || 29900

site:seclists.org x86-64 exploit vulnerability || 540
site:cvedetails.com x86-64 exploit vulnerability || 4970

site:seclists.org x86_64 exploit vulnerability || 6590
site:cvedetails.com x86_64 exploit vulnerability || 36800

site:seclists.org sun4m exploit vulnerability || 17
site:cvedetails.com sun4m exploit vulnerability || 0

site:seclists.org SPARC exploit vulnerability || 7750
site:cvedetails.com SPARC exploit vulnerability || 43800

site:seclists.org macppc exploit vulnerability || 1
site:cvedetails.com macppc exploit vulnerability || 3490

site:seclists.org PowerPC exploit vulnerability || 7130
site:cvedetails.com PowerPC exploit vulnerability || 32000

-->>

http://i.imgur.com/jbsBNj0.png

So I want to run an OpenBSD guest with QEMU on an OpenBSD host, but with a different arch than the host OpenBSD has. (For security reasons: if an exploit works on e.g. i386, it's not 100% that it runs on e.g. sun4m.)

At first look, if I used i386 or amd64 as the host, the guest would need to be: sun4m (? - but SPARC has many hits.. and can QEMU really use sun4m???)

P.S.: yes, I know, searching for historical vulnerabilities isn't the best method, but there aren't any better ones.. or?

Q: So what would be the safest architecture to use?

gasko peter

1 Answer

Exploit counting is not helpful here, because the numbers are skewed by non-targeted attacks. If a bad guy doesn't care what machines she gets control of, then she will target Windows on x86, because there's a billion more of those out there than BeOS on PDP-11.

Since you are primarily defending against targeted attacks, your focus should be on hardening the specific instance.

Indeed, there's a case to be made that you should go for x86 on your guest as well. It's probably the most popular port (citation needed), which probably means the most eyeballs are on it looking for bugs.

Graham Hill