The security boost that comes from removing the operating system from between the hardware and the hypervisor doesn't necessarily eliminate attacks, according to a competitor of Citrix.

In the absence of an operating system to attack, malicious parties can attack the hypervisor itself, says Dave Kleidemacher, CTO of Integrity Global Services, which sells the only client hypervisor with the highest U.S. government security rating known as EAL 6+.

The highest rating possible for hypervisors not designed specifically with EAL6+ criteria in mind is EAL 4, he says. . "The bar is so much lower," he says. The higher rating is awarded to software that can withstand persistent attacks from knowledgeable, well funded adversaries, he says

But in the real world, there have been no successful hypervisor exploits, although security researcher Joanna Rutkowska last year at the Black Hat security conference ways to subvert the Xen server hypervisor with rootkits.

"It's more theoretical," says Natalie Lambert, an analyst with Forrester Research who says she has not heard from clients about their hypervisors being exploited. "Security folks use it as a stop mechanism to not let virtualization projects move forward."