June 20, 2012
As end users come to rely on outside services and downloaded code, it gets difficult for IT to know who to trust and how each desktop should be allowed to operate. The answer, says Bromium's CTO and co-founder Simon Crosby, is trust no one.
Startup Bromium uses virtualization to address a problem that has so far resisted a good solution: securing end-user computing when the user constantly interacts with, and imports files from, untrusted sources on the Internet, outside the company's firewall.
Firewalls are set up, policies put in place, and watchdogs put on guard against intruders. But programmers "leave holes in software. Humans are gullible. They click on the link. This is not changeable and we can't solve the problem" with the already-tried approaches, Crosby said in an interview prior to his appearance at GigaOm's Structure 2012 event Wednesday in San Francisco.
Bromium assumes "the bad guys are going to get in. The detection systems have their limits, and in some cases, won't detect the intruder," Crosby said.
Instead, IT needs to go beyond virtualizing the Windows desktop as a whole (putting the operating system and its applications in one virtual machine) and virtualize each potentially vulnerable task executed on the desktop. When a newly run application tries to touch the local disk, that task runs isolated in its own micro virtual machine, and the hypervisor underneath decides whether the access is allowed. Bromium calls its hypervisor a Microvisor and says it can tell whether an interaction involves trusted or untrusted parties: if the code involved was just downloaded from the Internet, the Microvisor refuses the access by default.
Bromium was launched a year ago by Crosby, University of Cambridge professor Ian Pratt (the second person to virtualize the x86 instruction set after VMware's Mendel Rosenblum), and entrepreneur Gaurav Banga, now CEO.
The Bromium approach builds on the VT-x virtualization extensions in Intel's recent chips. When a system starts, Crosby said, the hardware checks a signature over the hypervisor to confirm it is an unmodified copy. That launch-time integrity check is a separate trusted-boot function rather than part of VT-x itself, which supplies only the virtualization instructions the Microvisor uses once it has passed the check and begins policing newly minted micro-VMs.
As a desktop starts up, Bromium becomes an application running in the background. It assesses the machine it is running on and launches "hundreds of micro-VMs in under a second," said Crosby. Potentially vulnerable application tasks are executed from inside a micro-VM, which restricts their access to general purpose memory, I/O, and CPU.
By making direct use of the hardware assists to virtualization that both Intel and AMD have built into their chips, the Microvisor can quickly assign limited memory, CPU, and networking to a task--a logical sandbox--which restricts it from seeing the Windows operating system or any files, other than the ones it's authorized to access. "There's no reason why you can't download Angry Birds. It just won't be trusted," said Crosby. And if malware planted in Angry Birds tries to access the C drive, the micro-VM will pause, handing control off to the Microvisor. It will ask whether a file freshly downloaded from the Internet is trusted and decide no, and access won't be granted.
"The Microvisor assumes the code is untrustworthy," unless it has a policy that says Angry Birds normally accesses the file, said Crosby. Likewise, a downloaded program for doing a currency conversion would be assigned a micro-VM in which it would carry out its calculations. If it contained hidden code that sought to report to an outside website or download more code, that move would be blocked as not allowed under its restricted trust level.
Any potentially vulnerable operation is conducted inside a micro-VM, and micro-VMs are isolated from each other, much as virtual machines are isolated from each other on a shared host. Without explicit permission to do so, a micro-VM cannot access a trusted network, view enterprise files, or gain access to the system's I/O process, Crosby said.
The Microvisor assumes the application code may have been corrupted or may be trying to make changes to the Windows operating system. If it does, the changes are discarded when the micro-VM is shut down; nothing the task wrote survives it. The Microvisor itself is verified again by the hardware launch check at the next system startup, and then checks the integrity of every micro-VM it generates. Crosby claimed the overhead induced by Bromium's operation is not detectable to the end user.
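The access mediation and discard-on-exit behaviour described above, as a toy model in Python. This is an added example for illustration, not Bromium's code and not a description of how the Microvisor is implemented: each task runs behind a default-deny policy keyed to where its code came from, its writes land in a private copy-on-write layer, and shutting the task down throws that layer away. The `classify` rule, the policy contents, the file paths and the host files are all constructed for the example.

```python
"""Toy model of micro-VM style task isolation (added example, not Bromium code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Trust(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


class AccessDenied(PermissionError):
    """Raised when a task touches something its policy does not allow."""


@dataclass(frozen=True)
class Policy:
    """Per-application allow-lists. Anything not listed is denied to untrusted code."""
    readable: FrozenSet[str] = frozenset()
    writable: FrozenSet[str] = frozenset()
    network: FrozenSet[str] = frozenset()


def classify(origin: str) -> Trust:
    """Hypothetical trust rule for this example: only code from the enterprise's own
    software source is trusted; anything downloaded from the Internet is untrusted."""
    return Trust.TRUSTED if origin == "enterprise" else Trust.UNTRUSTED


class MicroVM:
    """One isolated task: a policy check on every access plus a private write layer."""

    def __init__(self, app: str, origin: str, policy: Policy, host_fs: Dict[str, bytes]):
        self.app = app
        self.trust = classify(origin)
        self.policy = policy
        self._host = host_fs                   # shared system view, never written here
        self._overlay: Dict[str, bytes] = {}   # private copy-on-write layer
        self.audit: List[Tuple[str, str, str]] = []

    def _mediate(self, kind: str, target: str, allowed: FrozenSet[str]) -> None:
        # Trusted code keeps its normal access; untrusted code is default-deny.
        if self.trust is Trust.TRUSTED or target in allowed:
            self.audit.append(("allow", kind, target))
            return
        self.audit.append(("deny", kind, target))
        raise AccessDenied(f"{self.app} ({self.trust.value}): {kind} {target} refused")

    def read(self, path: str) -> bytes:
        self._mediate("read", path, self.policy.readable)
        if path in self._overlay:             # the task sees its own writes...
            return self._overlay[path]
        return self._host[path]               # ...and otherwise the host's view

    def write(self, path: str, data: bytes) -> None:
        self._mediate("write", path, self.policy.writable)
        self._overlay[path] = data            # never reaches the host layer

    def connect(self, host: str) -> bool:
        self._mediate("connect", host, self.policy.network)
        return True

    def shutdown(self) -> List[str]:
        """Tear the task down; every change it made is discarded."""
        discarded = sorted(self._overlay)
        self._overlay.clear()
        return discarded


def run_demo() -> dict:
    # Constructed sample host state for the example.
    host_fs = {
        "C:/Users/alice/Documents/budget.xlsx": b"confidential spreadsheet",
        "C:/Users/alice/Downloads/rates.csv": b"USD,EUR,0.79\n",
    }
    # The downloaded converter may read its rates file and read/write one output file.
    # No network, no Documents folder.
    out_path = "C:/Users/alice/Downloads/converted.txt"
    policy = Policy(
        readable=frozenset({"C:/Users/alice/Downloads/rates.csv", out_path}),
        writable=frozenset({out_path}),
    )
    vm = MicroVM("currency-converter.exe", "internet", policy, host_fs)
    outcome = {}

    # Legitimate work succeeds inside the allow-list.
    usd, eur, rate = vm.read("C:/Users/alice/Downloads/rates.csv").decode().strip().split(",")
    vm.write(out_path, f"100 {usd} = {100 * float(rate):.2f} {eur}".encode())
    outcome["result"] = vm.read(out_path).decode()

    # Hidden behaviour: reaching for enterprise data and phoning home are refused.
    for action, target in (("read", "C:/Users/alice/Documents/budget.xlsx"),
                           ("connect", "updates.example.net")):
        try:
            getattr(vm, action)(target)
            outcome[action] = "allowed"
        except AccessDenied:
            outcome[action] = "denied"

    outcome["discarded"] = vm.shutdown()
    outcome["host_untouched"] = out_path not in host_fs
    outcome["audit"] = list(vm.audit)

    # The same file read by code from the trusted source is allowed.
    trusted = MicroVM("excel.exe", "enterprise", Policy(), host_fs)
    outcome["trusted_read"] = trusted.read("C:/Users/alice/Documents/budget.xlsx").decode()
    return outcome
```

The audit list is what a practitioner would actually want from such a layer: each refused access is recorded with the task and target, so a "denied" entry for a Documents path or an outbound host from a freshly downloaded program is the signal to investigate, while the host state stays exactly as it was before the task ran.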
The Microvisor itself presents a small attack surface. Because it leans on the virtualization extensions in the hardware, it will be under 100 megabytes when finished, Crosby said; a Bromium whitepaper puts it at "a few tens of MBs." Either figure is much smaller than Citrix's XenServer, VMware's ESX Server, or Microsoft's Hyper-V.
Bromium Microvisor is still in prerelease form. The firm is now signing up potential beta users at www.bromium.com. No date has been set for general availability. The Microvisor currently only works with Windows desktops and laptops and Windows-based mobile devices.
About the Author(s)
Editor at Large, Cloud
Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse University where he obtained a bachelor's degree in journalism. He joined the publication in 2003.