Some of the minds behind virtualization technology used by Amazon Web Services are launching new security software today called Bromium, which is designed to protect against attacks by keeping apps and their individual tasks separate from the operating system.
While traditional antivirus software prevents known malware from infecting machines, and firewalls block unauthorized packets from getting into the network, there isn't really a good solution for the biggest problem in security today -- the naive end user. An unwise click on a malicious attachment or URL is often the easiest way into an organization's network.
"We're all gullible and our computer systems are riddled with holes, so the bad guy always gets in," said Simon Crosby, co-founder and chief technology officer of Bromium, based in Cupertino, Calif., and Cambridge, U.K. To address this the industry needs "a computer system that is fundamentally resilient in the face of my making a mistake," he added.
To tackle this problem, Crosby and other Bromium executives who hail from the firm behind the Xen hypervisor technology (acquired by Citrix Systems in 2007) and other security companies, have come up with a new twist on virtualization targeting the problem of systems security. Whereas traditional hypervisors like Xen enabled multiple virtual machines to run on a single physical server to boost reliance, performance, and security in cloud environments, Bromium takes virtualization to a more micro level to protect a desktop computer against attacks on the system from within.
The system uses what is called a "Bromium Microvisor" -- a nod to the term "hypervisor," which is used to manage virtual machines -- that automatically isolates running tasks within an operating system as they are created. The initial version runs on Windows 7 64-bit (other platforms, including Mac OSX, will come in the future) and works with Intel's virtualization hardware extension to sequester the tasks on the fly. "We use this Microvisor to divide the world on your desktop into a trusted zone and an untrusted zone," said Crosby.
Every time someone clicks on a URL in the browser, opens a document or an attachment in an e-mail, or opens a file on a USB thumb drive, each task that gets created in the operating system as a result of the action is put into its own Micro-VM (virtual machine). All system resources, such as files, networks, clipboard, the user at the keyboard, are managed in Windows on the trusted side of the system. Any attempt by the Micro-VM to gain access to a file on that part of the system causes the Intel hardware to stop the action.
"The moment one of these tasks in a Micro-VM [tries to access the trusted area], for example the browser wants to open a cookie file, the hardware stops the execution of the task and hands control to the Microvisor," said Crosby. "That's the key innovation here. Instead of relying on software to police access to resources, we're going to now be sure that there's no way that these tasks can access any of my privileged resources, the file system, network access, clipboard, devices, printing."
If malware attempts to infect a computer when someone visits a malicious Web page, for instance, the malware is injected as a change to the local view of the environment only and can not be injected into Windows. "It's as if the attacker sees a big sheet of glass between him and Windows," Crosby said. "When you close the browser tab the whole thing is automatically discarded. So we have a PC that magically discards malware by design."
Bromium also offers the ability to analyze attacks as they are happening and to visualize attacks that traditional security methods can't detect, such as when a piece of software is trying to do something unauthorized from within a Micro-VM, like overwriting a registry, kernel bits or the master boot record. "We can profile zero-day attacks [exploiting previously unknown holes] in real-time without false alarms," he said.
The isolation Bromium offers brings to mind the sandbox approach used by Google's Chrome and Adobe Reader, but Crosby says there is a big difference. The more lines of code a piece of software has, such as a browser, the more bugs it is likely to have, which can compromise the sandboxing capability, he said.
"We've built a system of general purpose applicability. Anything can run in a Micro-VM," he said. "For an attacker to break our system they have to break the Intel Virtualization Technology. If the attacker tries to send a packet, to talk to the DNS (Domain Name System), talk to any device, the hardware will stop the execution of that task and check with the Microvisor to see if that is a legit task. There is no way for the attacker to get out of the Microvisor containment without being stopped by the hardware."
Several security experts were intrigued by Bromium's strategy.
"The idea of encapsulation is an important one in computer security. Defending a perimeter is always easier when a distinct perimeter can be identified," said Gary McGraw, chief technology officer of Cigital. "The trick is making sure any virtual boundary is water tight. As we've seen over and over again with Java, Chrome and other solutions relying on the sandbox idea, the solution is only as secure as its weakest link."
A Microsoft project, dubbed "Drawbridge," features a "picoprocess, which is a process-based isolation container with a minimal kernel API surface." Within the picoprocess runs a lightened version of Windows, dubbed "library OS," according to the Microsoft literature on the research that describes it as a prototype.
"Bromium, unlike Microsoft and VMWare, the way they do their virtualization of apps is specifically for security and fills in the gaps based on being a very different architecture," said Marc Maiffret, chief technology officer of BeyondTrust. "As a business, they have some room to grow, as long as Microsoft doesn't come out with their own thing. Bromium could be an attractive acquisition for VMWare or even Intel McAfee."