Bromium: A virtualization technology to kill all malware, forever


Summary: A new approach to virtualization could vaporize malware on desktops, mobile operating systems and even cloud-based Desktop-as-a-Service.


A few years ago, I wrote a speculative piece about how off-the-shelf x86 desktop virtualization technology such as VMware, Parallels and Oracle VirtualBox could be used as a means to defend PCs against all kinds of malware attacks.

I called that theoretical technology the "Browser Deflector Shield," evoking the defensive force field technology from "Star Trek." 

Shortly after, a company named Invincea actually implemented something very similar to what I described.

Invincea uses host-based virtualization technology on Windows desktops in order to provide the isolation for the browser, as well as a proprietary detection engine which will destroy and reset the virtual machine should any malware be detected.

While isolating the browser is certainly a good idea, there may be a better way of protecting desktop PC users from malware. That technology is micro-virtualization, or a "Microvisor."

I had a chance this week to speak for some time with Simon Crosby, co-founder and chief technology officer of Bromium, a company that is one of the first to market with a Microvisor security solution for desktop PCs, called vSentry. 

If Crosby's name rings a bell, that's because he was formerly chief technology officer of Citrix, and is the co-founder of XenSource, the company that first commercialized the Xen hypervisor, the very same that powers the core of Amazon Web Services (AWS) and its EC2 public cloud. XenSource was acquired by Citrix Systems in 2007.

Bromium vSentry is quite different from other virtualization technology that exists in the datacenter and on the desktop or even in mobile today.

vSentry is a "thin" hypervisor; it does not manage hardware resources the way a Type-1 hypervisor does, whether that is Microsoft's Hyper-V (built into Windows 8 Pro and Windows Server 2012), VMware ESX as part of the vSphere/vCloud suite, or Xen for that matter. 

It also does not behave like or perform the same function as a typical Type-2 desktop virtualization product, like VMware Workstation, Parallels Desktop or Oracle VirtualBox.

The vSentry microvisor sits on top of an existing operating system that manages the hardware resources, much as a Type-2 hypervisor might; however, it makes heavy use of the hardware virtualization extensions (VT-x and VT-d) present in the current generation of x86 processors.

Rather than managing the hardware, it strictly manages how operating system processes are created and destroyed; it does not create new instances of a hosted operating system at all.

The closest type of technology I could compare a microvisor like Bromium vSentry to is something like a "containerized" solution, such as Solaris Zones or Parallels Virtuozzo/OpenVZ, where a root/privileged operating system copies out clones of itself in memory to create pseudo-servers with unique libraries, configuration files and application storage all isolated into their own region of memory, all running on top of a shared kernel instance.

This is also referred to as "OS Virtualization."

OS Virtualization is a highly efficient way of virtualizing servers and applications, but has mostly been confined to the UNIX and Linux space.

Microsoft Research has conducted some initial work and has published various academic papers on an operating system virtualization project called "Drawbridge," which has many of the same characteristics as Solaris Zones and OpenVZ, as well as some significant architectural improvements to the basic concept. But so far it has not made its way into Windows. 

(I realize this stuff sounds very geeky and borderline nerdy, and most of you are nodding off at this point, but bear with me.)

Bromium's and micro-virtualization's key purpose is not to virtualize apps or operating systems in order to increase datacenter density and maximize resource utilization, although that may be a pleasant side effect. The purpose of Bromium vSentry is to virtualize every single process that is launched by a user or spawned by an application.

Still with me? OK, great. Here's a picture that sheds a bit more light on this.

Image Credit: Bromium

In the Bromium systems architecture, every time the user fires up an application — and let's say for the sake of simplicity that this is a Web browser like Internet Explorer, Firefox, or Chrome — it's isolated into its own virtual machine called a "Micro-VM".

A Micro-VM puts the application on a "need-to-know" basis, and only provisions out exactly what it needs in order to function. For example, it doesn't have access to every library on the system; only the ones that it needs to run.

Applications may have multiple processes running within them, such as multiple tabs in a Web browser. In this case, a browser tab as well as any plugins inside it would be given their own Micro-VM. There are no "child" virtual machine processes, only parallel Micro-VM processes, all running within the microvisor's "ring of trust".

Now here is where things get interesting. When the application or the process within the application is closed, that Micro-VM also dies. Any malware that may have entered the system via that process is destroyed along with it.

Bromium also introduces the concept of "copy on write," which clones out system resources like dynamic-link libraries (DLLs) as well as things like user profiles and data into temporary memory, so the original copy cannot be affected if an attack takes place. 
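To make the three properties just described concrete (need-to-know provisioning, copy-on-write cloning of host resources, and the Micro-VM dying with its process), here is a small model in Python. It is an added illustration for this article, not Bromium's code: the `Host` and `MicroVM` classes, the dictionary standing in for DLLs and the user profile, and the "tampering" writes are all constructed for the example.

```python
"""Toy model of Micro-VM isolation with copy-on-write.

Added illustration, not Bromium's code. Host, MicroVM, PolicyViolation and the
sample resource names are constructed for this example.
"""
from __future__ import annotations


class Host:
    """The trusted host OS: owns the canonical copy of every resource."""

    def __init__(self, resources: dict[str, bytes]) -> None:
        # Canonical copies; a Micro-VM never gets a reference it can mutate.
        self.resources = dict(resources)


class PolicyViolation(PermissionError):
    """Raised when a Micro-VM touches a resource outside its need-to-know set."""


class MicroVM:
    """One isolated process (for example a single browser tab).

    Reads fall through to the host copy; a write lands in a private overlay
    (copy-on-write), so the host copy is never modified. Closing the Micro-VM
    discards the overlay, taking any tampering with it.
    """

    def __init__(self, host: Host, allowed: set[str]) -> None:
        self.host = host
        self.allowed = frozenset(allowed)    # need-to-know provisioning
        self.overlay: dict[str, bytes] = {}  # private, per-VM copies
        self.alive = True

    def _check(self, name: str) -> None:
        if not self.alive:
            raise RuntimeError("Micro-VM has been destroyed")
        if name not in self.allowed:
            raise PolicyViolation(f"{name} is not provisioned to this Micro-VM")

    def read(self, name: str) -> bytes:
        self._check(name)
        if name in self.overlay:
            return self.overlay[name]
        return self.host.resources[name]

    def write(self, name: str, data: bytes) -> None:
        self._check(name)
        self.overlay[name] = data  # COW: the write goes to the private copy only

    def close(self) -> None:
        """Process exit: the Micro-VM and everything written inside it are gone."""
        self.overlay.clear()
        self.alive = False


def demo() -> dict[str, bool]:
    """Run the scenario from the article and return the observable properties."""
    host = Host({
        "kernel32.dll": b"ORIGINAL-KERNEL32",
        "user_profile": b"ORIGINAL-PROFILE",
        "secret.db": b"ORIGINAL-SECRET",
    })
    # A browser tab is provisioned only what it needs: secret.db is not on the list.
    tab = MicroVM(host, allowed={"kernel32.dll", "user_profile"})

    # Constructed "compromise": code inside the tab overwrites a DLL and the profile.
    tab.write("kernel32.dll", b"TAMPERED")
    tab.write("user_profile", b"TAMPERED")

    results = {
        "vm_sees_tampered": tab.read("kernel32.dll") == b"TAMPERED",
        "host_unaffected": host.resources["kernel32.dll"] == b"ORIGINAL-KERNEL32",
    }
    try:
        tab.read("secret.db")
        results["need_to_know_enforced"] = False
    except PolicyViolation:
        results["need_to_know_enforced"] = True

    tab.close()  # tab closed: the tampering dies with the Micro-VM
    fresh = MicroVM(host, allowed={"kernel32.dll"})
    results["fresh_vm_clean"] = fresh.read("kernel32.dll") == b"ORIGINAL-KERNEL32"
    return results


if __name__ == "__main__":
    for prop, ok in demo().items():
        print(f"{prop}: {ok}")
```

The model deliberately gives the Micro-VM no path back to `host.resources` other than read-through, which is the whole point of the copy-on-write design: the compromised tab sees its own altered copy, the host and every other Micro-VM keep the original, and a fresh Micro-VM started afterwards begins from clean state.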

But Bromium also pre-emptively inspects every single Micro-VM for the telltale signs of a malware attack, and uses crowdsourcing for determining if the process is being attacked.

Image Credit: Bromium

For instance, if you are visiting a website and get hit with a redirect/cross-site scripting or a phishing attempt, it employs what the company refers to as Live Attack Visualization and Analysis (LAVA), which uses the behavioral signature of the attack to determine that it needs to shut down the virtual machine and notify the user before the compromise actually occurs. This extends to sophisticated malware attacks, including those that utilize polymorphism, as well as rootkits and boot-kits.

Bromium's intention is to share these behavioral patterns through an open standard, so all anti-malware products as well as open source projects can reap the benefits.

Today, Bromium vSentry is restricted to running "on-the-metal" on Windows-based desktop PCs and servers, and cannot currently sit on top of an existing hypervisor platform. But there is no reason why this architecture could not be implemented in existing hypervisor platforms to provide this process isolation for Desktop-as-a-Service (DaaS) through a virtual desktop infrastructure (VDI) or virtualized session-based computing.

Bromium vSentry is able to work with session-based desktop computing now, using an "on the metal" session host running Microsoft RDS or Citrix XenApp.

The fundamental technology could also be ported to Linux, or even to the Mac. Additionally, once virtualization acceleration technology makes its way onto ARM-based SoCs in the next few years, the same principles of micro-virtualization could be applied to mobile devices, including smartphones and tablets running different OSes.

Could micro-virtualization be the killer technology that rids the world from malware once and for all? Talk back and let me know. 



Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.



  • Where there is a will

    Where there is a will there is a way.
    People will continue to get in malware one way or another.
    That does not mean to stop trying to prevent it of course.
    • new approach

      new approach means it will give a break for some time for junkies
      • Let the Microsoft ecosystem die...

        ...and IT world will be a little bit better.
    • QUBES?

      How does Bromium compare with Qubes? How does it improve upon Qubes?
      • my thoughts exactly

        as soon as i started reading this i thought, hey that sounds just like qubes. i think he made a reference, though not expressly at qubes, to the fact that this type of virtualization was available for UNIX/Linux and solaris
        • I was thinking Qubes...

          is an amalgam of trusted computing and secure hardware; so it requires buying more hardware/infrastructure to be implemented - but then I never got this far on trying to understand it. It is also based on the "Trusted Computing" software which is scaled and graded by a system that is known only to serious security geeks. In fact my whole statement could be wrong here - it is just the way I perceive it.
    • I agree! My vote is here!

      I agree ! My vote is here!
  • why is this new?

    This "virtualization" technology has been how UNIX separates processes for decades. Many years ago BSD introduced "jails" that can virtualize the entire OS, not only services, even different versions including the networking stack - on a common kernel. As mentioned it is also very common on Solaris. There should be something similar for Linux as well.

    I am sort of surprised such technology does not already exist as standard in Windows. Without technology like this, there is no protection against malware.
    • uefi...

      windows' forcing uefi sh#t instead...
    • This is very different from the UNIX process separation model.

      Rather than software enforced separation this is hardware enforced and it's for the desktop, not the server. Each new task (browser tab or open pdf) opens in a new VM so if malware compromises IE or acrobat and then the entire OS, all it has to play with is a restricted VM with no access to the host OS, local network etc. Also, because the microvisor codebase is so small (~10k LoC) the attack surface is greatly decreased from the ~10M LoC in a typical modern OS.
      • UNIX process separation

        UNIX does not differentiate between smartphone, desktop, server or a supercomputer (in today's understanding a cluster of many computers). It uses the same model for process separation.

        Of course, UNIX uses the hardware capabilities to separate processes, typically the so called MMU. This is why Microsoft's experiments with XENIX, that attempted to emulate UNIX running on a 80286 class CPU did not work well -- that Intel CPU simply didn't have the required hardware.

        One of the key differences between UNIX and Windows has always been in resource separation. Ironically, the open nature of Windows, that allows any software to access anything on the computer (more or less restricted in recent versions) was what made Windows so popular -- because programmers needed little training on how to write software to OS APIs.

        By the way, everything on a computer happens because of software. There might be hardware to help software do its task, but it is all software that "decides" what happens. This includes the finite state machines that run the CPU microcode, that interprets "machine code" instructions and commands the various execution units etc. Microcode is software too and modern CPUs let you upgrade it as well.
        • nice differentiation

    • Microsoft finally catches up only to realize they are still behind!

      Microsoft is simply catching up with Linux & Unix :-). So the question is, why are we USING Microsoft s/w lol lol.
  • Sounds a lot like VMware ThinApp

    "The Microvisor sits on top of an existing operating system that manages the hardware resources like Type-2 hypervisor might, however it makes heavy use of the hardware virtualization extensions (VT-x and VT-d) present in the current generation x86 processors.

    And rather than managing the hardware itself, it strictly manages how operating system processes are created and destroyed, rather than creating new instances of a hosted operating system itself."

    Sounds a lot like the same thing as this:
    • Different

      ThinApp requires application packaging. This does not, so it could be a consumer technology, not just an enterprise one.
      • Thanks for the clarification, Jason

        I agree, the goal seems to be to take what ThinApp (and similar technologies) provides for specific, isolated applications and tries to apply that to everything on your system.

        It appears that they're not targeting the consumer market with this - at least not yet. Their website and literature seems very focused on enterprise sales.
      • Different?

        I have to agree that this sounds like any number of application virtualization technologies in use today including but not limited to App-V, App-X, VMware ThinApp, and XenApp. These are an extension of Windows built-in technologies like UAC Virtualization (of which AppSense is an expensive iteration of the same but with a SQL back end). And UAC Virtualization is really a derivative of a filter driver that dates back to NT days when Mark Russinovich introduced it as a SysInternals product known as Regmon. Later, it was adapted for file system redirection for Wow64 operations. Sandboxing is also built into Microsoft Office and Internet Explorer and labeled as, "Protected Mode". A "Microvisor" sounds really fancy but it sounds like it is probably hooking into the Windows Driver Framework API to extend the existing capabilities with some malware scanning algorithms. It also sounds expensive, overly complex, difficult to manage and late to the game. Windows 8 Modern UI already sandboxes all applications through App-X and the same is built into Windows Phone 8. You can already sandbox any process that is invoked through a Windows executable on Windows Vista, Windows 7 and Windows 8 by creating a "shim" through the Application Compatibility Toolkit. This is also known as UAC virtualization but that notwithstanding, I only mention all of this because it sounds like a bunch of marketing spin for a product that is probably using one or several Microsoft APIs and then charging a lot of money for it in much the same way that AppSense does. I'm sure that their marketing team put a lot of time into the visualizations to try to make it seem like they have secret sauce but if they do, it is limited to the effectiveness of their malware algorithm and whether they can reset a virtualized application process without blowing something else up. Then there is the matter of the trusted circle jerk and whether that works consistently. 
        Be sure to congratulate them for figuring out how to port the .sdb shim database into their own (guessing SQL back end) and using Run as Invoker and Run as Administrator gratuitously throughout.
        • I seriously doubt this

          We're talking about a company that was formed by the creator of Xen. I seriously doubt Bromium is simply re-using existing Microsoft infrastructure without adding some significant value add. That they are extending into the VT-x and VT-d CPU instructions with this suggests that there is definitely some "secret sauce" involved here.
        • Uh, no

          It truly is a VM-based technology, not a repackage of some existing MS APIs/capabilities. If you examine their system architecture, they started with Xen, and heavily adapted from there to end up with a new type of hypervisor. It's really truly virtualizing a set of very important functions - not just wrapping them in access controls.

 has an interesting alternative that's also in development.