Bromium: A virtualization technology to kill all malware, forever
A few years ago, I wrote a speculative piece about how off-the-shelf x86 desktop virtualization technology such as VMware, Parallels and Oracle VirtualBox could be used as a means to defend PCs against all kinds of malware attacks.
I called that theoretical technology the "Browser Deflector Shield," evoking the defensive force field technology from "Star Trek."
Shortly after, a company named Invincea actually implemented something very similar to what I described.
Invincea uses host-based virtualization technology on Windows desktops in order to provide the isolation for the browser, as well as a proprietary detection engine which will destroy and reset the virtual machine should any malware be detected.
While isolating the browser is certainly a good idea, there may be a better way of protecting desktop PC users from malware. That technology is micro-virtualization, or a "Microvisor."
I had a chance this week to speak for some time with Simon Crosby, co-founder and chief technology officer of Bromium, a company that is one of the first to market with a Microvisor security solution for desktop PCs, called vSentry.
If Crosby's name rings a bell, that's because he was formerly chief technology officer of Citrix, and is the co-founder of XenSource, the company that first commercialized the Xen hypervisor, the very same that powers the core of Amazon Web Services (AWS) and its EC2 public cloud. XenSource was acquired by Citrix Systems in 2007.
Bromium vSentry is quite different from other virtualization technology that exists in the datacenter and on the desktop or even in mobile today.
vSentry is a "thin" hypervisor and does not manage hardware resources like a Type-1 hypervisor, like Microsoft's Hyper-V, which is built into Windows 8 Pro and Windows Server 2012, or like VMware ESX as part of the vSphere/vCloud suite, or even Xen for that matter.
It also does not behave like or perform the same function as a typical Type-2 desktop virtualization product, like VMware Workstation, Parallels Desktop or Oracle VirtualBox.
The vSentry microvisor sits on top of an existing operating system that manages the hardware resources like Type-2 hypervisor might, however it makes heavy use of the hardware virtualization extensions (VT-x and VT-d) present in the current generation x86 processors.
And rather than managing the hardware, it strictly manages how operating system processes are created and destroyed, rather than creating new instances of a hosted operating system itself.
Read this
The closest type of technology I could compare a microvisor like Bromium vSentry to is something like a "containerized" solution, such as Solaris Zones or Parallels Virtuozzo/OpenVZ, where a root/privileged operating system copies out clones of itself in memory to create pseudo-servers with unique libraries, configuration files and application storage all isolated into their own region of memory, all running on top of a shared kernel instance.
This is also referred to as "OS Virtualization."
OS Virtualization is a highly efficient way of virtualizing servers and applications, but has mostly been confined to the UNIX and Linux space.
Microsoft Research has conducted some initial work and has published various academic papers on an operating system virtualization project called "Drawbridge," which has many of the same characteristics as Solaris Zones and OpenVZ, as well as some significant architectual improvements to the basic concept. But so far it has not made its way into Windows.
(I realize this stuff sounds very geeky and borderline nerdy, and most of you are nodding off at this point, but bear with me.)
Bromium's and micro-virtualization's key purpose is not to virtualize apps or operating systems in order to increase datacenter density and maximize resource utilization, although that may be a pleasant side effect. The purpose of Bromium vSentry is to virtualize every single process that is launched by a user or spawned by an application.
Still with me? OK, great. Here's a picture that sheds a bit more light on this.
In the Bromium systems architecture, every time the user fires up an application — and let's say for the sake of simplicity that this is a Web browser like Internet Explorer, Firefox, or Chrome — it's isolated into its own virtual machine called a "Micro-VM".
A Micro-VM puts the application on a "need-to-know" basis, and only provisions out exactly what it needs in order to function. For example, it doesn't have access to every library on the system; only the ones that it needs to run.
Applications may have multiple processeses running within them, such as multiple tabs in a Web browser. In this case, a browser tab as well as any plugins inside them would be given their own Micro-VM. There are no "child" virtual machine processes, only parallel Micro-VM processes, all running within the microvisor's "ring of trust".
Now here is where things get interesting. When the application or the process within the application is closed, that Micro-VM also dies. Any malware that may have entered the system via that process is destroyed along with it.
Bromium also introduces the concept of "copy on write," which clones out system resources like dynamic-link libraries (DLLs) as well as things like user profiles and data into temporary memory, so the original copy cannot be affected if an attack takes place.
But Bromium also pre-emptively inspects every single Micro-VM for the telltale signs of a malware attack, and uses crowdsourcing for determining if the process is being attacked.
For instance, if you are visiting a website and get hit with a redirect/cross-site scripting or a phishing attempt, it employs what the company refers to as Live Attack Visualization and Analysis (LAVA), which uses the behavioral signature of the attack to determine that it needs to shut down the virtual machine and notify the user before the compromise actually occurs. This includes sophisticated malware attacks including those that utilize polymorphism as well as rootkits and boot-kits.
Bromium's intention is to share these behavioral patterns through an open standard, so all anti-malware products as well as open source projects can reap the benefits.
Today, Bromium vSentry is restricted to running "on-the-metal" on Windows-based desktop PCs and servers, and cannot currently sit on top of an existing hypervisor platform. But there is no reason why this architecture could not be implemented in existing hypervisor platforms to provide this process isolation for Desktop-as-a-Service (DaaS) through a virtual desktop infrastructure (VDI) or virtualized session-based computing.
Bromium vSentry is able work with session-based desktop computing now, using an "on the metal" session host running Microsoft RDS or Citrix XenApp.
The fundamental technology could also be ported to Linux, or even to the Mac. Additionally, once virtualization acceleration technology makes its way onto ARM-based SoCs in the next few years, the same principles of micro-virtualization could also be used on mobile devices as well, including smartphones and tablets running different OSes.
Could micro-virtualization be the killer technology that rids the world from malware once and for all? Talk back and let me know.