Bromium's new twist on BYOD malware: Cordon it off with micro VMs

Xen veterans have unveiled the Bromium Microvisor, a piece of lightweight kernel-level code that cordons off untrusted application tasks, allowing employees to use potentially untrustworthy devices for business purposes.

In a novel approach to keeping out malware, start-up Bromium has developed a mini hypervisor that sets up a virtual security cordon around untrusted application tasks.

The company, founded by Xen veterans, introduced the Bromium Microvisor technology at GigaOm Structure on Wednesday. The hypervisor-like piece of kernel-level code is designed to help businesses cope with the Bring Your Own Device (BYOD) trend, where employees use their personal devices for work.

The Microvisor isolates vulnerable application tasks in a lightweight virtual machine, described by Bromium as a 'micro-VM'. In this way, it places restrictions on access to data, networks and system resources, according to a Bromium whitepaper (PDF).

For example, if a user carries out a copy-and-paste using Microsoft Word, Bromium should create a micro-VM to access Windows system resources on behalf of the task. This shields the system from malware, even if there are zero-day vulnerabilities in the OS or apps, without the user seeing any difference in the way they are working.

"Bromium micro-virtualisation delivers on the promise of trusted computing, enabling enterprises to safely embrace the key trends affecting IT: consumerisation, mobility, device diversity and cloud computing," the company's chief executive Gaurav Banga said in a statement.

The California-based start-up, which is setting up a new UK office in Cambridge, believes this means employees can use their own devices to connect to business systems, without using a VPN in some cases. They can also use unpatched devices, as untrusted application tasks are isolated from whitelisted processes.

Byzantine Generals Problem

Xen veterans Simon Crosby and Ian Pratt co-founded Bromium. Crosby, who founded XenSource before it was acquired by Citrix, said that by aiming to provide security amid the diversity of scenarios faced by businesses, Bromium is grappling with the Byzantine Generals Problem (PDF).

In the classic computer science problem, a group of Byzantine military leaders must find a way to create trusted communications between each other and their cohorts, even though any one of these may be treacherous.

"We are engaged on a quest for the desktop holy grail — a system that is trustworthy by design," Crosby said in a blog post.

The Microvisor can protect the generals and cohorts (a computing device) regardless of whether any traitors (malfunctioning or compromised components) are in play, Crosby said. It operates on the principle of 'least privilege', only allowing enough application processes to run for the system to operate, he noted.

No date has been publicly set for the release of Microvisor. Bromium said on Wednesday it has secured second-round funding of $26.5m (£17m) from investors, following an initial investment of $9.2m in 2011.