With the release of Bromium's vSentry product, we figured we'd re-post this article from one of Bromium's founders: Simon Crosby. Simon submitted this as a guest blog post on June 20, 2012, where it has since received 7000 views and 17 comments.
Many of you know that Simon Crosby, former XenSource cofounder & Citrix CTO, left Citrix to cofound a new company called "Bromium." Bromium has been operating in stealth mode... until today. This is a guest post from Simon explaining what Bromium's technology is, how it will work, and what it can be used for. Simon's been a reader and commenter on this site for years, so don't hold back any commentary on his new company!
Bromium micro-virtualization: trustworthy systems by design
Bromium aims to transform the resilience of computer systems, making them affordable, manageable and trustworthy by design. We are aware that this is a lofty goal, and we know we can’t achieve it overnight. But we are confident that our architecture possesses key ingredients to dramatically advance the state of the art. It is simple, elegant and can be broadly applied.
We believe that a trustworthy system empowers the user without increasing risk to the enterprise, and can enable IT to securely navigate the challenges of consumerization, mobility, and personal use of enterprise devices. Bromium’s key innovation—micro-virtualization—is the key building block of a trustworthy system. Micro-virtualization protects vulnerable software (even when the device hasn’t been patched) and secures enterprise data at runtime, automatically discarding malware to deliver a resilient system—all industry firsts that save money and time, and keep users productive.
Bromium micro-virtualization is a second-generation virtualization technology that extends the isolation principles of virtualization into a running operating system (OS - let’s assume Windows for now). It is implemented by the Bromium Microvisor, a lightweight special-purpose hypervisor deployed as a small MSI package. The Microvisor extends a single, natively installed Windows desktop, making it naturally resilient in spite of user errors and software vulnerabilities, and protecting it when accessing data or code of unknown provenance and unfathomable trust. The Microvisor is completely hidden from the user, who enjoys a native desktop user experience.
The Microvisor automatically, instantly and invisibly identifies each vulnerable task and hardware-isolates it within a micro-VM - a lightweight, hardware-backed isolation container that polices access to Windows services. Micro-VMs run natively, with full performance, but continually protect the system – even from unknown threats: a micro-VM can only access Windows services and resources via “enlightened” service APIs that cause the virtualization hardware to pause execution of the micro-VM (a hardware VM_EXIT), yielding control to the Microvisor.
The architecture specifically relies on Intel VT to guarantee that task-specific mandatory access control (MAC) policies will be executed, in a trusted execution context, whenever a micro-VM attempts to access key Windows services. It imposes tight control over access to sensitive files, networks and devices according to the “principle of least privilege”. The Microvisor creates micro-VMs instantaneously, and can easily control hundreds of concurrent micro-VMs on a modern (Core i3/i5/i7) PC. Micro-VMs are tiny because they contain only task-specific state, and they run natively. They are hardware isolated from each other and from Windows. Trusted and untrusted tasks can thus coexist on a single system with guaranteed mutual isolation. To Windows, micro-VMs are just tasks - it schedules them for execution, and tracks their performance and resource usage. Key properties of the system include:
- When a micro-VM executes, any changes it attempts to make to its view of the “golden” IT provisioned Windows instance are “Copy on Write” or CoW. For example, if an attacker changes a Windows kernel memory page, it only succeeds in modifying an instantly created local copy of that page, and not the original.
- Each micro-VM is granted only a narrow view of the file system that contains just the files it needs – an implementation of the principle of “least privilege” – with CoW update semantics.
- When a micro-VM terminates (the user closes the window, or the task exits) the Microvisor discards the task’s memory image and uses a persistence policy to determine whether to persist any new files. Any persisted files are securely tagged with meta-data that encodes their provenance and trust; the Microvisor ensures that untrusted files can only be accessed from a micro-VM.
- The Microvisor restricts micro-VM access to network services: Untrustworthy tasks cannot access “trusted” networks or “high value” SaaS/RDS applications, and access to “high value” sites over an untrustworthy network requires a secure end-to-end VPN.
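To make the four properties above concrete, here is an added toy model, written for this repost and not Bromium's code, of a micro-VM's least-privilege file view, its copy-on-write state, and the persistence policy that tags anything it keeps with provenance. The mediation API, the `persist_policy` rule and the file paths are constructed assumptions, not details from the post.

```python
# Constructed toy model of the micro-VM policies described above; not Bromium's code.
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED = "trusted", "untrusted"

class Microvisor:
    # Mediates every file access a micro-VM makes (stands in for the enlightened API)
    def __init__(self, golden):
        self.golden = dict(golden)  # IT-provisioned image, path -> bytes; never written at runtime
        self.persisted = {}         # files kept after a micro-VM exits: path -> (bytes, provenance)

    def host_open(self, path):
        """The native desktop may only open trusted files; untrusted ones need a micro-VM."""
        data, trust = self.persisted.get(path, (self.golden.get(path), TRUSTED))
        if trust == UNTRUSTED:
            raise PermissionError(f"{path} is untrusted: open it in a micro-VM")
        return data

@dataclass
class MicroVM:
    mv: Microvisor
    visible: set                # least-privilege view: only the files this task needs
    trust: str = UNTRUSTED
    cow: dict = field(default_factory=dict)  # private copy-on-write state, discarded on exit

    def read(self, path):
        if path not in self.visible:
            raise PermissionError(f"{path} is hidden from this micro-VM")
        if path in self.cow:
            return self.cow[path]
        return self.mv.persisted.get(path, (self.mv.golden.get(path),))[0]

    def write(self, path, data):
        # CoW: the write lands in a private copy; the golden image and other micro-VMs are unaffected
        if path not in self.visible and (path in self.mv.golden or path in self.mv.persisted):
            raise PermissionError(f"{path} is hidden from this micro-VM")
        self.cow[path] = data
        self.visible.add(path)

    def terminate(self, persist_policy):
        """Discard the task's memory image; persist only what policy allows, tagged with provenance."""
        kept = [p for p in self.cow
                if p not in self.mv.golden and persist_policy(p, self.trust)]
        for p in kept:
            self.mv.persisted[p] = (self.cow[p], self.trust)
        self.cow.clear()
        return kept

def persist_policy(path, trust):
    # Constructed example rule: untrusted tasks may keep downloads, but never executables
    return trust == TRUSTED or (path.startswith("Downloads/") and not path.endswith(".exe"))
```

A write to a golden file such as a kernel binary only ever reaches the micro-VM's private copy, and it is dropped with the rest of the task's state at termination.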
Because micro-VMs are just tasks, their lifecycle and resource management must be automatic and instantaneous, in response to user actions. This permits us to use virtualization to deliver enhanced security and resilience without any change to the end user experience. It also means no new IT skill sets or tools are required to manage the Microvisor. The Microvisor is managed using simple enterprise policies and has no management console of its own.
The Microvisor’s attack surface is narrow. To escape from a micro-VM an attacker must compromise the system at the enlightened Windows service API – the hypercall API. The Microvisor does not trust hypercalls and the interface is implemented in less than 10,000 lines of hardened code. The architecture changes the attack surface of the system from O(10M) LOC to O(10K) LOC.
Micro-virtualization in Action
Micro-virtualization adds hardware-enforced task isolation to the operating system. It can be used to solve some of the most challenging problems in enterprise IT where traditional software abstractions for isolation have been shown to be inadequate. Some uses are discussed below.
Blocking advanced persistent threats
Recent security compromises have shown that sophisticated attackers use advanced malware to evade host and network based security. Using micro-virtualization it is possible to make end points vastly more secure.
By ensuring that each vulnerable or untrustworthy task (e.g. opening a web page or an email attachment) is executed in its own micro-VM, Bromium can guarantee that a compromised task cannot access enterprise data or applications.
Bromium assumes that at some point a task in a micro-VM will be attacked and will be compromised. The granular isolation afforded by the Microvisor, together with the resource control policies, ensures that any attack will be confined to the micro-VM, that no enterprise data will be stolen, and that the attack will be automatically discarded.
Protection of Sensitive Applications
Increasingly, users need to access enterprise applications from untrustworthy networks. While it is possible to securely identify the user, the enterprise still cannot trust the device. If a key-logger or screen-scraper has compromised the PC then data from the application session can be stolen.
This problem can be overcome by first ensuring that all access to untrustworthy domains and documents is isolated in micro-VMs. Second, we can isolate access to the remote application within an additional micro-VM so that application data cannot be stolen. The Microvisor permits the micro-VM to communicate only with the authenticated remote application using an encrypted session. It can also enforce enterprise policies to prevent local storage/printing of sensitive data.
Data loss prevention
Bromium micro-virtualization can empower every user with powerful Data Loss Prevention (DLP) features. An untrusted micro-VM cannot access files that are hidden by its resource policy, but it is possible to define policies that would allow this in some circumstances. For example, one could permit a user to attach a confidential document to an untrusted webmail message, only if the document is encrypted when presented to the micro-VM, and the enterprise is securely notified.
Desktop virtualization done right
Many enterprises have been piloting deployments of Virtual Desktop Infrastructure (VDI) as part of their desktop virtualization strategy. But VDI is useful for only a small percentage of users. For the vast majority of users the preferred client form factor is the PC, with a strong trend toward laptops that serve a mobile workforce. Micro-virtualization delivers every benefit of VDI together with application security on the devices that users love to use – their PCs and laptops.
- Every new micro-VM is created from the known-good golden image, which only changes under IT control
- Enterprise data is protected at runtime, ensuring security and compliance
- Users get to safely use enterprise data and applications both on- and off-line, from any network
- The desktop is protected from malware, viruses and APTs
- Granular policies for access to and distribution of enterprise data are applied on every PC, for every task
- IT manages updates when it suits them, using existing tools for image management and patch distribution
PC configuration & lifecycle management
Desktop administration teams in the enterprise are rightly concerned about the security of their desktops when new vulnerabilities are exposed and before devices can be patched.
Because Bromium assumes that any task may be compromised and because the Microvisor is designed to isolate compromised tasks, the desktop will always be protected, even with vulnerable software. IT staff can apply patches when it suits them and users, with full confidence that their systems are always protected.
Perhaps as importantly, Bromium-enabled PCs do not need to be re-imaged when an attack occurs. The system shrugs off malware, keeping the system “gold”. This saves countless hours of IT time, reduces support calls, and keeps users productive.
Onward, toward trustworthy computing!
Bromium micro-virtualization adds granular, resilient task-based isolation to Windows. It has the opportunity to dramatically enhance security, simplify software lifecycle management, and to protect data at all times, by making endpoints trustworthy and resilient. It can achieve this without changes in management practice or toolsets, and without sacrificing the powerful native desktop user experience. It has the opportunity to be a key ingredient of any future trustworthy computer system.