Bromium vSentry a Next Generation Hypervisor to End Malware Woes?

Desktop security start-up Bromium announced the general availability of vSentry, at the Gartner Security and Risk Management management Summit in London today. Their first product to be based on the Bromium Microvisor designed to protect from advanced malware that attacks the enterprise through poisoned attachments, documents and websites.

Today’s approach to enterprise information security is based on the underlying principle that malware must be detected in order to prevent attacks. However even the most sophisticated anti-malware tools are never fully effective at identifying all possible threats. And are frequently overwhelmed by threats that appear to be state-sponsored. The biggest single factor in limit the effectiveness of today’s anti-malware solutions is that’s no matter how sophisticated the security system is, it is all based on the understanding that only when a threat signature is detected can malware be blocked the obvious shortcoming here being the existence of zero day exploits where no previous signature has been identified.

The Bromium Microvisor takes a new approach to security that runs counter to that of established practice. Instead of relying on the sequential process of threat development, threat detection, countermeasure development and countermeasure deployment. vSentry does not rely on detection, nor does it actually prevents malware from running. Instead it employees the  principles of least privilege security to grant individual tasks no more rights than are necessary for them to perform their specific function, and any attempt by the task to exceed its authority will result in rapid expulsion. All disk and memory writes performed by the suspect task are protected through Copy on Right so that any attempt at an a low task might perform exist only within the confines of the secure virtual machine when the task finishes executing, the contents are all discarded, and the defaults restore. The Individual tasks are locked inside their own hardware isolated micro VM’s that conform to a set of policies governing what they are permitted to do, ensuring the tasks cannot perform unauthorized activities, shielding the rest of the environment from harm.

Unlike other anti-malware solutions, that rely on detection in order to prevent attacks, vSentry decouples protection from detection, making it fully effective even against zero-day attacks.

I had the opportunity to put some questions to Bromium co-founder Simon Crosby last week to ask him about vSentry as it stands today and where it it might finish up.

 By way of introduction, is vSentry a type I hypervisor, type II hypervisor, or something entirely new? And can you answer that without resorting to calling it type zero or type 1.5.

It is not easy to use the traditional hypervisor type in this context, since that is used to indicate which software on the system owns/drives the hardware. Our purpose is not to virtualize hardware – since our customers want to be able to take advantage of all of the capabilities of Windows and WHQL – every device you could buy in Fry’s must work in a vSentry enabled PC. The Microvisor needs only VT-x to function correctly. This could incorrectly lead you to believe that this is a type-2 hypervisor, but recall that there are no “guest VMs” in a vSentry system. There are only hardware isolated tasks running within Windows. Nor indeed is there a concept of a host. There is just Windows, and a system architecture that is divided into trusted tasks and untrusted tasks. Untrusted tasks see a file system, network, clipboard, device and user-access view that is minimized according to “least privilege”; whenever a micro-VM attempts to access one of these resources it will be interrupted by hardware, take a VM_EXIT, and control will pass to the Microvisor to implement mandatory access control. In addition, execution within a micro-VM is Copy on Write, preventing malware from modifying the Windows memory image or file system.

Does this mean then that a vSentry protected operating system cannot be installed as a guest on top of another hypervisor? Type I and type II?

The primary limitation in this regard is the challenge of sharing Intel VT. We can technically share with VMware, since they write good code, but the semantics are still undefined. That said, it is fair to say that there are very few users of client side virtualization today. It’s geeky, disrupts the UX, messes with battery life and doesn’t really serve a broad use case. Bromium addresses a use case that suits every user: A great user experience with all the power of Windows, that delivers protection against malware.

What is its relationship with µ-Xen (micro-Xen)?

The Bromium Microvisor in vSentry v1.0 is built from multiple open source code bases, and also proprietary code.

Does this mean that, setting aside any licensing implications, it may be possible to incorporate Bromium technology into a future release of Citrix XenClient and other Xen-based hypervisors?

XenClient is a Citrix proprietary product. It happens to contain the Xen hypervisor. It is worth pointing out that the use case for XenClient is completely different than for vSentry. XenClient was built to deliver a multi-level secure client computing system where different security domains are explicitly visible in the user experience. vSentry aims to do the exact opposite – deliver a system with an unchanged UX that protects the user from untrustworthy execution

What about Hyper-V and ESXi?

These hypervisors are used for server virtualization, which is a different use case. Client Hyper-V in Win8 is intended to address use cases for developers/IT personnel needing multiple traditional VMs. vSentry does not support this use case. I think it’s fair to say that we’d recommend client Hyper-V for those use cases, since it will offer a far better user experience as a “feature of the OS”

 At present vSentry will only be available for Windows 7, and presumably Windows 8 when it comes out. Given the degree of commonality between Windows 7 and Windows Server 2008 R2 is it possible to envisage vSentry being used in conjunction with RDS?

The Bromium Microvisor is a general purpose hypervisor, so one could envisage using it for server-side use cases in the future. However Bromium is trying to evolve desktop computing from the stone age first: moving to a model of relative trust and least privilege to protect the enterprise and deliver real value to users. The business model for server hypervisors is server virt/private cloud in the enterprise. The market is well established and the Bromium use cases would not make sense to the majority of buyers.

So from the perspective of desktop virtualization and VDI, I am limited to non-hypervisor-based solutions such as brokered blade PCs, and native operating system solutions that incorporate layering technologies such as Mirage that VMware picked up when it acquired Wanova?

For now, yes.

Conversely, assuming the hardware permits, could vSentry technology be incorporated in Windows XP to provide a degree of protection for organizations unable to complete the migration to Windows 7 before April 2014?to

Theoretically, yes. However vSentry supports Windows 7 64-bit today. We find that customers are keen to move to Windows 7 and view vSentry as another good reason to do so.

What about other operating systems? OS X is an obvious candidate provided the market is there, but unless it can work in conjunction with a Type II hypervisor, users of products like VMware Fusion will be shut out.

OS-X support is coming. Fusion and Parallels are niche use cases in our view.

Looking further into the future, as ARM offers better hardware virtualization support, might we see vSentry for Android?

We are making good progress on Android on x86.

There have been a number of high profile targeted malware attached over the past year. How would malware tools like Duqu, Gauss, Flame and Shamoon have fared if they had gone up against vSentry protected PCs?

This requires a longer answer based on the specifics of each of the above. Happy to put you in touch with our Chief Security Architect…

I would certainly look forward to that opportunity. Until then let me just say that vSentry is immediately available for Windows 7 64-bit edition. Bromium have not released product pricing, other than to say it will be licensed per user enterprisewide and priced according to volume. Without releasing pricing information I would expect Bromium to be charging significantly more than that of conventional anti-malware solutions that in many cases appeared to do little more than swat flies and apologize for the mess

Until Bromium’s CSA is available, I can repeat what I saw at VMworld in San Francisco a few weeks ago. Bromium was demonstrated a Beta version of vSentry in San Francisco the same week of VMworld2012 when coincidentally there was a major unpatched Java bug ripe for exploit. Seeing vSentry demonstrated from the point of view of a hacker,  showed both its effectiveness, and ease-of-use. Comparing two identical system one running the most up-to-date Microsoft Windows security patches and the other running the vSentry. The vSentry protected desktop continued to run quite normally where the standard anti-malware offering was ruthlessly compromised in moments leading to the complete loss of the machine.

Based on this track record, I do not doubt that vSentry will have a significant impact in the desktop security business, and have every expectation of seeing the technology extend into other platforms in the future. whether it will encourage the slow migration from Windows XP to Windows 7 remains to be seen, and would suggest that’s there is sufficient opportunity for Bromium to explore Windows XP as a worthwhile opportunity for growing Bromium with minimal risk