Bromium vSentry Defends Enterprises with Microkernel Virtualization
Microkernel-based virtualization approach hits general availability. But can it stop all malware?
For most of this year, security startup Bromium has been talking about the promise of its Byzantine Fault Tolerant IT security solution. Today, after months of testing and development, that solution is generally available under the product name vSentry.
Bromium vSentry is a microkernel virtualization-based solution that aims to provide secure systems by minimizing, and in some cases eliminating, the risk and attack surface from modern IT security threats.
"The grand problem that we think we're tackling is the trustworthiness of infrastructure," said Bromium CTO and co-founder, Simon Crosby.
Prior to Bromium, Crosby was one of the founders of virtualization vendor XenSource, which was acquired by Citrix for $500 million in 2007. Virtualization plays a strong role in the vSentry solution, leveraging a virtualization microvisor that also takes advantage of hardware-based virtualization.
How It Works
"Whenever any code starts up, it will be isolated within a micro-VM," Crosby explained.
The micro virtual machine limits the potential attack surface by presenting only the view of the system that the application code requires in order to operate. So, for example, if a user visits Facebook, the code has access only to the files it needs to execute and to no other system files or resources. This eliminates the risk that some kind of Facebook malware could infect the rest of the system. Each time a new application starts up, a new micro-VM is spun up, further reducing the risk of any cross-site scripting or cross-tab attack.
It's important to note, however, that Bromium's technology does not actually prevent malware from attacking. A problem with modern security approaches, Crosby said, is that they try to detect attacks in an effort to block them. In his view, it's not possible to keep up with the volume of attacks in the modern IT security threat landscape. With vSentry that's not a problem, as the micro-VM does not enable access to privileged networks or data.
The micro-VM uses a copy-on-write execution model. As such, any modifications are cached locally within the micro-VM and not made to the real system. Crosby stressed that the model applies to the in-memory image of Microsoft Windows that is running on a given system.
Making an analogy, Crosby said that while an attacker might think they are attacking Windows in a vSentry secured environment, in reality they are just spray painting on a sheet of glass that sits in front of Windows.
"The key property of copy on write is that the moment you close the browser tab, we discard the entire execution container and any changes made," Crosby said.
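To make the copy-on-write and least-privilege behaviour described above concrete, here is an added example that is not Bromium's code and does not reflect how vSentry is implemented. It models a micro-VM as a private overlay over a base system image: the task sees only the paths on its allowlist, every write or delete lands in the overlay, and closing the container throws the overlay away while keeping a log of what the task attempted. The file paths, their contents, the allowlist and the `untrusted_tab_session` workload are all constructed for the example; the surviving log is an assumption standing in for the idea that something useful can still be recorded about a discarded container.

```python
"""Toy copy-on-write micro-VM over an in-memory system image (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample "system image": paths and contents are made up for the example.
BASE_IMAGE = {
    "/windows/system32/hosts": b"127.0.0.1 localhost\n",
    "/users/alice/documents/payroll.xlsx": b"confidential",
    "/users/alice/appdata/browser/cache/index": b"",
}


class AccessDenied(PermissionError):
    """Raised when a task touches a path outside its micro-VM allowlist."""


@dataclass
class MicroVM:
    base: dict                      # shared read-only image (never written)
    allowed: frozenset              # the only paths this task may see
    overlay: dict = field(default_factory=dict)   # copy-on-write layer
    whiteouts: set = field(default_factory=set)   # deletions, overlay-only
    log: list = field(default_factory=list)       # (op, path, outcome) record
    closed: bool = False

    def _check(self, path: str, op: str) -> None:
        if self.closed:
            raise RuntimeError("execution container has been discarded")
        if path not in self.allowed:
            self.log.append((op, path, "denied"))
            raise AccessDenied(path)

    def read(self, path: str) -> bytes:
        self._check(path, "read")
        if path in self.whiteouts:
            raise FileNotFoundError(path)
        if path in self.overlay:            # task's own modification wins
            return self.overlay[path]
        if path in self.base:
            return self.base[path]
        raise FileNotFoundError(path)

    def write(self, path: str, data: bytes) -> None:
        self._check(path, "write")
        self.whiteouts.discard(path)
        self.overlay[path] = data           # the base image is untouched
        self.log.append(("write", path, "overlay"))

    def delete(self, path: str) -> None:
        self._check(path, "delete")
        self.overlay.pop(path, None)
        self.whiteouts.add(path)            # hides the base copy inside the VM only
        self.log.append(("delete", path, "overlay"))

    def close(self) -> list:
        """Discard the container; return the record of what the task attempted."""
        self.overlay.clear()
        self.whiteouts.clear()
        self.closed = True
        return list(self.log)


def untrusted_tab_session(base: dict) -> dict:
    """Constructed workload: a 'browser tab' tampers with a file it may see and
    probes one it may not. Returns what the task saw and what the base kept."""
    vm = MicroVM(base=base, allowed=frozenset({
        "/windows/system32/hosts",
        "/users/alice/appdata/browser/cache/index",
    }))
    hosts = "/windows/system32/hosts"
    vm.write(hosts, b"127.0.0.1 localhost\n# tampered\n")
    inside_view = vm.read(hosts)            # the task believes its change stuck
    try:
        vm.read("/users/alice/documents/payroll.xlsx")
        leaked = True
    except AccessDenied:
        leaked = False                      # outside the allowlist: never visible
    log = vm.close()                        # "close the tab": overlay is gone
    return {
        "inside_view": inside_view,
        "base_after": base[hosts],
        "leaked": leaked,
        "log": log,
    }


if __name__ == "__main__":
    result = untrusted_tab_session(dict(BASE_IMAGE))
    print(result)
```

Running the session shows the tampered hosts content only from inside the micro-VM; the base image still holds the original bytes after `close()`, the read of the payroll file is refused because it was never on the allowlist, and the log is the only thing that outlives the container.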
Going a step further, Bromium will also help enterprises identify new forms of attacks as they come in.
"What we've seen in the industry of late is a complete failure to detect attacks," Crosby said. "Why? Because Moore's law is delivering more CPU cycles to the bad guys and so attacks are highly customized."
The Bromium vSentry solution gives users systems with only the minimum amount of privilege, leaving attackers no data to steal. So even though attacks are not detected at the outset, attackers are unable to steal data. That said, vSentry can collect data on what attackers tried to do.
The data-collection component of vSentry is called Live Attack Visualization and Analysis (LAVA). With it, the company will provide organizations with a view into attacks, as well as the data required to help prevent similar attacks in the future.
"LAVA generates a complete kill chain for any malware that executes within a Micro-VM," Crosby said. "These are attacks that are undetectable using other traditional mechanisms."
The vSentry LAVA component generates the attack data information in an XML schema that can then be used by third-party security solutions to generate rules and policies to prevent similar attacks in the future.
Crosby and his team have a lot of history and experience with the open source Xen hypervisor. While vSentry does benefit from Xen, it is not entirely based on it.
"Technically this hypervisor is not mainline Xen," Crosby said. "It's composed of multiple open source code bases."
Crosby added that it's fair to say that Bromium is squarely in the camp of those who believe that security-critical software should be open source. He said the market will hear more from Bromium on that subject at some point in the future.