Size matters: Bromium 'microvisor' to guard PCs for big biz
Clap these mutinous dogs in th' app brig, mister mate
Bromium, the security software company that was started by the techies who brought us the Xen open-source hypervisor out of Cambridge University, has brought vSentry, its first product, to market. But unless you are buying a new PC from a partner who is bundling the vSentry tool on a new machine, you probably won't be able to get your hands on it anytime soon.
That's because the nature of building a hierarchy of trust on a PC or server means starting with a machine that you know is absolutely clean – at least until Bromium gets a little more experience in the market and extends vSentry so it can figure out how to trust machines in the field.
Right now, that is a slightly bigger job task than Bromium is ready to tackle. Simon Crosby, co-founder of Bromium, told El Reg there is an immediate and large demand for vSentry security for Windows-based PCs running on Intel vPro hardware among government agencies and companies in the financial services, pharmaceuticals, healthcare, and energy sectors. The company therefore does not have to figure out how to support individual punters using existing – and possibly compromised – small iron.
Perhaps by this time next year Bromium will offer vSentry on installed PCs, but right now it is only going to be made available on specific PCs that are certified as clean by vendors and the IT department. Crosby gave El Reg a demo, and it looks like the kind of thing a lot of us might want, particularly because of the way it makes use of virtualization electronics in Intel Core chips to run many instances of what the company calls a microvisor to isolate processes and secure then individually.
This is in contrast to using the same VT-x and VT-d virtualization features to run hypervisors that in turn host whole operating systems inside of virtual machines. (With VT-d, you get better security because the virtualization assistance is zippier.)
The microvisor isolates tasks from protected OS and apps on a PC
Bromium came out of stealth mode in June 2011 just after securing $9.2m in Series A funding from Andreessen Horowitz, Ignition Partners, and Lightspeed Venture Partners. Crosby and Ian Pratt, co-founder of the Xen project and the XenSource company that commercialized that hypervisor (and bought by Citrix Systems in 2007 for $500m), tapped Gaurav Banga, previously CTO and senior vice president of engineering at computer BIOS maker Phoenix Technologies, to be CEO of the new firm.
Bromium didn't say much about what it was up to last summer when it uncloaked, but this summer the company lifted the veil a bit about the microvisor technology at the heart of its security model. The basic idea is that there are 100 million lines of code in a typical Windows PC stack of software, and that trying to detect and defend against malware that comes into the machine and changes that code, or your own application and data, is a losing battle.
Instead, what Bromium's techies have done is create a baby hypervisor that isolates individual processes in applications inside of applications inside of a microVM. This microvisor has only 10,000 lines of code and only trusts itself and the VT-x and VT-d and a shiny new copy of Windows and its PC app stack. The microvisor has its own hypercall API, and Bromium would be the first one to tell you that it is not absolutely impenetrable.
Rather than trying to detect malware by scanning bits, the microvisor and its microVMs know what different programs are supposed to do and what they are not supposed to do. For instance, a PDF viewer is not supposed to overwrite Windows DLLs, and if it tries to because a PDF contains malicious code, the microvisor will give it fake copies of the DLLs and let it do its mischief and then delete everything it does inside of the machine, which has been quarantined inside microVMs - and the attack code never goes near the real Windows software.
Moreover, vSentry includes something called Libe Attack Visualization and Analysis, or LAVA for short, which is a feature that Bromium had not talked about in June but which is a key part of the tool. LAVA watches malware as it attacks and actually lets the malware tasks run to completion so they can be fully analysed. vSentry then uploads this data to security software such as antivirus packages from Symantec, Intel, or Trend Micro so they can identify these exploits at once as they are coming live into the field for the first time.
"We see malware at the points it really attacks, and this gives us a powerful platform from which to drive intelligence into security tools," says Crosby.
You need to have a vPro system with a Core i3, i5, or i7 processor with VT-x or VT-d support as well as nested page tables support to run vSentry. That nested page tables feature, sometimes called rapid virtualization indexing or extended page tables, is what allows for microVMs to be spawned quickly as processes launch inside the PC. These microVMs are spawned in about 20 milliseconds, and Crosby says this is fast enough that users do not notice them at all. Right now, vSentry is limited to Windows 7-based PCs. Bromium is working on a version that works on Mac OS X systems based on Intel Core machines. Bromium is not making any promises when it will support Windows 8, due on 25 October, but Crosby says vSentry will support Windows 8 in a timeframe that is matched when large enterprise and government customers in the industries it has targeted are ready to put Windows 8 on their machines.
Bromium is early enough in its product cycle that it does not want to give out precise pricing for vSentry, but it is on the order of hundreds of dollars per client, which is a bit too rich for a lot of PC users right now. But those desperate for better security will be willing to pay more, and Bromium can count on that for a start.
As for servers, there is an interesting little problem that Bromium needs to solve. Getting vSentry to work on a physical server would not be such a big problem, provided the Xeon processor has the VT-x or VT-d features and EPT support for virtual memory. The problem is that server virtualization has been a bit too successful, and hypervisors and microvisors cannot share VT-x and VT-d.
The obvious answer, of course, is to embed vSentry inside the hypervisor, but that is going to take working with Microsoft, VMware, Red Hat, and Citrix Systems and their respective development teams or communities to get it done. The open-source hypervisors would have the easiest time absorbing the vSentry technology - if VSentry itself was open source - but it seems very unlikely vSentry will be open sourced, no matter how much Pratt and Crosby love open development and the community. Bromium doesn't need a development community. It needs good lawyers and willing partners in the server virtualization, antivirus, and firewall spaces. ®
Sponsored: Global DDoS threat landscape report