Size matters: Bromium 'microvisor' to guard PCs for big biz

Clap these mutinous dogs in th' app brig, mister mate

Bromium, the security software company that was started by the techies who brought us the Xen open-source hypervisor out of Cambridge University, has brought vSentry, its first product, to market. But unless you are buying a new PC from a partner who is bundling the vSentry tool on a new machine, you probably won't be able to get your hands on it anytime soon.

That's because the nature of building a hierarchy of trust on a PC or server means starting with a machine that you know is absolutely clean – at least until Bromium gets a little more experience in the market and extends vSentry so it can figure out how to trust machines in the field.

Right now, that is a slightly bigger task than Bromium is ready to tackle. Simon Crosby, co-founder of Bromium, told El Reg there is an immediate and large demand for vSentry security for Windows-based PCs running on Intel vPro hardware among government agencies and companies in the financial services, pharmaceuticals, healthcare, and energy sectors. The company therefore does not have to figure out how to support individual punters using existing – and possibly compromised – small iron.

Perhaps by this time next year Bromium will offer vSentry on installed PCs, but right now it is only going to be made available on specific PCs that are certified as clean by vendors and the IT department. Crosby gave El Reg a demo, and it looks like the kind of thing a lot of us might want, particularly because of the way it makes use of the virtualization electronics in Intel Core chips to run many instances of what the company calls a microvisor to isolate processes and secure them individually.

This is in contrast to using the same VT-x and VT-d virtualization features to run hypervisors that in turn host whole operating systems inside of virtual machines. (With VT-d, you get better security because the virtualization assistance is zippier.)

The microvisor isolates tasks from protected OS and apps on a PC
Bromium came out of stealth mode in June 2011 just after securing $9.2m in Series A funding from Andreessen Horowitz, Ignition Partners, and Lightspeed Venture Partners. Crosby and Ian Pratt, co-founder of the Xen project and the XenSource company that commercialized that hypervisor (and bought by Citrix Systems in 2007 for $500m), tapped Gaurav Banga, previously CTO and senior vice president of engineering at computer BIOS maker Phoenix Technologies, to be CEO of the new firm.

Bromium didn't say much about what it was up to last summer when it uncloaked, but this summer the company lifted the veil a bit about the microvisor technology at the heart of its security model. The basic idea is that there are 100 million lines of code in a typical Windows PC stack of software, and that trying to detect and defend against malware that comes into the machine and changes that code, or your own application and data, is a losing battle.

Instead, what Bromium's techies have done is create a baby hypervisor that isolates individual processes within applications, each inside its own microVM. This microvisor has only 10,000 lines of code and trusts only itself, the VT-x and VT-d hardware, and a shiny new copy of Windows and its PC app stack. The microvisor has its own hypercall API, and Bromium would be the first one to tell you that it is not absolutely impenetrable.

Rather than trying to detect malware by scanning bits, the microvisor and its microVMs know what different programs are supposed to do and what they are not supposed to do. For instance, a PDF viewer is not supposed to overwrite Windows DLLs, and if it tries to because a PDF contains malicious code, the microvisor will give it fake copies of the DLLs, let it do its mischief, and then delete everything it did inside the microVM in which it was quarantined – so the attack code never goes near the real Windows software.

Moreover, vSentry includes something called Live Attack Visualization and Analysis, or LAVA for short, which is a feature that Bromium had not talked about in June but which is a key part of the tool. LAVA watches malware as it attacks and actually lets the malware tasks run to completion so they can be fully analysed. vSentry then uploads this data to security software such as antivirus packages from Symantec, Intel, or Trend Micro so they can identify these exploits at once as they are coming live into the field for the first time.
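To make the two ideas above concrete – copy-on-write isolation of a task's view of protected files (the "fake copies of the DLLs" that are thrown away afterwards) and LAVA-style recording of what the task tried to do – here is a small simulation. It is an added illustration written for this page, not Bromium code; the class and function names, the policy, and the sample "disk" contents are all invented, and the real product works on hardware virtualization rather than on a Python dictionary.

```python
"""Simulated microVM: copy-on-write isolation plus attack recording.

Added example, not Bromium's code. All names, paths and file contents
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Hypothetical protected OS area that an untrusted task must never change.
PROTECTED_PREFIX = "C:/Windows/System32/"

# Constructed "real" disk contents (sample data, not a real system).
REAL_FS: Dict[str, bytes] = {
    "C:/Windows/System32/kernel32.dll": b"GENUINE-DLL",
    "C:/Users/alice/report.pdf": b"%PDF-1.7 (constructed sample)",
}


@dataclass(frozen=True)
class AttackRecord:
    """One policy violation observed while the task was allowed to run on."""
    task: str
    action: str
    path: str


# A policy answers: may this task perform `action` on `path`?
Policy = Callable[[str, str], bool]


class MicroVM:
    """Isolated view of the system for one task.

    Reads fall through to the real files; every write or delete lands in a
    private overlay (copy-on-write), so the real system is never modified.
    Violations of the task's policy are recorded rather than blocked, so the
    malicious code runs to completion and can be analysed (the LAVA idea).
    """

    def __init__(self, task: str, real_fs: Dict[str, bytes], policy: Policy):
        self.task = task
        self._real = real_fs
        self._policy = policy
        self._overlay: Dict[str, bytes] = {}
        self._removed: Set[str] = set()
        self.records: List[AttackRecord] = []

    def _check(self, action: str, path: str) -> None:
        if not self._policy(action, path):
            self.records.append(AttackRecord(self.task, action, path))

    def read(self, path: str) -> bytes:
        self._check("read", path)
        if path in self._removed:
            raise FileNotFoundError(path)
        if path in self._overlay:          # task sees its own fake copy
            return self._overlay[path]
        return self._real[path]            # otherwise the genuine file

    def write(self, path: str, data: bytes) -> None:
        self._check("write", path)
        self._overlay[path] = data         # never touches self._real
        self._removed.discard(path)

    def delete(self, path: str) -> None:
        self._check("delete", path)
        self._overlay.pop(path, None)
        self._removed.add(path)


def pdf_viewer_policy(action: str, path: str) -> bool:
    """A PDF viewer may read anything but must not modify the OS area."""
    return action == "read" or not path.startswith(PROTECTED_PREFIX)


def run_isolated(task: str, real_fs: Dict[str, bytes], policy: Policy,
                 workload: Callable[[MicroVM], None]) -> List[AttackRecord]:
    """Run `workload` inside a fresh microVM; the overlay is discarded on return."""
    vm = MicroVM(task, real_fs, policy)
    workload(vm)
    return vm.records


def booby_trapped_pdf(vm: MicroVM) -> None:
    """Constructed workload: the viewer opens a document, then the embedded
    attack code tries to replace a system DLL and add a new one."""
    vm.read("C:/Users/alice/report.pdf")
    vm.write("C:/Windows/System32/kernel32.dll", b"TAMPERED")
    # The attacker is fooled: its own fake copy reads back as modified.
    assert vm.read("C:/Windows/System32/kernel32.dll") == b"TAMPERED"
    vm.write("C:/Windows/System32/extra.dll", b"DROPPED")
    vm.delete("C:/Users/alice/report.pdf")


def demo():
    """Return the recorded violations and whether the real disk survived intact."""
    before = dict(REAL_FS)
    records = run_isolated("pdf-viewer", REAL_FS, pdf_viewer_policy, booby_trapped_pdf)
    return records, REAL_FS == before


if __name__ == "__main__":
    for rec in demo()[0]:
        print(f"{rec.task}: attempted {rec.action} on {rec.path}")
```

The recorded violations are the raw material that a LAVA-like feature would forward to antivirus vendors; note that the deletion of the user's own document is permitted by the policy yet still does not reach the real disk, because in this simulation everything the task does is discarded. A real product needs a controlled channel for legitimate results (a saved document, for instance), which this toy deliberately leaves out.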

"We see malware at the points it really attacks, and this gives us a powerful platform from which to drive intelligence into security tools," says Crosby.

You need to have a vPro system with a Core i3, i5, or i7 processor with VT-x or VT-d support as well as nested page tables support to run vSentry. That nested page tables feature, sometimes called rapid virtualization indexing or extended page tables, is what allows microVMs to be spawned quickly as processes launch inside the PC. These microVMs are spawned in about 20 milliseconds, and Crosby says this is fast enough that users do not notice them at all. Right now, vSentry is limited to Windows 7-based PCs. Bromium is working on a version that works on Mac OS X systems based on Intel Core machines. Bromium is not making any promises about when it will support Windows 8, due on 25 October, but Crosby says vSentry will support Windows 8 in a timeframe matched to when large enterprise and government customers in the industries it has targeted are ready to put Windows 8 on their machines.

Bromium is early enough in its product cycle that it does not want to give out precise pricing for vSentry, but it is on the order of hundreds of dollars per client, which is a bit too rich for a lot of PC users right now. But those desperate for better security will be willing to pay more, and Bromium can count on that for a start.

As for servers, there is an interesting little problem that Bromium needs to solve. Getting vSentry to work on a physical server would not be such a big problem, provided the Xeon processor has the VT-x or VT-d features and EPT support for virtual memory. The problem is that server virtualization has been a bit too successful, and hypervisors and microvisors cannot share VT-x and VT-d.

The obvious answer, of course, is to embed vSentry inside the hypervisor, but that is going to take working with Microsoft, VMware, Red Hat, and Citrix Systems and their respective development teams or communities to get it done. The open-source hypervisors would have the easiest time absorbing the vSentry technology – if vSentry itself were open source – but it seems very unlikely vSentry will be open sourced, no matter how much Pratt and Crosby love open development and the community. Bromium doesn't need a development community. It needs good lawyers and willing partners in the server virtualization, antivirus, and firewall spaces. ®