Bromium is a security start-up hoping to permanently eradicate entire classes of malware. CTO Simon Crosby gave ITWeb an exclusive demonstration of the company's first product, vSentry, in action.
Using virtualisation technology, Bromium's security model does not prevent malware from landing on a machine, but prevents it from accessing data or spreading, mitigating the risk of unknown malware and zero-day attacks.
Bromium broke cover last June, founded by senior figures in the virtualisation world, and has just released its first product, vSentry. vSentry sandboxes specific applications from the operating system, ensuring that malicious code cannot access the host system and is eradicated when the application terminates.
The company's credentials are impressive. Its founders include Simon Crosby and Ian Pratt, who were co-founders of the open source Xen hypervisor (and the XenSource company). XenSource was acquired by Citrix in 2007, and Pratt and Crosby both continued to work in senior roles at Citrix - Crosby was CTO of the virtualisation team - until founding Bromium with Gaurav Banga, who led file system virtualisation at NetApp.
vSentry uses what Crosby dubs a "microvisor" - a very thin virtualisation layer - to isolate each process within a "micro-VM". vSentry uses Intel's VT-x hardware virtualisation technology, and requires very little code of its own, ensuring the performance hit is minimal. With new micro-VMs spawned for every process, the system could create and remove wrappers by the hundred, without the user noticing any performance degradation, Crosby says.
vSentry maintains a known good-state of the operating system, as defined by the IT manager, and ensures that any changes made by a protected application are reverted in a "copy on write" method when the process terminates. Untrusted data is maintained between sessions, but isolated from other apps. A Web browser visiting a Web site, for example, exposes only the data required for that specific site, such as its browser cookies, which are walled off from other sites (running in their own micro-VMs). Admins can create zones of trust to provide specific sites with deeper access, but by default, everything is untrusted.
At present, specific application classes are protected by vSentry, including Internet Explorer and document software like Microsoft Office and Adobe Acrobat Reader, as well as I/O - any files arriving from the outside (such as USB or network shares) are automatically untrusted and segregated. Bromium's long-term goal is to provide microvisor protection for any application, Crosby says.
"Supporting new apps isn't difficult," adds Tal Klein, senior director at Bromium. "It's just a matter of QA time. As our customers and prospects inform us of apps that need to be supported, we add them to the list. Remember that the majority of attacks come from e-mail, documents and Web pages - we have those covered on day one; everything else is incremental."
Virtually sandboxing applications is not a new idea. Projects like Sandboxie have tried (with mixed results), and complete operating system rewrites like Qubes OS use ubiquitous virtualisation to separate zones of trust. But Bromium claims to be the first to use Intel's own virtualisation technology to achieve a thin, fast virtualisation layer, native to Windows, which does not degrade the user experience. "Our goal is not to screw with the user experience in any way," Crosby stresses. For IT management, virtualisation for security has historic flaws, too, Crosby notes. "A virtual desktop is not more secure, it's just in a different place."
vSentry also provides detailed analyses of process behaviour for every VM it creates, helping IT managers identify and investigate misbehaving processes, including recreating and replaying malware attacks with its Lava (Live Attack Visualisation and Analysis) engine.
Still in early stages, vSentry does have its limitations. At launch, it only protects a small number of applications, with browser support limited to Internet Explorer. It currently runs only on Windows, and supports only specific Intel architectures - no mobile support yet. (See "Platform roadmap" sidebar for more details.) And there is, at the outset, no central management tool. Policies are created and deployed as Active Directory group policy objects, and event data can be exported into a third-party event monitor.
vSentry's protection is, for the time being, limited to enterprise customers: the company has no immediate plans to release a consumer version. Crosby says the target market is strictly defined: Bromium is working with large enterprises that are particularly concerned with protecting critical information. "People whose business will fail if their IP is exposed," Crosby says. High-value intellectual property is a popular target for custom malware, which easily defeats signature-based anti-malware tools. Last year's high-profile attack against security firm RSA, for example, included custom malware targeting a zero-day vulnerability within Windows. Isolating such malware from the OS could help prevent such an attack.
No specific pricing information is available, and Crosby says the process of appointing partners around the world is still in the very early stages. Although Bromium's founders own patents on their technology, the company hopes to embrace the open source community, similar to the way Citrix maintained Xen as an open source project after acquisition. "Open source is critical," Crosby says. "It simply leads to a better code base."
More information on vSentry is available here.
Share