Bromium Unveils MicroVMs for Endpoint Security

After a year of teasing, start-up Bromium is going public with its technology. Actual product announcements will come later in the year. Bromium's technology focuses on separating tasks on workstations into privilege levels and isolating them from each other and the underlying operating system.

Bromium's technology relies on Intel's hardware-assisted virtualization technology (VT) to isolate tasks such as processes or browser tabs into what it calls a microVM. A microVM does not create a new guest OS running a task or application--that would take too long to launch and would disrupt the user experience, which Bromium is trying very hard to avoid. Rather, a microVM is an isolated process that can access only a minimal set of OS resources and can't interact with other processes.

Bromium's approach differs from host-based sandboxing products such as Okena StormWatch, which Cisco acquired in 2003 and rebranded as Cisco Security Agent. That kind of sandboxing typically requires IT to define application profiles and distribute them to endpoints; if a profile is incorrect or incomplete, the application fails and the user's work is disrupted. A key requirement, according to Simon Crosby, CTO and co-founder of Bromium, is to not disrupt the user experience in any way. Otherwise, users will look for ways around the protections in place--disallow access to Facebook, and users will bring in a Wi-Fi hotspot and access it anyway.

According to Crosby, IT will be able to define relatively simple policies that determine which applications are trusted; anything that is not explicitly trusted runs in a microVM. A trusted item (which could be an application, a file, a software-as-a-service offering, or a cloud or Internet service) runs natively in the OS without a microVM; everything else gets one. For example, within the same browser, a tab connected to a malware-infested site is isolated in its own microVM, separate from a tab on Salesforce.com, because the infected site is not trusted.

Applications that open further links are protected the same way, because each untrusted link opens in its own microVM. If you connect to a site that redirects elsewhere, each redirect creates a new microVM and follows the link until a webpage is finally rendered. Tal Klein, a senior director of products at Bromium, demonstrated this by visiting a Twitter image page that redirected eight times before the page rendered. Each redirect created a new microVM, followed the link and destroyed the microVM in real time, with no discernible delay.

In addition to isolating tasks with Intel VT, Bromium relies on copy on write: multiple tasks share the same set of resources, such as the OS itself, and those resources are marked read-only. When a task in a microVM wants to modify an OS resource, it gets a private copy of that resource and modifies the copy; the change is visible only to that task, and other tasks never see it. For example, a piece of malware might try to overwrite a critical file. When the malware attempts the write, the microVM performs a copy on write and applies the modification to the private copy. If the malware then launches a new task, the second task sees only the unmodified original, can't use the modified file and fails.
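The trust policy, the per-redirect microVM creation and the copy-on-write visibility rules described in the last three paragraphs, as an added toy model that is not Bromium's code: the "OS" is a dict of files, the trust policy is a hypothetical domain allowlist, the redirect chain is constructed, and isolation is modeled as a private overlay over a shared base rather than with Intel VT. The point it demonstrates is the visibility contract, not the hardware mechanism.

```python
from urllib.parse import urlparse

# Constructed sample "OS image": the shared, read-only base every task sees.
BASE_OS = {
    "/etc/hosts": "127.0.0.1 localhost\n",
    "/bin/sh": "#!shell",
}

# Hypothetical trust policy: hosts that may run natively outside a microVM.
TRUSTED_DOMAINS = {"salesforce.com", "intranet.example"}


def is_trusted(url: str) -> bool:
    """Policy decision: only exact or sub-domain matches of the allowlist are trusted."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class MicroVM:
    """One isolated task with a private copy-on-write overlay over the shared base."""

    _counter = 0

    def __init__(self, base: dict):
        self.base = base          # shared, never written
        self.overlay: dict = {}   # private copies of anything this task modified
        MicroVM._counter += 1
        self.id = MicroVM._counter

    def read(self, path: str) -> str:
        # The task sees its own modified copy if it made one, otherwise the base.
        if path in self.overlay:
            return self.overlay[path]
        return self.base[path]     # KeyError: the file does not exist for this task

    def write(self, path: str, data: str) -> None:
        # Copy-on-write: the write lands in the overlay; the base stays intact.
        self.overlay[path] = data

    def spawn(self) -> "MicroVM":
        # A task launched from here gets a fresh overlay over the pristine base,
        # so it inherits none of this task's modifications.
        return MicroVM(self.base)


def open_url(url: str, redirects: dict, max_hops: int = 20) -> list:
    """Follow a constructed redirect chain. Each untrusted hop runs in its own
    fresh microVM, torn down before the next hop; trusted hops run natively."""
    hops = []
    for _ in range(max_hops):
        if is_trusted(url):
            hops.append((url, "native"))
        else:
            vm = MicroVM(BASE_OS)
            hops.append((url, f"microvm-{vm.id}"))
            del vm                 # destroyed together with anything it wrote
        if url not in redirects:
            return hops
        url = redirects[url]
    raise RuntimeError("redirect chain too long")


def attack_simulation() -> dict:
    """Malware in one microVM tampers with a system file, drops a payload, then
    launches a second task. Returns what each party can observe."""
    mal = MicroVM(BASE_OS)
    mal.write("/etc/hosts", "0.0.0.0 update.example\n")   # tamper with a critical file
    mal.write("/tmp/payload", "dropper")                   # drop a second stage
    child = mal.spawn()
    try:
        child_sees_payload = child.read("/tmp/payload") is not None
    except KeyError:
        child_sees_payload = False
    return {
        "malware_sees_tampered_hosts": mal.read("/etc/hosts") != BASE_OS["/etc/hosts"],
        "base_hosts_unchanged": BASE_OS["/etc/hosts"] == "127.0.0.1 localhost\n",
        "child_sees_payload": child_sees_payload,
        "child_hosts_is_base": child.read("/etc/hosts") == BASE_OS["/etc/hosts"],
    }


if __name__ == "__main__":
    print(attack_simulation())
    chain = {  # constructed: a short link that bounces through two hosts
        "http://t.example/abc": "http://pic.example/abc",
        "http://pic.example/abc": "https://cdn.example/img/abc.jpg",
    }
    for hop in open_url("http://t.example/abc", chain):
        print(*hop)
```

The allowlist match is deliberately suffix-anchored on a dot, so `salesforce.com.evil.example` is not trusted; a policy that matched on substrings would hand the attacker native execution. The real product enforces the same contract with hardware page tables, which a dict overlay obviously cannot, so treat this only as a model of what a task can and cannot see.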

Bromium still has a number of things to work out, which is why it isn't announcing products yet. For example, Bromium detects secure websites and runs them in a protected mode that ensures all traffic passes over SSL and refuses plain HTTP. Yet many SSL-protected webpages include plain HTTP elements such as images and scripts. The challenge, which Crosby acknowledges, is what to do in that case: if Bromium simply denies the HTTP elements, the pages won't render properly; if it allows the HTTP connections, it reopens the possibility of executing malware. The company is also working on ways to generalize the isolation features to complex Web applications, since creating application-specific profiles is neither scalable nor sustainable.
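The mixed-content problem in the preceding paragraph, as an added example that is not Bromium's code: a scanner over a constructed HTML page served over HTTPS that separates plain-HTTP elements into active content (scripts, stylesheets, frames, plugins), which can execute code and is what browsers block outright, and passive content (images, media), which browsers have historically loaded with a warning. Drawing that line is one way to refuse HTTP where it matters without breaking a page over an image. Tag names, sample markup and the page URL are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose fetched resource can run code or rewrite the page (active mixed content).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href"}
# Tags whose resource is only displayed (passive mixed content).
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

# Constructed sample page, assumed to be served from https://shop.example/cart
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<script src="http://ads.example/track.js"></script>
<img src="/local/pic.png">
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collect sub-resources that would be fetched over plain HTTP."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.active: list = []
        self.passive: list = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None or attr not in a or a[attr] is None:
            return
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return  # only stylesheets count; icons, preloads etc. are ignored here
        # Resolve relative and protocol-relative URLs against the page: "//cdn..."
        # and "/local/..." inherit https from the page and are therefore fine.
        url = urljoin(self.page_url, a[attr])
        if urlparse(url).scheme == "http":
            (self.active if tag in ACTIVE else self.passive).append(url)


def scan(page_url: str, html: str) -> dict:
    """Return plain-HTTP sub-resources of an HTTPS page, split by risk class.
    A page that is itself plain HTTP has no mixed content by definition."""
    if urlparse(page_url).scheme != "https":
        return {"active": [], "passive": []}
    s = MixedContentScanner(page_url)
    s.feed(html)
    return {"active": s.active, "passive": s.passive}


if __name__ == "__main__":
    report = scan("https://shop.example/cart", SAMPLE_PAGE)
    print("block:", report["active"])
    print("load with warning:", report["passive"])
```

Note that only the stylesheet and the ad script are flagged as active: the protocol-relative `//cdn.example/app.js` resolves to HTTPS on an HTTPS page, which is the standard fix for page authors. A scanner like this only sees static markup; resources injected by scripts at runtime need the same decision made at fetch time.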

Mike Fratto is editor of Network Computing. You can email him, follow him on Twitter, or join the Network Computing group on LinkedIn. He's not as grumpy as he seems.
