Is Application Sandboxing The Next Endpoint Security Must-Have?
Virtualized containers expected to catch on in the enterprise, but the technology has its weaknesses, too
With the onslaught of zero-day attacks continuing to increase the barrage of unanswered threats against endpoints, there's a growing contingent of security advocates championing the addition of a virtualized container layer in the endpoint security mix. Analyst predictions are rosy for the virtual containerization market to grow as a security niche and enterprises are certainly clamoring for a way to help them beat the signature-defense hamster wheel.
But this containerization approach, also referred to as application sandboxing, has some researchers pointing to what they call a potentially fatal flaw: kernel vulnerabilities.
More Security Insights
White PapersMore >>
- Agile Service Desk: Keeping Pace or Getting out Paced by New Technology?
- Inside Threats: Is Your Company at Risk?
"Essentially if an application can pull the kernel into stumbling on a logic bug in the kernel itself when the kernel is working for the application, you can compromise the kernel directly and thereby step over and directly bypass any form of sandbox protection," says Simon Crosby, co-founder and CTO of Bromium, which took the wraps off such a bypass earlier this spring at Black Hat Europe. Now Crosby says the firm plans to release new proofs of concept at Black Hat USA in August. "And, by the way, it's a very large and rapidly growing list of kernel vulnerabilities, a huge footprint of code."
That nevertheless may not deter the market for virtualized containers, which essentially operate under the principle of reducing the attack surface within the endpoint.
[Why does SQL injection linger? See 10 Reasons SQL Injection Still Works.]
"The whole notion is machines get infected when users interact with untrusted content and so the container essentially segregates the large attack surface that the operating system presents to untrusted code from the untrusted code," says Anup Ghosh, CEO of virtualized containerization vendor Invincea, who points to recent Gartner predictions that the virtualized container market will grow from less than one percent of the enterprise market today to 20 percent by 2016.
According to Gartner analyst Neil MacDonald, the security market is due for a renaissance in sandboxing and containerization. "The idea is compellingly simple: define a core set of OS and applications as 'trusted,'" he says. "Then, if you need to handle a piece of unknown content or application, by default treat it as untrusted and isolate its ability to damage the system, access enterprise data and launch attacks on other enterprise systems."
Interestingly, even Bromium could be lumped into this same category as Invincea, as the company segregates application processes into what it calls microvisors. According to Crosby, Bromium differentiates itself through its use of hardware isolation.
"Sandboxing just isolates the application user space code. [It] assumes that the bad stuff is executing as an application within the context of an application, when in fact, the bad stuff could be executing within the kernel anyway because the kernel was doing some work for the application," he says. "Fundamentally, we have a completely new approach which isolates all kernel activity on behalf of the tasks [using] hardware to isolate instead of software."
But Ghosh contends that Bromium uses a virtualized containerized approach as well, and that for all of its hardware claims it is still a software company.
"They don't like to talk about it, but they ship as software. They do use the what are called the VT extensions in to the Intel chip set," he says. "People who work in virtualization understand that the VT extensions are a hardware performance upgrade; it's an extension of the chipset language to optimize performance for virtualization. But they're using that to try to convince the market that they have hardware-based security."
As for the vulnerabilities discovered by Bromium, Ghosh doesn't deny the imperfection of the sandboxing approach. Vulnerabilities are part of any security architecture, he says.
"Architecturally, it's a sound approach. Is it infallible? No. Will there be vulnerabilities that get through our approach? Probably," he says. "And that's OK, because the customers sort of expect that you'll have breaches of different layers of security and that's why you have multiple layers."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.