Risk

12/17/2012
01:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Bromium Secures Older PCs, Terminals Via 'Microvisor'

CTO Simon Crosby says goal is to isolate untrusted tasks on Windows XP machines, thin clients as users bring outside code and content inside the enterprise.

Bromium, the startup that isolates potentially intrusive end-user tasks in micro virtual machines, says it's extended the first version of its vSentry software to protect legacy Windows XP and terminal server desktops -- those frequently running on older versions of the Intel and AMD chip family.

VSentry was launched Sept. 19, and the 1.1 vSentry update, announced Dec. 11, begins to make it applicable to Windows XP, thin clients and terminal services devices.

The older chips are virtualization unaware, so they lack the ability to realize they're dealing with a virtual machine. They thus can't use Bromium 1.0 capabilities to assert micro-hypervisor or "microvisor" control over end-user tasks. Virtualization hooks built into modern Intel and AMD chips allow vSentry to "hardware-isolate each untrustworthy task." With the 1.1 release, vSentry has been upgraded to terminal services and Windows XP systems, even though the devices running them don't necessarily contain the most modern chips.

Sometimes these legacy desktops are under consideration for upgrade through a virtual desktop infrastructure -- being managed through central servers with only displays running locally. That move allows users to stick with a familiar system but puts it on server hardware and under more automated management.

Author and researcher Shawn Bass wrote recently on the brianmadden.com virtualization website that virtual desktops and virtual desktop infrastructure are no more secure than non-virtualized systems. There's been a presumption they were somewhat safer due to the fact they run on central servers under IT, with all data stored in the data center. But Bass says end users make use of too many public resources to avoid exposures to malware, and the virtual desktop is just as much at risk as its bare metal counterpart.

[ Want to learn more about how Bromium takes a different approach to security? See Bromium Strengthens Desktop Security Using Virtualization. ]

Bromium's CTO Simon Crosby picked up on the theme in a blog written to announce the release of vSentry 1.1 Dec. 11.

"Virtual desktops are vulnerable to exactly the same attacks as native PCs ... A compromised virtual desktop puts the attacker in an ideal location -- the data center -- from which he can further penetrate the infrastructure," said Crosby, echoing Bass' blog post.

The exposure may be greater than with standard desktops, Crosby continued, because once an intruder gains access to a virtual desktop, he's inside the data center and attached to many other networked desktops. "Since VDI desktops typically all appear on the same LAN segment (or VLAN), it is possible for attackers to spread laterally from one virtual desktop to another," he wrote.

What Bromium does about the risk is impose a new form of security, one that isolates untrusted activity in a micro virtual machine, then discards it when its stated purpose is completed. Tasks that might be isolated under a microvisor would include rendering an email attachment, or rendering a consumer website with misrepresented download invitations embedded in its presentations.

Bromium's vSentry detects the nature of the activity and spins up a micro virtual machine where the task must execute. If the task attempts to access files, network, devices or the Windows clipboard, the hardware interrupts the execution and turns the task over to the microvisor, which then enforces policies specific to the task.

If what the code is attempting to do is outside the nature of the task, the attempt is written to cache in that part of the virtual machine, making it appear to the attacker that everything is proceeding as planned. Meanwhile, the microvisor has isolated the attack and created an event log record of what was being attempted.

When the task is done, the virtual machine is flushed from the system, eliminating the malware involved, as well. The microvisor has been given enough intelligence to take action when common forms of intrusion appear -- e.g., the request for a file that is not part of the task or an attempt to gain access to a network not involved in the task. "It's a step beyond sandboxing," said Crosby in an interview.

"If the task in a micro VM does something bad, we know there's only one task inside the VM. We'll be able to look inside and see an attack as it happened, see what was the intent. We'll be able to see where the attacker is from, what registry entries were modified, what networks were activated. Every task is a honeypot" in which to catch an attacker, Crosby added.

The idea of isolating untrusted tasks in a micro VM is a different approach to end-user security than trying to keep all malware out with firewalls and intruder detection. It assumes some malware will get through and seeks to isolate it from other systems where it might inflict its damage.

Bromium is a young company with 75 people seeking to rapidly expand its capabilities beyond Windows Server, Windows 7 and 8, Windows XP and terminal services. A Macintosh version is in the works, along with vSentry versions for Android, BlackBerry and iPhone. With more computing being done on personal devices, end-user security is taking on increasing importance. Crosby said the microvisor approach puts handcuffs on an intruder and allows forensic experts to study him in a "cell" at their leisure.

But exactly how much work IT does, compared to vSentry, to invoke policies governing tasks is not yet supported by user testimony in the press or on the Bromium website. Enterprise deals are priced at $100-$150 per end user for a perpetual license, depending on volume, Crosby said.

Sentry 1.1 works with the virtual desktop infrastructure environments provided by VMware, Citrix Systems and Microsoft.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.