Risk
12/17/2012
01:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Bromium Secures Older PCs, Terminals Via 'Microvisor'

CTO Simon Crosby says goal is to isolate untrusted tasks on Windows XP machines, thin clients as users bring outside code and content inside the enterprise.

Bromium, the startup that isolates potentially intrusive end-user tasks in micro virtual machines, says it's extended the first version of its vSentry software to protect legacy Windows XP and terminal server desktops -- those frequently running on older versions of the Intel and AMD chip family.

VSentry was launched Sept. 19, and the 1.1 vSentry update, announced Dec. 11, begins to make it applicable to Windows XP, thin clients and terminal services devices.

The older chips are virtualization unaware, so they lack the ability to realize they're dealing with a virtual machine. They thus can't use Bromium 1.0 capabilities to assert micro-hypervisor or "microvisor" control over end-user tasks. Virtualization hooks built into modern Intel and AMD chips allow vSentry to "hardware-isolate each untrustworthy task." With the 1.1 release, vSentry has been upgraded to terminal services and Windows XP systems, even though the devices running them don't necessarily contain the most modern chips.

Sometimes these legacy desktops are under consideration for upgrade through a virtual desktop infrastructure -- being managed through central servers with only displays running locally. That move allows users to stick with a familiar system but puts it on server hardware and under more automated management.

Author and researcher Shawn Bass wrote recently on the brianmadden.com virtualization website that virtual desktops and virtual desktop infrastructure are no more secure than non-virtualized systems. There's been a presumption they were somewhat safer due to the fact they run on central servers under IT, with all data stored in the data center. But Bass says end users make use of too many public resources to avoid exposures to malware, and the virtual desktop is just as much at risk as its bare metal counterpart.

[ Want to learn more about how Bromium takes a different approach to security? See Bromium Strengthens Desktop Security Using Virtualization. ]

Bromium's CTO Simon Crosby picked up on the theme in a blog written to announce the release of vSentry 1.1 Dec. 11.

"Virtual desktops are vulnerable to exactly the same attacks as native PCs ... A compromised virtual desktop puts the attacker in an ideal location -- the data center -- from which he can further penetrate the infrastructure," said Crosby, echoing Bass' blog post.

The exposure may be greater than with standard desktops, Crosby continued, because once an intruder gains access to a virtual desktop, he's inside the data center and attached to many other networked desktops. "Since VDI desktops typically all appear on the same LAN segment (or VLAN), it is possible for attackers to spread laterally from one virtual desktop to another," he wrote.

What Bromium does about the risk is impose a new form of security, one that isolates untrusted activity in a micro virtual machine, then discards it when its stated purpose is completed. Tasks that might be isolated under a microvisor would include rendering an email attachment, or rendering a consumer website with misrepresented download invitations embedded in its presentations.

Bromium's vSentry detects the nature of the activity and spins up a micro virtual machine where the task must execute. If the task attempts to access files, network, devices or the Windows clipboard, the hardware interrupts the execution and turns the task over to the microvisor, which then enforces policies specific to the task.

If what the code is attempting to do is outside the nature of the task, the attempt is written to cache in that part of the virtual machine, making it appear to the attacker that everything is proceeding as planned. Meanwhile, the microvisor has isolated the attack and created an event log record of what was being attempted.

When the task is done, the virtual machine is flushed from the system, eliminating the malware involved, as well. The microvisor has been given enough intelligence to take action when common forms of intrusion appear -- e.g., the request for a file that is not part of the task or an attempt to gain access to a network not involved in the task. "It's a step beyond sandboxing," said Crosby in an interview.

"If the task in a micro VM does something bad, we know there's only one task inside the VM. We'll be able to look inside and see an attack as it happened, see what was the intent. We'll be able to see where the attacker is from, what registry entries were modified, what networks were activated. Every task is a honeypot" in which to catch an attacker, Crosby added.

The idea of isolating untrusted tasks in a micro VM is a different approach to end-user security than trying to keep all malware out with firewalls and intruder detection. It assumes some malware will get through and seeks to isolate it from other systems where it might inflict its damage.

Bromium is a young company with 75 people seeking to rapidly expand its capabilities beyond Windows Server, Windows 7 and 8, Windows XP and terminal services. A Macintosh version is in the works, along with vSentry versions for Android, BlackBerry and iPhone. With more computing being done on personal devices, end-user security is taking on increasing importance. Crosby said the microvisor approach puts handcuffs on an intruder and allows forensic experts to study him in a "cell" at their leisure.

But exactly how much work IT does, compared to vSentry, to invoke policies governing tasks is not yet supported by user testimony in the press or on the Bromium website. Enterprise deals are priced at $100-$150 per end user for a perpetual license, depending on volume, Crosby said.

Sentry 1.1 works with the virtual desktop infrastructure environments provided by VMware, Citrix Systems and Microsoft.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.