Risk
12/17/2012
01:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Bromium Secures Older PCs, Terminals Via 'Microvisor'

CTO Simon Crosby says goal is to isolate untrusted tasks on Windows XP machines, thin clients as users bring outside code and content inside the enterprise.

Bromium, the startup that isolates potentially intrusive end-user tasks in micro virtual machines, says it's extended the first version of its vSentry software to protect legacy Windows XP and terminal server desktops -- those frequently running on older versions of the Intel and AMD chip family.

VSentry was launched Sept. 19, and the 1.1 vSentry update, announced Dec. 11, begins to make it applicable to Windows XP, thin clients and terminal services devices.

The older chips are virtualization unaware, so they lack the ability to realize they're dealing with a virtual machine. They thus can't use Bromium 1.0 capabilities to assert micro-hypervisor or "microvisor" control over end-user tasks. Virtualization hooks built into modern Intel and AMD chips allow vSentry to "hardware-isolate each untrustworthy task." With the 1.1 release, vSentry has been upgraded to terminal services and Windows XP systems, even though the devices running them don't necessarily contain the most modern chips.

Sometimes these legacy desktops are under consideration for upgrade through a virtual desktop infrastructure -- being managed through central servers with only displays running locally. That move allows users to stick with a familiar system but puts it on server hardware and under more automated management.

Author and researcher Shawn Bass wrote recently on the brianmadden.com virtualization website that virtual desktops and virtual desktop infrastructure are no more secure than non-virtualized systems. There's been a presumption they were somewhat safer due to the fact they run on central servers under IT, with all data stored in the data center. But Bass says end users make use of too many public resources to avoid exposures to malware, and the virtual desktop is just as much at risk as its bare metal counterpart.

[ Want to learn more about how Bromium takes a different approach to security? See Bromium Strengthens Desktop Security Using Virtualization. ]

Bromium's CTO Simon Crosby picked up on the theme in a blog written to announce the release of vSentry 1.1 Dec. 11.

"Virtual desktops are vulnerable to exactly the same attacks as native PCs ... A compromised virtual desktop puts the attacker in an ideal location -- the data center -- from which he can further penetrate the infrastructure," said Crosby, echoing Bass' blog post.

The exposure may be greater than with standard desktops, Crosby continued, because once an intruder gains access to a virtual desktop, he's inside the data center and attached to many other networked desktops. "Since VDI desktops typically all appear on the same LAN segment (or VLAN), it is possible for attackers to spread laterally from one virtual desktop to another," he wrote.

What Bromium does about the risk is impose a new form of security, one that isolates untrusted activity in a micro virtual machine, then discards it when its stated purpose is completed. Tasks that might be isolated under a microvisor would include rendering an email attachment, or rendering a consumer website with misrepresented download invitations embedded in its presentations.

Bromium's vSentry detects the nature of the activity and spins up a micro virtual machine where the task must execute. If the task attempts to access files, network, devices or the Windows clipboard, the hardware interrupts the execution and turns the task over to the microvisor, which then enforces policies specific to the task.

If what the code is attempting to do is outside the nature of the task, the attempt is written to cache in that part of the virtual machine, making it appear to the attacker that everything is proceeding as planned. Meanwhile, the microvisor has isolated the attack and created an event log record of what was being attempted.

When the task is done, the virtual machine is flushed from the system, eliminating the malware involved, as well. The microvisor has been given enough intelligence to take action when common forms of intrusion appear -- e.g., the request for a file that is not part of the task or an attempt to gain access to a network not involved in the task. "It's a step beyond sandboxing," said Crosby in an interview.

"If the task in a micro VM does something bad, we know there's only one task inside the VM. We'll be able to look inside and see an attack as it happened, see what was the intent. We'll be able to see where the attacker is from, what registry entries were modified, what networks were activated. Every task is a honeypot" in which to catch an attacker, Crosby added.

The idea of isolating untrusted tasks in a micro VM is a different approach to end-user security than trying to keep all malware out with firewalls and intruder detection. It assumes some malware will get through and seeks to isolate it from other systems where it might inflict its damage.

Bromium is a young company with 75 people seeking to rapidly expand its capabilities beyond Windows Server, Windows 7 and 8, Windows XP and terminal services. A Macintosh version is in the works, along with vSentry versions for Android, BlackBerry and iPhone. With more computing being done on personal devices, end-user security is taking on increasing importance. Crosby said the microvisor approach puts handcuffs on an intruder and allows forensic experts to study him in a "cell" at their leisure.

But exactly how much work IT does, compared to vSentry, to invoke policies governing tasks is not yet supported by user testimony in the press or on the Bromium website. Enterprise deals are priced at $100-$150 per end user for a perpetual license, depending on volume, Crosby said.

Sentry 1.1 works with the virtual desktop infrastructure environments provided by VMware, Citrix Systems and Microsoft.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio