Risk
10/11/2012
09:06 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Bromium Strengthens Desktop Security Using Virtualization

Ex-Citrix CTO Simon Crosby says Bromium's vSentry technology isolates suspicious activity in a virtual machine, then identifies and flushes it when the VM is erased.

Bromium recently launched a new approach to desktop security that virtualizes end-user activities when they have the potential to bring in outside agents or malware. The move isolates and monitors potentially harmful actions and blocks suspicious activity once it is identified.

Most approaches to end-user security rely on upfront protection, such as antivirus software looking for identifiers of a virus or other malware in incoming messages. Each end-user device is loaded with protective software containing known attack signatures, then watches for them as the user undertakes connections to the Internet and other activity. But attack signatures can be varied more rapidly than end-user devices can be updated, and some malware creeps through into the enterprise anyway, Crosby said in an interview.

A user's Windows machine, equipped with Bromium's vSentry (launched Sept. 19), relies on isolation of suspect activity, along with an ability to block its access to restricted resources and flush it out of the system, said Bromium CTO Simon Crosby, who departed from Citrix last year.

Under Bromium's approach, "You don't need to detect malware early to be protected," Crosby said in an interview.

[Want to learn more about how Bromium uses microvisors and micro virtual machines to attack security threats? See Virtualization Pioneers Crosby, Pratt Tackle Cloud Security.]

Crosby is often the public voice of a former Cambridge University research team lead by Ian Pratt, which virtualized the x86 instruction set about two years after Mendel Rosenblum did at VMware. They set up a competing open source project, Xen, and then XenSource, a company to support it. XenSource was acquired by Citrix in 2007 for $500 million.

Bromium's vSentry can invoke a micro virtual machine in which to run any potentially hazardous task, such as opening an attachment to an email file or downloading programs from the Internet. If the activity shows any sign of mischief, such as trying to access a resource designated as restricted for the task involved, the process is interrupted and control over it handed off to the microvisor, a hypervisor managing a tiny virtual machine. A microvisor can launch hundreds of micro VMs simultaneously to safeguard multiple application tasks.

If a process calls on a spreadsheet to access data from a Sharepoint source on the internal network, and the spreadsheet would normally be allowed to do so, the process continues. If it tries to access the Windows kernel or overwrite a DLL to allow some function that it wishes to do, the attempt is written to a cache in the virtual machine, which makes it appear to an attacker that an attack has gone off as planned, according to information in a Bromium white paper.

But in fact, the microvisor running the process has blocked the attempt and started an event log as it assesses each further request of the process. Only those requests for files or data that meet a need-to-know standard-- e.g., would this process normally need to know the information that it's seeking?--are allowed.

Requests that don't meet the need-to-know standard are blocked, protecting restricted resources while creating a picture of what the process is seeking to do. Looking at that picture--reconstructing the sequence of events captured in the event log--gives security administrators a clear record of what they're dealing with.

That picture results in security administrators being able "to generate the signatures of malware" on their own and add them to the list in their firewalls and intrusion detection systems, Crosby said. With vSentry, they may in some cases be doing so before their antivirus vendor or other supplier has come up with the signature.

Any attack isolated to a micro VM is flushed from the system when the micro VM is shut down. No lengthy, interdisciplinary team of security, server, and network administrators needs to be called together to try to root out the attacker or undo its damage, Crosby said.

Telling a microvisor that a resource is restricted to particular types of activity is both a human IT function and a function of intelligence built into vSentry, according to information on the Bromium website. But it is not clear how much IT effort must be invested to make vSentry work as advertised.

Bromium plans to add the Macintosh to its protected end-user systems in the future, but no date has been specified.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/16/2012 | 7:23:55 AM
re: Bromium Strengthens Desktop Security Using Virtualization
So this opens another virtual machine and runs that particular task, opening an attachment, etc.., is that machine there for good or does a new machine get created every time a new task is preformed? It sound like a great idea to isolate and contain potentially dangerous malware. Overall for larger corporations who have to deal with threats daily this would save a lot of time, just shut down the vm, all good.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.