Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/17/2012
01:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Bromium Secures Older PCs, Terminals Via 'Microvisor'

CTO Simon Crosby says goal is to isolate untrusted tasks on Windows XP machines, thin clients as users bring outside code and content inside the enterprise.

Bromium, the startup that isolates potentially intrusive end-user tasks in micro virtual machines, says it's extended the first version of its vSentry software to protect legacy Windows XP and terminal server desktops -- those frequently running on older versions of the Intel and AMD chip family.

VSentry was launched Sept. 19, and the 1.1 vSentry update, announced Dec. 11, begins to make it applicable to Windows XP, thin clients and terminal services devices.

The older chips are virtualization unaware, so they lack the ability to realize they're dealing with a virtual machine. They thus can't use Bromium 1.0 capabilities to assert micro-hypervisor or "microvisor" control over end-user tasks. Virtualization hooks built into modern Intel and AMD chips allow vSentry to "hardware-isolate each untrustworthy task." With the 1.1 release, vSentry has been upgraded to terminal services and Windows XP systems, even though the devices running them don't necessarily contain the most modern chips.

Sometimes these legacy desktops are under consideration for upgrade through a virtual desktop infrastructure -- being managed through central servers with only displays running locally. That move allows users to stick with a familiar system but puts it on server hardware and under more automated management.

Author and researcher Shawn Bass wrote recently on the brianmadden.com virtualization website that virtual desktops and virtual desktop infrastructure are no more secure than non-virtualized systems. There's been a presumption they were somewhat safer due to the fact they run on central servers under IT, with all data stored in the data center. But Bass says end users make use of too many public resources to avoid exposures to malware, and the virtual desktop is just as much at risk as its bare metal counterpart.

[ Want to learn more about how Bromium takes a different approach to security? See Bromium Strengthens Desktop Security Using Virtualization. ]

Bromium's CTO Simon Crosby picked up on the theme in a blog written to announce the release of vSentry 1.1 Dec. 11.

"Virtual desktops are vulnerable to exactly the same attacks as native PCs ... A compromised virtual desktop puts the attacker in an ideal location -- the data center -- from which he can further penetrate the infrastructure," said Crosby, echoing Bass' blog post.

The exposure may be greater than with standard desktops, Crosby continued, because once an intruder gains access to a virtual desktop, he's inside the data center and attached to many other networked desktops. "Since VDI desktops typically all appear on the same LAN segment (or VLAN), it is possible for attackers to spread laterally from one virtual desktop to another," he wrote.

What Bromium does about the risk is impose a new form of security, one that isolates untrusted activity in a micro virtual machine, then discards it when its stated purpose is completed. Tasks that might be isolated under a microvisor would include rendering an email attachment, or rendering a consumer website with misrepresented download invitations embedded in its presentations.

Bromium's vSentry detects the nature of the activity and spins up a micro virtual machine where the task must execute. If the task attempts to access files, network, devices or the Windows clipboard, the hardware interrupts the execution and turns the task over to the microvisor, which then enforces policies specific to the task.

If what the code is attempting to do is outside the nature of the task, the attempt is written to cache in that part of the virtual machine, making it appear to the attacker that everything is proceeding as planned. Meanwhile, the microvisor has isolated the attack and created an event log record of what was being attempted.

When the task is done, the virtual machine is flushed from the system, eliminating the malware involved, as well. The microvisor has been given enough intelligence to take action when common forms of intrusion appear -- e.g., the request for a file that is not part of the task or an attempt to gain access to a network not involved in the task. "It's a step beyond sandboxing," said Crosby in an interview.

"If the task in a micro VM does something bad, we know there's only one task inside the VM. We'll be able to look inside and see an attack as it happened, see what was the intent. We'll be able to see where the attacker is from, what registry entries were modified, what networks were activated. Every task is a honeypot" in which to catch an attacker, Crosby added.

The idea of isolating untrusted tasks in a micro VM is a different approach to end-user security than trying to keep all malware out with firewalls and intruder detection. It assumes some malware will get through and seeks to isolate it from other systems where it might inflict its damage.

Bromium is a young company with 75 people seeking to rapidly expand its capabilities beyond Windows Server, Windows 7 and 8, Windows XP and terminal services. A Macintosh version is in the works, along with vSentry versions for Android, BlackBerry and iPhone. With more computing being done on personal devices, end-user security is taking on increasing importance. Crosby said the microvisor approach puts handcuffs on an intruder and allows forensic experts to study him in a "cell" at their leisure.

But exactly how much work IT does, compared to vSentry, to invoke policies governing tasks is not yet supported by user testimony in the press or on the Bromium website. Enterprise deals are priced at $100-$150 per end user for a perpetual license, depending on volume, Crosby said.

Sentry 1.1 works with the virtual desktop infrastructure environments provided by VMware, Citrix Systems and Microsoft.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15731
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.2.1. Non-members were able to comment on merge requests despite the repository being set to allow only project members to do so.
CVE-2019-15732
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Community and Enterprise Edition 12.2 through 12.2.1. The project import API could be used to bypass project visibility restrictions.
CVE-2019-15733
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Community and Enterprise Edition 7.12 through 12.2.1. The specified default branch name could be exposed to unauthorized users.
CVE-2019-16366
PUBLISHED: 2019-09-16
In XS 9.0.0 in Moddable SDK OS180329, there is a heap-based buffer overflow in fxBeginHost in xsAPI.c when called from fxRunDefine in xsRun.c, as demonstrated by crafted JavaScript code to xst.
CVE-2019-8371
PUBLISHED: 2019-09-16
OpenEMR v5.0.1-6 allows code execution.