Xen creator Ian Pratt gives every task its own virtual machine!
Bromium, a stealthy start-up founded by the creators of the open-source Xen hypervisor, has a radical approach to securing your laptop: every single task on the machine runs in its own tiny virtual machine.
Because it’s no longer possible to secure the perimeter of a company, security firms have moved to endpoint security, where the activity on every laptop, phone or tablet is monitored. This approach doesn’t work either since no one can keep up with all the possible attacks or monitor all the possible forms of suspicious behaviour. Instead, Bromium’s vSentry uses highly granular virtualisation, running a “microvisor”, and giving every single task its own virtual machine (VM) – effectively a brand-new throwaway computer. The company has been selling in the US for a short while, and made its UK debut this month.
Virtual end points
“Endpoint security is wretched and worthless,” Bromium vice president of marketing Franklyn Jones told us, on a visit to TechWeekEurope. Endpoint security is so broken that large companies have people on staff whose only job is to fix infected laptops, he tells us, before handing over to the brains behind the product – Ian Pratt, senior vice president of products.
As a Cambridge academic, Pratt created the Xen open source hypervisor, and led XenSource, the company which commercialised it, before it was bought by Citrix in 2007. He remained as CTO of Citrix until 2011, when he left to found Bromium.
The security pitch of Bromium is that young Internet natives need and expect access to the whole of the Internet, so the problem of security has effectively become that of securing an “Enterprise of One”.
The way to do this is to isolate all the activities that person carries out, so that none of them can impact on each other, or on other users, says Pratt. This approach developed out of Citrix’s XenClient, which uses the Xen hypervisor to isolate applications on separate virtual machines, to minimise the security risk of them interfering with each other. “XenClient is widely used in the intelligence community,” Pratt told us.
But XenClient was little more than a proof of the concept of isolation, he explained. To realise endpoint security through virtualisation required task-level isolation, which needed a new, very lightweight hypervisor that makes use of Intel VT, the hardware assist for virtualisation which Intel builds into its Xeon, Pentium and Core chips.
The Bromium vSentry microvisor launches a new VM for every task, right down to every tab in a browser or every document that is opened. Each of these gets a completely blank slate – none of its resources are shared with other tasks – and it is closed down after the task is finished.
This sounds like a massive overhead, but he shows the system working on a normal Intel i5 laptop from Lenovo running Windows 7. Tabs and applications open at a normal speed, while a monitor application shows dozens of separate virtual machines running.
To prove everything really is in its own VM, Pratt launches Task Manager within a tab. The Windows 7 screen comes up within that tab, and we see a machine with only one application running, and no access to anything else on the machine. He then opens the PDF file which infected RSA. It does its stuff, and then every trace is removed when the VM is closed down.
There seems to be no delay and no overhead. “It takes tens of milliseconds to create a microVM,” says Pratt.
This subjective opinion is borne out by tests from NSS Labs, which found vSentry 100 percent effective at blocking embedded exploits and drive-by malware, with a three percent performance penalty (the report is for sale here).
If a user opens a dodgy email attachment, it can’t make any changes to the whole system, even if it installs malware in this temporary VM. In fact, doing this might even help security, Pratt explains, since the malware can be observed safely in that microVM, and a record of its activity given to central security staff. “It’s like a Black Box flight recorder,” says Pratt.
But what if the infected document is saved to the hard disk? Any time our vSentry user opens it again, the malware is contained as before – and the document is tagged with metadata warning there is a problem with this document, so other users without vSentry can be forewarned.
vSentry currently runs only on Intel machines running Windows 7, but later this year Bromium plans to deliver it for OS X and Windows 8. Android and iOS appear in the longer-range plans, and other Linux systems could follow the Android version, Pratt says. Android and iOS phones and tablets can be covered, he says, because the ARM-based processors they use have virtualisation support equivalent to that in Intel chips.
At the moment, vSentry is a pricey proposition. It costs $150 per laptop – although there are steep discounts if you have a lot of laptops to secure. And Pratt and Jones both strongly imply the business model will change in future, perhaps having the software bundled with hardware from particular providers.
Bromium has been selling actively in the US for a couple of quarters, and currently has deals with half a dozen large US organisations – though only the New York Stock Exchange has gone public so far with a plan to roll it out gradually to all its users. Typically, a customer will start with high-risk users – those who can’t be trusted or reined in, such as CEOs – and gradually get the software to everyone else.