Micro-virtualization
Trustworthy By Design™
Introduction
Bromium, Inc. is a pioneer in trustworthy computing. Its products transform the resilience of
computer systems, making them affordable, manageable and trustworthy by design. The founders of
Bromium led the development of the Xen® hypervisor, and Bromium’s team is comprised of industry
experts in virtualization and security who have dedicated their careers to advancing the state of the
art in systems architecture, security and performance.
This document provides an introduction to Bromium micro-virtualization and shows how it can be
used to deliver powerful new benefits in security, manageability and trust, transforming end-point
security, data loss prevention, patching and lifecycle management. Bromium empowers users
without increasing risk to the enterprise, and enables IT to securely navigate the challenges of IT
consumerization and the transformation of the desktop, saying 'yes' to mobility and personal use of
enterprise devices, without increasing risk and with full compliance. Bromium protects systems even
when they haven’t been patched, automatically discarding malware and eliminating remediation
when attacked, and protecting enterprise data at runtime – all industry firsts that save money and
time, and keep users productive at all times.
(Diagram: traditional hypervisor stack – Management, VM, Hypervisor, Hardware)
[…] application lifecycle, OS updates, end-point security and configuration of the OS within each VM, for which OS and/or app-specific tools and practices are required.
Over the last few years CPU and chip-set vendors have introduced increasingly powerful hardware
extensions that accelerate and automate many low-level virtualization tasks and assist the
hypervisor to control hardware resources. All modern hypervisors use these features because they
offer significant performance benefits and because they increase the security of the hypervisor and
the isolation between VMs. Today, enlightenment is used only for non-virtualization-safe devices.
Hardware virtualization support includes functions that virtualize the CPU, memory (including
nested page tables), the I/O subsystem, and networking. Hardware virtualization for GPUs is in its
infancy, but is expected to become more widely available as use cases for virtualized graphics
become more prevalent. Peripheral interfaces, such as USB, can be easily virtualized in software.
Both Intel and AMD support device I/O virtualization and assignment (Intel VT-d, AMD IOMMU) that
permits I/O devices to be safely directly assigned to guest VMs, and protects the hypervisor and
other guests from device DMA into system memory. Memory used for device I/O is only visible to
the guest that owns the device. (Diagram: Anandtech)
It is important to note that the isolation offered by a hypervisor is limited to the boundaries of each
Guest VM – a full OS and its applications. The attack surface of the hypervisor is small, making it
difficult for malware to escape from a guest VM to attack the hypervisor. But a traditional hypervisor
cannot enhance the security of the OS or apps within any VM. This means that each guest, whether a
virtualized server or a desktop, is vulnerable to every attack to which it is vulnerable when running
natively installed on server or PC hardware.
The core technology required for task-level virtualization is called a Microvisor™, and offers granular
security, manageability and reliability benefits. The technology can be applied to any operating
system, but for simplicity we use Windows terminology. Micro-virtualization enhances the
reliability, security, manageability and availability of Windows and its applications. It can be used to
isolate vulnerable tasks from the OS and each other, protecting enterprise data and allowing users
to safely access untrusted data or removable media. It is the only technology that can safely permit
code and data of different levels of trust to coexist with guaranteed mutual isolation.
(Diagram label: Hypercall API)
[…] virtualized tasks are called micro-VMs and bear no resemblance to traditional, heavyweight, hypervisor-hosted VMs. Micro-VMs can be created in a flash and simply protect Windows application tasks and the OS, and as far as Windows is concerned, micro-VMs are just tasks under its control - it schedules them for execution, and tracks their performance and resource usage. Micro-VMs are small because they contain only task-specific state, and they run natively.
One of the key advantages of micro-virtualization is that the Microvisor need not be separately
provisioned on the bare hardware before adding the OS and applications. Instead, it is deployed like
any other application, as a small MSI package of a few tens of MB in size. The Microvisor installs
simple plug-ins that invoke API calls to create and destroy micro-VMs as needed when tasks are
created. The end-user is completely oblivious to the presence of the Microvisor, and enjoys an
unchanged user experience.
All white-listed applications provisioned by IT that process trusted enterprise data simply run as
before, but vulnerable tasks or those needing protection from attack are isolated by the
virtualization hardware, which is configured to police task access to Windows system services,
including network services, the file system, copy-and-paste, keyboard and mouse events, and all
devices. When a micro-VM is created its access to these system resources is restricted according to
a set of simple, task and trust-level related resource policies. Whenever the protected task attempts
to access any restricted system resource the virtualization hardware forces a CPU VM_EXIT,
suspending execution of the task and giving control of the CPU to the Microvisor to arbitrate access
using the resource policies for the task.
To understand the execution model of a micro-VM it is useful to compare its memory management to the way the Unix® fork() system call manages resources. fork() dynamically creates a new child process to execute application code that diverges from the execution path of its parent. A forked process inherits the address space and state of its parent process, but its subsequent execution is copy-on-write (CoW): any changes it makes to memory go to a private copy.
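The fork() analogy made concrete, as an added illustration that is not part of the original paper: the child overwrites the start of its inherited buffer, reports what it sees back over a pipe, and exits; the parent's copy of the same buffer is untouched, just as a micro-VM's changes to kernel memory or white-listed DLLs never reach the golden Windows. The image contents and the pipe-based reporting are constructed for the example; it relies on os.fork(), so it runs on POSIX systems only.

```python
"""Copy-on-write as seen through fork(): the child's writes land on private pages,
so the parent's image survives untouched. Added illustration of the analogy in the
text, not Bromium code; POSIX only (os.fork)."""
import os

# Constructed sample: the "golden" image every child starts from.
GOLDEN_IMAGE = b"golden-image"


def fork_cow_demo(tamper=b"TAMPER"):
    """Fork a child that overwrites the start of its inherited image.

    Returns (parent_view, child_view): what each process sees after the child
    has written. The child relays its view over a pipe; its memory is discarded
    at exit, the way a micro-VM's private state never reaches the golden copy.
    """
    image = bytearray(GOLDEN_IMAGE)       # parent's private buffer, pre-fork
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                          # child: inherits the address space
        os.close(rfd)
        image[:len(tamper)] = tamper      # this write hits a private CoW page
        os.write(wfd, bytes(image))
        os.close(wfd)
        os._exit(0)                       # child's modified pages are discarded here
    os.close(wfd)
    chunks = []
    while True:                           # drain the pipe until the child closes it
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    os.waitpid(pid, 0)
    return bytes(image), b"".join(chunks)


if __name__ == "__main__":
    parent, child = fork_cow_demo()
    print("parent sees:", parent)
    print("child saw:  ", child)
```

Running it prints the parent's unchanged `golden-image` beside the child's `TAMPER-image`; the child's write was serviced from a private page, and nothing it did survives its exit.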
When a micro-VM executes, its (VT-managed) memory map contains a representation of Windows and the DLLs required for execution, plus the task state. Access to OS services is restricted by the resource policies, and any change the task makes to OS memory or to the golden file system is copy-on-write. Thus, if the task is compromised by malware that modifies the Windows kernel or white-listed DLLs, it will only succeed in modifying a local copy, not the IT-provisioned, golden Windows.
(Diagram labels: μVMs execute CoW with “least privilege” access to files, networks & devices; Each vulnerable task is instantly isolated in a μVM, invisible to the user; Hypercall API)
Each micro-VM is presented with a narrowed view of the file system that contains only the files it needs – an implementation of the principle of “least privilege” – with CoW semantics. If malware modifies a file, the Microvisor ensures that it only modifies a copy of the file. Any files modified or saved by a micro-VM are stored efficiently as block-deltas against the original file, which remains unchanged until the micro-VM exits (the user closes a window, or the task terminates). At this point the Microvisor discards the task’s memory image and uses a persistence policy for the task to save relevant task files (if any), and to decide whether to persist any new files. Any persisted files are securely tagged with the trust level of the micro-VM, and all access to untrusted files must be made from within another micro-VM.
The resource policy for a task also restricts micro-VM access to networks, which are classified as
trusted, high value, and untrusted. Untrusted tasks cannot access trusted networks or Internet
sites, and access to high value sites must use secure end-to-end communication such as a VPN.
Finally, the resource policy encodes task specific restrictions related to device access, access to and
from copy-and-paste, and interaction with the user at the keyboard.
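The resource-policy model described in the preceding paragraphs (policy-arbitrated access on a VM_EXIT, a narrowed file view with block-delta copy-on-write, trust-classified networks with a VPN requirement for high-value sites, device restrictions, and trust-tagged persistence at exit), as an added toy model that is not Bromium's code. Every class, policy, file name and byte string below is constructed for the illustration; the `BLOCK` size, the `Trust` classes and the `MicroVM` methods are assumptions made to keep the model small, and `_arbitrate` only stands in for the hardware VM_EXIT path.

```python
"""Toy model of the micro-VM resource policy described in the text: a narrowed,
copy-on-write file view stored as block deltas, VM_EXIT-style arbitration of
network/device access by trust level, and trust-tagged persistence at exit.
Added illustration, not Bromium code; all names, policies and data are constructed."""
from dataclasses import dataclass
from enum import Enum

BLOCK = 4  # constructed block size for the delta overlay (real systems use 4 KiB or more)


class Trust(Enum):
    UNTRUSTED = "untrusted"
    TRUSTED = "trusted"
    HIGH_VALUE = "high_value"


@dataclass(frozen=True)
class Policy:
    """Hypothetical per-task policy: what a micro-VM at a trust level may touch."""
    trust: Trust
    visible_files: frozenset   # least-privilege file view
    reachable_nets: frozenset  # network classes (Trust values) the task may reach
    vpn_only_nets: frozenset   # of those, the ones requiring end-to-end VPN
    devices: frozenset         # device names the task may open, e.g. "usb"
    persist: frozenset         # files whose CoW copies survive micro-VM exit


class MicroVM:
    def __init__(self, policy, golden):
        self.policy, self.golden = policy, golden
        self.deltas = {}  # file -> {block_no: bytes}: the task's CoW overlay
        self.exits = []   # arbitration log of (resource, op, decision)

    def _arbitrate(self, resource, op, allowed):
        """Stands in for the VM_EXIT path: every touch of a restricted resource is
        suspended, decided against policy, and recorded."""
        self.exits.append((resource, op, "allow" if allowed else "deny"))
        return allowed

    def _materialize(self, fname):
        """Golden content with this micro-VM's block deltas applied on top."""
        data = bytearray(self.golden.get(fname, b""))
        for blk, chunk in self.deltas.get(fname, {}).items():
            start, end = blk * BLOCK, blk * BLOCK + len(chunk)
            if end > len(data):
                data.extend(b"\0" * (end - len(data)))
            data[start:end] = chunk
        return bytes(data)

    def read(self, fname):
        if not self._arbitrate(fname, "read", fname in self.policy.visible_files):
            return None  # outside the narrowed view: the file does not exist for this task
        return self._materialize(fname)

    def write(self, fname, data):
        """Overwrite from offset 0 (same length, or a new file); only blocks that
        differ from golden are stored, so golden itself is never touched."""
        if not self._arbitrate(fname, "write", fname in self.policy.visible_files):
            return False
        orig, file_deltas = self.golden.get(fname, b""), self.deltas.setdefault(fname, {})
        for blk in range((len(data) + BLOCK - 1) // BLOCK):
            chunk = data[blk * BLOCK:(blk + 1) * BLOCK]
            if chunk != orig[blk * BLOCK:(blk + 1) * BLOCK]:
                file_deltas[blk] = chunk
        return True

    def connect(self, net_class, via_vpn=False):
        ok = net_class in self.policy.reachable_nets and (
            via_vpn or net_class not in self.policy.vpn_only_nets)
        return self._arbitrate(net_class.value, "connect", ok)

    def open_device(self, dev):
        return self._arbitrate(dev, "open", dev in self.policy.devices)

    def exit(self):
        """Discard the task's private state; keep only what the persistence policy
        allows, tagged with the micro-VM's trust level."""
        kept = {f: (self._materialize(f), self.policy.trust.value)
                for f in self.deltas if f in self.policy.persist}
        self.deltas = {}
        return kept


# Constructed golden image and two constructed policies (untrusted browser, high-value client)
GOLDEN = {"ntoskrnl.exe": b"KRNL-1.0", "kernel32.dll": b"DLL-v1.0", "payroll.xlsx": b"SECRET!!"}
UNTRUSTED = Policy(Trust.UNTRUSTED, frozenset({"ntoskrnl.exe", "kernel32.dll", "download.pdf"}),
                   frozenset({Trust.UNTRUSTED}), frozenset(), frozenset(), frozenset({"download.pdf"}))
HIGH_VALUE = Policy(Trust.HIGH_VALUE, frozenset({"ntoskrnl.exe", "kernel32.dll", "payroll.xlsx"}),
                    frozenset({Trust.HIGH_VALUE}), frozenset({Trust.HIGH_VALUE}), frozenset(), frozenset())


def demo():
    """The compromise scenario from the text: malware in an untrusted task patches a
    white-listed DLL and probes resources outside its policy."""
    vm = MicroVM(UNTRUSTED, GOLDEN)
    vm.write("kernel32.dll", b"DLL-PWND")         # lands in a CoW delta, not in golden
    vm.write("download.pdf", b"%PDF-1.4 hello")   # new file the user saved
    result = {
        "task_view": vm.read("kernel32.dll"),      # the task sees its tampered copy
        "golden": GOLDEN["kernel32.dll"],          # golden is unchanged
        "secret": vm.read("payroll.xlsx"),         # outside the narrowed view: None
        "to_trusted": vm.connect(Trust.TRUSTED),   # untrusted task: denied
        "to_internet": vm.connect(Trust.UNTRUSTED),
        "usb": vm.open_device("usb"),
        "persisted": vm.exit(),                    # only download.pdf, tagged untrusted
    }
    result["deltas_after_exit"], result["exit_log"] = vm.deltas, vm.exits
    hv = MicroVM(HIGH_VALUE, GOLDEN)
    result["hv_plain"] = hv.connect(Trust.HIGH_VALUE)                # no VPN: denied
    result["hv_vpn"] = hv.connect(Trust.HIGH_VALUE, via_vpn=True)    # over VPN: allowed
    return result
```

`demo()` returns the task's tampered view of `kernel32.dll` next to the unchanged golden bytes, `None` for the file outside the narrowed view, the denied and allowed network and device decisions, the single persisted file tagged `untrusted`, and the arbitration log in which every denied touch appears; the model stores only the blocks that differ from golden, which is what makes the block-delta representation cheap.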
In general no application-specific logic is required for each task; however, some applications require task-specific enlightenments. Bromium is developing an SDK that allows application developers, and existing provisioning tools and practices such as application virtualization, to deliver new applications to the platform so that they run in micro-VMs by default.
(Diagram label: Hypercall API)
[…] hypercall parameters from a micro-VM, and the interface is designed to be hardened to be resilient to attack and is checkable by third parties. The Bromium Microvisor implements the hypercall API in under 10 KLOC of hardened code.
Micro-virtualization in Action
Micro-virtualization adds hardware-enforced task isolation to the operating system – without doubt
the most robust form of isolation possible within a running OS. It can be used to solve some of the
most challenging problems in enterprise IT infrastructure where traditional software abstractions
for isolation have been shown to be vulnerable or unreliable. Some use cases for the technology are
discussed below.
Bromium uses micro-virtualization to isolate such threats from the corporate desktop. By ensuring that every vulnerable or untrusted task (for example rendering a web page or opening an email attachment) is executed in its own micro-VM, we can guarantee that a compromised task cannot […]
The Bromium security model assumes that because of the rapid rate of malware evolution, at some
point an application task in a micro-VM will be attacked and will be compromised, but the granular
isolation afforded by the Microvisor, together with the resource control policies, ensures that any
attack that takes place is quarantined within the micro-VM. In addition, the Microvisor is itself
hardware isolated from all micro-VMs, protecting the Microvisor and Windows.
This use of micro-virtualization places each high value application into its own micro-VM, rather than isolating untrusted code. The Microvisor ensures that the high value micro-VM is allowed to communicate with the back-end application only, via a secure VPN, and that no other communication is allowed. Moreover it can ensure that enterprise policies for local storage of any application data are enforced, for example preventing local storage of data, or encrypting all data that is stored locally, and blocking access to removable storage such as USB. Critically, when a system is attacked, it discards any malware, eliminating the need for remediation.
Micro-virtualization delivers all of the benefits of VDI together with application layer security, on the
devices that users want to use – their PCs and laptops.
• Every new micro-VM is instantly created from the known-good golden desktop image, which
does not change except under IT control
• Enterprise data is protected both at rest and at runtime – an industry first
• Users get to safely use enterprise data and access enterprise applications both on- and off-line, from any network
• The desktop is protected from malware, viruses and APTs
• Granular policies for access to and distribution of enterprise data are applied on every PC.
Because Bromium assumes that some task will be compromised at some point and because the
Microvisor is designed to isolate compromised tasks, the architecture offers security at all times - the
system will still be safe even with vulnerable software. IT staff can apply patches when it suits them
and their users, and with full confidence that their systems are always protected.
Perhaps most importantly, Bromium-enabled PCs do not need to be re-imaged when an attack occurs. The system simply shrugs off malware, leaving the system “always gold”. This saves countless hours of IT’s time, reduces support calls, and keeps users productive.
Summary
Bromium micro-virtualization adds granular, resilient task isolation and security to Windows. Micro-virtualization dramatically enhances security, simplifies software lifecycle management, and protects enterprise data at all times by making endpoints trustworthy and resilient. It achieves this with no changes in management practice or toolsets, and with an unchanged user experience.
To learn more, and to participate in our Beta program, please visit us at www.bromium.com