
Bromium™
Micro-virtualization
Trustworthy By Design™

Introduction
Bromium, Inc. is a pioneer in trustworthy computing. Its products transform the resilience of
computer systems, making them affordable, manageable and trustworthy by design. The founders of
Bromium led the development of the Xen® hypervisor, and Bromium’s team is comprised of industry
experts in virtualization and security who have dedicated their careers to advancing the state of the
art in systems architecture, security and performance.

Bromium’s products are built on the Bromium Microvisor™ – a second-generation virtualization
technology that extends the isolation, control and security principles of virtualization into the
operating system (OS) - completely hidden from the user. Instead of virtualizing multiple operating
systems, the Microvisor hardware-isolates each vulnerable application task within a single running
OS in a lightweight micro-VM. The Microvisor uses hardware virtualization to guarantee that micro-
VMs are isolated from the OS and each other. It protects enterprise assets by restricting the ability of
each micro-VM to access data, networks and other system resources, according to the “principle of
least privilege”. It is the only technology that can safely permit trusted and untrusted applications
and data to coexist on a single system with guaranteed mutual isolation.

This document provides an introduction to Bromium micro-virtualization and shows how it can be
used to deliver powerful new benefits in security, manageability and trust, transforming end-point
security, data loss prevention, patching and lifecycle management. Bromium empowers users
without increasing risk to the enterprise, and enables IT to securely navigate the challenges of IT
consumerization and the transformation of the desktop, saying 'yes' to mobility and personal use of
enterprise devices, without increasing risk and with full compliance. Bromium protects systems even
when they haven’t been patched, automatically discarding malware and eliminating remediation
when attacked, and protecting enterprise data at runtime – all industry firsts that save money and
time, and keep users productive at all times.

First Generation Virtualization


Server or desktop virtualization uses a hypervisor to virtualize server hardware to permit multiple
independent virtual machines (Windows desktop VMs in the case of desktop virtualization) to
concurrently share the resources of a single machine. Each VM contains an entire operating system
and its applications, stored in a virtual hard disk image. VMs are not installed natively on the
hardware – they are booted from the VHD and executed under control of the hypervisor.

©  Bromium,  Inc.  2011,  2012.    All  Rights  Reserved     1   http://www.bromium.com  


Each VM is managed through its lifecycle via virtual infrastructure management tools that enable an
administrator to start (boot), stop, pause, suspend, resume, checkpoint, back up and move VMs,
amongst other operations. VM management is independent of the application lifecycle, OS updates,
end-point security and configuration of the OS within each VM, for which OS and/or app-specific
tools and practices are required.

(Figure: first-generation virtualization stack. Hardware, Hypervisor, VMs each running an Operating
System with App 1 and App 2, and a VM Management layer.)

Hardware Assisted Virtualization


In the early years of x86 virtualization, the hardware of the device was virtualized entirely in
software, either by patching the binaries of guest VMs, or through a technique known as
enlightenment, pioneered in Xen, and also adopted by Microsoft® in Hyper-V.

Over the last few years CPU and chip-set vendors have introduced increasingly powerful hardware
extensions that accelerate and automate many low-level virtualization tasks and assist the
hypervisor to control hardware resources. All modern hypervisors use these features because they
offer significant performance benefits and because they increase the security of the hypervisor and
the isolation between VMs. Today, enlightenment is used only for non-virtualization-safe devices.

Hardware virtualization support includes functions that virtualize the CPU, memory (including
nested page tables), the I/O subsystem, and networking. Hardware virtualization for GPUs is in its
infancy, but is expected to become more widely available as use cases for virtualized graphics
become more prevalent. Peripheral interfaces, such as USB, can be easily virtualized in software.

Using Intel’s VT-x technology, the hypervisor runs in “VMX root mode” while guest VMs run in
“VMX non-root mode”. Guest VMs are restricted in terms of instruction set and resource access. For
example, instructions including RDMSR, WRMSR, and CPUID cause a “VM_EXIT” trap that suspends
the execution of the VM and hands execution to the hypervisor, moving from non-root operation to
root operation. When a processor operates in root mode, it has full resource access and an additional
ten instructions that are not available to guest VMs. In AMD-V the hypervisor runs in Host Mode and
guests in Guest Mode. In Guest Mode, some instructions cause VM_EXIT, which is handled in a
manner that is specific to the way the Guest Mode is entered.

Both Intel and AMD support device I/O virtualization and assignment (Intel VT-d, AMD IOMMU) that
permits I/O devices to be safely directly assigned to guest VMs, and protects the hypervisor and
other guests from device DMA into system memory. Memory used for device I/O is only visible to
the guest that owns the device. (Diagram: Anandtech)



In addition, both Intel TXT and AMD SKINIT offer CPU extensions to permit secure system bootstrap
and hardware-based attestation using a Trusted Platform Module (TPM) that securely stores
signatures for whitelisted code (such as the hypervisor). In a measured boot, the hardware verifies
that the hypervisor has not been modified, and the hypervisor can then in turn check that each
guest VM is unmodified, prior to it being started. This permits IT to ensure that the system is in the
intended state at start-of-day.
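As an added illustration (not Bromium's code), the measured-boot chain described above modelled in Python: the hypervisor is measured into a TPM-style PCR first, each guest it starts is measured next, and attestation compares the final PCR with the value IT recorded. The sample images, the whitelist of known-good digests and the use of SHA-256 for the PCR extend are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for the hypervisor binary and a guest VM image; a real
# measured boot hashes the actual code and the actual disk image.
HYPERVISOR_IMAGE = b"microvisor build 1.0 (constructed sample)"
GOLDEN_GUEST = b"IT-provisioned golden Windows VHD (constructed sample)"

PCR_INIT = bytes(32)  # PCRs start zeroed at power-on


def measure(image: bytes) -> bytes:
    """Digest the TPM records for a piece of code or an image."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new = H(old || digest). One-way and order-dependent,
    so a chain of measurements cannot be replayed or reordered."""
    return hashlib.sha256(pcr + digest).digest()


def boot_chain(hypervisor: bytes, guests: list) -> bytes:
    """Measure the hypervisor first, then each guest it starts, and return the
    final PCR value that attestation compares against the expected one."""
    pcr = pcr_extend(PCR_INIT, measure(hypervisor))
    for image in guests:
        pcr = pcr_extend(pcr, measure(image))
    return pcr


def hypervisor_may_start(image: bytes, whitelist: set) -> bool:
    """The hypervisor's own check before launching a guest: refuse any image
    whose digest is not on the whitelist of known-good images."""
    return measure(image) in whitelist


def attest(final_pcr: bytes, expected_pcr: bytes) -> bool:
    """Start-of-day check: constant-time compare of the reported PCR with the
    value IT recorded for the intended hypervisor + guest configuration."""
    return hmac.compare_digest(final_pcr, expected_pcr)


# Values IT records once from the known-good configuration.
EXPECTED_PCR = boot_chain(HYPERVISOR_IMAGE, [GOLDEN_GUEST])
WHITELIST = {measure(GOLDEN_GUEST)}

if __name__ == "__main__":
    # Intact system: attestation passes and the golden guest may start.
    print(attest(boot_chain(HYPERVISOR_IMAGE, [GOLDEN_GUEST]), EXPECTED_PCR))
    # One changed byte in the guest image changes its digest: the hypervisor
    # refuses it, and the PCR chain no longer matches what IT expects.
    tampered = GOLDEN_GUEST[:-1] + b"!"
    print(hypervisor_may_start(tampered, WHITELIST))
    print(attest(boot_chain(HYPERVISOR_IMAGE, [tampered]), EXPECTED_PCR))
```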

Hardware virtualization has played a crucial role in the broad adoption of virtualization. Without
hardware guarantees of isolation between guest VMs and between guests and the hypervisor, it
would not be possible to safely adopt virtual infrastructure for any mission critical applications, or to
comply with regulations that mandate infrastructure isolation, for example those of the Payment
Card Industry (PCI). The benefits of hypervisor-based virtualization speak for themselves: Both
private and public cloud services are founded on the notion of multi-tenancy, and rely on hardware
isolation as the key enabling technology.

It is important to note that the isolation offered by a hypervisor is limited to the boundaries of each
Guest VM – a full OS and its applications. The attack surface of the hypervisor is small, making it
difficult for malware to escape from a guest VM to attack the hypervisor. But a traditional hypervisor
cannot enhance the security of the OS or apps within any VM. This means that each guest, whether a
virtualized server or a desktop, is vulnerable to every attack to which it is vulnerable when running
natively installed on server or PC hardware.

The Future: Bromium Micro-virtualization


Bromium Micro-virtualization is a second-generation virtualization technology that extends the
isolation, control and security principles of hypervisor-based virtualization into the OS and its
applications. It does this by using hardware virtualization to dynamically isolate user tasks. It
provides a hardware-guaranteed backstop for intra-OS software isolation, permitting granular,
hardware-enforced protection.

The core technology required for task-level virtualization is called a Microvisor™, and offers granular
security, manageability and reliability benefits. The technology can be applied to any operating
system, but for simplicity we use Windows terminology. Micro-virtualization enhances the
reliability, security, manageability and availability of Windows and its applications. It can be used to
isolate vulnerable tasks from the OS and each other, protecting enterprise data and allowing users
to safely access untrusted data or removable media. It is the only technology that can safely permit
code and data of different levels of trust to coexist with guaranteed mutual isolation.

Inside the Bromium Microvisor


Whereas a hypervisor hosts multiple independent guest VMs (each with its own OS, applications, and
virtual hardware) the Bromium Microvisor is a lightweight component that is added to a single
natively installed Windows OS instance. It uses hardware virtualization to isolate individual Windows
tasks from each other and to protect the OS from malware. These hardware-virtualized tasks are
called micro-VMs and bear no resemblance to traditional, heavyweight, hypervisor hosted VMs.
Micro-VMs can be created in a flash and simply protect Windows application tasks and the OS, and
as far as Windows is concerned, micro-VMs are just tasks under its control - it schedules them for
execution, and tracks their performance and resource usage. Micro-VMs are small because they
contain only task-specific state, and they run natively.

(Figure: the Microvisor and its Hypercall API.)

One of the key advantages of micro-virtualization is that the Microvisor need not be separately
provisioned on the bare hardware before adding the OS and applications. Instead, it is deployed like
any other application, as a small MSI package of a few tens of MB in size. The Microvisor installs
simple plug-ins that invoke API calls to create and destroy micro-VMs as needed when tasks are
created. The end-user is completely oblivious to the presence of the Microvisor, and enjoys an
unchanged user experience.

All white-listed applications provisioned by IT that process trusted enterprise data simply run as
before, but vulnerable tasks or those needing protection from attack are isolated by the
virtualization hardware, which is configured to police task access to Windows system services,
including network services, the file system, copy-and-paste, keyboard and mouse events, and all
devices. When a micro-VM is created its access to these system resources is restricted according to
a set of simple, task and trust-level related resource policies. Whenever the protected task attempts
to access any restricted system resource the virtualization hardware forces a CPU VM_EXIT,
suspending execution of the task and giving control of the CPU to the Microvisor to arbitrate access
using the resource policies for the task.

To understand the execution mode of a micro-VM it is useful to compare its memory management
to the way that the Unix® fork() system call manages resources. Fork() is used to dynamically create
a new child process to execute application code that is divergent from the execution path of its
parent. A forked process inherits the address space and state of its parent process but its
subsequent execution is copy-on-write (CoW) – any changes it makes to memory are to a private
copy.

When a micro-VM executes, its (VT-managed) memory map contains a representation of Windows
and the necessary DLLs required for execution, plus the task state. Access to OS services is restricted
by the resource policies, and any changes that the task makes to OS memory or the golden file
system is “Copy-on-Write”: Thus, if the task is compromised by malware that modifies the Windows
kernel or white-listed DLLs, it will only succeed in modifying a local copy, and not the IT provisioned,
golden Windows.



(Figure: The Microvisor isolates vulnerable tasks from Windows, each other and key system
resources. μVMs execute CoW with “least privilege” access to files, networks and devices. Each
vulnerable task is instantly isolated in a μVM, invisible to the user. Hypercall API.)

Each micro-VM is presented with a narrowed view of the file system that contains only the files it
needs – an implementation of the principle of “least privilege” - with CoW semantics. If malware
modifies a file, the Microvisor will ensure that it only modifies a copy of the file. Any files modified or
saved by a micro-VM are stored efficiently as block-deltas against the original file, which remains
unchanged until the micro-VM exits (the user closes a window, or the task terminates). At this point
the Microvisor discards the task’s memory image and uses a persistence policy for the task to save
relevant task files (if any), and to decide whether to persist any new files. Any persisted files are
securely tagged with the trust level of the micro-VM, and all access to untrusted files must be made
from within another micro-VM.

The resource policy for a task also restricts micro-VM access to networks, which are classified as
trusted, high value, and untrusted. Untrusted tasks cannot access trusted networks or Internet
sites, and access to high value sites must use secure end-to-end communication such as a VPN.

Finally, the resource policy encodes task specific restrictions related to device access, access to and
from copy-and-paste, and interaction with the user at the keyboard.

Creation and Management of micro-VMs


In a traditional hypervisor the virtualization management tools are used to manage the lifecycle of
VM instances. By contrast, because micro-VMs are just application tasks run by Windows, the
lifecycle and resource management for micro-VMs needs to be automatic, based on the user’s
actions but hidden from view. This is a key requirement, since it permits us to use virtualization to
deliver enhanced security and resilience without modifying the end user experience. It also means
that no new IT skill sets or management tools are required.

In general there is no specific logic required for each different application task, however there are
some applications for which task specific enlightenments are required. Bromium is developing a
SDK to permit application developers and existing provisioning tools and practices, such as
application virtualization, to be the default way to deliver new applications to the platform that will
run in micro-VMs.



A micro-VM is discarded when its task exits or the user closes its window. If the task crashes for
some reason (for example due to malware), the system is completely protected and will continue to
operate unmodified.

Vulnerability of the Microvisor


Many use cases of micro-virtualization are security or trust related. It is therefore important to
understand the vulnerability of the Microvisor, since compromise of the Microvisor makes it possible
for an attacker to attempt traditional methods to compromise Windows.

The Microvisor attack surface is narrow. Any access to system services outside the micro-VM (such
as the file system or network services) occurs via enlightened service APIs. The enlightened services
are simply hypercalls that trigger a CPU VM_EXIT that allows the Microvisor to enforce access
policies for the task. The Microvisor does not trust hypercall parameters from a micro-VM, and the
interface is designed to be hardened against attack and to be checkable by third parties. The
Bromium Microvisor implements the hypercall API in under 10 KLOC of hardened code.

(Figure: The desktop is vulnerable to an attack from a μVM at the hypercall API, which is
O(10 KLOC). Hypercall API.)
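As an added model (not the Microvisor's code) of the policy arbitration on VM_EXIT described in this section and under the resource policies earlier (file, network class, device and clipboard access): the dispatcher copies every guest-supplied buffer into its own memory and validates it before use, refuses unknown hypercall numbers and malformed parameters, and only then applies the task's resource policy. The hypercall numbers, the network classification table and the sample task policy are assumptions.

```python
from dataclasses import dataclass

MAX_PATH = 260  # bound on any path copied in from a micro-VM
# Constructed classification of destinations into the three network classes.
NETWORK_CLASS = {
    "intranet.example": "trusted",
    "payroll.example": "high value",
    "news.example": "untrusted",
}

@dataclass
class MicroVM:
    trust: str         # trust level of the task: "trusted" or "untrusted"
    memory: bytearray  # the micro-VM's memory, readable by the Microvisor after VM_EXIT
    policy: dict       # resource policy: visible files, devices, clipboard directions

def copy_in(vm: MicroVM, addr, length) -> bytes:
    """Copy a guest buffer into Microvisor memory, checking type and bounds first."""
    if type(addr) is not int or type(length) is not int:
        raise ValueError("hypercall parameters must be integers")
    if addr < 0 or length < 0 or length > MAX_PATH:
        raise ValueError("length out of range")
    if addr + length > len(vm.memory):  # catches oversized and wrapped ranges
        raise ValueError("buffer lies outside micro-VM memory")
    return bytes(vm.memory[addr:addr + length])  # validated copy, not a guest pointer

def hc_open_file(vm: MicroVM, addr, length) -> str:
    """File access: validate the copied-in path, then apply the task's narrowed view."""
    path = copy_in(vm, addr, length).decode("utf-8")  # UnicodeDecodeError is a ValueError
    if "\x00" in path or ".." in path.replace("\\", "/").split("/"):
        raise ValueError("malformed path")
    return "allow (copy-on-write)" if path in vm.policy["visible_files"] else "deny"

def hc_connect(vm: MicroVM, host, via_vpn) -> str:
    """Network access by class: untrusted tasks never reach trusted networks,
    and high value sites require end-to-end protection such as a VPN."""
    cls = NETWORK_CLASS.get(host, "untrusted")  # unknown hosts count as untrusted
    if vm.trust == "untrusted" and cls == "trusted":
        return "deny"
    if cls == "high value" and not via_vpn:
        return "deny"
    return "allow"

def hc_device(vm: MicroVM, device) -> str:
    return "allow" if device in vm.policy["devices"] else "deny"

def hc_clipboard(vm: MicroVM, direction) -> str:
    return "allow" if direction in vm.policy["clipboard"] else "deny"

HYPERCALLS = {0: hc_open_file, 1: hc_connect, 2: hc_device, 3: hc_clipboard}

def vm_exit(vm: MicroVM, nr, *args) -> str:
    """What the Microvisor runs on a VM_EXIT: unknown numbers, wrong arity and
    malformed parameters are refused before any handler acts on them."""
    handler = HYPERCALLS.get(nr) if isinstance(nr, int) else None
    if handler is None:
        return "deny"
    try:
        return handler(vm, *args)
    except (ValueError, TypeError):  # bad parameters never crash the Microvisor
        return "deny"

def demo_vm() -> MicroVM:
    """Constructed untrusted browser task with a path staged at offset 0x100."""
    mem = bytearray(0x1000)
    mem[0x100:0x111] = b"C:/Temp/page.html"  # 17 bytes
    policy = {"visible_files": {"C:/Temp/page.html"},
              "devices": {"keyboard", "mouse"}, "clipboard": {"in"}}
    return MicroVM("untrusted", mem, policy)
```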

Micro-virtualization in Action
Micro-virtualization adds hardware-enforced task isolation to the operating system – without doubt
the most robust form of isolation possible within a running OS. It can be used to solve some of the
most challenging problems in enterprise IT infrastructure where traditional software abstractions
for isolation have been shown to be vulnerable or unreliable. Some use cases for the technology are
discussed below.

Blocking Advanced Persistent Threats


Advanced threats can easily evade traditional signature based security solutions. Recent security
compromises have shown that attackers use polymorphic malware to evade host and network
based security. Using micro-virtualization it is possible to take a completely different approach to the
problem of securing end points. Whereas the current state of the art in end point security attempts
to identify attackers and prevent them from compromising the OS, micro-virtualization permits us to
take an approach in which we explicitly acknowledge the limitations of black-listing, augmenting
existing tools with granular isolation in time and space to prevent undetectable advanced threats
from compromising the desktop. Attackers typically enter the enterprise by exploiting the weakest
link in the security chain - the user. Users can be easily targeted through web, email and removable
media and by leveraging social engineering.

Bromium uses micro-virtualization to isolate such threats from the corporate desktop. By ensuring
that every vulnerable or untrusted task (for example rendering a web page or opening an email
attachment) is executed in its own micro-VM, we can guarantee that a compromised task cannot
access important enterprise state or applications, because the attacker is unable to escape from the
hardware-isolated micro-VM into the OS, its file system, or the enterprise network. In this model
every new URL click is isolated in its own micro-VM, protecting enterprise web-apps, and protecting
the desktop from attackers that use compromised web sites to gain access to the desktop.

The Bromium security model assumes that because of the rapid rate of malware evolution, at some
point an application task in a micro-VM will be attacked and will be compromised, but the granular
isolation afforded by the Microvisor, together with the resource control policies, ensures that any
attack that takes place is quarantined within the micro-VM. In addition, the Microvisor is itself
hardware isolated from all micro-VMs, protecting the Microvisor and Windows.

Protection of Sensitive Applications


Increasingly, end users expect to access enterprise applications (whether web based or delivered
using Microsoft’s Remote Desktop Services) over untrustworthy networks (e.g. a home network) and
devices (e.g. a home PC). While it is possible to securely identify the end user through the use of
two-factor authentication, a key risk to the enterprise arises from its inability to trust the device used
to access the application. If a key-logger or screen-scraper has compromised the remote user’s PC
then all data from the application session can be stolen. This problem can be overcome by ensuring
that the remote application session is isolated within a micro-VM, so that none of the application
content can be stolen.

This use of micro-virtualization places each high value application into its own micro-VM, as opposed
to untrusted code. The Microvisor ensures that the high value micro-VM is allowed to communicate
with the back-end application only, via a secure VPN, and that no other communication is allowed.
Moreover it can ensure that enterprise policies for local storage of any application data are
enforced, for example preventing local storage of data, or encrypting all data that is stored locally,
and blocking access to removable storage such as USB. Critically, when a system is attacked, it
discards any malware, eliminating the need for remediation.

Data Loss Prevention


Bromium micro-Virtualization can offer simple and yet powerful Data Loss Prevention (DLP) to every
desktop. An untrusted micro-VM cannot access files that are invisible to it (files that are hidden by
its resource policy), but if we explicitly engage the user in any case where data crosses a trust
boundary, we can empower the user. For example, one could permit a user to attach a sensitive
document to an untrusted web mail, only if the document is encrypted when presented to the
micro-VM, and appropriate logging or alerting of the action occurs. Micro-virtualization can
therefore incorporate a powerful DLP feature set into every PC, empowering the user without risking
compromise of enterprise data.

Secure Desktop Virtualization For Every PC


Many enterprises have been piloting deployments of Virtual Desktop Infrastructure (VDI) as part of
their desktop virtualization strategy. CIOs view the technology as adding a degree of control
(courtesy of centralization) and security (since desktop VMs are restarted from the right golden
image every log-on). VDI today is applicable to a relatively small proportion of desktops – for users
for whom a desktop VM is required (administrators, off-shore developers, traders) and for whom
centralization is strictly necessary – perhaps for reasons of compliance. But for the vast majority of
users the preferred client form factor is the PC; and increasingly the trend is toward the adoption of
laptops by an IT-savvy, mobile workforce.

Micro-virtualization delivers all of the benefits of VDI together with application layer security, on the
devices that users want to use – their PCs and laptops.

• Every new micro-VM is instantly created from the known-good golden desktop image, which
does not change except under IT control
• Enterprise data is protected both at rest and at runtime – an industry first
• Users get to safely use enterprise data and access enterprise applications both on- and off-
line, from any network
• The desktop is protected from malware, viruses and APTs
• Granular policies for access to and distribution of enterprise data are applied on every PC.

PC Configuration & Lifecycle Management


The desktop team in every enterprise is constantly concerned about the vulnerability of their
desktops. Whenever the security ecosystem identifies a new vulnerability, administrators go into
panic mode as they seek to quickly distribute patches to every PC. But off-line PCs or devices that
are mobile might not get the latest patches, leaving them vulnerable.

Because Bromium assumes that some task will be compromised at some point and because the
Microvisor is designed to isolate compromised tasks, the architecture offers security at all times - the
system will still be safe even with vulnerable software. IT staff can apply patches when it suits them
and their users, and with full confidence that their systems are always protected.

Perhaps most importantly, Bromium enabled PCs do not need to be re-imaged when an attack
occurs. The system simply shrugs off malware, leaving the system “always gold”. This saves
countless hours of IT’s time, reduces support calls, and keeps users productive.

Summary
Bromium micro-virtualization adds granular, resilient task isolation and security to Windows. Micro-
virtualization dramatically enhances security, simplifies software lifecycle management, and protects
enterprise data at all times by making endpoints trustworthy and resilient. It can achieve this with
no changes in management practice or toolsets, and with an unchanged user experience.

To learn more, and to participate in our Beta program, please visit us at www.bromium.com
