Bromium

From Wikipedia, the free encyclopedia
Bromium
Type: Private
Industry: Computer software
Headquarters: Cupertino, California, United States
Area served: Worldwide
Key people: Gaurav Banga (CEO); Simon Crosby (CTO); Ian Pratt (SVP Products); Rahul Kashyap (Chief Security Architect, Head of Research)
Employees: 110 (2013)
Website: www.bromium.com

Bromium is a venture-backed startup based in Cupertino, California that develops software that applies the isolation and security principles of hardware-based virtualization to tasks running within the operating system of a PC, server or mobile device.

History

Bromium was founded in 2010 by Gaurav Banga, CEO and former CTO and SVP, Engineering at Phoenix Technologies, together with former Citrix and XenSource executives Simon Crosby and Ian Pratt.[1] The company has raised a total of $35.7M in two rounds of venture funding. Bromium announced the closure of a $9.2M Series A round of funding with Andreessen Horowitz, Ignition Partners and Lightspeed Venture Partners on June 22, 2011.[2] $26.5M in Series B funding from lead investor Highland Capital Partners, new investor Intel Capital, and existing investors Andreessen Horowitz and Ignition Ventures was announced on June 20, 2012.[3]

Technology

Bromium's core technology is called micro-virtualization.[4] It uses the hardware-isolation capabilities available on x86 CPUs for virtualization to isolate tasks in a running operating system. It is implemented by a lightweight, special-purpose, late-load hypervisor called a Microvisor. The Microvisor automatically identifies each user-initiated untrustworthy task (examples: each top-level domain or tab in a web browser, each untrustworthy file, each mail attachment) and hardware-isolates its execution within a micro-VM.

Each micro-VM runs natively within an Intel VT-x VMCS, and uses the Extended Page Tables (EPT) capability to achieve near-native performance. A micro-VM encapsulates all user-space and kernel execution for a given task. A task running within a micro-VM can only access OS services and resources via "enlightened" service APIs that cause the virtualization hardware to pause execution of the micro-VM (resulting in a hardware VM_EXIT on the CPU), yielding control to the Microvisor.

The Microvisor enforces task-specific mandatory access control (MAC) policies in a trusted execution context (the hypervisor), whenever a micro-VM attempts to access key OS services or resources. It imposes control over access to the file system, a least-privilege network model, and all hardware devices. The Microvisor implements a Least Privilege Separation Kernel [5] by limiting access on a per micro-VM basis to resources in the host operating system.

Micro-VMs are hardware-isolated from each other and from the host OS. Trusted and untrusted tasks can thus coexist on a single system with mutual isolation. To the host, micro-VMs appear as normal tasks, and the host OS schedules them for execution and performs all legitimate file-system, networking and device I/O on their behalf. The host also tracks performance and resource usage for each micro-VM. Key properties of the system include:

• When a micro-VM executes, any changes it makes to its view of the in-memory OS image or its "golden" file system are cached copy-on-write in the context of the micro-VM only, and are not made to the host system. For example, if an attacker changes a Windows kernel memory page, it only succeeds in modifying an instantly created local copy of that page, not the original.
• Each micro-VM is granted only a narrow view of system resources, containing only the minimum set of resources it needs for successful execution, according to the principle of "least privilege".
• When a micro-VM terminates (the user closes the window, or the task exits) the Microvisor discards the task's memory image and uses a persistence policy to determine whether to persist any new files. Any persisted files are securely tagged with metadata that encodes their provenance and trust; the Microvisor ensures that untrusted files can only be accessed from a micro-VM.
• The Microvisor restricts micro-VM access to network services: untrustworthy tasks cannot access "trusted" networks or "high value" SaaS/RDS applications, and access to "high value" sites over an untrustworthy network requires a secure end-to-end VPN.
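The four properties above can be modelled as a small policy-enforcement simulation. The following is an added illustration, not Bromium's code: a `Microvisor` class stands in for the trusted context that every "enlightened" service call traps into, each `MicroVM` carries a least-privilege view of host paths and a private copy-on-write overlay, and `terminate` applies a persistence policy and tags surviving files with provenance. The host image, task names, paths and network names are constructed sample data.

```python
"""Toy model of micro-VM isolation: copy-on-write views over a golden host
image, a per-task least-privilege view checked at each trapped call, a network
policy, and provenance tagging of files that survive termination.
Illustrative only; this is not Bromium's implementation."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class MicroVM:
    task: str
    view: frozenset             # host paths this task is allowed to see
    networks: frozenset         # networks this task may reach
    overlay: dict = field(default_factory=dict)   # private copy-on-write layer
    running: bool = True


class Microvisor:
    """Stands in for the trusted context that mediates every resource access."""

    def __init__(self, host_fs, trusted_networks):
        self.host_fs = dict(host_fs)                  # golden image; micro-VMs never write it directly
        self.trusted_networks = frozenset(trusted_networks)
        self.tags = {}                                # path -> provenance metadata of persisted files

    def spawn(self, task, view, networks):
        return MicroVM(task, frozenset(view), frozenset(networks))

    def _check(self, vm, ok, why):
        # Each public method below models an enlightened API call: the micro-VM
        # is paused (VM_EXIT) and policy is evaluated here before anything happens.
        if not vm.running:
            raise AccessDenied(f"{vm.task}: micro-VM already terminated")
        if not ok:
            raise AccessDenied(f"{vm.task}: {why}")

    def read(self, vm, path):
        self._check(vm, path in vm.view or path in vm.overlay,
                    f"{path} is outside the least-privilege view")
        return vm.overlay.get(path, self.host_fs.get(path))

    def write(self, vm, path, data):
        # Writes never reach the host: they land in the micro-VM's own copy.
        self._check(vm, True, "")
        vm.overlay[path] = data

    def connect(self, vm, network):
        self._check(vm, network in vm.networks and network not in self.trusted_networks,
                    f"untrusted task may not reach {network}")
        return True

    def terminate(self, vm, persist):
        """Discard the memory image and overlay; keep only files the persistence
        policy accepts, tagging each with its origin and trust level."""
        self._check(vm, True, "")
        vm.running = False
        kept = []
        for path, data in vm.overlay.items():
            if persist(path):
                self.host_fs[path] = data
                self.tags[path] = {"origin": vm.task, "trust": "untrusted"}
                kept.append(path)
        vm.overlay.clear()
        return kept

    def host_open(self, path):
        """Trusted host context: refuses files tagged untrusted; those must be
        opened inside a fresh micro-VM instead."""
        if self.tags.get(path, {}).get("trust") == "untrusted":
            raise AccessDenied(f"{path} is untrusted; open it inside a micro-VM")
        return self.host_fs.get(path)


def _denied(fn):
    try:
        fn()
        return False
    except AccessDenied:
        return True


def demo():
    """Walks through the four listed properties and returns the observations."""
    mv = Microvisor(  # constructed sample host image and network policy
        host_fs={"/windows/kernel": "original page", "/docs/memo.txt": "internal memo"},
        trusted_networks={"corp-lan"},
    )
    tab = mv.spawn("browser-tab:example.test", view={"/windows/kernel"}, networks={"internet"})
    out = {}
    mv.write(tab, "/windows/kernel", "attacker-patched page")      # modifies only the private copy
    out["vm_sees"] = mv.read(tab, "/windows/kernel")
    out["host_keeps"] = mv.host_open("/windows/kernel")
    out["memo_denied"] = _denied(lambda: mv.read(tab, "/docs/memo.txt"))   # outside the view
    out["corp_denied"] = _denied(lambda: mv.connect(tab, "corp-lan"))      # trusted network
    out["internet_ok"] = mv.connect(tab, "internet")
    mv.write(tab, "/downloads/report.pdf", "downloaded bytes")
    out["persisted"] = mv.terminate(tab, persist=lambda p: p.startswith("/downloads/"))
    out["kernel_after"] = mv.host_open("/windows/kernel")           # patch died with the micro-VM
    out["host_open_denied"] = _denied(lambda: mv.host_open("/downloads/report.pdf"))
    viewer = mv.spawn("file:/downloads/report.pdf", view={"/downloads/report.pdf"}, networks=set())
    out["reopened_in_vm"] = mv.read(viewer, "/downloads/report.pdf")
    out["tag_origin"] = mv.tags["/downloads/report.pdf"]["origin"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately keeps the kernel patch visible to the tab that made it (the attacker sees apparent success) while the host's copy is untouched and the change is dropped at termination; the only state that crosses the boundary is what the persistence policy admits, and that state carries a tag the host honours.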

Because micro-VMs are just tasks, their lifecycle and resource management must be automatic and instantaneous, in response to user actions. This allows virtualization to be used to deliver enhanced security and resilience without any change to the end-user experience. It also means no new IT skill sets or tools are required to manage the Microvisor. The Microvisor is managed using simple enterprise policies and has no management console of its own.

The Microvisor's attack surface is very narrow, making it difficult to penetrate. A report from NSS Labs details penetration testing of the Bromium architecture, which achieved a perfect score in defeating all malware and expert human attempts at penetration.[6]

Products

vSentry 1.0 was available for Windows 7 only. vSentry 1.1, released on December 11, 2012, added support for Windows Server 2008 R2 and multi-user Remote Desktop Services.[7] vSentry requires an Intel processor with VT-x and EPT.

Bromium is working on a version of vSentry for Mac OS X systems.[8]

This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.