Simon Crosby and the Security Virtues of Micro-Virtualization
The Bromium cofounder and CTO sketches his startup's system architecture.
Simon Crosby, cofounder and CTO of security startup Bromium, is the first to admit his new company is making some big promises to potential customers -- and it has to make a big hit right out of the box. Virtualization Review Editor in Chief Bruce Hoard talked with Crosby recently about how he intends to do that, and what's in it for customers.
VR: How do CIOs describe their pain points to you when it comes to cloud security?
Crosby: Let me define it my way. Everybody's off busy building their private cloud because the outside world is too scary. But if your enterprise has 50,000 PCs in it, which is not atypical, then you have 50,000 insecure access points to your private cloud. To my mind, the cloud security problem is the problem of security for the enterprise, and the way in is the client. Think about this in terms of the cloud. You would never, as a CIO, consider running your stuff on a cloud infrastructure that wasn't multitenant-aware. But let me ask you this question, then. How many tenants are there on your PC?
VR: One per, usually.
Crosby: Well, you think it's one. If it's a work PC, you might think it's two -- there's enterprise stuff there, and then there's your stuff. In fact, the number of tenants on your PC is the number of Web sites that you've visited, because every one of them sent some code back to your PC to be executed locally. Then how good do you think your PC is at defending multitenancy?
"Bromium solves a very profound problem, which is that there's a fundamental mismatch between our humanity and the computer systems that we use."
Simon Crosby, Cofounder and CTO, Bromium
Crosby: It's pathetic. OK. So that's our problem. The problem is new work styles and consumer use of enterprise devices. It's the client that's the problem. It's the changing expectations of users, their demands for a broader range of applications. And the horrible position that IT finds itself in, which is that the only way it claims it can protect us is by building higher and higher barriers to productivity. Bromium is solving a problem, which is broad. We're starting on the client.
VR: We've set the table here. Give me the overview. How does Bromium work?
Crosby: Bromium solves a very profound problem, which is that there's a fundamental mismatch between our humanity and the computer systems that we use. Let me give you three ways in which humanity does not match up to current systems. You or I will click on the bad attachment because we're gullible -- that's a human property. Somebody wrote the code -- and, by the way, there's roughly 100 million lines of code on your desktop, and so there will always be another zero day. Put the first two together, and you'll find out that the bad guy will get in. There's no way to get out of that. So the first thing that you've got to realize is that our humanity is not modeled properly by our devices.
IT kind of gets this. Then you say, "Well, OK, what are you going to do about it?" IT says, "We're going to build a big wall around the enterprise. Like an old walled city. Like Troy." So now I've got everybody inside the walls of my building, and what's the problem? I'm now no longer a productive enterprise because to be productive as humans, we have to go out. We have to go and find out stuff. We have go and do deals. We have to meet people. We have to go into places of unfathomable trust, and when we go there, our systems can't protect us. That, by the way, is where you'll be attacked. It's when you browse that crazy public Web site or when you open an attachment. You are, at that point, in a domain of unfathomable trust. We don't know it's good. We don't know it's bad. We can't know the innocence of the attacker, and we know the system is vulnerable. That's the problem.
By the way, if you could solve that problem, you'd solve all of the problems of endpoint security, lifecycle patch management, data-loss prevention -- that's how virtualization kind of becomes moot. How do you solve that problem? Bromium has developed a technology, which we call micro-virtualization, which uses virtualization hardware and other features in the chip set for security in order to completely flip the model on its head. To do that, we need to take a break. So the first thing we do here is say "micro-virtualization." The most important thing to realize is that nothing I'm about to say is about the traditional hypervisor or VMs [virtual machines] or any of that. We don't care about any of that stuff.
VR: So what's the secret sauce?
Crosby: What we care about is hardware isolation in the chip set. We use that to wrap a very hard isolation container instantly, automatically and completely unseen by the user in the context of a natively installed, running operating system. We'll talk about Windows. Every single time you click on a URL, every time you open a document, every time you open an attachment or do anything which involves any data of unknown provenance or any code of unknown provenance, I will instantly, invisibly and automatically take that task running in the operating system, and wrap it in a hardware-isolation container, which we call a micro-VM, so it can run concurrently with all the other tasks on your desktop -- but in a way which absolutely protects the system from any untoward consequence.
VR: I'm with you. But how do you detect what's legitimate and what's not?
Crosby: The key here is that you can't. What I have to do is isolate. You click on a URL and it's somewhere out there. I don't know if it's good or bad. I have to deliver it. I have to render it to you, and all the stuff that you'd expect, but I have to protect you from it. And the technology to do that is micro-virtualization. It does some amazing things. You click on a URL, and as far as you're concerned, the Web page is rendered and you're off. You have no clue that the micro-visor is there. Instantly, on the fly, automatically, we're hardware-virtualizing vulnerable tasks running within the operating system.
VR: Tell me more about the micro-VM.
Crosby: The property of a micro-VM is that essentially we revoke its access to any system resources, which would normally require privilege to get hold of. What are those? Read or write file systems, user networks, dealing with the user keyboard, registry, any other devices and so on. The only way that the micro-VM can get access to any system resource is as a result of a VM exit on the hardware. That is, the moment a micro-VM tries to access any system resource, it will be stopped by the hardware, and at that point, the micro-visor is in control, and we know that we're running our code, and our code is good. At which point, we can evaluate the request for resources that the micro-VM had. More importantly than that, a micro-VM is a near-perfect implementation of the principle of least privilege. When you browse to Facebook -- that is, there's some browser tab going to Facebook.com -- what files does it need in its file system? You only need the cookie for Facebook, and nothing else, and that's all it gets. When you open a PDF document, what files do you need? You need the PDF file I asked you to open and nothing else.
So, the system resources that are presented to the micro-VM are an implementation of the principle of least privilege with regard to all core system resources. Specifically, if you're going to some crazy public Web site, and now you want to send packets on the network, I will guarantee that you never send any packets into my intranet or to any site that I consider to be high value because I don't trust you. If you're a PDF document, and you happen to want to send a packet out to the Internet, you'll find you're on a Windows PC with no network interface. By the way, if you're a PDF and you wanted to send a packet out, it's a pretty clear sign that you're a bad guy. So, when we create a micro-VM, we create the worldview for it that it can't change, which presents an implementation of the principle of least privilege. Then when the micro-VM is running, of course, it's impossible to decide whether anything is good or bad, and we're going to have a very simple model for protection, which is this: If the micro-VM changes the operating system in any way, we'll allow it to do so -- copy and write. That is, let's say the bad guy is in the micro-VM and drops some change into some Windows kernel page. As far as I'm concerned, that's fine. Go right ahead. You can copy and write as much as you want against the old system, which is running, but you don't get to change it. Let me give you a way of thinking about this. If you're in the micro-VM, you're looking through a plate-glass sheet at Windows itself. You can go off and I can give you a whiteboard pen, and you can scribble all over [the glass], but you're not changing Windows, you're scribbling, and all I have to do is remember where your scribbles are.
VR: Who's your target audience?
Crosby: Bromium will sell to enterprises, and the folks we're engaging with are enterprises who are being tackled based on advances to system threat, but also enterprises facing challenges of mobility, and workers using devices to access the enterprise set of applications where they can't reason about the security of the device.
VR: So you're not just selling to services providers.
Crosby: No. We're selling to enterprises. This is enterprise software that runs on a PC, and makes that PC essentially invulnerable to me because I'm the one who will make the mistake and invite the bad guy in.
VR: What benefits are you promising your customers?
Crosby: You get a PC, which is secure by design because the architecture is resilient to new attacks without any signatures. You get a PC that naturally protects itself from my silly mistakes. You get a system where data is protected at runtime. Everybody knows how to protect data at rest, but at runtime your data is protected now. You get a system that naturally sheds all malware. The moment you close the window, I'm just going to throw away the entire execution standard, which is micro-VM, and it's just gone. The malware just goes. You get a system that protects you even if the device hasn't been patched. You get a system that's a better PC that doesn't require any new management tools, and that doesn't screw up the user experience -- desktop virtualization definitely screws up the user experience. You just get a great, reliable device, and you get a device that naturally polices boundaries of trust. That's where virtualization people are tying themselves in knots about how to allow people to personalize their virtual desktops. Whenever you go to untrustworthy worksites, it's throwing some code back at the system, which I have to protect the system against.
So you get to have a device that's personal and secure. You get to empower users where IT today has to say no. You get to guarantee compliance and security without locking down the user. You give the user a device that meets their needs.