On the 8/9 Virtualization Security podcast, we continued our discussions on defense in depth with a look at end-user computing devices, specifically laptops and endpoint desktops, with Simon Crosby, CTO of Bromium. While we also discussed phones and tablets, we were focused more on the technology preview that now is Bromium vSentry. Bromium vSentry looks to protect laptops (and other machines) from unknown and zero-day attacks in a unique hardware-assisted way. There is now a new tool in our defense in depth toolbox that meets an ever-growing need. But what is the need, and what is the tool? Simon led off with an interesting problem statement, and I paraphrase:
You are traveling and you suspect, but do not know, that the hotel network has been compromised. If you are in certain countries, this is a guaranteed behavior; if you are in others, it is more than possible. In either case, as soon as you plug your laptop or other end-user computing device into the network, you are at risk from attack, man-in-the-middle, etc. Normal methods to protect against such attacks would be meaningless.
So what is the solution? I paraphrase once more:
What if we could place the initial connection to the hotel network into a micro-VM, then once that connection is established use another micro-VM to establish our VPN connectivity? The micro-VMs do not talk to each other, and once we close the web browser we used for the initial connection, the micro-VM and its contents are thrown away.
Now that sounded interesting to me, as one who carries around a laptop everywhere for work. I often use that laptop to VPN into my datacenter and from there access my virtual desktop. I only go through such draconian measures for critical subsystems, but it works. However, I worry about the VPN connectivity. While a VPN is a defense in depth measure for encryption of data in motion, if the endpoint device has been compromised, the VPN can be compromised, too. Unlike anti-virus and anti-malware, Bromium does not prevent the attack from occurring; it limits the attack surface to whatever is in the micro-VM, which is NOT a huge amount. If you are editing a Word document, for example, the only thing in the micro-VM is the document and no other aspect of the filesystem. So perhaps the attack could infect the Word document or has already infected the Word document. With micro-VMs the infection or attack would NOT propagate past the Word document.
Even so, this does not fully eliminate the need for anti-virus or anti-malware to clean your system once an attack is recognized. Bromium contains attacks. It could be said that since attacks are localized events (local to the micro-VM), that anti-virus and anti-malware is not needed. However, they will still be needed to clean up the system because malware, even running in a micro-VM, could cause a system to run slow.
What Bromium has added into the mix is a hardware-dependent endpoint security measure that allows more defense for your data access, as every process and window can run within its own micro-VM. It is a simple concept. But, it is also a complex one, as it is in itself a form of multi-layer security (MLS) linked to mandatory access controls for some aspects of the environment, not the full environment. MLS is a big win for endpoint devices.
However, the Achilles heel, if there is one, for a tool like Bromium, is that it is currently limited to a windows endpoint device using an Intel processor that supports Intel VT, Intel VT-x, and Intel VT-d instruction sets, which leaves out ARM-based phones and tablets at this time. Intel VT-d is optional, as is VT-x, but Intel VT is required, as Bromium is a hypervisor but on the per-process level, or a microvisor, and depends heavily on hardware support, which means Bromium would not run well within a virtual desktop. As Simon stated on the podcast, the concept of sharing Intel VT is not well understood, and Intel VT does not share very well. However, VMware has started down the path of sharing Intel VT in a well-defined situation, as you are allowed to run virtual-in-virtual or Hyper-v, Xen, or ESX within ESX. Could Bromium make use of the same for VDI security? Could we further our virtual and cloud computing Defense in Depth?
Sharing Intel VT is a question more for Intel than for the hypervisor vendors, as we are talking about the hardware. Perhaps this is a future item and direction for Bromium.