
After Months of Secrecy, Startup Bromium Takes the Wraps Off a New Approach to Securing Client Endpoints

by Sean Michael Kerner

Bromium is a company founded by the team behind the open source Xen hypervisor. For much of the last year, the company has said little about the technology itself, talking only about its promise: delivering systems that are secure and trustworthy by design.

It’s a promise that Bromium has convinced investors to fund to the tune of $26.5 million. The startup announced its latest round of funding this week, led by Highland Capital Partners and including Intel Capital, Andreessen Horowitz, and Ignition Ventures.

“We're stocked up and ready to go,” Bromium CTO and co-founder, Simon Crosby told eSecurity Planet.

Crosby was one of the key leaders of the Xen project and served as a CTO at Citrix after it acquired XenSource in 2007. Crosby explained that Bromium is focused initially on the client rather than on server systems, though the technology will work on both.

“The reason why we're focused on the client side first is because we're trying to solve the problem of trust and security,” Crosby said.

In Crosby’s view, every user who logs into an enterprise network represents a potential risk, and the real challenge is the gap between what the individual user can be trusted with and what the enterprise needs to protect.

Traditionally, the challenge of secure access into an enterprise has been solved with a VPN that encrypts traffic in transit. In Crosby’s view, that approach is no longer adequate: encryption protects the link, not the endpoint, so users still bring the untrusted, potentially infected bits of their PCs with them when they log in to the network over a VPN.

“VPN is like dragging an Ethernet cable into Starbucks that everyone can use,” Crosby said. “It’s about the silliest thing I can think of. It’s high time for VPN to be banned.”

Leveraging his team’s expertise in virtualization, Bromium’s technology uses a small hypervisor (the microvisor) that relies on hardware virtualization support in the CPU.

In typical virtualization deployments today, the hypervisor sits on bare metal and the virtual machines run on top of it. Crosby stressed that the Bromium model is not about software isolation: in his view, that is too complicated and difficult to get right, because a typical PC carries around 100 million lines of code that would all have to be trusted.

Instead, Bromium applies virtualization inside a running operating system, hardware-isolating individual tasks rather than whole machines.

“The moment you do something as a user, I'll grab the task and put it into an Intel VT Isolated Context and I'll run that task hardware isolated from the rest of the system,” Crosby explained. “In doing so, we create a new mode of execution which is called Access Restricted, Copy on Write.”

Crosby added that when Bromium takes a task and places it in a VT isolation container, called a micro-VM, it presents the micro-VM with an abstraction of the system that is scoped to the trust level of the task.

“So if you're browsing to Facebook, what files do you need in your filesystem?” Crosby asked. “Precisely one: The cookie for Facebook.”

By limiting what each task can see and touch, the potential attack surface and the risk are significantly reduced. Crosby noted that micro-VM tasks run at normal native PC speed and there is no impact on the user experience.
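To make the “access restricted, copy on write” idea concrete, the following toy model is an added example written for this article; it is not Bromium’s code, and the policy table, file paths, the `TaskVM` class and the `simulate_compromised_browser_tab` scenario are all invented here. Bromium enforces these rules with Intel VT hardware isolation; the model reproduces only the semantics, so that the two security properties (a task sees only the files its origin needs, and nothing it writes or deletes reaches the host) can be checked on a constructed filesystem.

```python
"""Toy model of per-task 'access restricted, copy on write' isolation.

Illustrative simulation added for this article, not Bromium's code. The host
filesystem, the policy table and the attacker scenario are constructed here.
"""

from copy import deepcopy

# Constructed sample host filesystem: path -> contents (invented for the example).
HOST_FS = {
    "/home/alice/cookies/facebook.com": "session=abc123",
    "/home/alice/cookies/bank.example": "session=secret",
    "/home/alice/Documents/payroll.xlsx": "salary data",
    "/home/alice/Downloads/report.pdf": "pdf bytes",
}

# Policy: the set of host paths a task of a given origin may read.
# Invented for the example; mirrors the "only the Facebook cookie" idea.
POLICY = {
    "browse:facebook.com": {"/home/alice/cookies/facebook.com"},
    "open:report.pdf": {"/home/alice/Downloads/report.pdf"},
}


class AccessDenied(Exception):
    """Raised for any path outside the task's view (it does not exist to the task)."""


class TaskVM:
    """One isolated task: a restricted read set plus a private copy-on-write overlay."""

    def __init__(self, origin, host_fs, policy):
        self.origin = origin
        self._host = host_fs                      # shared; never written by the task
        self._allowed = set(policy.get(origin, set()))
        self._overlay = {}                        # task-private writes
        self._deleted = set()                     # task-private deletions

    def read(self, path):
        if path in self._deleted:
            raise AccessDenied(f"{self.origin}: {path} not visible")
        if path in self._overlay:
            return self._overlay[path]
        if path in self._allowed:
            return self._host[path]
        raise AccessDenied(f"{self.origin}: {path} not visible")

    def write(self, path, data):
        # Copy on write: the host copy is never modified, only the overlay.
        self._overlay[path] = data
        self._deleted.discard(path)

    def unlink(self, path):
        if path in self._deleted or (path not in self._overlay and path not in self._allowed):
            raise AccessDenied(f"{self.origin}: {path} not visible")
        self._overlay.pop(path, None)
        self._deleted.add(path)

    def listdir(self):
        """Everything the task can currently see: allowed host files plus its own writes."""
        return sorted((self._allowed | set(self._overlay)) - self._deleted)

    def close(self):
        """Task ends: the overlay is thrown away, so nothing it did persists."""
        self._overlay.clear()
        self._deleted.clear()


def simulate_compromised_browser_tab():
    """Constructed scenario: a Facebook tab is hijacked and tries to steal the bank
    cookie, drop a binary, and delete files. Returns what the task and host saw."""
    before = deepcopy(HOST_FS)
    vm = TaskVM("browse:facebook.com", HOST_FS, POLICY)
    r = {"own_cookie": vm.read("/home/alice/cookies/facebook.com")}
    for key, path in (("bank_cookie", "/home/alice/cookies/bank.example"),
                      ("payroll", "/home/alice/Documents/payroll.xlsx")):
        try:
            vm.read(path)
            r[key] = "leaked"
        except AccessDenied:
            r[key] = "invisible"
    vm.write("/home/alice/Downloads/dropper.exe", "malware")   # lands in the overlay only
    vm.unlink("/home/alice/cookies/facebook.com")              # deletes the task's copy only
    r["vm_view"] = vm.listdir()
    vm.close()
    r["host_unchanged"] = HOST_FS == before
    r["fresh_task_view"] = TaskVM("browse:facebook.com", HOST_FS, POLICY).listdir()
    return r


if __name__ == "__main__":
    for k, v in simulate_compromised_browser_tab().items():
        print(f"{k}: {v}")
```

The point of the scenario is the last two results: after the hijacked task has dropped a file and deleted the one file it could see, the host filesystem compares equal to its pre-task snapshot, and a fresh task of the same origin starts from the clean host view again. Whether a real micro-VM can be escaped is a property of the microvisor, not of this model, which only shows what the policy is meant to guarantee.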

“The vulnerability surface is 10,000 lines of code,” Crosby said. “So we've moved from a system with 100 million lines to 10,000.”

While the idea behind Bromium is to have systems that are secure by design, there is still one potential risk. If the machine has already been compromised before the microvisor is installed, so that the attacker sits underneath the isolation rather than inside a micro-VM, Bromium won't be of much help. As such, Crosby said that Bromium will have to be installed on a gold master system that comes from a trusted source.

“’Cause if the bad guy is already in, he’s in,” Crosby said.

Bromium is now in a private beta. Full general availability will come when the company is absolutely confident in the technology, according to Crosby.

Source: eSecurity Planet