Micro-virtualization

This thread could also have been titled "Bromium vSentry."

Definition

Still Dreaming of Perfect Code?

Micro-virtualization vs Software Sandboxing (paper):

Code:

 hxxp://www.bromium.com/sites/default/files/Bromium-Whitepaper-Micro-virtualization-vs-sandboxing_0.pdf

Bromium vSentry Sets New Standard for Security Effectiveness

No, bromium will not kill all malware forever

How will microvirtualisation change the security field, if at all?

 

Micro-virtualization for the Security Architect

 

Great thread, there´s a lot of interesting articles on their blog.

I thought this was kinda funny:

http://anti-virus-rants.blogspot.com/2013/05/more-on-bromium-and-snake-oil.html

However, I must say that I still can´t completely wrap my head around Bromium´s concept. If it´s really that awesome, why hasn´t M$ come up with something similar to protect the OS? Is it perhaps because of the overhead? It also makes me wonder: is it perhaps possible to use Intel VT (Micro-virtualization) in Application Sandboxes, like Sandboxie for example?

 

@Rasheed187: I believe that it's policy-based, so appropriate policies need to be supplied/created for each "task."

 

Now that I think of it, it´s a bit of the same as the Qubes OS, but it´s implemented as a HIPS instead of a whole new OS. Every app (and even every task) is running in its own sandbox. I must say that it sounds like overkill, so I would really like to see a demonstration of Bromium´s tech.

Also, like I said before, I wonder if Intel VT could be used by a tool like Sandboxie (or Invincea FreeSpace). So instead of them relying on a regular driver, they could rely on the hypervisor. I wonder if that´s technically possible.

 

Chrome also uses micro virtualisation when your CPU facilitates it on Windows, On Chrome OS and Chrome versions for linux it is even developed further.

 

You probably refer to the Chrome sandbox, which was discussed over here:

http://labs.bromium.com/2013/07/23/application-sandboxes-a-pen-testers-perspective/

 

I don't know about on Windows, but on Linux Chrome uses an empty chroot, PID namespace, and seccomp filters - basically a policy sandbox for restricting interaction with the kernel. It doesn't actually duplicate any kernel resources AFAIK.

That said, the empty chroot jail alone should be pretty effective. Breaking out a chroot is much harder when you don't have any external userspace code to do it with.

 

No the instruction level inner sandbox

 

Can you give a bit more info about this?

 

Native Client uses a processor specific feature called segmentation

 

Btw, about my question in post #5, I found it interesting to read that Invincea is claiming to use true-hardware virtualization (see link). I wonder what that means? Would there be any advantages in speed and perhaps also security?

http://www.techrepublic.com/blog/it...he-power-of-virtualization-to-combat-malware/

 

See

Code:

(direct download) hxxp://www.invincea.com/wp-content/uploads/2014/05/Invincea_tech_throwdown_microvirtualization_050614.pdf

Edit: I now see that you already found this link in another thread.