Virtualization has long been used to wring efficiency out of over-sized, under-used systems, but isolating applications and operating systems from the underlying hardware also produces immense flexibility that cloud services like AWS, Azure and
The essence of virtualization-enhanced security is the ability to arbitrarily shrink the OS and network attack surface of an application to the point that it is completely isolated from everything else on a system. As I put it in describing the NSX enhancements, "The idea is to use the ability to virtualize networks into arbitrarily small, and thus precise, software-definable units to reduce the attack surface for an application by narrowing its scope of network access to the smallest possible window." Bromium, founded by Simon Crosby, a virtualization pioneer and co-founder of the original VMware competitor XenSource, now part of Citrix, applies the same strategy to applications and other untrusted system processes. Unlike traditional VMs that run with OS-level granularity, Bromium has developed a microvisor, a lightweight, highly secure hypervisor, that automatically creates a new micro-VM for every task, which can be a browser tab, media stream, Word document or cloud file share, on a system. In that sense, they resemble Docker containers, but unlike software-based application isolation, micro-VMs exploit hardware security features like Intel VT to protect the underlying OS, network stack and peripherals.
The beauty of micro-virtualization, whether applied to a software task or network segment, is its software-enabled granularity. Creating circumscribed execution and communication layers tailored to a specific application or network service (like Active Directory or DNS) both limits the security risk to other applications and provides a simple way of detecting and neutralizing rogue software without disrupting the rest of the system. Crosby explains the security benefits,
Execution within a micro-VM is ephemeral, with all changes to system state saved in a throw-away cache, so malware cannot persist. When the task ends the micro-VM and the throw-away cache are simply discarded – with any malware. This makes Bromium protected endpoints self-remediating – eliminating any possibility of malware persistence. When an endpoint is attacked, malware may execute in the context of a micro-VM, but no content of value is available to be stolen, and the attacker cannot pivot onto the enterprise network to further his attack.
The Microsoft announcement ensures that Bromium can be easily and seamlessly integrated with Windows 10 clients and management systems. Yet Microsoft had already embraced virtualization as a security tactic. Windows 10 and upcoming server releases incorporate hardware-enforced system sandbox called Virtual Secure Mode (VSM) to protect key parts of the OS, including security tokens and OS boot code, from attack. It's conceptually similar to the iOS Secure Enclave and boot chain, although
We've taken these tokens which were being protected by Windows in a software store which was susceptible to malware or to applications with a high level of privilege and we're putting them inside a container. Even the kernel doesn't have access to take information out of that container if it's compromised. The VSM is basically a mini OS. Think of it as a Windows core OS – it's a very small OS that will require about 1GB of memory…
Microsoft is using the same VSM technique on Hyper-V in Server 2016 to create Shielded Virtual Machines that use a Trust Plane to protect VMs and associated data.
Using virtualization to enhance security is particularly ironic since early skeptics of virtualization's use in critical systems invariably pointed to the security risk of introducing a new software layer, with unknown vulnerabilities that has access to all system resources and applications. This is still a valid concern, however by greatly reducing the software footprint to the smallest set of features (and associated code) necessary to operate a hypervisor or virtual network link, significantly reduces its attack surface. After years of use and millions of installations, virtualization software has proven to be both reliable and remarkably secure and become the platform of choice for most enterprise applications.
Of course, by exploiting hardware security features, software like Bromium microvisors and VSM eliminate many other potential weaknesses. Augmenting system-level secure virtualization with virtual network micro-segmentation provides yet another layer of application isolation. Yet unlike hardware-based network security, a virtual network controller understands the full context of network activity by local applications, system process and file systems. As with micro-VMs, this contextual visibility allows micro-segmented zones to implement precise security policies that can automatically follow an application is it moves around a cloud data center. Borrowing (if not bending) a term used by NSX co-inventor and architect Martin Casado, the combination of system and network micro-virtualization techniques may have created the Goldilocks Zone: an ideal mix of application isolation, situational awareness and hardware-reinforced security.
