When malware infects our computers, we often wish we could consign that infernal software and its creators to some digital hell. Well, it turns out that an effective way to stop viruses and other dangerous code is placing it in a kind of limbo.
This new technique for trapping and neutralizing malware is a form of what’s called virtualization.
Taking Virtualization Out Of The Data Center
Virtualization is often used as an effective tool to use hardware resources more efficiently. With virtualization, one server can run multiple instances of various operating systems simultaneously—as well as the applications that run on top of them. You might have a copy of Linux running alongside a copy of Windows on the same machine, for example.
It’s one of the underpinnings of cloud computing, replacing the old model of server rooms crammed to the rafters with expensive hardware with virtual servers we access over the Internet.
But another use for virtualization could reshape the way we think about security on our personal computers, smartphones, and servers.
The idea of using virtualization as a security tool is not exactly new. If you have enough storage available, for instance, you can create a “clean” version of a virtual machine that can replace an infected computer in a few minutes. But such methods take time to set up and even more time to implement—in other words, it’s a pain in the butt.
Enter microvirtualization, a much more focused approach to creating virtual machines that has the capability to prevent malware from even getting near your operating systems or hardware.
How Our Computers Get Infected
To understand how this process works, here’s a very simplified primer on how things work on a computer. A task is performed, such as clicking on the link of a website. The action taken fires off a series of instructions in the browser that should have one and only expected result: fetch the Web page from the correct Web server and display the page in the browser window.
If only things were that simple. In the real world, that site might be infected with malware, a catch-all term for any kind of hostile code like a virus that attempts to infect our computer. Once it lodges itself on our computer, that malware then acts behind the scenes and adds more tasks the user may not be aware of, tasks such as “record what the user is typing in the password field” or “download this spambot from this site over here and start it running in the background.” Fun stuff like that.
If the machine running the browser has antivirus software or the browser has been configured to look out for such shenanigans, then it might stop the malware right then and there. Then again, it might not, depending on how cleverly the malware is coded.
With virtual machines, which mimic an entire “real” machine, the same problem exists. A virtual copy of an operating system can be affected by malware just like its physical counterpart, because it’s all just software.
What microvirtualization does is different. Instead of imitating an entire machine’s worth of multiple application and operating system tasks all at once, microvirtualized instances run a complete copy of the operating system and just one process.
Bromium CTO and cofounder Simon Crosby explains that this sort of “thin” virtualization is sort of like slices of a pie, where the “pie” is the entirety of the computer: kernel at the center, operating system outside of that, then the applications. A thin microvirtualized instance of that machine still has all of the layers, but just one small slice.
In fact, lots of thin slices. For every process that’s started from outside inputs, a microvirtualized system is very quickly created to handle that one process. For Bromium’s vSentry system, Crosby says it’s under 10 milliseconds.
Crosby was once the CTO of Citrix and then later a cofounder of XenSource, two influential companies in virtualization. Now at Bromium, Crosby is dedicated to the idea that microvirtualization, also known as OS or operating-system virtualization, is the best approach to providing real security to devices.
Go back to the explanation of how a task is performed: click on the link of a website, and the Web page from the correct Web server is fetched and the page is displayed in the browser window. Except this time, it’s on a perfect virtual copy of the operating system. When the operation is complete, the tiny VM is shut down, even as others are spun up for other tasks.
Malware in this type of environment would be rendered immediately inert. In the Bromium system, not only are micro-VMs quickly created, they are also configured with specific rules that instantly hard-stop any process in the micro-VM that tries to do something funny. Try something that’s not in the rules, and the VM evaporates.
Or, Crosby added, you could allow the malware to actually run within the micro-VM and then freeze the process like a fly in amber. Since malware is much easier to detect after it starts running, a frozen “sample” that’s locked off from the actual operating system would provide a rich amount of data for security firms, such as where and when the malware might be “phoning home.”
Bad News For Bad Guys
For malware creators, this is bad news. As far as their creations can tell, they’ve just infected a fresh system. They don’t realize it’s a virtual prison, where they’re going to be trapped and studied by researchers—or just deleted.
As Crosby demonstrated this technology in action, it was hard not to wonder why every single operating system in the world doesn’t have this feature. One thing that helps makes this technology work is Intel Virtualization Technology hardware that’s available in newer Intel processors. As those processors roll out widely, it should be easier to adopt the micro-VM approach for security.
The hurdle right now for Bromium, Crosby explained, is that in order to be properly created and managed, micro-VMs have to contain known processes, such as those generated by a browser or a PDF reader. Right now, Bromium would not fire off micro-VMs for just any application’s processes. Similar products, such as those from Invencia, also only contain select applications’ processes within virtualized containers.
But improvements in hardware and virtualization technology may mean the day is soon coming that any application can be protected from malware intrusion with OS virtualization. And that would be a fine day, indeed.
Image courtesy of Shutterstock.