As the application sandboxing approach to desktop security gains steam, experts caution that it's still not a magic pill.
Startup Bromium Inc. has brought sandboxing back into the spotlight with its release of vSentry, which augments existing security tools and uses hardware-based sandboxing rather than the traditional software-based approach. The new product could give IT shops a way to prevent security breaches, but some IT pros aren't fully sold on the concept. They point to existing vulnerabilities in the more popular software-based approach, such as with Java and with Google's Chrome browser.
"There is no magical wand to tap over your IT department, or magic crypto fairy dust that will solve the problem of security," said Gary McGraw, chief technology officer at Cigital Inc., an enterprise software security consulting firm in Dulles, Va. "Sandboxing is another weapon in our security arsenal, and IT will take all the weapons it can get."
The next generation of desktop security software
Traditional antivirus software stops known malware from infecting machines, and network firewalls help block unwanted packets. Both security tools, however, are based on detection. Unfortunately, modern attack vectors often are undetectable, which leaves many companies vulnerable.
IT shops need to stay vigilant with software patches, include layered security from the application stack to the network infrastructure, and work with third-party application vendors whose products "won't roll over and play dead when attacked," McGraw said.
Bromium's vSentry application uses what the company calls its proprietary microvisor to isolate individual computing tasks in a virtual container as soon as they are created. A microvisor spins up instantly anytime a user clicks on a URL, opens a document or an attachment in an email, or even accesses a file from an external thumb drive.
The idea is that if a user opens a URL containing malware, that piece of malicious code won't have access to anything else on the computer's operating system. System resources not needed to execute the task are kept outside the container under the principle of "least privilege." Any attempt by the malicious code to reach a part of the OS outside that container causes the Intel-hardware-assisted virtualization technology to stop the task immediately.
"All we've done is decouple protection from detection," said Simon Crosby, Bromium's CTO and co-founder.
The vSentry application runs each task's memory as copy-on-write, so once the specific computing task is closed, the micro-VM and any malware inside it are discarded, and the computer is returned to the golden image without the end user ever realizing it.
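To make the mechanism the preceding paragraphs describe concrete, here is a small, added Python model of a per-task container: a shared read-only golden image, a copy-on-write overlay for the task's own writes, a least-privilege allow-list of resources, and a close step that discards the overlay but hands it back for analysis. This is an illustration written for this article, not Bromium's code; the class and file names are constructed, and the "hardware" stop is modelled as an exception.

```python
"""Constructed model of copy-on-write, least-privilege task isolation (not vSentry's code)."""
from __future__ import annotations
from dataclasses import dataclass, field


class IsolationViolation(Exception):
    """Raised when a task touches a resource outside its allow-list (the hardware stop)."""


@dataclass
class MicroTask:
    name: str
    golden: dict[str, str]                 # shared golden image, never written
    allowed: frozenset[str]                # least privilege: resources this task may use
    overlay: dict[str, str] = field(default_factory=dict)   # copy-on-write private writes
    violations: list[str] = field(default_factory=list)     # denied accesses, for IT
    closed: bool = False

    def _check(self, path: str) -> None:
        if self.closed:
            raise RuntimeError(f"{self.name} is already closed")
        if path not in self.allowed:
            self.violations.append(path)
            raise IsolationViolation(f"{self.name}: access to {path} denied")

    def read(self, path: str) -> str:
        self._check(path)
        # The overlay shadows the golden image, so the task sees its own writes only.
        return self.overlay.get(path, self.golden.get(path, ""))

    def write(self, path: str, data: str) -> None:
        self._check(path)
        self.overlay[path] = data          # the golden image is never touched

    def close(self) -> dict[str, str]:
        """Tear the task down; the discarded overlay is returned as evidence."""
        self.closed = True
        evidence, self.overlay = self.overlay, {}
        return evidence


def run_untrusted_link(golden: dict[str, str]):
    """Open a (constructed) malicious link inside its own container and tear it down."""
    task = MicroTask("browser-tab", golden, frozenset({"/tmp/cache", "/tmp/download.exe"}))
    task.write("/tmp/download.exe", "MZ... constructed dropper")
    try:
        task.write("/etc/hosts", "127.0.0.1 bank.example")   # outside the allow-list
    except IsolationViolation:
        pass                                                  # task is stopped, not the host
    evidence = task.close()
    return golden, evidence, task.violations
```

After `close()`, the golden image is byte-for-byte what it was before the task ran, while the overlay and the denied-access list are what IT would examine.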
"Sandboxing technologies have certainly been effective against malware, and [vSentry] is an innovative extension of that approach," said Lawrence Pingree, an application security analyst at Gartner Inc., a Stamford, Conn.-based research firm.
Bromium isn't the only company approaching endpoint security with application sandboxing technology at the hardware level. Invincea Inc., a Fairfax, Va.-based software company, provides applications that run in a virtualized environment separate from the operating system. And Microsoft is working on a similar prototype called Project Drawbridge, which also containerizes applications at the process level.
Other endpoint security products that use virtualization have focused on performing behavioral analysis during code execution -- which is how Palo Alto Software Inc.'s WildFire works -- or at the chip level to monitor memory access -- such as McAfee Inc.'s Deepsafe does, Pingree said.
Desktop security software: Better safe than sorry
Traditional approaches to security are very reactive, and that's why the more proactive approach by Bromium and others is so intriguing, Cigital's McGraw said. Instead of the entire system being compromised, the application is sacrificed and dies gracefully in its own pod, he said.
For example, Gunnar Berger, an end-user client analyst at Gartner, said his home computer was recently compromised when he clicked on a link from Twitter that came from someone he trusted. Unfortunately, that person's Twitter account had been hacked, and clicking that one link compromised his entire system. Had Berger been running Twitter inside a hardware application sandbox, the malicious link and hacker would have been trapped inside the isolated container, unable to do any damage to his system. "It's good to see a product look at the security problem from a completely different standpoint," he said of vSentry.
Strengthening antivirus with application sandboxing
In addition, vSentry enables IT to analyze an attack vector's origins within milliseconds of an attack, and it automatically generates signatures for new attacks, which would take weeks for detection-based tools to identify, Bromium CTO Crosby said.
In the case of a zero-day attack, for example, vSentry would contain the attack and feed that information to IT, which then could use it to strengthen existing antivirus-definition protections for other employees, Gartner's Berger said.
Currently, vSentry works only with Windows 7 64-bit running on an Intel chip with the built-in hardware virtualization extension found on an Intel i3, i5 or i7 processor, plus a minimum of 4 GB of RAM. It is currently incompatible with Apple Inc.'s OS X, but Bromium said it is working on a Mac version for release in a few months. The company also is developing a version that could run on mobile devices and the advanced RISC machine, or ARM, architecture.
In addition, vSentry is deployed as a standard medium-scale integration, or MSI, package and configured via policies using Active Directory, with updates managed through Microsoft System Center. The product is licensed annually according to the number of seats, and pricing starts around $300 per user.