Bromium Inc. | Date: 2016-11-21
An isolated environment is instantiated in response to receiving a request to execute a process. One or more events occurring within the isolated environment in which the process executes are identified. Whether the actual behavior of the process executing within the isolated environment deviates from an expected behavior of the execution of the process is determined. Only when it is determined that the process deviates from the expected behavior is behavior data, which describes the actual behavior of the process during execution, stored. A determination is then made as to whether the process is compromised by analyzing the behavior data that describes the actual behavior of the process.
Bromium Inc. | Date: 2015-01-30
Approaches for executing untrusted software on a client without compromising the client, using micro-virtualization to execute the untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, a virtual machine is instantiated from the template, without human intervention, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describes the characteristics of a virtual machine suitable for a different type of activity. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention.
Bromium Inc. | Date: 2015-11-30
Approaches for composing the display of a virtualized web browser. When a host module of a virtualized web browser, executing in a host operating system, is instructed to display a new web page, policy data is consulted to determine whether one or more trigger conditions are satisfied. Upon determining that at least one of the trigger conditions is satisfied, the virtualized web browser, transparently to the user, retrieves and renders the new web page in a location different from the one in which the previous web page was retrieved and rendered. After the new web page has been retrieved and rendered at the location specified by the policy data, the host module displays the new web page. The policy data may also specify the behavior of individual tabs of the virtualized web browser.
Bromium Inc. | Date: 2013-12-24
Approaches for performing memory management by a hypervisor. A host operating system and a hypervisor are executed on a device. The host operating system is not configured to access physical memory addressed above four gigabytes. The hypervisor manages memory for the device, including memory addressed above four gigabytes. When the hypervisor instantiates a virtual machine, it may allocate memory pages for the newly instantiated virtual machine by preferentially using any unassigned memory addressed above four gigabytes before using memory allocated from the host (and hence addressed below four gigabytes).
Bromium Inc. | Date: 2016-04-19
Approaches for transferring control to a bit set. Execution of a bit set upon a host operating system is monitored. A determination is made that the execution of the bit set exhibits a suspicious characteristic. In response, execution of the bit set on the host operating system is ceased. The bit set is then copied into an isolated environment, and control is transferred to the bit set within that isolated environment. Thereafter, execution analysis of the bit set is initiated in the isolated environment. The isolated environment may, but need not, reside on a physical device different from the one on which the host operating system executes.
Bromium Inc. | Date: 2014-09-05
Approaches for transferring a file using a virtualized application. A virtualized application executes within a virtual machine residing on a physical machine. When the virtualized application is instructed to download a file stored external to the physical machine, it displays an interface that enables at least a portion of a file system maintained by a host OS to be browsed while preventing files stored within the virtual machine from being browsed. Upon receiving input identifying a target location within the file system, the virtualized application stores the file at the target location. The virtualized application may also upload a file stored on the physical machine using an interface that enables at least a portion of the host OS file system to be browsed while preventing files in the virtual machine from being browsed.
Bromium Inc. | Date: 2015-12-28
The execution of a process within a VM may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM.
Bromium Inc. | Date: 2015-11-30
Updating a central repository with information about malware resident upon a computer system. Upon detecting the malware executing in a virtual machine, a software module, without manual instruction, sends malware manifest data to a central repository over a network. The malware manifest data may comprise a copy of the malware and all versions, including temporary versions, of any files written to, updated by, or accessed by the malware. The central repository may receive, over a network from at least two computer systems, distinct sets of malware manifest data and may subsequently store the sets of malware manifest data.
Agency: Department of Defense | Branch: Air Force | Program: SBIR | Phase: Phase I | Award Amount: 149.97K | Year: 2014
ABSTRACT: Bromium will develop a novel type of client hypervisor that extends the concept of Bromium micro-virtualization (per-task hardware isolation of untrusted tasks) from its current type-2 Microvisor architecture to deliver a "type-1.5 Microvisor". The type-2 Microvisor can protect the host from attacks from the web and from documents that originate outside the device. The type-1.5 Microvisor is a late-load hypervisor that can de-privilege the host OS in order to protect high-value tasks from attack by a malicious user or a compromised host OS. The system will comprise a late-load "type-1.5" micro-Xen hypervisor that can be dynamically instantiated on an endpoint to provide robust protection of valued content/applications in a high-value trust domain. Each high-value application/document will be independently and securely executed within a protected micro-VM. These secured micro-VMs will protect the application/content even in the event that the host OS itself becomes compromised, or in the face of a malicious user at the keyboard. Intel TXT will be used to securely measure the hypervisor at launch, and the TPM will be used to attest to a third party, e.g. an Enterprise Rights Management (ERM) server, that the system and each domain is protected.
BENEFIT: The goal of this work is to extend the hardware-isolation properties of micro-virtualization to deal not only with untrusted information, but also to protect valuable information and applications curated within the enterprise. Information flows for a given trust domain that are created within an organization and securely transmitted between its computer systems should remain isolated and accessible only within that trust domain, across the enterprise. There are two primary needs for this:
1. Preserving the privileged nature of information will permit the hardware-isolation properties of micro-virtualization to be used in a proactive way, to prevent valued information from entering untrusted execution contexts or domains.
2. When mapped into an enterprise rights management context (such as Microsoft IRM), the enterprise can stipulate policies for the handling of different types of proprietary information on devices. Micro-virtualization provides a robust mechanism for enforcing rights management.
The results of this work that relate to the development of the type-1.5 Xen-based Microvisor will be delivered to the open source community. In addition, the prototype will be further developed and incorporated into the products of Bromium, Inc. for delivery to customers (including the Federal Government) that demand highly secure computing environments managing information flows from multiple domains of trust, and that need to protect these domains from malicious users or from a potentially compromised host OS. The system will be applicable to a broad swath of enterprise desktop environments within the Federal Government and in commercial environments.
Bromium Inc. | Date: 2014-03-02
Approaches for ensuring a digital file does not contain malicious code. A digital file in an original format may or may not contain malicious code. An intermediate copy of the digital file in an intermediate format is created from the digital file in the original format. The intermediate format preserves a visual or audio presentation of the digital file without supporting metadata or file format data structures of the original format. A sterilized copy of the digital file is created from the intermediate copy. The sterilized copy is in the original format. The sterilized copy comprises a digital signature indicating that the sterilized copy has been converted from the intermediate format to the original format. Advantageously, the sterilized copy is guaranteed to not possess any malicious code.