Bromium Inc. | Date: 2016-11-21
An isolated environment is instantiated in response to a request to execute a process. Events occurring within the isolated environment in which the process executes are identified, and it is determined whether the actual behavior of the process deviates from the expected behavior for that process. Behavior data describing the actual behavior of the process during execution is stored only when such a deviation is detected. Whether the process is compromised is then determined by analyzing the stored behavior data.
Bromium Inc. | Date: 2017-03-02
A software module executes in a first isolated execution environment. The module determines that the first environment has caused data to be written to a first clipboard maintained by the first environment. The module consults policy data to determine whether the data should additionally be written to a second clipboard maintained by a second isolated execution environment. The policy data does not allow certain types of clipboard objects to be written to the second clipboard even if their writing to the first clipboard was initiated or approved by a user, so that the user cannot introduce a potentially hazardous type of object into the second clipboard. Upon determining that the policy data allows the data to be written to the second clipboard, the software module causes the data to be written to the second clipboard.
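The policy check described above, as an added example that is not Bromium's code: a clipboard broker keyed on (source environment, destination environment) with three outcomes. Formats in "allow" are mirrored automatically, formats in "deny" are refused even when the user initiated or approved the copy, and anything else needs an explicit user action. The environment names, format identifiers and policy table are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClipboardObject:
    fmt: str                      # clipboard format, e.g. "text/plain", "file-list"
    payload: bytes
    user_initiated: bool = False  # True when the user explicitly pasted or approved the copy


# Policy data, keyed by (source environment, destination environment). Names and
# formats are illustrative assumptions, not Bromium's policy schema.
#   allow : formats mirrored automatically
#   deny  : formats never mirrored, even when the user initiated or approved the copy
#   anything else is mirrored only with an explicit user action
POLICY = {
    ("untrusted", "trusted"): {
        "allow": {"text/plain"},
        "deny": {"file-list", "ole-object", "text/html"},
    },
    ("trusted", "untrusted"): {
        "allow": set(),
        "deny": {"file-list"},
    },
}


class Clipboard:
    """Clipboard maintained by one isolated execution environment."""

    def __init__(self, env):
        self.env = env
        self.objects = []

    def write(self, obj):
        self.objects.append(obj)


def sync_clipboard(src, dst, obj, policy=POLICY):
    """Decide whether obj, just written to src's clipboard, may also be written to
    dst's clipboard, and perform the write if so. Returns the decision."""
    rules = policy.get((src.env, dst.env))
    if rules is None or obj.fmt in rules["deny"]:
        return "deny"  # default-deny between unknown pairs; hazardous types are never mirrored
    if obj.fmt in rules["allow"] or obj.user_initiated:
        dst.write(obj)
        return "allow"
    return "needs-user-action"


def demo():
    """Constructed sequence of copies from the untrusted to the trusted environment."""
    untrusted, trusted = Clipboard("untrusted"), Clipboard("trusted")
    decisions = [
        sync_clipboard(untrusted, trusted, ClipboardObject("text/plain", b"hello")),
        sync_clipboard(untrusted, trusted, ClipboardObject("text/rtf", b"{\\rtf1}")),
        sync_clipboard(untrusted, trusted, ClipboardObject("text/rtf", b"{\\rtf1}", user_initiated=True)),
        # A file list dropped by a malicious page must never cross the boundary,
        # even when the user explicitly pastes it.
        sync_clipboard(untrusted, trusted,
                       ClipboardObject("file-list", b"C:\\Users\\u\\evil.exe", user_initiated=True)),
    ]
    return decisions, [o.fmt for o in trusted.objects]


if __name__ == "__main__":
    print(demo())
```

The deny list is checked before the user-initiated flag on purpose: the whole point of the policy is that a user click cannot override it for object types (file lists, embedded OLE objects, HTML with active content) that would let a compromised untrusted environment plant something in the trusted one.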
Bromium Inc. | Date: 2016-07-01
Approaches for providing operating environments selective access to network resources. A guest operating system, executing on a device, may issue a request to a network device for access to a set of network resources. Once the guest operating system authenticates itself to the network device, the network device provides, to the guest operating system, access to the set of network resources. Note that the host operating system, executing on the device, does not have access to the set of network resources. A guest operating system may be provided access to an untrusted network in a manner that denies the host operating system access to the untrusted network. In this way, any malicious code inadvertently introduced into the host operating system cannot access the untrusted network for unscrupulous purposes.
Bromium Inc. | Date: 2015-01-30
Approaches for executing untrusted software on a client without compromising the client, using micro-virtualization to execute the untrusted software in isolated contexts. A template for instantiating a virtual machine on the client is identified in response to receiving a request to execute an application. After the template is identified, a virtual machine in which the application is to be executed is instantiated from the template without human intervention. The template may be selected from a plurality of templates based on the nature of the request, as each template describes the characteristics of a virtual machine suitable for a different type of activity. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine, again without human intervention.
Bromium Inc. | Date: 2015-11-30
Approaches for composing the display of a virtualized web browser. When a host module of the virtualized web browser, executing in a host operating system, is instructed to display a new web page, policy data is consulted to determine whether one or more trigger conditions are satisfied. Upon determining that at least one trigger condition is satisfied, the virtualized web browser, transparently to the user, retrieves and renders the new web page in a location different from the one in which the previous web page was retrieved and rendered. After the new web page has been retrieved and rendered at the location specified by the policy data, the host module displays the new web page. The policy data may specify the behavior of individual tabs of the virtualized web browser.
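The trigger-condition logic above, as an added example (not Bromium's implementation): each tab remembers the trust zone and the location in which its current page was rendered; a navigation whose destination falls in a different zone is the trigger, and the page is then fetched and rendered either in the host or in a fresh micro-VM. The trusted-host patterns, the location names and the single trigger condition are assumptions for the example; a real policy would carry more conditions.

```python
import itertools
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Policy data (an assumption for this example, not Bromium's schema): which hosts
# count as trusted, and where each zone is rendered.
POLICY = {
    "trusted_hosts": ["intranet.example", "*.corp.example"],
    "locations": {"trusted": "host", "untrusted": "micro-vm"},
}


def zone(url):
    """Classify a URL by its hostname. Match the whole hostname, never a substring
    of the URL: 'intranet.example.evil.invalid' and
    'https://evil.invalid/?q=intranet.example' must both land in the untrusted zone."""
    host = (urlsplit(url).hostname or "").lower()
    return "trusted" if any(fnmatchcase(host, p) for p in POLICY["trusted_hosts"]) else "untrusted"


class Tab:
    def __init__(self):
        self.zone = None
        self.location = None  # e.g. "host" or "micro-vm#3"
        self.url = None


class VirtualizedBrowser:
    """Host module: decides per tab where a page is retrieved and rendered, then displays it."""

    def __init__(self):
        self._vm_ids = itertools.count(1)
        self.tabs = {}

    def navigate(self, tab_id, url):
        tab = self.tabs.setdefault(tab_id, Tab())
        new_zone = zone(url)
        # Trigger condition: the zone changes (including the first navigation of a tab).
        if new_zone != tab.zone:
            if new_zone == "trusted":
                tab.location = POLICY["locations"]["trusted"]
            else:
                # Fresh isolated location. A micro-VM that has rendered untrusted content
                # is never reused after the tab has been back in the trusted zone.
                tab.location = f"{POLICY['locations']['untrusted']}#{next(self._vm_ids)}"
            tab.zone = new_zone
        tab.url = url
        # The page is retrieved and rendered at tab.location; the host module then
        # displays the result, so the user sees the same tab either way.
        return tab.location


if __name__ == "__main__":
    b = VirtualizedBrowser()
    for u in ("https://intranet.example/home", "https://www.example.com/", "https://hr.corp.example/"):
        print(u, "->", b.navigate(1, u))
```

Note the hostname check: deciding trust on a substring of the URL string is a common mistake that a query parameter or a look-alike subdomain defeats, so the example classifies the parsed hostname against whole-host patterns.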
Bromium Inc. | Date: 2016-04-19
Approaches for transferring control to a bit set. Execution of a bit set upon a host operating system is monitored. A determination is made that the execution of the bit set exhibits a suspicious characteristic. In response, execution of the bit set on the host operating system is ceased. The bit set is then copied into an isolated environment, and control is transferred to the bit set within that isolated environment, where execution analysis of the bit set is initiated. The isolated environment may, but need not, reside on a different physical device from the one on which the host operating system executes.
Bromium Inc. | Date: 2015-12-28
The execution of a process within a VM may be monitored, and when a trigger event occurs, additional monitoring is initiated, including storing behavior data describing the real-time events taking place inside the VM. This behavior data may then be compared to information about the expected behavior of that type of process in order to determine whether malware has compromised the VM.
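The deviation-triggered recording described in this abstract and in the 2016-11-21 abstract above, as an added example that is not Bromium's code: an expected-behavior profile for one process type, a monitor that starts storing behavior data only at the first event that falls outside the profile, and a separate analysis step that decides on compromise from the stored data. The profile, the indicator rules and the event streams are constructed for the example; they are not Bromium's profiles or event format.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    kind: str    # "file_write", "net_connect", "proc_spawn", "reg_write"
    target: str  # path, host:port, image path or registry key


# Expected behaviour per process type: for each event kind, the glob patterns a
# benign instance is expected to produce. Constructed for a hypothetical PDF reader.
EXPECTED = {
    "pdf_reader": {
        "file_write": ["c:\\users\\*\\appdata\\local\\temp\\*", "c:\\users\\*\\documents\\*.pdf"],
        "net_connect": ["updates.reader.invalid:443"],
        "proc_spawn": [],
        "reg_write": ["hkcu\\software\\examplereader\\*"],
    },
}

# Indicators applied to the stored behavior data when deciding on compromise.
INDICATORS = {
    "spawned interpreter": lambda e: e.kind == "proc_spawn"
        and e.target.lower().rsplit("\\", 1)[-1] in {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"},
    "persistence": lambda e: (e.kind == "file_write" and "\\programs\\startup\\" in e.target.lower())
        or (e.kind == "reg_write" and "\\currentversion\\run" in e.target.lower()),
    "unexpected network": lambda e: e.kind == "net_connect",
}


def expected(profile, ev):
    return any(fnmatchcase(ev.target.lower(), p) for p in profile.get(ev.kind, []))


class Monitor:
    """Stores behavior data only from the first deviation onward."""

    def __init__(self, process_type):
        self.profile = EXPECTED[process_type]
        self.recording = False
        self.behavior_data = []

    def observe(self, ev):
        if not self.recording and not expected(self.profile, ev):
            self.recording = True          # trigger: first deviation from the profile
        if self.recording:
            self.behavior_data.append(ev)  # everything from the trigger onward is kept

    def verdict(self):
        # Only deviating events count, so the reader's own update check never
        # trips 'unexpected network'. Two independent indicators mean compromise.
        hits = {name for name, rule in INDICATORS.items()
                for e in self.behavior_data if not expected(self.profile, e) and rule(e)}
        return len(hits) >= 2, sorted(hits)


def analyze(process_type, events):
    """Run the monitor over an event stream: (compromised, indicators hit, events stored)."""
    m = Monitor(process_type)
    for ev in events:
        m.observe(ev)
    compromised, hits = m.verdict()
    return compromised, hits, len(m.behavior_data)


# Constructed event streams.
BENIGN = [
    Event("file_write", "C:\\Users\\alice\\AppData\\Local\\Temp\\render.tmp"),
    Event("net_connect", "updates.reader.invalid:443"),
    Event("reg_write", "HKCU\\Software\\ExampleReader\\Recent"),
]
# A deviation that is not a compromise: the user saved a PDF to another drive.
ODD_BUT_FINE = BENIGN + [Event("file_write", "D:\\share\\report.pdf")]
EXPLOITED = BENIGN + [
    Event("proc_spawn", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    Event("net_connect", "203.0.113.7:8443"),
    Event("file_write", "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.vbs"),
]

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("odd", ODD_BUT_FINE), ("exploited", EXPLOITED)):
        print(name, analyze("pdf_reader", stream))
```

The ODD_BUT_FINE stream is the case the abstract's two-stage design is for: a deviation starts the (costly) recording, but the analysis of the recorded data still has to say whether anything was actually compromised, and here it says no.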
Bromium Inc. | Date: 2015-11-30
Updating a central repository with information about malware resident upon a computer system. Upon detecting the malware executing in a virtual machine, a software module, without manual instruction, sends malware manifest data to a central repository over a network. The malware manifest data may comprise a copy of the malware and all versions, including temporary versions, of any files written to, updated by, or accessed by the malware. The central repository may receive, over a network from at least two computer systems, distinct sets of malware manifest data and may subsequently store the sets of malware manifest data.
Agency: Department of Defense | Branch: Air Force | Program: SBIR | Phase: Phase I | Award Amount: 149.97K | Year: 2014
ABSTRACT: Bromium will develop a novel type of client hypervisor that extends the concept of Bromium micro-virtualization (per-task hardware isolation of untrusted tasks) from its current type-2 Microvisor architecture to deliver a "type-1.5 Microvisor". The type-2 Microvisor can protect the host from attacks from the web and documents that originate outside the device. The type-1.5 Microvisor is a late-load hypervisor that can de-privilege the host OS in order to protect high-value tasks from attack by a malicious user or a compromised host OS. The system will comprise a late-load "type-1.5" micro-Xen hypervisor that can be dynamically instantiated on an endpoint to provide robust protection of valued content/applications in a high-value trust domain. Each high-value application/document will be independently and securely executed within a protected micro-VM. These secured micro-VMs will protect the application/content even in the event that the host OS itself becomes compromised, or in the face of a malicious user at the keyboard. Intel TXT will be used to securely measure the hypervisor at launch, and the TPM will be used to attest to a third party, e.g. an Enterprise Rights Management (ERM) server, that the system and each domain are protected.
BENEFIT: The goal of this work is to extend the hardware-isolation properties of micro-virtualization to deal not only with untrusted information, but also to protect valuable information and applications curated within the enterprise. Information flows for a given trust domain that are created within an organization and securely transmitted between its computer systems should remain isolated and accessible only within that trust domain, across the enterprise. There are two primary needs for this:
1. Preserving the privileged nature of information will permit the hardware isolation properties of micro-virtualization to be used in a pro-active way, to prevent valued information from entering untrusted execution contexts or domains.
2. When mapped into an enterprise rights management context (such as Microsoft IRM), the enterprise can stipulate policies for the handling of different types of proprietary information on devices. Micro-virtualization provides a robust mechanism for enforcing rights management.
The results of this work that relate to the development of the type-1.5 Xen-based Microvisor will be delivered to the open source community. In addition, the prototype will be further developed and incorporated into the products of Bromium, Inc. for delivery to customers (including the Federal Government) that demand highly secure computing environments managing information flows from multiple domains of trust, and that need to protect these domains from malicious users or from a potentially compromised host OS. The system will be applicable to a broad swath of enterprise desktop environments within the Federal Government and commercial environments.
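The measure-then-attest flow the abstract relies on (TXT measures the hypervisor into a TPM register at launch; the TPM later proves that value to an ERM server), as an added example that is not Bromium's or the project's code. The PCR-extend arithmetic is the real TPM rule (PCR := SHA-256(PCR || digest), order-dependent and irreversible). Everything else is a simplification labelled as such: a single register reset to zeros stands in for the TXT dynamic-launch PCRs, an HMAC under a per-device key stands in for the TPM's asymmetric attestation-key signature, and the image bytes, key and allowlist are constructed.

```python
import hashlib
import hmac
import os


def sha256(b):
    return hashlib.sha256(b).digest()


def pcr_extend(pcr, digest):
    """TPM PCR extend: PCR := SHA-256(PCR || digest). Nothing can be un-extended,
    and the same measurements in a different order give a different value."""
    return sha256(pcr + digest)


def measured_launch(hypervisor_image, domain_images):
    """Endpoint side. Returns (event_log, pcr): the log lists what was measured, in
    order; pcr is the resulting register value (assumption: one register, reset to zeros,
    standing in for the TXT dynamic-launch PCRs)."""
    log, pcr = [], bytes(32)
    for name, image in [("microvisor", hypervisor_image)] + [(f"domain:{n}", i) for n, i in domain_images]:
        d = sha256(image)
        log.append((name, d))
        pcr = pcr_extend(pcr, d)
    return log, pcr


def tpm_quote(pcr, nonce, attestation_key):
    """Stand-in for TPM2_Quote: a real TPM signs (PCR values || nonce) with an asymmetric
    attestation key; an HMAC under a key known only to this TPM model plays that role."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def erm_verify(log, pcr, nonce, signature, attestation_key, known_good):
    """ERM server side: check the signature binds the PCR to the nonce this server issued,
    check every measured component is on the allowlist, and check that replaying the
    log reproduces the quoted PCR (so the log cannot be swapped under a real quote)."""
    if not hmac.compare_digest(tpm_quote(pcr, nonce, attestation_key), signature):
        return False, "bad signature or stale nonce"
    replay = bytes(32)
    for name, digest in log:
        if known_good.get(name) != digest:
            return False, f"unknown measurement for {name}"
        replay = pcr_extend(replay, digest)
    if replay != pcr:
        return False, "event log does not reproduce PCR"
    return True, "system and each domain protected"


# Constructed device and server state.
AK = b"per-device attestation key (assumption)"
GOOD_HV = b"micro-Xen type-1.5 image bytes (constructed)"
DOMAINS = [("finance", b"finance document viewer (constructed)"), ("legal", b"legal DRM reader (constructed)")]
KNOWN_GOOD = {"microvisor": sha256(GOOD_HV),
              "domain:finance": sha256(DOMAINS[0][1]),
              "domain:legal": sha256(DOMAINS[1][1])}


def attest(hypervisor_image, quote_nonce, server_nonce):
    """One attestation round. quote_nonce is what the endpoint signs over; server_nonce
    is what the ERM server remembers issuing. They differ only in a replay attempt."""
    log, pcr = measured_launch(hypervisor_image, DOMAINS)
    sig = tpm_quote(pcr, quote_nonce, AK)
    return erm_verify(log, pcr, server_nonce, sig, AK, KNOWN_GOOD)


def forged_log_case():
    """A backdoored launch that presents the known-good log next to its real quote."""
    good_log, _ = measured_launch(GOOD_HV, DOMAINS)
    _, bad_pcr = measured_launch(b"backdoored microvisor", DOMAINS)
    nonce = os.urandom(16)
    return erm_verify(good_log, bad_pcr, nonce, tpm_quote(bad_pcr, nonce, AK), AK, KNOWN_GOOD)


if __name__ == "__main__":
    n = os.urandom(16)
    print(attest(GOOD_HV, n, n))
    print(attest(b"backdoored microvisor", n, n))
    print(attest(GOOD_HV, n, os.urandom(16)))
    print(forged_log_case())
```

The three failure paths are the ones a verifier must distinguish: a replayed quote (nonce mismatch), an honest quote over a modified hypervisor (measurement not on the allowlist), and a forged event log presented alongside a genuine quote (replay of the log does not reach the signed PCR). The server only ever trusts the signed register value; the log is there to explain it.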
Bromium Inc. | Date: 2014-03-02
Approaches for ensuring a digital file does not contain malicious code. A digital file in an original format may or may not contain malicious code. An intermediate copy of the digital file, in an intermediate format, is created from the file in the original format. The intermediate format preserves the visual or audio presentation of the digital file without supporting the metadata or file-format data structures of the original format. A sterilized copy of the digital file is then created from the intermediate copy, in the original format. The sterilized copy carries a digital signature indicating that it was converted from the intermediate format back to the original format. Because the sterilized copy is rebuilt solely from the intermediate presentation, none of the original file's metadata or format structures, and hence none of any malicious code carried in them, survives into the sterilized copy.
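The original-to-intermediate-to-original round trip, as an added example that is not Bromium's code, using uncompressed 24-bit BMP as the original format because it can be written and parsed in a few lines. The intermediate format is just (width, height, pixel rows); the sterilizer parses only the fields needed to recover those and writes a brand-new file from them, so bytes hidden in the header gap or appended after the pixel array (the constructed "original" below has both) never reach the output. An HMAC under a key held by the sanitizer stands in for the digital signature; a real deployment would use an asymmetric key so that recipients can verify without being able to forge.

```python
import hashlib
import hmac
import struct


def write_bmp(width, height, rows):
    """Write an uncompressed 24-bit BMP from rows of (r, g, b) tuples, top row first."""
    row_size = (width * 3 + 3) & ~3            # rows are padded to 4-byte multiples
    pixels = bytearray()
    for row in reversed(rows):                  # BMP stores rows bottom-up
        for r, g, b in row:
            pixels += bytes((b, g, r))
        pixels += bytes(row_size - width * 3)
    offset = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + bytes(pixels)


def to_intermediate(bmp):
    """Intermediate format: (width, height, rows). Reads only the fields needed to
    reproduce the picture; every other byte in the file is ignored."""
    magic, _size, _r1, _r2, offset = struct.unpack_from("<2sIHHI", bmp, 0)
    _hdr, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if magic != b"BM" or bpp != 24 or compression != 0 or width <= 0 or height <= 0:
        raise ValueError("unsupported BMP variant")
    row_size = (width * 3 + 3) & ~3
    if offset + row_size * height > len(bmp):
        raise ValueError("truncated pixel data")
    rows = []
    for y in range(height):
        base = offset + y * row_size
        rows.append([(bmp[base + 3 * x + 2], bmp[base + 3 * x + 1], bmp[base + 3 * x]) for x in range(width)])
    rows.reverse()
    return width, height, rows


SANITIZER_KEY = b"sanitizer signing key (assumption; asymmetric in practice)"


def sterilize(original):
    """Original -> intermediate -> fresh copy in the original format, plus a signature
    attesting that the copy was produced by this conversion."""
    width, height, rows = to_intermediate(original)
    clean = write_bmp(width, height, rows)
    signature = hmac.new(SANITIZER_KEY, clean, hashlib.sha256).hexdigest()
    return clean, signature


def verify_sterilized(data, signature):
    return hmac.compare_digest(hmac.new(SANITIZER_KEY, data, hashlib.sha256).hexdigest(), signature)


def contaminate(bmp, gap, trailer):
    """Constructed 'original': a valid picture with extra bytes hidden between the headers
    and the pixel array, and more appended after it. Viewers render it normally."""
    out = bytearray(bmp[:54] + gap + bmp[54:] + trailer)
    struct.pack_into("<I", out, 2, len(out))        # file size
    struct.pack_into("<I", out, 10, 54 + len(gap))  # pixel array offset
    return bytes(out)


def demo():
    rows = [[(255, 0, 0), (0, 255, 0), (0, 0, 255)], [(0, 0, 0), (128, 128, 128), (255, 255, 255)]]
    payload = b"<script>evil()</script>"            # constructed stand-in for smuggled content
    original = contaminate(write_bmp(3, 2, rows), b"#!junk-metadata", payload)
    sterilized, sig = sterilize(original)
    return {
        "payload_in_original": payload in original,
        "payload_in_sterilized": payload in sterilized,
        "same_picture": to_intermediate(sterilized)[2] == to_intermediate(original)[2],
        "signature_ok": verify_sterilized(sterilized, sig),
        "sizes": (len(original), len(sterilized)),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want here. The guarantee rests entirely on `to_intermediate` copying nothing but presentation values, so the parser is the component an attacker targets, and it belongs in an isolated environment of its own. And the signature proves only that a sanitizer produced the file; it says nothing about the original, which is why the abstract has it indicate conversion rather than safety of the source.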