Could you introduce yourself?

Eyal Dotan: I am the founder and CTO of Trustware, the company behind BufferZone. BufferZone is a family of application-level security products that utilize virtualization software to secure personal computers [editor's note: a freeware version is available for single apps]. Trustware has recently been nominated one of the 10 hot start-ups of 2006 by Microsoft.

In my spare time, I am also in charge of Windows Security studies at EPITECH (European Institute of Technology, France).

What is BufferZone? We'll keep it to "BZ" for the rest of the interview, as we're most interested in the technology behind it.

Eyal Dotan: BZ allows users to run unknown, dangerous programs and malware without harming the system.

The general idea is that programs running in our virtual BZ can see the hard-disk files and registry, but whatever they write back is virtualized: redirected elsewhere ("write" includes: rename, create, delete, or modify). For example, if a program running in BZ modifies the registry, then these changes will only be seen by programs running in BZ. Windows itself will not see any modification.

So, if you run some malware code or a vulnerable software application in the BZ, it will "think" it attacked the system (and will see its own virtual modifications), while in fact the real file system and registry remains unchanged. On the other hand, if you install legitimate software in the BZ, it will work properly and can be used continuously without any change in behavior. BZ's file and registry modifications are persistent; in other words, whatever you install in BZ remains there until you decide to remove it or empty the BZ (which simply means removing the virtual application's "deltas").

How did you have the idea to use application-level virtualization?

Eyal Dotan: I have been involved in malware protection techniques both academically and commercially for the past eight years. During this time, two fundamental observations have become indisputably clear:

• Prescriptive techniques such as black list detection, or signature-based detection paradigms cannot solve the problem of endpoint security;
• Creators of malicious programs have become very sophisticated, making the identification of legitimate programs from malicious programs very difficult to ascertain with very high degrees of certainty.

The idea of I/O virtualization developed (like most great ideas) from a very simple question: "How can I use the same computer for my safe applications and data, and at the same time surf the Internet, download and exchange files, etc. that may contain or harbor malicious code?" Since I was interested in high degrees of PC asset protection, but also in the unfettered use of the computer to access and interact on the Internet using the growing base of communication and collaboration tools available, this lead my thinking to the logical conclusion: don't try to detect malware (as this will invariably result in false positive identifications and/or missing the first occurrence of malicious code), but rather by completely separating trusted data and applications from the untrusted.

The "physical" approach to this would be to use two separate PCs: one for work and private data which is trusted, and one for Internet usage where interactions would be untrusted. Obviously, this is not a very convenient way to utilize your computer or time resources. This led me to the idea of isolating the trusted from the untrusted through the use of virtualization software as the the perfect way to achieve the desired goal.

Upcoming CPUs and OSes will be supporting virtualization technologies. For example we will be able to run multiple OSes at the same time, like we do today with VMWare. Do you think this "multiple OS sessions" approach will improve security?

Eyal Dotan: Multi-core CPUs are really targeted at parallel executions and multiple OSs have been around a very long time (IBM experimented with virtualization technology in the 1960s, resulting in their VM Operating System in the 1970's) to provide resource sharing to multiple applications. Throughout this the problem remains the same: if you separate your files and data into two "computers" (or pseudo-computers), that means the user flow requires tremendous organization. Separating your work "computer" where you receive e-mail, or editing documents from the "computer" where you surf the web, or communicating via instant messaging and exchanging files (P2P) with all the above requires some heavy workflow changes for most users - often well beyond their comprehension. It's almost like having one offline (secure) computer, and one online (unsecure) computer.

So, how do you protect the data using one computer?

Eyal Dotan: By default, we flag Web navigators, P2P, IM, and mail attachments to run resident in BZ. Any child processes and downloads further created by these BZ resident programs also run and install files in the BZ.

This allows you to freely surf and download files from the Internet into BZ without risk of harming your computer through unintended interaction with adware, malware, and the like, and without concern for malicious or junk software that may be left behind.

Yet another aspect of BZ is a mechanism to address data theft protection through the use of confidential folders.

What do you consider a confidential folder?

Eyal Dotan: It's any folder, network path, or device which the user has defined as confidential. By default, we mark the "My Documents" directory as confidential. Processes running in BZ cannot read the actual files located in confidential folders from BZ.

We've put a simple data theft demonstration online, to demonstrate simple data theft.

As simplistic as this demo is, many people are surprised that their anti-virus doesn't catch this.

Could you describe the architecture you designed in more detail?

Eyal Dotan: Virtualization is done through a kernel module. A Windows Service instructs the kernel module on what policies to implement. In the corporate version, policy rules come from a BZ Server. In standalone versions, these policies come from the GUI Administration interface which the user can use to alter the pre-configured settings in the limited number of scenarios where that might be necessary.

How do user privileges interact with BZ policies?

Eyal Dotan: BZ doesn't interfere with user privileges; rather it adds an additional virtualization layer which is transparent to normal user operations. When paths are redirected elsewhere, we copy the existing security attributes.

We copy the Windows security attributes to the BZ virtualization repository. This then allows a user "Write" operations which would be denied against the real Windows resources to be fulfilled through access to the BZ's virtual files-system and registry. "Read" operations are blocked according to Windows' ACLs (this way, a user cannot access another user's files for example).

How does the corporate version distribute and update policies?

Eyal Dotan: We utilized a configurable pull request every "n" minutes which runs across a private protocol known only to BZ. The approach is very straightforward with nothing really exciting to say here.

Trustware is about to release a plug-in for Microsoft's GPO which will allow lightweight and easy control of BZ agents.

Would you like to talk about this plugin?

Eyal Dotan:

The choice of using these tools lies with the user. With the GPO plug-in which integrates into Microsoft's native administration tools, the IT manager is provided with the tools to enforce the wrapping of these dangerous programs inside the BZ.

It also lets the administrator enforce such things as password protection for the BZ agent, protection against unload, and deciding which programs must run in the BZ.

What is the role of the kernel module?

Eyal Dotan: It is a very complex technical component that intercepts and filters I/O to files, the Registry and some critical native Windows APIs. It watches running processes, and takes special actions for those flagged as "BufferZone."

Our internal algorithms decide which of the I/O calls are considered of interest to BZ and then processes or redirected these calls accordingly.

This is similar to systrace...

Eyal Dotan: Are you referring to the hooking mechanism? Well to that extent, it's a very common mechanism on Windows which is also utilized by desktop firewalls and HIPS (Host Intrusion Prevention System) software to hook file activity. Our uniqueness is in what we do to these I/O calls.

Instead of denying them or scanning the associated files content like regular security software, we allow them to execute securely in the BZ. It allows more flexibility (most programs work properly with no need to generate annoying pop-ups to ask user/admin for a complex forbid/deny response) which in turn brings more security (the entire registry and file system are protected, not just some parts of them).

BZ is cognizant of certain operations which must be forbidden in order to ensure the integrity of the system. Some of these operation classes include:

• a BZ program cannot access the Kernel or send e-mail.
• a BZ program cannot inject, hook, modify or kill processes outside of BZ.

Would this approach be portable to other platforms such as MacOS X or GNU/Linux?

Eyal Dotan: Since the approach requires development of kernel-level technology, the actual implementation is OS-dependent. However, the general approach is very much OS-independent as all major commercial operating systems have facilities that would allow our approach to work. That said, Trustware is currently focused on Windows where the vast majority of the issues we are addressing currently reside.

How does it filter access to hardware peripherals such as USB flash drives?

Eyal Dotan: Whenever a drive is mounted, BZ will look at the device type and apply the appropriate policy. A policy can also be defined explicitly by name. An example of this would be:

"\\SERVER" -> BufferZone
"\\SERVER\INTERNAL" -> Trusted
"*.DOC" -> Confidential

So every application that runs via BZ will have a separate registry? What happens if the original registry is updated? Do you merge those changes?

Eyal Dotan: Applications running in BZ don't have a different registry:

• All applications within a given BZ share the same virtual registry and real registry as necessary.
• Remember that BZ registry and files are "copy-on-write" -- meaning that only modified keys are copied into BZ registry.

What happens if two applications need to interact?

Eyal Dotan: When both applications are in BZ there are no issues. If one is inside and one is outside, BZ will prevent inter-process communication in order to ensure no security problems are injected into the trusted system. We create advanced setting for allowing certain trusted programs to communicate with BZ programs.

If an attacker is able to install a rootkit, would he be able to disable BZ too?

Eyal Dotan: It's an appropriate question; we don't have any illusion about Windows users -- most of them run in Administrator mode because that's the most convenient way to run software on Windows.

Rootkits cannot operate from BZ because:

• BZ programs cannot load drivers nor access the kernel (so they can't hook native APIs, etc.)
• BZ programs cannot patch / obtain write access into programs outside of BZ (e.g. the Ring 3 rootkit approach)

Does Windows patches interfere with the kernel module? For example, does MS modify system calls often?

Eyal Dotan: The NT kernel has remained very stable since Windows 2000 (circa 2000). We haven't seen major differences between the native APIs that BZ is concerned with since Windows 2000 SP0. Frankly, if this were not the case, Microsoft itself would have a support nightmare on its hands beyond comprehension.

What about Windows Vista?

Eyal Dotan: From the BZ perspective, Vista's Kernel is quite similar to the XP Kernel. We do not expect big changes. Most of Microsoft's new kernel protections don't really affect the way we interact with the kernel either. Actually, the port to 64-bit is more of a challenge to Windows security tool developers.

How much does application level virtualization affect performance?

Eyal Dotan: This is one of those "it depends on the implementation" answers. With a good use of caching and pre-loading, virtualization can achieve very high performance rates. Furthermore, since the need for file scans, static virus database look-ups, and behavioral analysis monitoring completely eliminated, net gains in the user performance experience are very likely.

Programs running out of BZ are obviously not affected by any performance overhead. As to Instant Messaging and P2P applications, users won't notice performance issues there either, because these programs rarely write to the disk. Web browsers are a bit more disk-intensive (cookies, temporary files, etc). There, the difference between loading a web page within BZ and outside of BZ is quite small -- and since the pattern is to access the same files on a repetitive basis, the difference is actually negligible.

Performance is only an issue when it comes to programs that have disk-intensive activity (lots of file deletions, creations, and/or modifications), and during the very first execution in BZ (where we prepare the virtual environment the first time).

As a comparison with anti-virus software, we don't need to scan every opened file, so our approach is very different. Actually one of our customers, a hardware manufacturer in Israel, chose BZ because it doesn't have the performance overhead anti-viruses have. In their measurement (again, it varies by application usage), BZ resulted in less than a 3% overhead during the maximum peak of their software activity.

Could BZ be used for software such as web servers?

Eyal Dotan: Yes, it could. But for now, we are more focused on the more difficult problems of fully-distributed communication and collaboration issues associated with instant messaging, P2P, web navigation, etc. that are growing in popularity with no effective security mechanisms available today.

Although I admit it must be fun to see servers, and even VNC running in BZ. :-)

What I like most about the concept of security through virtualization is that it is a very simple idea, yet very powerful. Intrusion Protection System products require a list of protected files and registry keys; anti-virus products require a list of known signatures; and heuristics require a list of suspicious behaviors. Virtualization on the other hand, handles the malware problem by wrapping the entire registry and file system with a virtualization layer -- thereby not requiring ANY of these items. Users are not asked complex security questions. It's a quite transparent security method, which is probably the greatest achievement of this technology.