Federico Biancuzzi interviews Eyal Dotan, who has developed application-level virtualization software that protects Windows hosts from malware. They discuss the architecture, advantages of this design, performance, and how this method could be applied to servers running Windows or be ported to other OSes.
Could you introduce yourself?
Eyal Dotan: I am the founder and CTO of Trustware, the company behind BufferZone. BufferZone is a family of application-level security products that utilize virtualization software to secure personal computers [editor's note: a freeware version is available for single apps]. Trustware has recently been nominated one of the 10 hot start-ups of 2006 by Microsoft.
In my spare time, I am also in charge of Windows Security studies at EPITECH (European Institute of Technology, France).
What is BufferZone? We'll keep it to "BZ" for the rest of the interview, as we're most interested in the technology behind it.
Eyal Dotan: BZ allows users to run unknown, dangerous programs and malware without harming the system.
The general idea is that programs running in our virtual BZ can see the hard-disk files and registry, but whatever they write back is virtualized: redirected elsewhere ("write" includes: rename, create, delete, or modify). For example, if a program running in BZ modifies the registry, then these changes will only be seen by programs running in BZ. Windows itself will not see any modification.
So, if you run some malware code or a vulnerable software application in the BZ, it will "think" it attacked the system (and will see its own virtual modifications), while in fact the real file system and registry remain unchanged. On the other hand, if you install legitimate software in the BZ, it will work properly and can be used continuously without any change in behavior. BZ's file and registry modifications are persistent; in other words, whatever you install in BZ remains there until you decide to remove it or empty the BZ (which simply means removing the virtual application's "deltas").
How did you have the idea to use application-level virtualization?
Eyal Dotan: I have been involved in malware protection techniques both academically and commercially for the past eight years. During this time, two fundamental observations have become indisputably clear:
- Prescriptive techniques such as black list detection, or signature-based detection paradigms cannot solve the problem of endpoint security;
- Creators of malicious programs have become very sophisticated, making the identification of legitimate programs from malicious programs very difficult to ascertain with very high degrees of certainty.
The idea of I/O virtualization developed (like most great ideas) from a very simple question: "How can I use the same computer for my safe applications and data, and at the same time surf the Internet, download and exchange files, etc. that may contain or harbor malicious code?" Since I was interested in high degrees of PC asset protection, but also in the unfettered use of the computer to access and interact on the Internet using the growing base of communication and collaboration tools available, this led my thinking to the logical conclusion: don't try to detect malware (as this will invariably result in false positive identifications and/or missing the first occurrence of malicious code), but rather completely separate trusted data and applications from the untrusted.
The "physical" approach to this would be to use two separate PCs: one for work and private data which is trusted, and one for Internet usage where interactions would be untrusted. Obviously, this is not a very convenient way to utilize your computer or time resources. This led me to the idea of isolating the trusted from the untrusted through the use of virtualization software as the perfect way to achieve the desired goal.
Upcoming CPUs and OSes will be supporting virtualization technologies. For example, we will be able to run multiple OSes at the same time, like we do today with VMware. Do you think this "multiple OS sessions" approach will improve security?
Eyal Dotan: Multi-core CPUs are really targeted at parallel executions and multiple OSes have been around a very long time (IBM experimented with virtualization technology in the 1960s, resulting in their VM Operating System in the 1970s) to provide resource sharing to multiple applications. Throughout this the problem remains the same: if you separate your files and data into two "computers" (or pseudo-computers), that means the user flow requires tremendous organization. Separating your work "computer" where you receive e-mail, or editing documents from the "computer" where you surf the web, or communicating via instant messaging and exchanging files (P2P) with all the above requires some heavy workflow changes for most users - often well beyond their comprehension. It's almost like having one offline (secure) computer, and one online (unsecure) computer.
So, how do you protect the data using one computer?
Eyal Dotan: By default, we flag Web navigators, P2P, IM, and mail attachments to run resident in BZ. Any child processes and downloads further created by these BZ resident programs also run and install files in the BZ.
This allows you to freely surf and download files from the Internet into BZ without risk of harming your computer through unintended interaction with adware, malware, and the like, and without concern for malicious or junk software that may be left behind.
Yet another aspect of BZ is a mechanism to address data theft protection through the use of confidential folders.
What do you consider a confidential folder?
Eyal Dotan: It's any folder, network path, or device which the user has defined as confidential. By default, we mark the "My Documents" directory as confidential. Processes running in BZ cannot read the actual files located in confidential folders from BZ.
We've put a simple data theft demonstration online, to demonstrate simple data theft.
As simplistic as this demo is, many people are surprised that their anti-virus doesn't catch this.
Could you describe the architecture you designed in more detail?
Eyal Dotan: Virtualization is done through a kernel module. A Windows Service instructs the kernel module on what policies to implement. In the corporate version, policy rules come from a BZ Server. In standalone versions, these policies come from the GUI Administration interface which the user can use to alter the pre-configured settings in the limited number of scenarios where that might be necessary.