Application-level Virtualization for Windows
Federico Biancuzzi, 2006-07-12

How does it filter access to hardware peripherals such as USB flash drives?

Eyal Dotan: Whenever a drive is mounted, BZ will look at the device type and apply the appropriate policy. A policy can also be defined explicitly by name. An example of this would be:

"\\SERVER" -> BufferZone
"\\SERVER\INTERNAL" -> Trusted
"*.DOC" -> Confidential

So every application that runs via BZ will have a separate registry? What happens if the original registry is updated? Do you merge those changes?

Eyal Dotan: Applications running in BZ don't have a different registry:

  • All applications within a given BZ share the same virtual registry and real registry as necessary.
  • Remember that BZ registry and files are "copy-on-write" -- meaning that only modified keys are copied into BZ registry.
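As an added illustration (not BufferZone's code and not part of the interview), the toy Python store below models the copy-on-write behaviour described in the two answers above: reads fall through to the shared real registry, only keys a zoned program modifies are copied into the zone's overlay, and a later update to the real registry stays visible inside the zone unless the zone has already overwritten that key. All key names and values are constructed.

```python
class CowStore:
    """Toy copy-on-write view over a shared 'real' key/value store (constructed
    stand-in for the registry). Reads that miss the overlay fall through to the
    real store; writes and deletes are recorded only in the overlay."""
    _TOMBSTONE = object()  # marks a key the zone deleted without touching the real store

    def __init__(self, real: dict):
        self.real = real      # shared with the trusted system, never written here
        self.overlay = {}     # per-zone copy of modified keys only

    def get(self, key):
        if key in self.overlay:
            value = self.overlay[key]
            return None if value is self._TOMBSTONE else value
        return self.real.get(key)  # unmodified keys read through to the real store

    def set(self, key, value):
        self.overlay[key] = value  # copy-on-write: first write copies the key into the zone

    def delete(self, key):
        self.overlay[key] = self._TOMBSTONE

    def modified_keys(self):
        return sorted(self.overlay)


def demo():
    # Constructed registry contents; names are illustrative, not real Windows keys.
    real = {r"HKLM\Run\updater": r"C:\updater.exe", r"HKCU\Desktop\Wallpaper": "blue.bmp"}
    zone = CowStore(real)

    # A zoned program rewrites an autorun value and deletes a user setting.
    zone.set(r"HKLM\Run\updater", r"C:\Temp\dropped.exe")
    zone.delete(r"HKCU\Desktop\Wallpaper")

    # Meanwhile the real registry is updated outside the zone (e.g. by an installer).
    real[r"HKLM\Run\backup"] = r"C:\backup.exe"

    return {
        "zone_run": zone.get(r"HKLM\Run\updater"),             # zone sees its own change
        "real_run": real[r"HKLM\Run\updater"],                 # trusted system is untouched
        "zone_wallpaper": zone.get(r"HKCU\Desktop\Wallpaper"), # hidden inside the zone only
        "real_wallpaper": real[r"HKCU\Desktop\Wallpaper"],     # still present outside
        "zone_backup": zone.get(r"HKLM\Run\backup"),           # real update visible: never copied
        "copied": zone.modified_keys(),                        # only the two touched keys
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```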

What happens if two applications need to interact?

Eyal Dotan: When both applications are in BZ there are no issues. If one is inside and one is outside, BZ will prevent inter-process communication in order to ensure no security problems are injected into the trusted system. We created an advanced setting for allowing certain trusted programs to communicate with BZ programs.

If an attacker is able to install a rootkit, would he be able to disable BZ too?

Eyal Dotan: It's an appropriate question; we don't have any illusion about Windows users -- most of them run in Administrator mode because that's the most convenient way to run software on Windows.

Rootkits cannot operate from BZ because:

  • BZ programs cannot load drivers nor access the kernel (so they can't hook native APIs, etc.)
  • BZ programs cannot patch / obtain write access into programs outside of BZ (e.g. the Ring 3 rootkit approach)

Do Windows patches interfere with the kernel module? For example, does MS modify system calls often?

Eyal Dotan: The NT kernel has remained very stable since Windows 2000 (circa 2000). We haven't seen major differences between the native APIs that BZ is concerned with since Windows 2000 SP0. Frankly, if this were not the case, Microsoft itself would have a support nightmare on its hands beyond comprehension.

What about Windows Vista?

Eyal Dotan: From the BZ perspective, Vista's Kernel is quite similar to the XP Kernel. We do not expect big changes. Most of Microsoft's new kernel protections don't really affect the way we interact with the kernel either. Actually, the port to 64-bit is more of a challenge to Windows security tool developers.

How much does application level virtualization affect performance?

Eyal Dotan: This is one of those "it depends on the implementation" answers. With a good use of caching and pre-loading, virtualization can achieve very high performance rates. Furthermore, since the need for file scans, static virus database look-ups, and behavioral analysis monitoring is completely eliminated, net gains in the user performance experience are very likely.

Programs running outside of BZ are obviously not affected by any performance overhead. As to Instant Messaging and P2P applications, users won't notice performance issues there either, because these programs rarely write to the disk. Web browsers are a bit more disk-intensive (cookies, temporary files, etc.). There, the difference between loading a web page within BZ and outside of BZ is quite small -- and since the pattern is to access the same files on a repetitive basis, the difference is actually negligible.

Performance is only an issue when it comes to programs that have disk-intensive activity (lots of file deletions, creations, and/or modifications), and during the very first execution in BZ (where we prepare the virtual environment the first time).

As a comparison with anti-virus software, we don't need to scan every opened file, so our approach is very different. Actually one of our customers, a hardware manufacturer in Israel, chose BZ because it doesn't have the performance overhead anti-viruses have. In their measurement (again, it varies by application usage), BZ resulted in less than a 3% overhead during the maximum peak of their software activity.

Could BZ be used for software such as web servers?

Eyal Dotan: Yes, it could. But for now, we are more focused on the more difficult problems of fully-distributed communication and collaboration issues associated with instant messaging, P2P, web navigation, etc. that are growing in popularity with no effective security mechanisms available today.

Although I admit it must be fun to see servers, and even VNC running in BZ. :-)

What I like most about the concept of security through virtualization is that it is a very simple idea, yet very powerful. Intrusion Protection System products require a list of protected files and registry keys; anti-virus products require a list of known signatures; and heuristics require a list of suspicious behaviors. Virtualization on the other hand, handles the malware problem by wrapping the entire registry and file system with a virtualization layer -- thereby not requiring ANY of these items. Users are not asked complex security questions. It's a quite transparent security method, which is probably the greatest achievement of this technology.



Federico Biancuzzi is a freelancer; in addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.
Copyright 2010, SecurityFocus