We think it’s important to hold security vendors accountable: Ditch marketing BS in favor of defensible design and rigorous evaluation. Bromium uses virtualization backed security to make endpoints more secure by design. “Maybe” tools like next-gen AV can only hope to stop an unknown attack – but 99% of malware morphs into new, unknown variants in under a minute.
To highlight this we challenged attendees at InfoSec London to bring their own malware to the show. If it bypassed Bromium, they’d win £10K. In two days we safely browsed to over 4,800 sites, and opened more than1,500 documents and attachments. We protected unpatched Bromium-protected endpoints from 189 attacks, of which 10 were unknown to Virus Total. Researchers from an AV vendor even downloaded a custom attack that evades detection – and also failed to breach us.
Other vendors won’t publicly expose their products to unknown malware, because they just don’t know if they work.
Bromium doesn’t demand a leap of faith. Our product increases cost to the attacker by reducing the attack surface of the endpoint. But how can you be sure we’ve done a good job? We think you shouldn’t have to trust us. Each year we commission source code reviews and pen-tests by highly respected research organizations, and encourage our customers to conduct their own. None has ever surfaced any substantive issues.
This year we went a step further and quietly started to work with a few white hats. And though we were surprised when Tavis Ormandy (@taviso) of Google claimed he had identified two bugs that let him escape micro-VM isolation, I was quietly rather pleased. Tavis is one of the most respected ethical pen testers – and we hadn’t even given him our product! He willingly shared his findings and we spent a busy week validating them and discussing solutions with him. He was both gracious and helpful – and always impartial and data driven. The experience reaffirmed our commitment to an open engagement with the white hat community.
We will disclose details of what he found, after a 30 day embargo to allow our customers to patch. But there are some interesting facts we can share:
- Tavis found a bug in an early build of vSentry 3.1 with support for an old version of Chrome that was sent to a customer to evaluate a feature, and mistakenly uploaded. A skilled attacker armed with a chain of additional bugs could exploit our bug to achieve code execution in the host Chrome browser.
- Fortunately, in a typical Bromium production deployment the Bromium Enterprise Controller automatically updates Chrome protection via “App Packs” soon after Google releases a new version. Recent Bromium Chrome App Packs, for example, fix the known bugs you’d need to be able to exploit our bug.
- The same underlying issue was also present in our protection for IE. Again, fortunately, a typical Bromium deployment configuration mitigates this bug.
- We have verified that the machines we used at InfoSec could not have been breached because of the security policies and configuration applied, which were typical of a real-world deployment.
Bromium does not yet have a bug bounty program, and our terms for the challenge were specific to the product version and policies used at InfoSec. But we are nonetheless indebted to Tavis for his important contribution to our product. Bromium will pay him £10K, which he has stated he will donate to Amnesty International. Independently, as an acknowledgement of his sheer professionalism and as testament to his awesome white-hattery, I have personally matched the Bromium award with a donation in Tavis’s honor, as shown below (close to £10K at last week’s exchange rate). We are investigating the best way to properly run a bug bounty program, and won’t pay any further bounties (for any version of our product) until we have one set up.