Microvisor + Hypervisor Makes Your VMs Secure by Design

Author: No Comments Share:

I often get asked whether micro-virtualization can be used with a traditional hypervisor and full-OS “fat” VMs (humor: FAT VMs are another matter).

YES! There are powerful benefits in both client and server scenarios. I’ll focus on the user centric uses that we currently support in vSentry:

  • VDI and DaaS: MakeVDI/DaaS secure without legacy security software that kills scalability andUX.
    • The Microvisor runs nestedin a VDI/DaaS desktop VM, running on top of a “root” hypervisor that virtualizes Intel VT/AMD-V. We’ve optimized micro-Xen to run nested on VMware ESX with virtual hardware 9/10 – the most widely deployed virtual infrastructure for VDI/DaaS under both Citrix XenDesktop and VMware View
    • None of XenServer, Hyper-V (WS12 & Azure), RHEL/KVM, or AWS supports nesting today, though the up-stream work in Xen is done. Props to Canonical for their nesting support in KVM/Ubuntu. Today all nesting is software-based. Hardware nesting via Intel VMCS-Shadow will start to arrive in server CPUs soon.
  • Client-hosted Virtual Desktops: Secure your BYO devices, developer desktops and Windows virtual desktops on a Mac or PC:
    • The Microvisor runs nested within a client-hosted Windows desktop VM (as for VDI/DaaS) on VMware Workstation or (on a Mac) VMware Fusion
    • Alternatively the Microvisor can run side-by-side with VMware Workstation/Fusion, effectively sharing VT/AMD-V. This allows us to secure a user desktop (Windows/OS-X) from attack – so that it can securely host an enterprise delivered VM. For this case we have two goals:
      1. Secure the host OS using micro-virtualization
      2. Also host additional full-OS VM(s) for desktop virtualization or test/dev. (with the option of protecting them too, using micro-virtualization)

This raises a killer question: Could a single hypervisor run OS VMs and micro-VMs?  YES!   Micro-Xen does this today (though not as a supported feature yet).

Fortunately (as a result of our collaboration with Microsoft starting in 2006, at XenSource), micro-Xen can run Windows VMs saved from Hyper-V in VHD format. I use this to demo the Bromium Management Server (BMS) in a WS12/SQL VM on my vSentry protected laptop.  If you’d like a detailed technical description of how this works, let me know.


Previous Article

H1 2014 Endpoint Exploitation Trends

Next Article

How do you spell “Polymorphic”?

You may also like