Federal agencies are beginning to experiment with a new hardware isolation method of detecting malicious code hidden in browsers, browser plugins and widely-deployed productivity applications.
A number of federal agencies are evaluating a new tool by Cupertino, California-based Bromium Inc. that offers micro-virtualization at the processor level, unlike other sandboxing applications, which run at the kernel level. This so-called hardware isolation emulates a complete system and allows malware to execute without infecting the host. The software then discards the malicious code, stopping zero-day attacks emanating from the most common untrusted tasks and threat vectors, including browsing the Internet, downloading documents, opening email attachments and launching files from authorized removable storage devices.
Last September, the Department of Health and Human Services issued a solicitation for Bromium’s vSentry software, describing it as a unique capability that plugs a significant gap in endpoint security: the reliance on signature-based antivirus and security software to detect unknown zero-day exploits in some of the most common and widely deployed software tools.
“The unique micro visor architecture that runs on the CPU rather than the Kernel Level sandboxing offered by other vendors offers a level of protection and analytical capabilities that has been previously unobtainable on a common user’s system,” HHS said in a solicitation posted to the Federal Business Opportunities website.
And now additional agency testing is underway at the Defense Department and the Energy Department’s national laboratories. Sandia National Laboratory is currently pilot testing Bromium’s vSentry and the company’s live attack visualization and analysis tool for forensic analysis of malicious behavior.
The testing and evaluation come as the company has released a new report detailing a skyrocketing increase in vulnerabilities in Microsoft’s Internet Explorer, as well as in Java, Flash, Adobe Acrobat Reader and office productivity applications.
“Microsoft’s Internet Explorer set a record high for reported vulnerabilities in the first half of 2014,” according to an advance copy of the Bromium report received by FedScoop. Meanwhile, “Adobe Flash is the primary browser plugin being targeted by zero day attacks this year.”
In the first half of 2014, the growth in zero day exploits continued unabated. “Unsurprisingly, all of the zero day attacks targeted end-user applications such as browsers and productivity applications like Microsoft Office,” the Bromium Labs report states. “Typically these attacks are launched leveraging users as bait using classic spear-phishing tactics. The notable aspect for this year thus far in 2014 is that Internet Explorer was the most patched and also one of the most exploited products, surpassing Oracle Java, Adobe Flash and others in the fray. Bromium Labs believes that the browser will likely continue to be the sweet spot for attackers.”
Kelly Collins, vice president of public sector at Bromium, said that while some applications have been blacklisted in government because of security concerns, the browser remains the most prolific software application in government, and there is just no way for agencies to keep up with security patches for each and every application plugin.
“Signature-based security can’t keep up with that threat model,” Collins said in an interview with FedScoop. She characterized trying to keep old versions of Java patched, as well as browsers, document readers and productivity apps, as a “game of whac-a-mole futility.”
According to Collins, the Defense Department has tested Bromium’s ability to detect and isolate 100 percent of the threats that come across the vectors of attack covered by vSentry. The department is currently evaluating the software for approval to run on DOD networks, Collins said.
So far the pilot testing at Sandia has revealed some important lessons for others who might consider deploying the tool. There is a slight performance hit on machines configured with less than 8 gigabytes of memory. There were also several instances of initialization and reinitialization that degraded performance, according to the Sandia NLIT 2014 presentation. Overall, the 30-day pilot involving 107 users resulted in 85 unique feedback items and 32 support requests. There were also several false positives reported by the forensics tool.