Micro-virtualization versus sandboxing

Isolation instead of detection: Cyber threats can only be effectively countered with solutions such as micro-virtualization, as the provider Bromium writes. Jochen Koehler explains the differences between sandboxing and micro-virtualization in an interview.

Some companies today rely on sandboxing to defend against cyber attacks. Why do you think this approach is insufficient?


Jochen Koehler, Regional Director DACH at Bromium: In sandboxing, after all, an application is executed in an isolated virtual environment. To protect the operating system from malware, a sandbox must restrict access to system calls or service interfaces that enable interprocess communication. A sandbox, whether it is set up on the client or on the network, must therefore be programmed to some degree of complexity to emulate the actual system environment; the Google Chrome sandbox, for example, consists of over 1.5 million lines of code. This makes a sandbox itself very vulnerable. In addition, the high complexity leads to large resource requirements, so that extremely powerful computers are necessary.
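To make the "restrict access to system calls" part concrete, here is a small added example (written for this page, not code from the interview or from Bromium): a Linux seccomp-BPF allowlist of the kind a software sandbox installs in a renderer or helper process. A child process keeps only write, exit and exit_group; any other system call, here a socket() call standing in for network access, ends the child with SIGSYS. The function and macro names (run_sandboxed, install_allowlist, DEMO_ARCH) are this example's own, and it assumes a Linux kernel with seccomp filtering on x86_64 or aarch64.

```c
// Added example, not from the interview or from Bromium: a minimal Linux
// seccomp-BPF filter that shows what "restricting access to system calls"
// means for a software sandbox. A child process installs an allowlist that
// permits only write, exit and exit_group; any other system call (here
// socket(), standing in for network access) terminates the child with SIGSYS.
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The filter must check the architecture first: syscall numbers differ
 * between ABIs, so a filter without this check can be sidestepped on a
 * multi-ABI kernel. This example covers x86_64 and aarch64 only. */
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "unsupported architecture for this example"
#endif

/* Older kernel headers lack SECCOMP_RET_KILL_PROCESS; the thread-killing
 * action is equivalent for a single-threaded child. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

static int install_allowlist(void)
{
    struct sock_filter filter[] = {
        /* Load the calling architecture and kill on mismatch. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and compare it against the allowlist. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 1, 0),
        /* Default: anything not listed kills the process with SIGSYS. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* NO_NEW_PRIVS lets an unprivileged process install a filter and stops
     * setuid binaries from being used to shed it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Runs a child under the allowlist. With try_forbidden == 0 the child only
 * writes a line and exits; with 1 it attempts socket(), which is not listed.
 * Returns 0 for a clean exit, the signal number if the child was killed
 * (SIGSYS for a blocked syscall), the child's non-zero exit status if the
 * filter could not be installed, and -1 on fork/wait failure. */
int run_sandboxed(int try_forbidden)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_allowlist() != 0)
            _exit(2);
        if (try_forbidden) {
            /* Not on the allowlist: the kernel kills the process before
             * the call is serviced. */
            socket(AF_INET, SOCK_STREAM, 0);
            _exit(3); /* never reached */
        }
        const char msg[] = "child: write() allowed inside the filter\n";
        write(STDOUT_FILENO, msg, sizeof(msg) - 1);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return -1;
}

int main(void)
{
    printf("allowed path   -> %d (0 = clean exit)\n", run_sandboxed(0));
    printf("forbidden path -> %d (SIGSYS = %d)\n", run_sandboxed(1), SIGSYS);
    return 0;
}
```

The point of the example is the trade-off the answer describes: the filter is a few dozen lines, but a real sandbox must allow enough of the system interface for the application to function, and every call it allows is surface that the kernel still has to handle correctly. Note that the filter is enforced by the kernel, so the protection holds only as long as the kernel does.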

Resource problems are solvable, though, aren't they?

The actual problem is of course much more fundamental, because sandboxing architectures are purely software-based. This means that if the sandbox software is compromised, the only remaining protection mechanism is the standard operating system security.

So you should keep your hands off sandboxing?

Compared to a pure antivirus application, sandboxing is definitely an advance. But the protection is simply no longer sufficient today. There are now numerous methods for bypassing a sandbox. For example, malicious code contains a time delay so that it cannot be immediately detected by the sandbox. In addition, newer malware can detect isolated, simulated environments in many cases, so it simply does not execute the malicious code here.

How can users solve the problem then?

An alternative is the concept of micro-virtualization. Here, the focus is not on detecting malicious code, but on protecting against the effects of malware. This is realized by isolating all potentially dangerous activities. This provides protection against malware without having to recognize it as such.

But that sounds a lot like sandboxing again.

Only at first glance. In principle, micro-virtualization takes up the sandboxing idea, i.e. the execution of potential malicious code in a virtualized environment. However, a key difference between micro-virtualization and sandboxing is that the latter is a software-based solution, whereas micro-virtualization takes place in the processor and thus in the hardware. Here, malware protection directly at the endpoint is provided by hardware-isolated micro-VMs that encapsulate specific user activities - for example, accessing a web page, downloading a document, opening an email attachment, or accessing data on a USB device. This eliminates the possibility of compromising the endpoint via any of these attack paths.

What does that look like in concrete terms?

In micro-virtualization, a hypervisor trimmed for security and the integrated virtualization features of the current CPU generations are used to implement hardware-isolated micro-VMs for all user activities with data from unknown sources. Each individual task runs in its own micro-VM. It is strictly separated from other tasks, from the actual operating system and from the connected network. This means that, unlike sandboxing solutions, micro-virtualization isolates all individual activities from each other, for example different page requests in a browser or opening different documents with Word. This reliably prevents malware from spreading.

Is this the future of cyber defense?

I am convinced that micro-hypervisor technology will soon replace traditional sandboxing. It provides much more reliable endpoint protection by isolating user activity. The innovative approach, after all, is that the goal is not primarily to detect malicious code, but rather to protect against the effects of malware, possibly even unidentified malware. And this is indeed a paradigm shift for IT security. The head start that attackers have always been able to exploit for themselves is thus gone.

Interview: PR-COM Beratungsgesellschaft für strategische Kommunikation mbH
