Bromium will develop a novel type of client hypervisor that extends the concept of Bromium micro-virtualization (per-task hardware isolation of untrusted tasks) from its current type-2 Microvisor architecture to deliver a "type-1.5 Microvisor". The type-2 Microvisor protects the host from attacks carried by web content and documents that originate outside the device. The type-1.5 Microvisor is a late-load hypervisor that can de-privilege the host OS in order to protect high-value tasks from attack by a malicious user or by a compromised host OS.

The system will comprise a late-load "type-1.5" micro-Xen hypervisor that can be dynamically instantiated on an endpoint to provide robust protection of valued content and applications in a high-value trust domain. Each high-value application or document will be executed independently and securely within its own protected micro-VM. These secured micro-VMs will protect the application and its content even if the host OS itself becomes compromised, or in the face of a malicious user at the keyboard. Intel TXT will be used to securely measure the hypervisor at launch, and the TPM will be used to attest to a third party, e.g. an Enterprise Rights Management (ERM) server, that the system and each domain are protected.
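The measured-launch and attestation step above is the part of the design an ERM server would have to implement on its side: it issues a fresh nonce, receives a TPM quote over the dynamic-launch PCR, checks the quote, and replays its own record of the approved hypervisor measurements to see whether the endpoint booted the expected microvisor before it releases rights-managed content. The following is an added illustration of that verifier logic, not Bromium's code and not taken from this page. It assumes (hypothetically) a SHA-256 PCR bank, that the TXT launch chain lands in PCR 17, and it stands in for the TPM's attestation-key signature with a keyed HMAC so that it runs offline; a real verifier checks the quote signature against the attestation key's public half instead. All measurement blobs are constructed sample bytes.

```python
"""ERM-server side verification of a TPM quote after an Intel TXT measured launch.

Added example (not Bromium code). Hypothetical simplifications:
- SHA-256 PCR bank; the dynamic-launch chain is recorded in PCR 17.
- The TPM signature over the quote is modelled as an HMAC under a key the
  verifier learned at enrolment; a real TPM quote is RSA/ECDSA-signed.
"""
import hashlib
import hmac
import secrets

PCR_LEN = 32      # bytes in a SHA-256 PCR
DRTM_PCR = 17     # first PCR written by the TXT launch (assumption for this example)

# Constructed sample "binaries" that the golden measurement list refers to.
SINIT_ACM = b"constructed sample: Intel SINIT ACM bytes"
APPROVED_MICROVISOR = b"constructed sample: micro-Xen type-1.5 build"
GOLDEN_EVENTS = [("sinit_acm", SINIT_ACM), ("microvisor", APPROVED_MICROVISOR)]


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend semantics: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(events, initial: bytes = bytes(PCR_LEN)) -> bytes:
    """Recompute the PCR value that measuring these blobs in order would produce.

    A DRTM PCR starts from all-zero after the launch resets it, so the replay
    starts from zeros rather than from the power-on value."""
    pcr = initial
    for _name, blob in events:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


# --- endpoint side ----------------------------------------------------------
def tpm_quote(pcr_value: bytes, nonce: bytes, attestation_key: bytes) -> dict:
    """Stand-in for a TPM quote: bind the verifier's nonce to the PCR value
    under a key only the TPM holds (HMAC here; a signature on real hardware)."""
    mac = hmac.new(attestation_key, nonce + pcr_value, hashlib.sha256).digest()
    return {"pcr": DRTM_PCR, "value": pcr_value, "nonce": nonce, "sig": mac}


# --- ERM server side --------------------------------------------------------
def verify_quote(quote: dict, nonce: bytes, attestation_key: bytes, golden_events):
    """Return (accepted, reason). Accept only a fresh, authentic quote whose
    PCR 17 equals the replay of the approved launch measurements."""
    if quote["pcr"] != DRTM_PCR:
        return False, "quote does not cover the dynamic-launch PCR"
    if not hmac.compare_digest(quote["nonce"], nonce):
        return False, "stale or replayed quote (nonce mismatch)"
    expected_sig = hmac.new(attestation_key, quote["nonce"] + quote["value"],
                            hashlib.sha256).digest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False, "quote not produced by the enrolled TPM"
    # Under the PC Client profile the DRTM PCRs hold all-ones from power-on and are
    # reset to zero only by the dynamic launch; all-ones therefore means TXT never ran.
    if quote["value"] == b"\xff" * PCR_LEN:
        return False, "PCR 17 never reset: no TXT measured launch occurred"
    if quote["value"] == bytes(PCR_LEN):
        return False, "PCR 17 reset but nothing was measured into it"
    if not hmac.compare_digest(quote["value"], replay_log(golden_events)):
        return False, "launch chain does not match the approved microvisor"
    return True, "approved microvisor running; release rights-managed content"


def demo() -> dict:
    """Run one good endpoint and one with a modified hypervisor through the verifier."""
    attestation_key = secrets.token_bytes(32)   # shared at enrolment in this model
    nonce = secrets.token_bytes(16)

    good_pcr = replay_log(GOLDEN_EVENTS)
    accepted_good, _ = verify_quote(tpm_quote(good_pcr, nonce, attestation_key),
                                    nonce, attestation_key, GOLDEN_EVENTS)

    tampered = [GOLDEN_EVENTS[0], ("microvisor", b"constructed sample: modified build")]
    bad_pcr = replay_log(tampered)
    accepted_bad, _ = verify_quote(tpm_quote(bad_pcr, nonce, attestation_key),
                                   nonce, attestation_key, GOLDEN_EVENTS)

    # Replaying yesterday's valid quote against today's nonce must also fail.
    old_quote = tpm_quote(good_pcr, secrets.token_bytes(16), attestation_key)
    accepted_replay, _ = verify_quote(old_quote, nonce, attestation_key, GOLDEN_EVENTS)

    return {"good": accepted_good, "tampered": accepted_bad, "replay": accepted_replay}


if __name__ == "__main__":
    print(demo())
```

The check is deliberately positive: the server accepts only a PCR value it can reproduce from its own list of approved measurements, so an unknown hypervisor build, a skipped launch (all-ones PCR) or an empty chain is rejected by default. Note what a quote does and does not prove: it shows which hypervisor was measured at launch, not that it is still intact now, so the confidentiality of content released into a micro-VM afterwards rests on the hypervisor's runtime isolation of the de-privileged host, not on the attestation alone.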
Benefit: The goal of this work is to extend the hardware-isolation properties of micro-virtualization to deal not only with untrusted information, but also to protect valuable information and applications curated within the enterprise. Information flows for a given trust domain that are created within an organization and securely transmitted between its computer systems should remain isolated, and accessible only within that trust domain, across the enterprise. There are two primary needs for this:
1. Preserving the privileged nature of information will permit the hardware-isolation properties of micro-virtualization to be used proactively, to prevent valued information from entering untrusted execution contexts or domains.
2. When mapped into an enterprise rights management context (such as Microsoft IRM), the enterprise can stipulate policies for the handling of different types of proprietary information on devices. Micro-virtualization provides a robust mechanism for enforcing rights management.
The results of this work that relate to the development of the type-1.5 Xen-based Microvisor will be delivered to the open source community. In addition, the prototype will be further developed and incorporated into the products of Bromium, Inc. for delivery to customers (including the Federal Government) that demand highly secure computing environments managing information flows from multiple domains of trust, and that need to protect those domains from malicious users or from a potentially compromised host OS. The system will be applicable to a broad swath of enterprise desktop environments within the Federal Government and in commercial settings.
Keywords: Multi-level secure X