Comments on anti-virus rants: no, bromium will not kill all malware forever
Blog author: kurt wismer (http://www.blogger.com/profile/03810635947269551517)
Comment feed last updated: 2023-08-26T05:04:33.009-04:00
4 comments, shown in chronological order.

----------------------------------------------------------------------
Anonymous (signed Tal), 2013-05-20T21:01:00.892-04:00

Hi Kurt,

While I respect your right to write whatever you like on your blog, I would like to note that what I *do* care about, and spend time correcting, are technical inaccuracies, rather than choices of words. In every way, the article you reference was the most technically accurate description of our technology by a journalist. Usually people make a lot of mistakes in describing how we do what we do, and I care about that more than someone's opinions of the implications of our technology to the future of malware.

For example, your basic error is misunderstanding the very foundation of our technology. Rather than learn more about us and dig deeper than the article, you have decided that our technology virtualizes processes because you read the word "tasks" and assumed they meant "processes". In fact, when we refer to user tasks, we are talking about user activities.

You are correct that isolating processes would obviously create problems, but if you'd grok the underlying technologies behind our product, mainly the notions of copy-on-write micro-VMs and least privilege separation kernels, you'd understand that we isolate user activities, not simply system processes.

I'd suggest reading our whitepaper, learning more about us, and then engaging us in meaningful discussion, which I would welcome, rather than an arbitrary flame war over a journalist's choice of words.

----------------------------------------------------------------------
kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2013-05-21T00:34:57.381-04:00

tal, if you want to correct technical inaccuracies then i suggest you talk to jason perlow about the use of process versus task, as that is the word *he* used.

i continued the usage in part because of his article but also because of the ambiguity surrounding the term task - in at least some quarters it is synonymous with process. in others it is frankly rather vague.

and where would i have even heard of vsentry focusing on tasks, when mr. perlow used the word process, if i hadn't already looked into the technology? further, where would i have gotten the idea to mention what happens to changes made after the process, or rather task, is finished when mr. perlow does not appear to have referenced your persistence rules in his article?

do i not grok the concept of copy-on-write? sandboxie performs copy-on-write. i wouldn't be surprised if other application virtualization products do as well. it's not a complicated concept, nor is least privilege.

micro-VMs is something that perhaps deserves to be revisited, if you're concerned about technical inaccuracies, since they aren't actually virtual machines (by every description i've read you aren't spinning up new virtual machines for each task). i know it's an easy shortcut to use the term VM whenever you're talking about virtualization, but that doesn't make it so.

and that brings us back to choice of words. you cannot communicate technically accurate information without using the right words, so the choice of words matters, even if you find it convenient to ignore it.

i'll take your correction under advisement, of course. you virtualize on a task-by-task basis and so are even *MORE* granular.

i don't think that changes much in the context of this discussion, though. you think that so long as the technical details are right (which apparently they weren't by your own metric) that the conclusions of articles like mr. perlow's don't matter. i've been observing the security domain for over 20 years, i've seen how things like that can corrupt a message, and how that corruption can lead people to think and act in ways that are detrimental to their security. those choices of words *do* matter - except maybe they don't matter to you, since, after all, your interests are not necessarily the same as those of the pool of your potential customers.

----------------------------------------------------------------------
Anonymous (signed Tal), 2013-05-22T15:20:13.797-04:00

Kurt,

You're being pretty hostile, so I'm going to make one final attempt to explain the difference between, say, sandboxie and micro-virtualization.

I understand the desire to put what we do into the same hat as sandboxie. But we actually do spin up VMs, but they are copy-on-write VMs. Among our innovations is the use of a hypervisor that creates copy-on-write VMs which we call micro-VMs on a user task by user task basis. These VMs don't contain anything until the user begins to be active inside of them. They are hardware isolated - we use VT - to ensure that each micro-virtualized task does not share any privileged resources or data with any other task, but has everything it needs in order to reach its logical conclusion.

As primers, I suggest reading this blog:
http://blogs.bromium.com/2013/04/24/micro-virtualization-for-the-security-architect-2-of-2-isolation-%e2%89%a0-protection/

As well as my responses here:
http://security.stackexchange.com/a/23747

Best,
Tal

----------------------------------------------------------------------
kurt wismer (https://www.blogger.com/profile/03810635947269551517), 2013-05-22T15:50:32.863-04:00

oh for crying out loud. i'm not comparing bromium to sandboxie. i'm simply pointing out that i've seen copy-on-write before in other types of products.

you folks may have been the first to apply copy-on-write to the particular kind of virtualization you're doing, but the general concept predates you.

as for VMs, i think we're going to have to agree to disagree on what constitutes a '*virtual*' *machine*.

and thanks for the links. i will get to them in good time.