Browser Security Technology Uses Virtualization to Protect PCs

Invincea is looking to protect enterprise endpoints from Web-based malware by moving Internet Explorer into a virtual environment.

A security company is going to market with a plan to bring virtualization to the browser to bolster security against Web-based threats.

Arguing that firewalls and antivirus software fail to adequately protect enterprises, Invincea's strategy is to move Internet Explorer "into a virtual environment in a manner that is transparent to users," the company said Sept. 13. Invincea Browser Protection runs the browser "non-natively as a virtual appliance on the user's desktop."

"Most attacks take advantage of browser vulnerabilities to implant software in the OS. In IBP this happens in a virtual OS that is disposed of after use," said Anup Ghosh, chief scientist at Invincea.

Any changes made by malware-including to the file system, system libraries/DLLs, registry and memory-are made in a virtual environment and not the host, Ghosh explained. Users can download files to a specific directory shared with the host OS, he said, and the "directory is non-executable and malware cannot install or run software on the host OS."

Adding to the company's virtualization approach is behavioral malware detection. Arming the browser with low-level sensors, IBP starts in the exact same state down to the bit level on start-up.

"Since the state is the same on each start-unlike your desktop, for instance-our behavioral sensors monitor for changes to this state during operation," Ghosh said. "If, for instance, a heap spray attack against the browser is used to run code in the browser stack that in turn launches a command shell or forks a new process, our sensors detect this abnormal behavior for the browser and will call a foul.

"At this point, the corrupted browser environment is disposed [of] (file system and memory) while a new clean instance of the browser environment is brought back," he continued. "Meanwhile, detailed cyber-forensics about the infection event are recorded and sent to a database including the source of the infection, its system changes it made and where it reached out to on the network."

"Originally funded by the Defense Advanced Research Projects Agency (DARPA) to build a prototype of a virtualized Web browsing solution," the Invincea release said, the company "then developed its patent-pending technology with George Mason University's Center for Secure Information Systems. Today, Invincea is venture-backed" and it released its first version of IBP in April.

"The feedback has been positive and we're ready to go to market now ... We have over a dozen deployments of various sizes currently," Ghosh said.

Right now, IBP supports Windows XP and Vista, with Windows 7 support coming soon.