How Bitdefender HVI protects virtual browsers

Aug 28, 2017 | 7 min read

The Bitdefender Hypervisor Introspection (HVI) tool sits below the hypervisor and stops the common browser-compromise tactics, such as buffer overflows, heap sprays, code injection and API hooking, from executing, so the virtual browser never becomes compromised.

One of hackers’ preferred methods to compromise systems is through web browsers. Even most phishing e-mails direct users, through their browser, to surf over to a compromised site where malware begins its exploit. There are other methods of attack, but using the browser is one of the most effective because it provides a privileged window into a target system, or into a system that can later be used to launch attacks deeper into a connected network.

Recently, attacks against browsers have gotten even more efficient and insidious, utilizing memory attacks and avoiding the file systems that many antivirus programs monitor. Various associated browser plug-ins and extensions can also be exploited, or could be the basis of the attack itself.

The ubiquitous nature of web browsers, with every conceivable type of device having at least one, makes them especially difficult to manage, and IT teams struggle to ensure that thousands or even millions of systems and devices under their purview have the latest updates and patches. And that may not even slow down an advanced, targeted attack.

The concept of a virtual browser came into fashion a few years ago. The idea was that if organizations are creating virtual machines to become everything from desktop clients to file servers, why not do the same for browsers? If a virtual browser became compromised, then it could simply be destroyed and replaced with a new, clean version.

This was often accomplished by installing agents on client systems or hosting browsers in the cloud. While they met with a degree of success, virtual browsers were often resource intensive, severely limited user choice, and still occasionally provided attackers with a path back into core systems.

How Bitdefender HVI works

The Bitdefender Hypervisor Introspection (HVI) tool aims to fix those problems, providing complete browser security from an on-premises solution. It works by pairing Bitdefender for inspection with Citrix XenApp together with Citrix XenServer. The only caveat is that organizations need to be running Citrix server for it to work, so will need to acquire that component if they don’t already have it. However, if they already have licenses for Citrix, then the network is completely ready for Bitdefender’s HVI.

The configuration of Bitdefender HVI isn’t too complicated from a network perspective. First, all browser functionality is centralized in a XenApp site running on XenServer. User machines are set so that the default browser is the one, or ones, hosted in the XenApp site. So, when a user launches Chrome, for example, they are running it on the server in a virtual instance, but are otherwise not restricted in what they can do. This adds a tiny, mostly unnoticeable delay in browser activity of about 0.25 seconds. Users won’t notice.

That alone would not be real protection, though, because the virtual browser could still be compromised; the infected browser would simply be running under XenApp instead of on a local machine. That is where Bitdefender HVI comes in. There are, in fact, a limited number of ways that attackers can compromise a browser. The most popular are buffer overflows, followed by heap sprays, code injection and API hooking. The attacker uses these to breach the boundary between user space and the kernel, which lets them compromise a system. Bitdefender HVI sits below the hypervisor and prevents any of these tactics from executing, protecting the virtual browser from ever becoming compromised.

Bitdefender HVI only works with Citrix because XenServer includes a unique new security feature called Direct Inspect APIs, which enables third party security companies to leverage memory introspection techniques from a hypervisor layer. That is what Bitdefender does, and is how it easily recognizes any attempt to compromise the user space or elevate privileges into the kernel level. And it does this while remaining separate from the guest operating systems, much like the hypervisor itself, so it can’t be touched or compromised directly by malware.

Testing Bitdefender HVI

To test this out, several virtual instances of Windows were configured. Some had their browsers protected using Bitdefender HVI while others were left as standard installations. For the basis of the attack, a compromised website was created and loaded up with all the tools needed to exploit whatever browser came by to look. For added realism, a small phishing e-mail was sent in with a link to the site.

[Image: Bitdefender split screen. Credit: John Breeden/IDG]

Here we see the most common way that attacks are launched, with a spear phishing e-mail tempting users to click on a link to a compromised website. The exploit launcher is on the right to show the attack in split screen.

Predictably, on the unprotected machine, the browser was quickly compromised, which in turn was used to launch malware and steal credentials. In less than a minute, full control of the machine was lost to the attackers.

[Image: Hacker gains control. Credit: John Breeden/IDG]

Having used a browser exploit, the hacker on the right side of the screen gains full control and is able to add or remove files at will from the server, including the little text note on the left.

Trying again, the same e-mail went to the machine protected by Bitdefender HVI. This time, however, the browser exploit was blocked. In fact, nothing bad happened on the test machine at all. That did not mean the attack attempt went unnoticed, though.

[Image: Bitdefender attack fail. Credit: John Breeden/IDG]

The same attack technique fails when Bitdefender HVI is in place. The browser exploit is detected and killed remotely, never touching the actual asset.

Bitdefender comes with a console called GravityZone that records everything happening with Bitdefender HVI. An alert was generated by GravityZone even though the attack was completely unsuccessful. Looking at the log, it was easy to see that the compromised website had attempted an API hooking attack against a non-executable zone protected by the direct inspection API feature of Bitdefender. It was denied, but every aspect of the attack attempt was logged.

GravityZone gives quite a lot of information, enough to provide valuable threat intelligence even though the attacks it records are probably going to be unsuccessful. Even so, administrators could use this information to provide supplemental security, such as adjusting firewall rules to block known compromised sites, or warning users about specific phishing e-mail campaigns targeting the organization.
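To make the mechanism concrete, here is an added illustrative model (not Bitdefender’s code and not the Citrix Direct Inspect API) of what a hypervisor-level introspection monitor does: it lives outside the guest, receives memory accesses the hypervisor has trapped, classifies them as the tactics named above (API hooking as a write to a code page, shellcode as execution from a non-executable page, privilege escalation as user-mode access to kernel memory), denies them, and turns the alert log into a site blocklist of the kind the GravityZone paragraph suggests. Page names, URLs and the idea that the console can attach the visited URL to each alert are assumptions.

```python
"""Toy model of hypervisor-level memory introspection (illustrative, not vendor code).
The guest's memory is a set of pages with permissions; the hypervisor traps
accesses that violate them and hands each to a monitor that runs outside the guest."""
from dataclasses import dataclass


@dataclass
class Page:
    name: str            # constructed label, e.g. "browser.text"
    kernel: bool         # True for kernel-space pages
    read: bool = True
    write: bool = False
    execute: bool = False


@dataclass
class Alert:
    technique: str
    page: str
    source_url: str      # assumption: the console correlates the visited site
    action: str = "denied"


class IntrospectionMonitor:
    """Runs below the guest, so guest-resident malware cannot tamper with it."""

    def __init__(self, pages):
        self.pages = {p.name: p for p in pages}
        self.alerts = []

    def on_access(self, page_name, access, from_kernel, source_url):
        """Called on a trapped access ('read', 'write' or 'execute'); True = allow."""
        page = self.pages[page_name]
        technique = None
        if page.kernel and not from_kernel:
            technique = "privilege_escalation"   # user space touching kernel memory
        elif access == "write" and page.execute and not page.write:
            technique = "api_hooking"            # patching a code page in place
        elif access == "execute" and not page.execute:
            technique = "shellcode_execution"    # payload running from heap/stack
        if technique is None:
            return True                          # legitimate access, no alert
        self.alerts.append(Alert(technique, page_name, source_url))
        return False


def blocklist_from_alerts(alerts):
    """Deduplicated list of sites to block at the firewall, derived from the log."""
    return sorted({a.source_url for a in alerts})


# Constructed guest layout: browser code page, browser heap, and a kernel code page.
GUEST = [Page("browser.text", kernel=False, execute=True),
         Page("browser.heap", kernel=False, write=True),
         Page("kernel.text", kernel=True, execute=True)]
```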

[Image: Bitdefender GravityZone console. Credit: John Breeden/IDG]

In addition to preventing attacks from executing, the GravityZone administration component of Bitdefender logs all attacks to help defenders learn about the tools, tactics and techniques being used by attackers.

Pricing for Bitdefender HVI is a yearly subscription model based on the number of CPUs used by the infrastructure host. There can be an unlimited number of users. Organizations must also have or acquire the enterprise version of Citrix XenServer that enables the Direct Inspect API process to execute.

Bitdefender HVI is pretty groundbreaking, able to implement remote browser functionality and security without installing anything, even agents, on client systems. It is dependent for now on the Citrix backbone, though once other VM providers see how well Bitdefender can protect vulnerable but critical browsers, it would be surprising if they didn’t also start to implement some form of direct inspect API scanning as well.