Bromium aims to isolate tasks rather than walling off PCs

21.06.2012

The Micro-VM provides only the resources that the task needs, such as a spreadsheet or a Facebook cookie file. "The world that is presented to a Micro-VM is precisely what it needs to know," Crosby said. The untrusted code doesn't have access to any of the other applications or files on the system, nor to the core elements of the OS. If it needs to modify any part of the OS in order to run, the Microvisor copies that component inside the Micro-VM. The OS itself is never changed.

By keeping untrusted code away from the system as a whole, Bromium can shrink the attack surface that attackers have to work with, Crosby said. This cuts down on the lines of code where they could look for vulnerabilities to exploit. Whereas an OS may be 100 million lines of code, the Bromium Microvisor has only 100,000 lines, and the "vulnerability face" between a Micro-VM and the overall system is only 10,000 lines, he said.
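The two properties described above, a Micro-VM that sees only the resources its task needs and a copy-on-write view of OS components so the host is never modified, can be modelled in a few lines. The following is an added toy model written for this page, not Bromium code, and everything in it (the host modelled as a dict of path to bytes, the allow-list, the overlay, the sample paths and contents) is a constructed assumption.

```python
"""Toy model of per-task isolation with copy-on-write (added example, not Bromium code).

Assumptions: the host OS is a dict of path -> bytes; a MicroVM receives an explicit
allow-list of the paths its task needs and a private overlay for any modification.
Reads of paths outside the allow-list are refused; writes never reach the host.
"""
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when the task touches a resource that was not presented to its Micro-VM."""


@dataclass
class HostOS:
    # Constructed sample host state: two OS components and a few user files.
    files: dict = field(default_factory=lambda: {
        "/os/kernel.bin": b"KERNEL-ORIGINAL",
        "/os/hosts": b"127.0.0.1 localhost",
        "/home/alice/budget.xlsx": b"SPREADSHEET-DATA",
        "/home/alice/cookies/facebook.txt": b"fb-session",
        "/home/alice/secrets.txt": b"TOP-SECRET",
    })


@dataclass
class MicroVM:
    host: HostOS
    allowed: frozenset          # "the world presented to the Micro-VM"
    overlay: dict = field(default_factory=dict)  # private copies of modified components

    def visible_paths(self):
        """Everything the task can name; nothing else on the host exists from its view."""
        return sorted(self.allowed)

    def read(self, path):
        if path not in self.allowed:
            raise AccessDenied(path)
        # A modified component is served from the private copy, otherwise from the host.
        return self.overlay.get(path, self.host.files[path])

    def write(self, path, data):
        if path not in self.allowed:
            raise AccessDenied(path)
        self.overlay[path] = data   # copy-on-write: the host's copy is left untouched

    def discard(self):
        """Ending the task throws the overlay away; the host needs no clean-up."""
        self.overlay.clear()


def run_untrusted_task(host=None):
    """Simulate an untrusted task (say, a web session) that rewrites the OS hosts file
    and then tries to read another file it was never given. Returns what the task saw,
    what the host still holds, and whether the out-of-scope read was refused."""
    host = host or HostOS()
    before = dict(host.files)   # snapshot to prove the host is unchanged afterwards
    vm = MicroVM(host, allowed=frozenset({"/os/hosts",
                                          "/home/alice/cookies/facebook.txt"}))
    vm.write("/os/hosts", b"TAMPERED")          # modification lands in the overlay only
    try:
        vm.read("/home/alice/secrets.txt")
        secret_read_denied = False
    except AccessDenied:
        secret_read_denied = True
    result = {
        "visible": vm.visible_paths(),
        "vm_sees": vm.read("/os/hosts"),
        "host_keeps": host.files["/os/hosts"],
        "secret_read_denied": secret_read_denied,
        "host_unchanged": host.files == before,
    }
    vm.discard()
    return result


if __name__ == "__main__":
    for key, value in run_untrusted_task().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in the article: the task's world is exactly its allow-list, and a write that would otherwise alter an OS component is absorbed by a private copy inside the Micro-VM, so the host is identical before and after the task runs.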

Crosby, a former Citrix and XenSource executive, introduced Bromium in stealth mode at last year's Structure conference and used this year's event to lay out some details of its technology. The Silicon Valley company plans to start by offering its technology for client systems in public-sector organizations and other enterprises that are regulated, such as law firms, Crosby said in an interview following his presentation. The technology can run on any x86-based system and could be applied to servers, too, he said. When the ARM chip architecture gains hardware virtualization capability around the end of this year, Bromium might be able to move there, too, according to Crosby. That would open up most of the mobile device world.

The IDG News Service