Quoting from Security Focus dot com
In this three page article, Federico Biancuzzi interviews Eyal Dotan, who has developed application-level virtualization software that protects Windows hosts from malware. They discuss the architecture, advantages of this design, performance, and how this method could be applied to servers running Windows or be ported to other OSes.
Could you introduce yourself?
Eyal Dotan: I am the founder and CTO of Trustware, the company behind BufferZone. BufferZone is a family of application-level security products that utilize virtualization software to secure personal computers [editor's note: a freeware version is available for single apps]. Trustware has recently been nominated one of the 10 hot start-ups of 2006 by Microsoft.
In my spare time, I am also in charge of Windows Security studies at EPITECH (European Institute of Technology, France).
What is BufferZone? We'll keep it to "BZ" for the rest of the interview, as we're most interested in the technology behind it.
Eyal Dotan: BZ allows users to run unknown, dangerous programs and malware without harming the system.
The general idea is that programs running in our virtual BZ can see the hard-disk files and registry, but whatever they write back is virtualized: redirected elsewhere ("write" includes: rename, create, delete, or modify). For example, if a program running in BZ modifies the registry, then these changes will only be seen by programs running in BZ. Windows itself will not see any modification.
So, if you run some malware code or a vulnerable software application in the BZ, it will "think" it attacked the system (and will see its own virtual modifications), while in fact the real file system and registry remain unchanged. On the other hand, if you install legitimate software in the BZ, it will work properly and can be used continuously without any change in behavior. BZ's file and registry modifications are persistent; in other words, whatever you install in BZ remains there until you decide to remove it or empty the BZ (which simply means removing the virtual application's "deltas").
...
Could you describe the architecture you designed in more detail?
Eyal Dotan: Virtualization is done through a kernel module. A Windows Service instructs the kernel module on what policies to implement. In the corporate version, policy rules come from a BZ Server. In standalone versions, these policies come from the GUI Administration interface which the user can use to alter the pre-configured settings in the limited number of scenarios where that might be necessary.
...
Would this approach be portable to other platforms such as MacOS X or GNU/Linux?
Eyal Dotan: Since the approach requires development of kernel-level technology, the actual implementation is OS-dependent. However, the general approach is very much OS-independent as all major commercial operating systems have facilities that would allow our approach to work. That said, Trustware is currently focused on Windows where the vast majority of the issues we are addressing currently reside.
...
So every application that runs via BZ will have a separate registry? What happens if the original registry is updated? Do you merge those changes?
Eyal Dotan: Applications running in BZ don't have a different registry:
- All applications within a given BZ share the same virtual registry and real registry as necessary.
- Remember that BZ registry and files are "copy-on-write" -- meaning that only modified keys are copied into BZ registry.
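The copy-on-write behaviour described above (reads pass through to the real registry and files, every create/modify/rename/delete lands in a private delta layer, all programs in the zone share one delta, and emptying the zone just drops the deltas) can be modelled in a few dozen lines. The following Python is an added illustration written for this post; it is not BufferZone code and says nothing about how Trustware's kernel module is actually implemented. The registry keys and values are constructed sample data, and the "real" store is a plain dict standing in for the host's registry.

```python
"""Toy model of copy-on-write (overlay) virtualization of a registry-like store.

The base layer stands for the real registry or file system: the sandbox may
read it but never writes to it. Every write from inside the sandbox (create,
modify, rename, delete) is recorded in a per-zone delta layer. Programs inside
the zone see base + delta merged; programs outside see only the base.
Emptying the zone means discarding the delta. (Constructed example, not the
product's own implementation.)
"""
from __future__ import annotations

_TOMBSTONE = object()  # marks a key as deleted inside the zone only


class CowOverlay:
    def __init__(self, base: dict[str, str]):
        self._base = base                    # the real (trusted) store, never written
        self._delta: dict[str, object] = {}  # zone-private changes, shared by all zone programs

    # --- what a program inside the zone sees -----------------------------
    def read(self, key: str) -> str | None:
        if key in self._delta:                      # delta wins over base
            v = self._delta[key]
            return None if v is _TOMBSTONE else v  # deleted-in-zone looks absent
        return self._base.get(key)                  # untouched keys read through

    def write(self, key: str, value: str) -> None:
        self._delta[key] = value                    # create or modify, redirected to delta

    def delete(self, key: str) -> bool:
        if self.read(key) is None:
            return False
        self._delta[key] = _TOMBSTONE               # hide the key; base copy stays intact
        return True

    def rename(self, src: str, dst: str) -> bool:
        v = self.read(src)
        if v is None:
            return False
        self._delta[dst] = v                        # new name appears in the zone...
        self._delta[src] = _TOMBSTONE               # ...old name disappears in the zone only
        return True

    def sandbox_view(self) -> dict[str, str]:
        merged = dict(self._base)
        for k, v in self._delta.items():
            if v is _TOMBSTONE:
                merged.pop(k, None)
            else:
                merged[k] = v
        return merged

    # --- what the trusted host sees --------------------------------------
    def real_view(self) -> dict[str, str]:
        return dict(self._base)                     # always identical to the original

    def changed_keys(self) -> set[str]:
        return set(self._delta)                     # only modified keys were copied

    def empty(self) -> None:
        self._delta.clear()                         # "empty the zone": drop the deltas


# Constructed sample registry; key names are illustrative, not real IoCs.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
REAL_REGISTRY: dict[str, str] = {
    RUN_KEY + r"\Updater": "updater.exe",
    r"HKCU\Software\Example\Setting": "1",
    r"HKCU\Software\Example\Name": "Example Corp",
}


def run_scenario() -> CowOverlay:
    """An untrusted program in the zone tries to persist and tamper with settings."""
    bz = CowOverlay(REAL_REGISTRY)
    bz.write(RUN_KEY + r"\Dropper", "dropper.exe")              # create: new autorun entry
    bz.write(r"HKCU\Software\Example\Setting", "0")             # modify: existing value
    bz.delete(RUN_KEY + r"\Updater")                            # delete: existing key
    bz.rename(r"HKCU\Software\Example\Name",
              r"HKCU\Software\Example\Renamed")                 # rename: tombstone + copy
    return bz


if __name__ == "__main__":
    zone = run_scenario()
    print("inside the zone :", zone.sandbox_view())
    print("real registry   :", zone.real_view())
    print("keys in delta   :", sorted(zone.changed_keys()))
    zone.empty()
    print("after emptying  :", zone.sandbox_view() == zone.real_view())
```

Running it shows the point the interview makes: the program inside the zone sees its new Run entry, its changed setting and the missing Updater key, while `real_view()` is byte-for-byte the original. Only the four touched keys live in the delta, and `empty()` returns the zone's view to the real registry in one step.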
What happens if two applications need to interact?
Eyal Dotan: When both applications are in BZ there are no issues. If one is inside and one is outside, BZ will prevent inter-process communication in order to ensure no security problems are injected into the trusted system. We create advanced settings for allowing certain trusted programs to communicate with BZ programs.
I invite you to read the entire interview, here.