BedRock Active Security™
BedRock Active Security™ enables deep semantic forensics for guest operating systems, containers and applications and does not require their cooperation. Active Security™ – living within the BedRock HyperVisor™ (BHV™) – protects and enforces the behavior of the guest operating systems and applications even within a contested environment. Extending the network-based paradigm of the Zero Trust initiative to the protocol between applications, operating systems and hardware resources, a new level of least privilege and least functionality is being enabled from within the secure virtualization.
With the power of virtual machine introspection, detailed forensics for guest machines, virtual services and hardware resources are unlocked. Deep semantic information supports fine-grained policy lockdown and blocks malicious behavior from the instruction level to the application level. It has become possible to implement cyber-resilient and fail-operational systems without the need to change applications.
Building on top of the Bare Metal Property™ within the BHV™ – which eliminates the lateral movement of threats via VM escapes – BedRock Active Security™ focuses on actively securing and protecting workloads running on BedRocked™ infrastructure.
CONTACT US ABOUT BEDROCK ACTIVE SECURITY™
If you are interested in partnering with BHV and Active Security for Orchestration, Device Management and Policy Management, please contact us to discuss how to enable and expand your customer base on Bedrocked infrastructure.

Deep Semantic Forensics
Active Security™ combines Virtual Machine Introspection, introduced by Tal Garfinkel and Mendel Rosenblum, with a detailed semantic understanding of the guest operating systems being virtualized. Active Security™ understands processes, kernel data structures, container runtimes, memory layout, devices and system call tables. It can do much more than the usual logging of a system, and it can be enhanced to understand applications and alert when they deviate from their intended behavior. While this is already extremely powerful at the virtual machine level, it becomes even more impactful when combined with deep semantic information across guest machines, containers and devices in the network, all of which can be utilized to power your real-time decision process in a critical and/or data-driven environment.
Whitelisting for Applications and Drivers
By understanding the details of how an operating system works, the unmodified guest OS can be enhanced with whitelisting capabilities from within the BedRock Hypervisor™ (BHV™) to ensure that only applications and drivers that should be running on the system are loaded. This key functionality enables you to enhance the basic security of your guest workloads in a brownfield environment without changing or impacting the application or OS logic. Furthermore, the Kernel Hardening technology which Active Security™ leverages can fortify defense mechanisms integrated into the OS, such as whitelisting or application entitlement logic; by BedRocking™ your workloads, you can protect existing attack surfaces within your security infrastructure without changes to the OS.
Kernel Hardening and Integrity Protection
The kernel of every operating system is the number one target for malicious actors, since control of it enables widespread and persistent attacks. BedRock Active Security™ is able to protect kernel data structures and memory areas from misuse and modification without the guest OS being aware of the mediation. Furthermore, as a component running within the hardware abstraction layer provided by the BHV™, Active Security™ can leverage CPU-specific features while concealing them from the guest OS, increasing system security. Using these capabilities, Active Security™ can protect the guest OS from malicious actions and build the fundamental base for a cyber-resilient system.
While our deep semantic understanding of the OS enables this protection without patching the OS, BedRock Active Security™ is designed with the flexibility to also cooperate with OS-level protection mechanisms.
Dynamic Policy for Resources and Services
The BedRock Active Security™ Policy Manager enforces active resilience policies against attacks. Building on the deep semantic information from Virtual Machine Introspection, the Active Security™ Policy Manager can detect certain behaviors and prevent malicious actions from within the hardware abstraction level where Active Security™ is running. Designers and Threat Intelligence staff can now – based on reliable semantic information – design real-time reactions to misbehavior and make systems resilient against attacks. Furthermore, the Active Security™ Policy Manager can also enforce configuration and policy on services such as the Virtual Switch or on hardware resources.
Formal Verification
Building a foundation based on formal verification enables us to define precisely, with a formal model, what a system can do. This model is then matched, through proofs, to the actual code implementing it. If the proofs show that the code satisfies the model, the code is formally verified. Formal verification allows us to establish the correctness of a system to the same degree of confidence that you know that 1 + 1 = 2, eliminating human error. In other words, we have mathematical proof of the BedRock Hypervisor’s effectiveness. At BedRock we are building formal verification at scale by investing in automation.
Minimal Attack Surface
The BedRock Hypervisor combines the best concepts from microkernels, capability-based systems, and modular design for superior performance, security, and isolation. Because it enforces the principle of least authority, BedRock is able to guarantee that most attacks are not possible to begin with. Our secure architecture keeps all critical functions, including Active Security and Policy Enforcement, below the OS-reachable attack surface, thereby fully protecting the OS and its applications.
Security
BedRock Security is enabled without a cooperating operating system or application, eliminating the attack surface of the components. Based on formal verification, the capability-based system ensures resources can only be accessed when explicitly enabled. With this level of security embedded into the BedRock Hypervisor, users can run the software stack from the OS and up without modification beyond their life cycle, while still preventing attacks.
Unmodified Guest OS & Applications
The BedRock Hypervisor is designed to run unmodified guest operating systems without the need to recompile the kernel or any application. Powered by formal methods, the Hypervisor cannot be breached, and, therefore, is not part of the attack vector. The fundamental hardware abstraction layer can leverage hardware features while concealing them from the OS, increasing system security.
No Vendor Lock-In
The BedRock Hypervisor includes a business-friendly open source license. This prevents vendor lock-in, provides freedom of choice, and prohibits intellectual property contamination. Rather than create a dependency, BedRock Systems is committed to community-driven projects and collaboration.
KEY BENEFITS OF BEDROCK’S SECURE TCB
