Motegrity
Motegrity Trusted Client Prototype
ACCOMPLISHMENTS: Incubation of Motegrity at Tallwood VC 2007-2008
- Identified lack of security and trust as barriers to the adoption of client/server computing and the delivery of web services and developed a technology and business concept (a “Trusted Virtualization Platform”) to address the problem
- Recruited a team to prototype the product
- Worked closely with early customers such as Credit Suisse
- Licensed Type-1 (“on-the-metal”) hypervisor from Trango
- Demonstrated working prototype on ARM-9 based endpoint prototyping system that used the Qtopia UI
DETAILS
Motegrity was a security startup incubated within Tallwood VC that grew out of an internal initiative in 2006 created by Tallwood’s founder and managing general partner, Dado Banatao, to examine issues facing the delivery of web services to mobile internet endpoints. I identified security problems as a major impediment to delivery of those services, and proposed a software centric (rather than semiconductor centric) solution – and somewhat to my surprise Tallwood agreed to incubate Motegrity.
Security was a huge problem then, and it has become a significantly bigger problem since, with a ~$140B security product market (now 1/3 the size of the total WW semiconductor market) attempting to address $500B in estimated cybercrime damages (as of 2017). There seems to be no end in sight to the increases in cybercrime, with no approaches that fundamentally address security at a systemic level.
Motegrity’s goal was to address a chunk of the problem by creating a trusted environment for client/server computing. Everyone is (or certainly should be) nervous about performing transactions over the web to some server requiring the disclosure of personal information or access to accounts. How do you know your device has not been hacked? How do you know the channel over the internet between your device and the service is secure? How do you know the service or agents you are interacting with in the cloud are secure? Today you don’t know. Motegrity was an attempt to provide security assurances and control to the user for at least the client/server aspect of their daily digital lives. And the security infrastructure necessary to enable this capability would have provided a broader set of security benefits.
Motegrity’s product vision could also be seen as an approach to extending the power and capability of mobile internet endpoints by enabling secure trusted virtualized resources – which led to the platform name TVP (Trusted Virtualization Platform). The process of building a TVP is conceptually fairly straightforward – first the client device must be placed in a secure and trustworthy state, then a virtual machine (VM) on a server is launched by the client that can be verified as trustworthy so that the user can spawn useful agents on that VM. As part of this process both the client and server VM must mutually attest to authenticate each other across an untrustworthy internet communications channel.
The TVP approach leverages the presence of a hardware Root-of-Trust in the system (ideally in both endpoints). The best available Root-of-Trust in 2007 was the Trusted Platform Module (TPM) chip that was just starting to appear in laptops. The system is systematically booted into a trusted state using the TPM to measure the state of the system after each step in the boot-up process and verify its correctness against signatures previously stored in the TPM. The TPM acts as a slave resource to the software starting with the BIOS, and assumes that the BIOS has not been rootkitted and the reference signatures stored in the TPM were measured on the system when it was in a trusted state. [This has since been shown to be a bad assumption: BIOS/UEFI hacks are many, and it was thought then that the TPM itself was secure, which has since also been shown not to be the case.] Once the system has been booted into a trusted state, a VM can be launched on the server, and ideally that VM is created in a similar manner on a server (at the request of the client), where the server has been booted using a similar trusted boot process. The client and the launched VM then mutually attest each other using a standard multi-step cryptographic authentication protocol.
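The measured-boot chain and attestation check described above can be sketched as follows. This is an added example, not Motegrity's code: it models the TPM 1.2 extend operation, and it assumes a shared-key HMAC as a stand-in for the TPM's signed quote; the stage names, key and function names are constructed for illustration. The same check would run in each direction for mutual attestation.

```python
import hashlib
import hmac
import os

PCR_INIT = bytes(20)  # TPM 1.2 PCRs reset to 20 zero bytes
# Constructed sample boot stages (placeholders for real firmware/OS images).
GOOD_BOOT = [b"bios-v1", b"bootloader-v1", b"hypervisor-v1", b"kernel-v1"]
TAMPERED_BOOT = [b"bios-v1", b"bootloader-EVIL", b"hypervisor-v1", b"kernel-v1"]
KEY = b"constructed-demo-key"  # assumption: stands in for the attestation key


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(stages) -> bytes:
    """Fold every boot stage, in order, into one PCR value."""
    pcr = PCR_INIT
    for image in stages:
        pcr = extend(pcr, image)
    return pcr


def quote(key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """Stand-in for a TPM quote: MAC over the PCR and the verifier's nonce."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()


def verify_quote(key, reference_pcr, nonce, reported_pcr, tag) -> bool:
    """Accept only an authentic, fresh quote whose PCR equals the reference."""
    expected = hmac.new(key, reported_pcr + nonce, hashlib.sha256).digest()
    authentic = hmac.compare_digest(expected, tag)
    trusted_state = hmac.compare_digest(reported_pcr, reference_pcr)
    return authentic and trusted_state


def attest(stages, reference_pcr: bytes, key: bytes) -> bool:
    """One direction of attestation: challenge, measure, quote, verify."""
    nonce = os.urandom(16)  # fresh challenge defeats replay of an old quote
    pcr = measure_boot(stages)
    return verify_quote(key, reference_pcr, nonce, pcr, quote(key, pcr, nonce))
```

Because each extend hashes the previous PCR value, a change to any stage, or to the order of stages, changes the final value. The check is only as good as the reference measurement and the first measuring stage, which is the BIOS assumption noted above.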
I built a small team to prototype the system in mid 2007, with Brent Haines and Jithendra Bethur leading the development charge and Rao Cherukuri providing expert advice as a consultant. Ken Baylor, who during that period was CISO for Symantec and CSO for Nuance, was actively helping the company and attending customer and investor meetings. Rajesh Gupta, a professor at UCSD and advisor to Tallwood at the time, also assisted in the formation of the effort. We also had a couple of strong contributors agree to be on the Technical Advisory Board, including Chris Swan, Head of Security R&D for Credit Suisse, and Dr Andreas Schmidt, a trusted computing and mobile security expert from the Fraunhofer Institute.
Once a system is booted, however, it is vulnerable to standard low level exploits such as rootkits, and in order to improve security after boot a lightweight Type-1 “on the metal” hypervisor is highly desirable, and Motegrity incorporated such a hypervisor into its model. The hypervisor sits underneath the OS, provides strong isolation between apps (or VMs) hosted by the OS, and provides protection against rootkits or other exploits that can be prevented or mitigated by insulating the OS from direct access to the system hardware. The TVP software stack therefore consisted of a lightweight Type-1 “on the metal” hypervisor to provide isolation, with a Linux OS layered on top of that, with multiple VMs then hosted by the OS.
After an extensive survey we selected what we considered to be the best security focused lightweight (entirely cache resident) Type-1 hypervisor available, which was from a small French startup called Trango. We obtained a license from Trango and built a prototype using an Arcom Zeus embedded Linux prototyping kit used to prototype mobile products with the Qtopia core windowing system running on Linux. A photo of the prototype hardware used by the team is shown on the left.
Motegrity saw strong interest from customers – such as Credit Suisse – who really cared about mobile device security (at that time the focus was laptops as smartphones were in their infancy). Some examples of customer support for the system can be found in the slide show below. We felt the product value proposition and “consumability” would be increased if Motegrity integrated the hypervisor into the product, and we entertained the idea of potentially “mashing up” Trango and Motegrity to create a more vertically integrated offering. To that end two of Tallwood’s partners, Dado and Luis Arzubi, met the Trango CEO on a trip in Paris in March 2008, where they argued that Trango’s current business model would not support building a big enough company to create a standard around which they could maintain the control they sought. In mid 2008 we began licensing discussions with Trango, as Motegrity’s needs did not fit into the standard licensing model Trango had been using at that time. Trango’s model was a “per CPU chipset” license model, which did not match up with Motegrity’s model of a horizontal platform that would span a wide range of endpoints and CPU chipsets.
Licensing discussions with Trango dragged on and in early November 2008 they ended with the announcement that VMware had acquired Trango to form the basis of their Mobile Virtualization Platform (MVP) offering. While disappointing to Motegrity, it was straightforward for us to move to the Xen hypervisor.
Unfortunately, by December of 2008, after unsuccessfully attempting to bring in new investors for an A round, Motegrity shut down. It was not at all helpful that our most enthusiastic early adopters were dragged down by the global financial crisis in the summer and fall of 2008. By this time Motegrity had a demo running on the ARM-9 platform using Trango, and a demo on a Lenovo laptop running the Vista OS on top of the Xen hypervisor. Both demos used the TPM as the hardware root-of-trust. The patent that was generated by Motegrity (the cover page of which is in the slide show on this website’s home page and can be downloaded from this page) has since been acquired by another company in the security space.
The slider below contains a few slides from Motegrity’s funding pitch. The first slide shows how we used different color schemes in the user interface to signal to the user the trust level of the VM or the application.
I remain passionate about cyber security – in particular that a disruptive bottoms-up systemic approach is needed to address the dire situation in the market.
TAKEAWAYS:
- Motegrity was a good idea but in the wrong place at the wrong time (too early). It was primarily an execution play – and was ultimately based on the premise of the security of the TPM chip and the BIOS – neither of which has proven to be a good bet. To facilitate market adoption I also believed we needed to integrate the approach with a lightweight Type-1 on-the-metal Hypervisor and we engaged in discussions with Trango to try and achieve that – but Trango was acquired by VMware. However, Motegrity instilled in me a passion for seeking solutions to today’s pressing cyber-security crisis.
RESOURCES: