Qualcomm just announced its latest premium mobile processor, the Snapdragon 888. This 5 nm chip, rumored to be made at a Samsung facility, provides multiple levels of improvement in central processing power, high end graphics that approach the capabilities of a gaming console.
There are also camera improvements that threaten stand-alone DSLR, and AI functions that enhance and protect camera still and video images from “Deep Fakes” while also providing big improvements in AI inference workloads. And, of course, it runs on 5G networks, along with supporting faster Wi-Fi 6 and 6E capability.
One feature that stands out for me seems to be buried in most coverage of the 888 processor and has the potential for dramatically changing the way mobile devices work, as well as enhancing security well beyond where we are today.
Qualcomm has added a Type 1 Hypervisor to the Snapdragon 888. Sometimes also referred to a “bare metal hypervisor,” it connects directly to the processor elements and runs below any OS powering a device. This allows for multiple virtual machines to run simultaneously and fully isolated from each other. Indeed, any issue on one virtual machine, like a malicious attack of even a failing app, has no effect on other virtual machines. This has major implications for future mobile devices.
We have been running virtual machines for a long time on data center servers, in the cloud environment, and even on personal computers. One benefit is that VMs allow for more efficient utilization of the hardware by sharing the load on underutilized systems. The more compelling benefit they provide from a security and privacy perspective is that individual workloads can be totally isolated from each other while running. This creates a barrier that prevents a security problem in one workload from affecting all the other workloads, which is not the case in a typical single instance of an OS device. It also prevents a malfunctioning app to bring down the entire device.
Why should we care about such things in a personal mobile device like a smartphone or a tablet? Increasingly these devices are being used for multiple purposes, the most basic example being for both personal- and work-related apps. Separation and protection from cross contamination, is why so many OSes and mobile device management suites include containers to isolate between the two “personalities” (such as Android for Enterprise). But a hack of the base level OS can still produce a cross-contamination effect and breach all contents on the device.
A hypervisor allows distinct isolation by running an instance of the underlying OS for each independent personality. That means that if I am able to contaminate the OS for the personal side of my device, the enterprise side is still isolated and protected. And if I choose to use the device for multiple people in a shared model, each person can essentially have their own virtual device separated from everyone else by running in a VM specific to that user (which is what cloud providers do with shared computing resources).
But hypervisors, along with the increasing capability of the AI engine in the Snapdragon 888, also have the potential to create a more secure ”enclave” where the device can run an individual program, monitor it for malicious executions, and then shut it down without having any effect on the core systems. This is well beyond the capabilities of the current trusted execution environment common in many chips.
Further, the use of AI along with VMs can take us to the next level of “biometric” security by creating a monitoring environment that knows about us through keystrokes, application preferences, usage patterns, profiles, etc., and can then isolate and/or shut down the operation in that virtual machine based on an assessment of the risk. Finally, think of running a browser accessing many potentially harmful web sites running in a unique virtual machine, that even if opening malicious content, can’t do any harm because it is isolated from the rest of the device.
There are other examples of hypervisors running on ARM based processors (such as BlackBerry QNX Hypervisor), but they are add-ons. This is the first time the actual processor vendor has provided such a capability at the base level of the chip. Of course, there are some limitations as to how many simultaneous virtual machines can be run on the device, based on things like total memory available, interconnect speeds, processor loads and more. Of course, the device manufacturer would have to implement this capability. But being able to run virtual machines on a mobile device is a big leap forward in both security and performance.
Bottom Line: I expect this capability to significantly increase the security and privacy of devices going forward, and along with AI algorithms running alongside the workload isolation, to change the way we think of device security and multiple user personas. While this initial hypervisor capability is available on the high-end Snapdragon 888 device, I expect it to eventually make its way into the mid- and lower-tier devices as well, although at potentially reduced functionality due to processor limitations. Still, the ability to add a Type 1 Hypervisor when designing a new device is a breakthrough capability that both the device OEMs, OS providers (including Android) and the individual application vendors will find very compelling.
Jack Gold is founder and principal analyst at J. Gold Associates, LLC., an information technology analyst firm based in Northborough, Massachusetts. He has more than 25 years of experience as an analyst and covers the many aspects of business and consumer computing and emerging technologies. He works with many companies. Follow Jack on Twitter and on LinkedIn.