CN100403212C - System and method for implementing operation system separation - Google Patents


Info

Publication number: CN100403212C
Authority: CN (China)
Prior art keywords: module, operation system, child, disk, parent
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CNB2005100933870A
Other languages: Chinese (zh)
Other versions: CN1920731A (en)
Inventors: 张兴明, 梁金千
Current assignee: NANTONG JINGXI INFORMATION TECHNOLOGY Co.,Ltd.
Original assignee: BEIJING STARSOFT COMMUNICATION Co Ltd
Application filed by BEIJING STARSOFT COMMUNICATION Co Ltd
Priority to CNB2005100933870A (CN100403212C) and PCT/CN2006/001928 (WO2007022686A1)
Publication of CN1920731A; application granted; publication of CN100403212C


Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52  Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53  Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention relates to a system and method for isolating operating systems. The system comprises a parent operating system module; at least one child operating system module, which holds the modifications the user makes to the parent operating system module; a system isolation module; and an external memory access control module, which records the disk space of the parent and child operating system modules. The system isolation module boots and/or creates child operating system modules according to user commands, designates and/or modifies the exclusive disk space and the free disk space of the parent and child operating system modules, and monitors the read and write accesses of the parent and child operating system modules to the disk. The invention can build different operating system environments without occupying additional disk space, isolates the operating systems from one another, reduces system redundancy, increases security and reliability, and protects the user's information in the different child operating system modules.

Description

A system and method for implementing operating system isolation
Technical field
The present invention relates to a system and method for implementing operating system isolation, in particular to a system and method for creating, within one operating system, running environments whose storage space is completely isolated, and belongs to the fields of computer operating systems and computer security.
Background technology
The computer operating system is the most important system in a computer: it manages the computer hardware and provides the running environment for all application software. The reliability and security of the operating system are therefore very important.
Today, more and more applications are deployed in a single operating system environment, which makes the user's computing environment very complicated and increasingly difficult to manage and maintain. More importantly, at a time when viruses and spyware run rampant, such a complicated computing environment undoubtedly leaves the various computer security technologies full of loopholes, or even renders them practically ineffective.
For home users: the computer plays an ever more important role in family life, and users run all kinds of applications on it, such as games, entertainment, watching films online, processing images and video, and even electronic commerce over the network. Installing all of these applications in a single operating system environment makes the application environment extremely complicated and directly causes the system to become overloaded and unstable, with frequent crashes and data loss. Although several operating systems can be installed on one computer to serve the different applications, this in turn causes management complexity and wastes computing resources. On the other hand, home users generally lack knowledge and experience of computer maintenance and security, which leaves the home computer exposed on the network without any protection and frequently subject to virus and hacker attacks; when a user plays games or surfs the net for entertainment on a computer infected by viruses and spyware, the user will suffer hacker attacks that lead to the leakage of personal privacy. Even more seriously, using such an environment for electronic commerce over the network gives hackers the opportunity to steal bank account numbers. In addition, it is common for a home computer to serve several purposes. Current operating systems support multi-user functionality, but this functionality cannot truly isolate the software environments and data environments of different users: once one user's environment is damaged, the direct consequence is the collapse of the whole computer operating system environment. In short, what home users need most is a computer in which multiple applications and multiple users are isolated from one another and which has a certain self-defence capability, so that computer maintenance is simplified and computer security improved.
For enterprise computer users: to maintain competitiveness in the market, the enterprise IT department must satisfy the ever-growing demand for advanced information technology and IT services at all times, while controlling the frequency of computer failures, reducing maintenance cost and impact, and continuously improving the security of company information, so as to reduce the total cost of ownership (TCO) of the IT infrastructure. This places higher demands on the manageability and security of computers. In the enterprise IT environment, the applications deployed in a single computer environment are becoming ever more complex, which directly reduces the stability and reliability of the computer, so that the frequency of computer failures keeps rising and causes serious consequences for the IT operating cost. On the other hand, the enterprise needs to isolate its IT applications from employees' private environments, so as to prevent leakage of company information and improve the security of the enterprise IT system.
For government computer users: given the particular concern for IT security in government departments, isolating the intranet from the external network is a basic requirement of IT applications. At present, government departments realize the isolation of intranet and external network by giving each person two computers or by using hardware isolation, thereby ensuring the security of government information systems. Either approach, however, requires a higher IT investment, increases the difficulty and complexity of IT management, and lacks good application scalability.
For computer users in education: in the education sector, IT administrators need to frequently deploy new operating systems and software to computers to meet different teaching purposes. In addition, the software systems of the computers are often damaged, and the IT administrator needs to repair the operating system and application environment quickly so as not to affect teaching. This greatly increases the complexity and difficulty of computer management and places high demands on its efficiency.
In summary, in IT applications the manageability, maintainability and security of computers cause huge time and financial costs for computer consumers and enterprises, and the prior art has deficiencies both in solving computer security and reliability and in protecting user privacy. Therefore, a technical solution is needed that can install application software with different purposes in mutually isolated operating system environments, so as to ensure the security and reliability of the application software, protect the safety of user data and privacy by means of those mutually isolated operating system environments, and do so without occupying extra disk space or noticeably changing the efficiency of the computer.
Summary of the invention
The object of the invention is to isolate a single operating system so as to create different operating system environments whose application environments are completely isolated, to install the required application software in the different operating system environments, and to protect the user's information in the different operating system environments; the user can select the appropriate operating system environment according to the purpose of the operation, thereby increasing the reliability and security of the operating system and the application software.
To achieve the above object, the invention provides a system for implementing operating system isolation, comprising:
a parent operating system module, which comprises the kernel of an operating system, namely the software program that provides the basic functions essential to a complete operating system, and which performs read access to its own exclusive disk space and to the free disk space;
at least one child operating system module, which comprises any modification information the user makes to the parent operating system module, interacts with the parent operating system module, performs read access to the exclusive disk space of the parent operating system module, and performs read and write access to its own exclusive disk space and to the free disk space;
a system isolation module, which interacts with the parent operating system module and is used to boot and/or create child operating system modules according to user instructions and to designate and/or modify the exclusive disk space and free disk space of the parent and child operating system modules; the system isolation module also interacts with each of the parent and child operating system modules and is used to monitor their read and write accesses to the disk;
an external memory access control module, which interacts with the system isolation module and records the exclusive disk space of the parent and child operating system modules.
To achieve the above object, the invention also provides a method for implementing operating system isolation, comprising the following steps:
Step 1: the system isolation module monitors the read and write accesses of the current child operating system module to the disk;
Step 2: if the access is a read access, the system isolation module returns the data in the exclusive disk space of the parent operating system module and/or the current child operating system module according to the records of the external memory access control module;
Step 3: if the access is a write access, the system isolation module writes the data into the exclusive disk space or the free disk space of the current child operating system module according to the records of the external memory access control module, and updates the records of the external memory access control module.
The invention therefore has the following advantages:
1. Using the system and method of the invention for operating system isolation, mutually isolated child operating system modules can be created on the basis of a single operating system without occupying additional disk space, and the user can choose among them flexibly;
2. Using the system and method of the invention, application software can be installed in a targeted way according to the purpose for which each child operating system module was created, which reduces the amount of application software in each operating environment, reduces system redundancy, and increases the security and reliability of the system;
3. Using the system and method of the invention, the unsafe factors of one child operating system module cannot affect other child operating system modules, which increases the security and reliability of the system;
4. Using the system and method of the invention, the user's information under the different child operating system modules can be protected.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Description of drawings
Fig. 1 is a structural diagram of the system for implementing operating system isolation according to the invention;
Fig. 2 is a schematic diagram of the external memory access control module in the system for implementing operating system isolation according to the invention;
Fig. 3 is a schematic diagram of embodiment 1 of the system for implementing operating system isolation according to the invention, based on a conventional computer architecture;
Fig. 4 is a flow chart of the system isolation module monitoring and intercepting disk I/O accesses in the system for implementing operating system isolation according to the invention;
Fig. 5 is a schematic diagram of embodiment 2 of the system for implementing operating system isolation according to the invention, based on a virtual machine computer architecture;
Fig. 6 is a schematic diagram of another embodiment of the system for implementing operating system isolation according to the invention, based on a virtual machine computer architecture;
Fig. 7 is a schematic diagram of the disk space allocation in the system for implementing operating system isolation according to the invention.
Embodiment
Embodiment 1 of the system for implementing operating system isolation according to the invention:
Referring to Fig. 1, the system comprises a parent operating system module 1, child operating system modules 21 and 22, a system isolation module 3 and an external memory access control module 4.
Parent operating system module 1 may comprise only an operating system kernel that performs the most basic functions; the operating system kernel is the software program that provides the basic functions essential to the operating system. This kernel may be the kernel of Linux, Unix or Windows; Windows is used as the example in this embodiment.
Parent operating system module 1 may also comprise software programs other than the kernel, that is, application programs in addition to the operating system kernel, so that it provides both the basic functions essential to the operating system and other functions the user has selected. For example, if the administrator decides that Office software should be available in all operating environments, the Office software can be installed in parent operating system module 1.
There may be one or more child operating system modules, each comprising any modification information made to parent operating system module 1. This embodiment uses two as an example. Child operating system module 21 consists of the Office software, translation software and calculation software programs installed on top of parent operating system module 1, with IE blocked; together with parent operating system module 1 it forms a complete office operating system environment that can perform word processing and data calculation but cannot access the network. Child operating system module 22 consists of the games software and multimedia software installed on top of parent operating system module 1, and together with parent operating system module 1 forms a complete entertainment operating system environment that can play games, view video files, go online and so on.
Child operating system modules 21 and 22 each interact with parent operating system module 1 and can perform read access to the data in the exclusive disk space of parent operating system module 1. Child operating system modules 21 and 22 each have their own exclusive disk space and can perform read and write access to that exclusive disk space and to the free disk space.
System isolation module 3 monitors the read and write accesses of parent operating system module 1 and child operating system modules 21 and 22 to the disk, and intercepts all write accesses to the exclusive disk space of parent operating system module 1.
As shown in Fig. 2, external memory access control module 4 is located in the disk space of the hard disk storage and is made up of several files. It comprises: disk bitmap file 41 of parent operating system module 1, disk bitmap file 4211 of child operating system module 21, disk bitmap file 4221 of child operating system module 22, index file 4212 of child operating system module 21 and index file 4222 of child operating system module 22.
Fig. 3 is a schematic diagram of the system based on a conventional computer architecture, under which the computer system can run only one operating system at a time. Its structure is as follows: the lowest layer is the computer hardware, comprising the CPU, hard disk, memory, graphics card, I/O interfaces and so on. Under this architecture, system isolation module 3 can be placed in the computer's basic input/output system (BIOS) or in its extensible firmware interface (EFI), or it can be placed inside or outside the kernel of parent operating system module 1.
In this embodiment 1, system isolation module 3 is placed within the kernel of parent operating system module 1. Before designating parent operating system module 1, the user must first install an operating system on the computer (Windows in this embodiment 1). The user can then configure this operating system as required, for example by installing and configuring hardware drivers, configuring the network address and adjusting the Windows desktop resolution. At the same time some application software can be installed as required, such as antivirus software and a personal firewall, since these programs are needed in every child operating system module. In addition, the user must install system isolation module 3 into the above operating system kernel; in embodiment 1 of the invention, system isolation module 3 is installed into the kernel as an operating system driver. After the above preparations are completed, the user can designate the above operating system as parent operating system module 1 through system isolation module 3. Once parent operating system module 1 has been designated, system isolation module 3 creates parent operating system disk bitmap file 41 for it in external memory access control module 4. From then on, system isolation module 3 monitors and intercepts all read and write accesses to the disk and does not allow any program or system to overwrite the programs and data in parent operating system module 1.
Parent operating system disk bitmap file 41 records the state of the disk storage blocks of parent operating system module 1 and is used to identify the exclusive disk space of parent operating system module 1 on the disk. For example, if a given block unit on the disk (a given sector, if the sector is taken as the unit) holds valid data of parent operating system module 1, the corresponding mark in parent operating system disk bitmap file 41 is 1; otherwise it is 0.
After the user has designated parent operating system module 1 through system isolation module 3, child operating system modules 21 and 22 can be created as required through the interaction of system isolation module 3 and parent operating system module 1. At the same time, system isolation module 3 creates child operating system disk bitmap files 4211 and 4221 for child operating system modules 21 and 22 respectively in external memory access control module 4, and creates child operating system index files 4212 and 4222 for child operating system modules 21 and 22 respectively in external memory access control module 4.
Child operating system disk bitmap files 4211 and 4221 record the state of the disk storage blocks of child operating system modules 21 and 22 and are used to identify the exclusive disk space of child operating system modules 21 and 22 on the disk. For example, if a given block unit on the disk (a given sector, if the sector is taken as the unit) holds valid data of child operating system module 21, the corresponding mark in child operating system disk bitmap file 4221 is 1; otherwise it is 0.
Child operating system index files 4212 and 4222 identify all the data that has been relocated by system isolation module 3: the address the data is called from, its storage address after relocation, and the correspondence between the two. For example, when the operator rewrites the graphics card driver of parent operating system module 1 in the work environment, system isolation module 3 obviously intercepts the operation, and the data at address A0 of the graphics card driver in parent operating system module 1 cannot be changed; yet what the operator in the work environment sees is that the graphics card driver has been changed. This is because system isolation module 3 stores the rewritten driver at address A1 in the exclusive disk space or free disk space of child operating system module 21, and records in the index file this actual storage address A1 together with the address A0 from which the rewritten driver is called. When the computer starts and loads child operating system module 21, system isolation module 3 checks the index file and reads the data at address A1 instead of the data at A0; therefore, in the work environment formed by child operating system module 21, the effect is that the graphics card driver in parent operating system module 1 has been changed.
After child operating system modules 21 and 22 have been created, the user can choose to start any one of them at boot time according to their needs. Depending on where system isolation module 3 is placed, its boot order relative to parent operating system module 1 also differs:
When system isolation module 3 is placed in the BIOS or EFI, it starts before parent operating system module 1, and the boot sequence is: system isolation module 3 starts immediately after the computer hardware and prompts the user to select which operating system environment to enter; for example, the operator selects the entertainment environment. System isolation module 3 then boots parent operating system module 1 and, once parent operating system module 1 has finished booting, loads child operating system module 22, thereby forming the complete entertainment operating system environment for the user.
When system isolation module 3 is placed inside or outside the kernel of parent operating system module 1, it starts together with parent operating system module 1, and the boot sequence is: the computer hardware starts; parent operating system module 1 starts together with system isolation module 3 and prompts the user to select which operating system environment to enter; for example, the operator selects the work environment, whereupon system isolation module 3 loads child operating system module 21 to form the complete office operating system environment.
After the computer starts, parent operating system module 1 and system isolation module 3 are loaded and run according to the different cases above. At the same time, system isolation module 3 loads the designated child operating system module 21 or 22 according to the user's selection. The user can then install software, modify configuration, edit files and so on in the currently loaded parent operating system module 1 and child operating system module 21 or 22. In every case, however, system isolation module 3 continuously monitors read and write access to the disk: every disk read or write is intercepted by system isolation module 3 and handled according to the situation, so as to implement the isolation of the operating systems.
System isolation module 3 continuously monitors the read and write accesses of the parent and child operating system modules to the disk, as shown in Fig. 4. If it finds a disk read access, system isolation module 3 first obtains the target address A0 of the read from the caller of the read access; it then uses target address A0 to query the child operating system index file 4212 or 4222 of the currently running child operating system module 21 or 22. If the A0 position in child operating system index file 4212 or 4222 has a corresponding index address A1, system isolation module 3 reads the data from disk address A1 and returns it to the caller; otherwise, system isolation module 3 reads the data from disk address A0 and returns it to the caller.
If system isolation module 3 finds a disk write access, it first obtains the target address B0 of the write from the caller of the write access; it then uses target address B0 to query the child operating system index file 4212 or 4222 of the currently running child operating system module 21 or 22. If the B0 position in child operating system index file 4212 or 4222 has a corresponding index address B1, system isolation module 3 writes the data to position B1 and completes the write access. Otherwise, system isolation module 3 writes the data into the free disk space, at storage address B2; at the same time, it records storage address B2 at the position indicated by B0 in child operating system index file 4212 or 4222 of child operating system module 21 or 22, and marks the position indicated by B2 in child operating system disk bitmap file 4211 or 4221 of the currently running child operating system module 21 or 22 as 1, indicating that the data at that position belongs to child operating system module 21 or 22. System isolation module 3 then completes the write access.
When the user chooses to start any child operating system module, the interaction of system isolation module 3 with the external memory access control module guarantees that the user cannot see the data in the exclusive disk space of other child operating system modules on the disk. For example, if the user chooses to start child operating system module 21, system isolation module 3 calls parent operating system disk bitmap file 41, child operating system disk bitmap file 4211 and child operating system index file 4212 from the external memory access control module. Consequently, parent operating system module 1 can only see and read the contents of its own exclusive disk space, and child operating system module 21 can only see the exclusive disk space of parent operating system module 1, its own exclusive disk space and the free disk space, but cannot see the exclusive disk space of the other child operating system modules; moreover, through the interception function of system isolation module 3, child operating system module 21 cannot write data into the exclusive disk space of parent operating system module 1 or into the exclusive disk space of the other child operating system modules. By the above principle, therefore, it is guaranteed that parent operating system module 1 cannot be modified and that the child operating system modules are isolated from one another, which finally realizes the isolation of the operating systems.
In addition, the exclusive disk space of child operating system module 21 or 22 can change. For example, when child operating system module 21 performs a write access and data is written to free disk space address A3, system isolation module 3 marks the corresponding position in child operating system disk bitmap file 4211, and this free disk space becomes part of the exclusive disk space of child operating system module 21. When child operating system module 22 performs a write access and data is written to free disk space A4, system isolation module 3 marks the corresponding position in child operating system disk bitmap file 4221, and this free disk space becomes part of the exclusive disk space of child operating system module 22; when child operating system module 21 is started, the data in disk space A4 cannot be read, so the data at disk space A4 is invisible to child operating system module 21.
As long as the computer's disk space allows, the number of child operating system modules is unlimited.
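As an added illustration (not code from the patent or its assignee), the following Python model simulates the read and write interception described for Fig. 4 on a toy in-memory disk: a parent bitmap (file 41), per-child bitmaps (4211/4221) and per-child index files (4212/4222), with children identified by constructed names and the disk contents constructed for the scenario. It goes slightly beyond the text by also raising an error when the free disk space is exhausted, which the patent does not discuss.

```python
from dataclasses import dataclass, field
from typing import Dict, List


class DiskFull(Exception):
    """Raised when a redirected write finds no free disk space left (assumption)."""


@dataclass
class AccessControl:
    """Model of the external memory access control module (4)."""
    parent_bitmap: List[int]                                              # bitmap file 41
    child_bitmap: Dict[str, List[int]] = field(default_factory=dict)      # 4211 / 4221
    child_index: Dict[str, Dict[int, int]] = field(default_factory=dict)  # 4212 / 4222


class IsolationModule:
    """Model of the system isolation module (3): every disk access of the running
    child goes through read()/write(), which consult the bitmaps and the child's
    index file as steps 2 and 3 of the method describe."""

    def __init__(self, disk: List[bytes], parent_blocks: List[int]) -> None:
        self.disk = disk                        # one entry per block (sector)
        bitmap = [0] * len(disk)
        for b in parent_blocks:
            bitmap[b] = 1                       # parent's exclusive disk space
        self.acl = AccessControl(parent_bitmap=bitmap)

    def create_child(self, cid: str) -> None:
        """Create the empty bitmap file and index file for a new child module."""
        self.acl.child_bitmap[cid] = [0] * len(self.disk)
        self.acl.child_index[cid] = {}

    def _is_free(self, b: int) -> bool:
        if self.acl.parent_bitmap[b]:
            return False
        return not any(bm[b] for bm in self.acl.child_bitmap.values())

    def _alloc_free(self) -> int:
        """First block owned by neither the parent nor any child."""
        for b in range(len(self.disk)):
            if self._is_free(b):
                return b
        raise DiskFull("no free disk space for redirected write")

    def read(self, cid: str, a0: int) -> bytes:
        """Step 2: a read of target address A0 by child `cid`."""
        index = self.acl.child_index[cid]
        if a0 in index:                         # child rewrote A0 earlier: serve A1
            return self.disk[index[a0]]
        if self.acl.parent_bitmap[a0] or self.acl.child_bitmap[cid][a0]:
            return self.disk[a0]                # parent's or own exclusive space
        return b""                              # other children's blocks stay invisible

    def write(self, cid: str, b0: int, data: bytes) -> int:
        """Step 3: a write to target address B0 by child `cid`; returns the block hit."""
        index = self.acl.child_index[cid]
        if b0 in index:                         # B0 already redirected: write B1 in place
            self.disk[index[b0]] = data
            return index[b0]
        if self.acl.child_bitmap[cid][b0]:      # B0 lies inside the child's own space
            self.disk[b0] = data
            return b0
        b2 = self._alloc_free()                 # otherwise copy into free space B2,
        self.disk[b2] = data                    # never touching the parent's block
        index[b0] = b2                          # index file: B0 -> B2
        self.acl.child_bitmap[cid][b2] = 1      # B2 now belongs to this child
        return b2


def demo() -> dict:
    """Constructed scenario: blocks 0-3 hold the parent (block 1 is its graphics
    driver); two children each 'rewrite' the driver at A0 = 1."""
    disk = [b"kernel0", b"vga-driver-v1", b"kernel2", b"kernel3"] + [b""] * 4
    iso = IsolationModule(disk, parent_blocks=[0, 1, 2, 3])
    iso.create_child("office")
    iso.create_child("games")
    a1_office = iso.write("office", 1, b"vga-driver-v2")   # lands in a free block
    a1_games = iso.write("games", 1, b"vga-driver-v3")
    iso.write("office", 1, b"vga-driver-v2b")              # second write hits the index
    return {
        "office_sees": iso.read("office", 1),
        "games_sees": iso.read("games", 1),
        "parent_block1": disk[1],                           # parent data untouched
        "office_redirect": a1_office,
        "games_redirect": a1_games,
        "office_cross_read": iso.read("office", a1_games),  # other child's block
        "office_index": dict(iso.acl.child_index["office"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```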
Embodiment 2 of the system for implementing operating system isolation according to the invention:
Referring to Fig. 5, a schematic diagram of embodiment 2 of the invention, operating system isolation is implemented under a virtual machine architecture. In a computer architecture supporting virtual machine technology, the virtual machine management module (Virtual Machine Manager, abbreviated VMM) is the most central part of the virtual machine technology: it runs beneath all other operating systems and allocates and coordinates system resources for the operating systems running on top of it. VMware from VMware Inc., Virtual PC from Microsoft and Xen from XenSource are examples of software supporting virtual machine technology. Under the VMM, two or more operating systems can run simultaneously on the same computer system. The present embodiment takes a single parent operating system module 1 as an example, where the parent operating system module 1 has, under the guidance of the system isolation module 3, established two child operating system modules 21 and 22.
The system isolation module 3 is located in the VMM and starts together with it. The boot sequence is: the computer hardware starts; the VMM and the system isolation module 3 start; the parent operating system module 1 starts; one or more of the child operating system modules 21 and 22 start according to the user's selection.
Located in the VMM, the system isolation module 3 can monitor and intercept all read and write operations of the parent and child operating system modules on the disk and, by interacting with the external memory access control module, implement operating system isolation.
Embodiment 3 of the system for implementing operating system isolation according to the invention:
Referring to Fig. 6, a schematic diagram of another embodiment implementing operating system isolation under a virtual machine architecture. An MOS module or service operating system module 5 (called the secondary operating system module) is provided in the virtual machine system. It runs concurrently with the parent operating system module 1 (also called the main operating system module) or before it, monitors the state of the parent operating system module 1, and provides the disk access interface for the parent and child operating system modules.
The system isolation module 3 is located inside or outside the kernel of the secondary operating system module. The boot sequence is: the computer hardware starts; the VMM starts; the secondary operating system module and the system isolation module start; the parent operating system module starts; one or more of the child operating system modules 21 and 22 start according to the user's selection.
In embodiments 2 and 3 there may be more than one parent operating system module 1; for example, a Windows kernel and a Linux kernel can be installed on the same computer system, each constituting a parent operating system module 1. Under a non-virtual-machine architecture only one parent operating system module runs at a time, i.e. either Windows or Linux; under a virtual machine architecture at least one parent operating system module runs at a time, i.e. the Windows kernel and the Linux kernel can run simultaneously. Similarly, under a non-virtual-machine architecture only one child operating system module runs at a time, i.e. either child operating system module 21 or child operating system module 22; under a virtual machine architecture at least one child operating system module runs at a time, i.e. child operating system modules 21 and 22 can run simultaneously.
Multiple parent operating system modules are set up independently of one another; the exclusive disk space of each parent operating system module is designated by the system isolation module and recorded in the external memory access control module.
Embodiment 4 of the system for implementing operating system isolation according to the invention:
Referring to Fig. 7, a shared disk region can be set up on the disk. Through the system isolation module the user can specify whether a child operating system module may access the shared disk region, for example allowing one child operating system module to access it while denying access to another. The user can also specify the access mode of each child operating system module to the shared disk region, for example read-only access for some child operating system modules and read/write access for others. In some cases the user needs to exchange data between two or more child operating system modules through the shared disk region.
Embodiment 5 of the system for implementing operating system isolation according to the invention:
The system for implementing operating system isolation further comprises second-generation child operating system modules, established under the guidance of the system isolation module on the basis of a first-generation child operating system module. For example, on the basis of a child operating system module for an entertainment environment, the user can create several second-generation child operating system modules and install a different game in each. A second-generation child operating system module, its first-generation child operating system module and the parent operating system module together form a complete operating system specific to one game environment, and the other games are not visible inside that game environment.
Once a child operating system module has been used to establish a second-generation child operating system module, its exclusive disk space is immediately set to non-rewritable by the system isolation module.
Because the environments formed by different child operating system modules are mutually invisible, i.e. isolated, operating system environments that are confidential to one another can be built. For example, a home user can create, on the basis of one parent operating system module, a child operating system module for each family member on one computer, forming separate operating environments; a family member working in his or her own environment cannot affect other members' data at all and cannot freely access the files and data in other members' environments, which protects each family member's privacy.
Alternatively, government and enterprise users can completely separate a work environment from a private environment on the basis of one parent operating system module, and achieve automatic management and control of network isolation, network security and similar aspects of the work environment. A child operating system module with very high security can be created and dedicated to online transactions and online financial transactions, so that the user does not have to transact in other, less secure system environments but in a child operating system module created specifically for online transactions. Embodiment 8 of the invention is a specific embodiment of the method for implementing operating system isolation.
Embodiment 1 of the method for implementing operating system isolation according to the invention: after the parent operating system module is installed, the system isolation module is installed; the system isolation module creates the disk bitmap files and index files and uses them to monitor disk reads and writes. The steps are as follows:
Step 11: the system isolation module creates the disk bitmap file of the parent operating system module in the external memory access control module, identifying the exclusive disk space of the parent operating system module; this disk bitmap file cannot be changed;
Step 12: the system isolation module guides the establishment of one or more child operating system modules and creates, in the external memory access control module, a disk bitmap file and an index file for each child operating system module; the disk bitmap file identifies the exclusive disk space of the child operating system module, and the index file records, for all data redirected (dumped) by the system isolation module, the call address, the storage address after redirection and the correspondence between the two; initially the disk bitmap file and the index file are empty;
Step 13: the system isolation module identifies the free disk space from the above disk bitmap files; the free disk space is the disk space outside the exclusive disk space identified in the disk bitmap file of the parent operating system module and the disk bitmap files of the child operating system modules.
The system isolation module monitors disk reads and writes; in particular it monitors the read and write operations of the current child operating system module on the disk. For a read access, the system isolation module returns, according to the records of the external memory access control module, the data in the exclusive disk space of the parent operating system module and/or of the current child operating system module. For a write access, the system isolation module writes the data, according to the records of the external memory access control module, into the exclusive disk space of the current child operating system module or into free disk space, and updates the records of the external memory access control module. The specific steps are as follows (see the flowchart):
Step 101: the system isolation module monitors the read and write operations of the current child operating system module on the disk;
Step 102: the system isolation module determines whether the operation is a read access or a write access; for a read access, go to step 103; otherwise go to step 107;
Step 103: the system isolation module extracts the call address A0 of the disk read operation initiated by the currently running child operating system module;
Step 104: the system isolation module queries the index file of the current child operating system module by the call address A0; if the index file records the call address A0 together with a storage address A1 corresponding to it, go to step 105; otherwise the requested data is located at the call address itself, go to step 106;
Step 105: the system isolation module reads the data from storage address A1 and returns it to the current child operating system module, completing the read access;
Step 106: the system isolation module reads the data from the call address and returns it to the current child operating system module, completing the read access.
Step 107: the system isolation module extracts the call address B0 of the disk write operation initiated by the currently running child operating system module;
Step 108: the system isolation module queries the index file of the current child operating system module by the call address B0; if the index file records the call address B0 together with a storage address B1 corresponding to it, go to step 109; otherwise go to step 110;
Step 109: the system isolation module writes the data to storage address B1, completing the write access;
Step 110: the system isolation module writes the data into free disk space, and the address written to is the storage address; at the same time, the system isolation module records this storage address at the entry for this call address in the index file of the child operating system module, and marks the position corresponding to this storage address in the disk bitmap file of the currently running child operating system module as occupied by data, completing the write access.
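The read and write paths of steps 101-110 (the same steps are claimed in claims 8-11), the bitmaps and free-space rule of steps 11-13, the visibility rules of embodiment 1, the shared disk region of embodiment 4 and the frozen first-generation layer of embodiment 5 are modelled together in the following added example. It is illustrative code written for this page, not the patent's implementation: the 16-block disk, the block contents, the layer names c21, c22 and g1, the "ro"/"rw" modes for the shared region, and the choice that a second-generation child also consults its first-generation layer's index are assumptions.

```python
# Added example, not code from the patent: an executable model of the disk
# isolation scheme.  Parent blocks are immutable; each child layer keeps a disk
# bitmap (its exclusive blocks) and an index (call address -> storage address)
# and has writes redirected into free blocks as in steps 101-110.  Assumed
# here: a second-generation child also consults its first-generation layer's
# index; the shared region carries per-child "ro"/"rw" modes (embodiment 4).
# Block contents, layer names and the 16-block disk are constructed.
from dataclasses import dataclass, field

BLANK = b""  # what free space and other children's blocks read as in this model


class IsolationError(PermissionError):
    """Raised when the isolation module intercepts a forbidden access."""


@dataclass
class Layer:
    name: str
    parent: "Layer | None"
    bitmap: set = field(default_factory=set)   # exclusive blocks (disk bitmap file)
    index: dict = field(default_factory=dict)  # call address -> storage address (index file)
    frozen: bool = False                       # set once a next-generation child exists


class IsolatedDisk:
    def __init__(self, nblocks, parent_image, shared_blocks=()):
        self.data = [BLANK] * nblocks
        self.shared, self.shared_acl = set(shared_blocks), {}  # acl: name -> "ro" | "rw"
        parent = Layer("parent", None)
        for addr, payload in parent_image.items():  # laid down before isolation is installed
            self.data[addr] = payload
            parent.bitmap.add(addr)
        self.layers = {"parent": parent}

    def free_blocks(self):  # step 13: everything not in a bitmap and not shared
        used = set(self.shared).union(*(lyr.bitmap for lyr in self.layers.values()))
        return [b for b in range(len(self.data)) if b not in used]

    def create_child(self, name, on="parent"):
        base = self.layers[on]
        if base.parent is not None:  # a next-generation child freezes its first-generation layer
            base.frozen = True
        self.layers[name] = Layer(name, base)
        return self.layers[name]

    @staticmethod
    def _chain(layer):  # the layer, its parent layer, ... up to the parent OS
        while layer is not None:
            yield layer
            layer = layer.parent

    def read(self, who, addr):  # steps 103-106
        layer = self.layers[who]
        if addr in self.shared:
            if who not in self.shared_acl:
                raise IsolationError(f"{who} may not access the shared region")
            return self.data[addr]
        for anc in self._chain(layer):  # step 104: look the call address up in the index
            if addr in anc.index:
                return self.data[anc.index[addr]]  # step 105: read the redirected copy
        if addr in set().union(*(a.bitmap for a in self._chain(layer))):
            return self.data[addr]  # step 106: data really sits at the call address
        return BLANK  # another child's exclusive block, or free space: invisible

    def write(self, who, addr, payload):  # steps 107-110, returns the storage address
        layer = self.layers[who]
        if layer.parent is None:
            raise IsolationError("parent space is read-only once isolation is active")
        if layer.frozen:
            raise IsolationError(f"{who} is frozen by its next-generation child")
        if addr in self.shared:
            if self.shared_acl.get(who) != "rw":
                raise IsolationError(f"{who} has no write access to the shared region")
            self.data[addr] = payload
            return addr
        if addr in layer.index:  # steps 108-109: already redirected once
            dst = layer.index[addr]
        else:  # step 110: redirect into free space and record it
            free = self.free_blocks()
            if not free:
                raise OSError("no free disk space")
            dst = addr if addr in free else free[0]
            layer.index[addr] = dst
            layer.bitmap.add(dst)
        self.data[dst] = payload
        return dst


def walkthrough():
    """Two siblings each 'modify' parent block 1; each sees only its own copy."""
    disk = IsolatedDisk(16, {0: b"kernel", 1: b"config"}, shared_blocks={15})
    disk.shared_acl.update({"c21": "rw", "c22": "ro"})
    disk.create_child("c21")
    disk.create_child("c22")
    a3 = disk.write("c21", 1, b"c21-config")
    a4 = disk.write("c22", 1, b"c22-config")
    disk.write("c21", 15, b"handoff")  # data exchange through the shared region
    return {"parent": disk.read("parent", 1), "c21": disk.read("c21", 1),
            "c22": disk.read("c22", 1), "c21_reads_a4": disk.read("c21", a4),
            "c22_reads_shared": disk.read("c22", 15), "storage": (a3, a4)}
```

In walkthrough() the parent still reads its original block 1 after both children have "overwritten" it, the two copies land in different free blocks, and c21 reading c22's storage block gets the blank that stands in for "invisible" (the description does not say whether a real module answers such a read with zeros or an error). The guarantee holds only while every disk access actually passes through the isolation module, which is why the claims place it in the BIOS/EFI, in the kernel, or in the VMM beneath the guests.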
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the specific embodiments of the invention may still be modified, or some of their technical features replaced by equivalents, without departing from the spirit of the technical solution of the invention, and that all such modifications fall within the scope of the technical solution claimed by the invention.

Claims (11)

1. A system for implementing operating system isolation, characterized by comprising:
a parent operating system module, which comprises the kernel of an operating system, i.e. the software program providing the basic functions essential to a complete operating system, and performs read access to its own exclusive disk space and to free disk space;
at least one child operating system module, which comprises any modification information made by the user to said parent operating system module, interacts with said parent operating system module and performs read access to the exclusive disk space of said parent operating system module, and performs read and write access to its own exclusive disk space and to free disk space;
a system isolation module, which interacts with said parent operating system module and is used to guide and/or establish child operating system modules according to user instructions and to designate and/or modify the exclusive disk space and free disk space of said parent/child operating system modules; said system isolation module also interacts with each of said parent/child operating system modules and is used to monitor the read and write operations of said parent/child operating system modules on the disk;
an external memory access control module, which interacts with said system isolation module and records the exclusive disk space of said parent/child operating system modules.
2. The system for implementing operating system isolation according to claim 1, characterized in that said parent operating system module is one or more; a plurality of said parent operating system modules are set up independently of one another, and the exclusive disk space of each parent operating system module is designated by said system isolation module and recorded in said external memory access control module.
3. The system for implementing operating system isolation according to claim 1, characterized in that said system isolation module is located in the BIOS or EFI and starts before said parent operating system module.
4. The system for implementing operating system isolation according to claim 1, characterized in that said system isolation module is located inside and/or outside the kernel of said parent operating system module and starts together with said parent operating system module.
5. The system for implementing operating system isolation according to claim 1, characterized in that a virtual machine management module is further provided, which runs before said parent/child operating system modules; said system isolation module is located in the virtual machine management module and starts together with it.
6. The system for implementing operating system isolation according to claim 1, characterized in that said system is further provided with an MOS module or service operating system module, which runs concurrently with said parent/child operating system modules or before them and provides the disk access interface for said parent/child operating system modules; said system isolation module is located inside and/or outside the kernel of said MOS module or service operating system module.
7. The system for implementing operating system isolation according to claim 1, characterized in that said external memory access control module comprises:
a parent operating system disk bitmap file, used to record the disk storage block state of said parent operating system module and to identify the exclusive disk space of said parent operating system module on the disk;
a child operating system disk bitmap file, used to record the disk storage block state of said child operating system module and to identify the exclusive disk space of said child operating system module on the disk;
a child operating system index file, used to identify, for all data redirected by said system isolation module, the call address, the storage address after redirection and the correspondence between the two.
8. A method for implementing operating system isolation using the system for implementing operating system isolation according to any one of claims 1-7, characterized by comprising the steps of:
Step 1: the system isolation module monitors the read and write operations of the current child operating system module on the disk;
Step 2: for a read access, the system isolation module returns, according to the records of the external memory access control module, the data in the exclusive disk space of the parent operating system module and/or of the current child operating system module;
Step 3: for a write access, the system isolation module writes the data, according to the records of the external memory access control module, into the exclusive disk space of the current child operating system module or into free disk space, and updates the records of the external memory access control module.
9. The method for implementing operating system isolation according to claim 8, characterized by further comprising, before said step 1, the steps of:
Step 11: the system isolation module creates, in the external memory access control module, the unchangeable parent operating system disk bitmap file, identifying the exclusive disk space of said parent operating system module;
Step 12: the system isolation module guides the establishment of one or more child operating system modules and creates, in the external memory access control module, a corresponding child operating system disk bitmap file and index file for each child operating system module; said child operating system disk bitmap file identifies the exclusive disk space of said child operating system module, and said index file identifies, for all data redirected by said system isolation module, the call address, the storage address after redirection and the correspondence between the two;
Step 13: the system isolation module identifies the free disk space from said parent operating system disk bitmap file and said child operating system disk bitmap files, the free disk space being the disk space outside the exclusive disk space identified in the disk bitmap file of said parent operating system module and the disk bitmap files of the child operating system modules.
10. The method for implementing operating system isolation according to claim 8, characterized in that said step 2 specifically comprises:
Step 201: the system isolation module extracts the call address of the disk read operation initiated by the currently running child operating system module;
Step 202: the system isolation module queries the index file of the current child operating system module by the call address;
Step 203: if the entry for this call address in the index file records a storage address corresponding to this call address, said system isolation module reads the data from the storage address and returns it to the current child operating system module;
Step 204: if the entry for this call address in the index file is empty, the data requested by this operation is located at the call address itself, and said system isolation module reads the data from the call address and returns it to the current child operating system module.
11. The method for implementing operating system isolation according to claim 8, characterized in that said step 3 specifically comprises:
Step 301: the system isolation module extracts the call address of the disk write operation initiated by the currently running child operating system module;
Step 302: the system isolation module queries the index file of the current child operating system module by the call address;
Step 303: if the entry for this call address in the index file records a storage address corresponding to this call address, the system isolation module writes the data to that storage address;
Step 304: if the entry for this call address in the index file is empty, the system isolation module writes the data into free disk space, the address written to being the storage address; at the same time, the system isolation module records this storage address at the entry for this call address in the index file of said child operating system module, and marks the position corresponding to this storage address in the disk bitmap file of the currently running child operating system module as occupied by data.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNB2005100933870A CN100403212C (en) 2005-08-23 2005-08-23 System and method for implementing operation system separation
PCT/CN2006/001928 WO2007022686A1 (en) 2005-08-23 2006-08-01 System and method for isolating operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100933870A CN100403212C (en) 2005-08-23 2005-08-23 System and method for implementing operation system separation

Publications (2)

Publication Number Publication Date
CN1920731A CN1920731A (en) 2007-02-28
CN100403212C true CN100403212C (en) 2008-07-16

Family

ID=37771220

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100933870A Active CN100403212C (en) 2005-08-23 2005-08-23 System and method for implementing operation system separation

Country Status (2)

Country Link
CN (1) CN100403212C (en)
WO (1) WO2007022686A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101770390B (en) * 2008-12-29 2013-05-01 北京联想软件有限公司 Display isolation method of computer and operation systems
CN104573498A (en) * 2015-01-16 2015-04-29 梁庆生 Method and equipment capable of protecting operating system from Trojan and virus attack
CN105205668B (en) * 2015-09-16 2019-10-11 宇龙计算机通信科技(深圳)有限公司 The management method of electronic account, the management system of electronic account and terminal
CN106502675A (en) * 2016-10-27 2017-03-15 铭软件股份有限公司 A kind of method for managing the multiple operating system on same computer
CN109235719B (en) * 2018-09-20 2021-12-14 普天智能照明研究院有限公司 Operation method of mounting module combination
WO2023077519A1 (en) * 2021-11-08 2023-05-11 华为技术有限公司 Storage device supporting multiple operation systems, and configuration method and computer system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1508697A (en) * 2002-12-16 2004-06-30 联想(北京)有限公司 Method and apparatus for realizing protection of computer operation system in hard disk
US20040205203A1 (en) * 2003-03-24 2004-10-14 Marcus Peinado Enforcing isolation among plural operating systems
WO2005027402A1 (en) * 2003-09-05 2005-03-24 Copeland Scott R Personal computer internet security system
US20050182922A1 (en) * 2004-02-18 2005-08-18 International Business Machines Corporation Computer systems with several operating systems coexisting thereon and swapping between these operating systems

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI223774B (en) * 2003-07-18 2004-11-11 Mitac Technology Corp Selectable booting operation method by the bios with the multi-partition in the disk
US7558911B2 (en) * 2003-12-18 2009-07-07 Intel Corporation Maintaining disk cache coherency in multiple operating system environment

Also Published As

Publication number Publication date
CN1920731A (en) 2007-02-28
WO2007022686A1 (en) 2007-03-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200914

Address after: Room 13143, building 21 (22), No. 1692 Xinghu Avenue, Nantong Development Zone, Jiangsu Province 226000

Patentee after: NANTONG JINGXI INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 100085, Beijing, Haidian District on the road No. 1, No. 3, block A

Patentee before: Star Softcomm Pte. Ltd.