CN105335212A - Method for controlling cloud computing mandatory access based on distributed implementation - Google Patents

Method for controlling cloud computing mandatory access based on distributed implementation

Info

Publication number
CN105335212A
Authority
CN
China
Prior art keywords
access control
module
virtual machine
access
cloud computing
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510691631.7A
Other languages
Chinese (zh)
Inventor
曹玲玲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Electronic Information Industry Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2015-10-23
Filing date
2015-10-23
Publication date
2016-02-17
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN201510691631.7A
Publication of CN105335212A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors

Abstract

The invention discloses a cloud computing mandatory access control method based on distributed enforcement. Two functional modules are placed on each computing node: an access control configuration module and an access control execution module. The configuration module runs in the host operating system of each computing node, communicates with the security management module on the cloud control node, and receives its commands to configure and manage the node's access control enforcement mechanism. The execution module runs in the Hypervisor layer, carries out the enforcement itself, and monitors guest virtual machines' access to system resources. Compared with the prior art, the method gives the cloud a more comprehensive and complete view for monitoring the virtual machine creation process, so that the access control mechanism can be configured to protect a virtual machine from the very beginning of its life cycle; it is practical and easy to deploy.

Description

A cloud computing mandatory access control method based on distributed enforcement
Technical field
The present invention relates to the field of computer technology, and specifically to a practical cloud computing mandatory access control method based on distributed enforcement.
Background technology
Cloud computing is a mass-participation computing model built on the internet. Its computing resources (computing power, storage capacity, interaction capability and so on) are all dynamic, virtualized, and provided as services. In this special cloud computing environment, how to guarantee the security of the data stored in the cloud is a major problem facing cloud computing. In addition, another feature of cloud computing, its openness, likewise brings security challenges. The openness is reflected mainly in the openness of the services offered to users and in the openness of the internal interfaces that are called from outside. Under this openness the authentication mechanisms are relatively weak, so a malicious user can enter the cloud computing environment by legitimate means and then attack it to steal the information they want, and a benign cloud computing environment may also be put to improper use by illegitimate users. Therefore, research into an improved mobile internet security technology system, into the mobile internet security problems under the cloud computing application model, and into the key security technologies is of great importance for the secure development of the mobile internet.
The flourishing of the internet has provided more complete means for sharing information resources, but while sharing them an enterprise must also prevent unauthorized users from accessing sensitive enterprise information. The purpose of access control is to protect the security of the enterprise information stored and processed in an information system. Access control can be divided into two broad classes: discretionary access control and mandatory access control.
Discretionary access control means that a user has the right to access the objects (files, data tables, etc.) that the user created, can grant access rights to those objects to other users, and can revoke those rights from the users to whom they were granted.
Mandatory access control means that the system (through a specially appointed system security officer) applies uniform mandatory control to the objects users create, deciding according to prescribed rules which users may perform which kinds of access on which objects; even the creating user may, after creating an object, have no right to access it.
An access control model describes a security system from the perspective of access control and is a method for establishing a security model. The relatively mature access control models at present are mainly object-based access control, task-based access control, and role-based access control.
The biggest difference between cloud virtualization technology and traditional virtualization is precisely that openness brings many different tenants sharing the computing resources, so the probability that the whole virtualization platform or a guest virtual machine is attacked by a malicious user from the inside rises markedly. At present the major security threats faced by cloud virtualization include virtual machine escape. In traditional virtualization, virtual machine escape is mostly discovered and stopped by monitoring. One approach to such a monitoring mechanism is to use the Hypervisor layer provided by the virtual machine environment to monitor the guest virtual machine from outside the environment it runs in. Such a mechanism effectively protects the security component from tampering, has little impact on the monitored environment, is convenient to implement transparently, and also has advantages in system compatibility.
However, the architecture of cloud computing differs from that of a traditional single virtualized environment: control shifts from the Hypervisor to the control node (Controller). A traditional virtual machine monitoring mechanism is designed inside the computing node's Hypervisor and is hard to connect effectively with the virtual machine management control flow on the cloud control node; the security chain breaks, the security of the virtual machine's whole life cycle cannot be guaranteed, and the mechanism cannot play its role well in a cloud computing scenario. On this basis, a cloud computing mandatory access control method based on distributed enforcement, in the form of U-Key-based operating system security hardening software, is now provided. The method adopts a new cloud virtual machine monitoring mechanism with centralized management and distributed enforcement: management and configuration of the computing nodes' monitoring mechanism is added on the control node and hooked into the virtual machine creation flow, so that the whole life cycle of the virtual machine is protected, while the concrete execution of access control still takes place on the computing node.
Summary of the invention
The technical task of the present invention is to address the above shortcomings by providing a practical cloud computing mandatory access control method based on distributed enforcement.
In the cloud computing mandatory access control method based on distributed enforcement, the concrete implementation process is: two functional modules are set up on the computing node, namely an access control configuration module and an access control execution module, where:
The access control configuration module runs in the host operating system of each computing node, is responsible for communicating with the security management module of the cloud control node, and receives commands to complete the configuration and management of this computing node's access control enforcement mechanism;
The access control execution module is responsible for the concrete execution of the access control mechanism, runs in the Hypervisor layer, and monitors guest virtual machines' access to system resources.
The specific working process of the access control configuration module is:
Receive the commands and data sent by the control node's security management module, including policy data with its add and update commands, and user virtual machine labels;
After the communication module receives these commands, it processes the data and calls the interface to deploy them into the Hypervisor;
After the command completes, the communication module obtains the result or data returned by the execution module, packs the result or data, and sends it to the management module of the control node.
The working process of the access control execution module is: on the computing node, mandatory access control is applied to virtual machines' access to resources by means of a hook function. When a virtual machine on the computing node needs to access any system resource, the access control execution module intercepts the access request and then decides, according to the security policy loaded by the configuration module, whether to allow the access.
The cloud computing mandatory access control method based on distributed enforcement of the present invention has the following advantages:
It is based on centralized management and distributed enforcement: enforcement takes place in the virtualization layer of the computing node, directly monitoring the virtual machine's access to virtual resources, while the cloud management node takes part in the management of access control. This gives a more comprehensive and complete view for monitoring the virtual machine creation process in the cloud, so the access control mechanism can be configured to protect a virtual machine from the start of its life cycle. In the Hypervisor, a hook function is added to the path by which a virtual machine accesses virtual resources; when a virtual machine needs to access a virtual resource, the hook function intercepts the access request and decides whether the virtual machine has the access right. The purpose of the access control mechanism is to discover malicious user behaviour and protect the virtual resources. The cloud computing mandatory access control mechanism based on distributed enforcement solves the information gap between the computing node and the control node that arises when an ordinary virtual machine monitoring mechanism is used in a cloud environment; it is practical and easy to deploy.
Description of the drawings
Figure 1 is the workflow diagram of the access control configuration module.
Figure 2 is the workflow diagram of the access control execution module.
Embodiment
The invention is further described below with reference to the drawings and a specific embodiment.
The invention provides a cloud computing mandatory access control method based on distributed enforcement. As shown in Figures 1 and 2, the concrete implementation process is: two functional modules are set up on the computing node, namely an access control configuration module and an access control execution module, where:
The access control configuration module runs in the host operating system Dom0 of each computing node, is responsible for communicating with the security management module of the cloud control node, and receives commands to complete the configuration and management of this node's access control enforcement mechanism. It is one of the key components for realizing access control in the cloud computing environment and plays a linking role; its flow is shown in Figure 1.
The specific working process of the access control configuration module is:
Receive the commands and data sent by the control node's security management module, including policy data with its add and update commands, and user virtual machine labels;
After the communication module receives these commands, it processes the data and calls the interface to deploy them into the Hypervisor;
After the command completes, the communication module obtains the result or data returned by the execution module, packs the result or data, and sends it to the management module of the control node.
The access control execution module is responsible for the concrete execution of the access control mechanism, runs in the Hypervisor layer, and monitors guest virtual machines' access to system resources.
The working process of the access control execution module is: on the computing node, mandatory access control is applied to virtual machines' access to resources by means of a hook function. When a virtual machine on the computing node needs to access any system resource, the access control execution module intercepts the access request and then decides, according to the security policy loaded by the configuration module, whether to allow the access; the access control workflow is shown in Figure 2.
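The two working processes above (the configuration module's handling of control-node commands and the execution module's hook) as an added Python model; this is not code from the patent or from Inspur. The patent fixes neither a command format, a label model, nor the decision rules, so all three are assumptions made here: a label carries a tenant and a sensitivity level, and the policy is tenant isolation plus no-read-up and no-write-down. A real implementation would place the hook inside the hypervisor (for Xen, at the XSM hook points) rather than in Python. What the model adds to the text is the default-deny behaviour for a VM whose label has not yet been pushed from the control node, which is the life-cycle gap the centralized management is meant to close, and the packed result that goes back to the control node for every command.

```python
"""Toy model of the patent's two-module design (added example, not the patent's code).

Assumed here, not specified by the patent: the command format, the label model
(tenant + sensitivity level) and the three policy rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Label:
    tenant: str
    level: int  # 0 = public, higher = more sensitive (assumed model)


@dataclass
class AccessControlExecModule:
    """Hypervisor-layer enforcement: check() stands in for the hook function."""
    vm_labels: Dict[str, Label] = field(default_factory=dict)
    resource_labels: Dict[str, Label] = field(default_factory=dict)
    rules: Dict[str, bool] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)

    def check(self, vm_id: str, resource: str, op: str) -> bool:
        """Intercept one access request, decide it against the loaded policy, log it."""
        allowed, reason = self._decide(vm_id, resource, op)
        self.audit.append((vm_id, resource, op, allowed, reason))
        return allowed

    def _decide(self, vm_id: str, resource: str, op: str) -> Tuple[bool, str]:
        vm = self.vm_labels.get(vm_id)
        res = self.resource_labels.get(resource)
        # Default deny: a VM the control node has not labelled yet gets nothing,
        # so the label must be pushed before the VM's first access.
        if vm is None:
            return False, "unlabelled VM (default deny)"
        if res is None:
            return False, "unlabelled resource (default deny)"
        if op not in ("read", "write"):
            return False, "unknown operation"
        if self.rules.get("tenant_isolation", True) and vm.tenant != res.tenant:
            return False, "cross-tenant access"
        if op == "read" and self.rules.get("no_read_up", True) and vm.level < res.level:
            return False, "read up"
        if op == "write" and self.rules.get("no_write_down", True) and vm.level > res.level:
            return False, "write down"
        return True, "ok"


@dataclass
class AccessControlConfigModule:
    """Host-OS (Dom0) side: takes commands from the control node's security
    management module, deploys them into the execution module, reports back."""
    node_id: str
    exec_module: AccessControlExecModule
    version: int = 0  # bumps on every successfully deployed command

    def handle(self, cmd: dict) -> dict:
        """Process one control-node command and return the packed result."""
        kind = cmd.get("cmd")
        ex = self.exec_module
        try:
            if kind == "policy_update":
                ex.rules.update({k: bool(v) for k, v in cmd["rules"].items()})
            elif kind == "set_vm_label":
                ex.vm_labels[cmd["vm"]] = Label(cmd["tenant"], int(cmd["level"]))
            elif kind == "set_resource_label":
                ex.resource_labels[cmd["resource"]] = Label(cmd["tenant"], int(cmd["level"]))
            elif kind == "remove_vm_label":
                ex.vm_labels.pop(cmd["vm"], None)
            else:
                return self._pack(kind, "error", "unknown command")
        except (KeyError, TypeError, ValueError, AttributeError) as e:
            return self._pack(kind, "error", f"malformed command: {e!r}")
        self.version += 1
        return self._pack(kind, "ok", "")

    def _pack(self, kind, status: str, detail: str) -> dict:
        return {"node": self.node_id, "cmd": kind, "status": status,
                "detail": detail, "policy_version": self.version}


def demo() -> List[Tuple[str, str, str, bool, str]]:
    """Constructed scenario: one node, two tenants; returns the hook's audit trail."""
    node = AccessControlConfigModule("node-1", AccessControlExecModule())
    hook = node.exec_module
    hook.check("vm-a1", "disk-a-pub", "read")  # before any label is pushed: denied
    commands = [  # constructed control-node commands
        {"cmd": "policy_update", "rules": {"tenant_isolation": True, "no_read_up": True, "no_write_down": True}},
        {"cmd": "set_vm_label", "vm": "vm-a1", "tenant": "A", "level": 1},
        {"cmd": "set_vm_label", "vm": "vm-b1", "tenant": "B", "level": 0},
        {"cmd": "set_resource_label", "resource": "disk-a-pub", "tenant": "A", "level": 0},
        {"cmd": "set_resource_label", "resource": "disk-a-secret", "tenant": "A", "level": 2},
        {"cmd": "set_resource_label", "resource": "disk-b", "tenant": "B", "level": 0},
    ]
    for cmd in commands:
        result = node.handle(cmd)  # packed result goes back to the control node
        assert result["status"] == "ok", result
    hook.check("vm-a1", "disk-a-pub", "read")      # same tenant, level 1 >= 0: allowed
    hook.check("vm-a1", "disk-a-secret", "read")   # read up (1 < 2): denied
    hook.check("vm-a1", "disk-a-pub", "write")     # write down (1 > 0): denied
    hook.check("vm-a1", "disk-a-secret", "write")  # writing upward is permitted: allowed
    hook.check("vm-b1", "disk-a-pub", "read")      # cross-tenant: denied
    hook.check("vm-b1", "disk-b", "read")          # own tenant, same level: allowed
    return list(hook.audit)


if __name__ == "__main__":
    for vm, res, op, allowed, reason in demo():
        print(f"{vm:6} {op:5} {res:14} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Running the file prints the audit trail; the first line is the denial of `vm-a1` before its label arrived, which is the case the control-node integration is meant to remove by labelling a VM as part of its creation flow rather than after it is already running.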
The above embodiment is only a specific case of the present invention; the scope of patent protection of the present invention includes but is not limited to the above embodiment. Any cloud computing mandatory access control method based on distributed enforcement according to the claims of the invention, and any appropriate change or substitution made to it by a person of ordinary skill in the technical field, shall fall within the scope of patent protection of the present invention.

Claims (3)

1. A cloud computing mandatory access control method based on distributed enforcement, characterized in that its concrete implementation process is:
Two functional modules are set up on the computing node, namely an access control configuration module and an access control execution module, where:
The access control configuration module runs in the host operating system of each computing node, is responsible for communicating with the security management module of the cloud control node, and receives commands to complete the configuration and management of this computing node's access control enforcement mechanism;
The access control execution module is responsible for the concrete execution of the access control mechanism, runs in the Hypervisor layer, and monitors guest virtual machines' access to system resources.
2. The cloud computing mandatory access control method based on distributed enforcement according to claim 1, characterized in that the specific working process of the access control configuration module is:
Receive the commands and data sent by the control node's security management module, including policy data with its add and update commands, and user virtual machine labels;
After the communication module receives these commands, it processes the data and calls the interface to deploy them into the Hypervisor;
After the command completes, the communication module obtains the result or data returned by the execution module, packs the result or data, and sends it to the management module of the control node.
3. The cloud computing mandatory access control method based on distributed enforcement according to claim 1, characterized in that the working process of the access control execution module is: on the computing node, mandatory access control is applied to virtual machines' access to resources by means of a hook function; when a virtual machine on the computing node needs to access any system resource, the access control execution module intercepts the access request and then decides, according to the security policy loaded by the configuration module, whether to allow the access.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510691631.7A CN105335212A (en) 2015-10-23 2015-10-23 Method for controlling cloud computing mandatory access based on distributed implementation


Publications (1)

Publication Number Publication Date
CN105335212A (en) 2016-02-17

Family

Family ID: 55285771

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510691631.7A Pending CN105335212A (en) 2015-10-23 2015-10-23 Method for controlling cloud computing mandatory access based on distributed implementation

Country Status (1)

Country Link
CN (1) CN105335212A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101452397A (en) * 2008-11-27 2009-06-10 上海交通大学 Forced access control method and apparatus in virtual environment
CN103997502A (en) * 2014-06-05 2014-08-20 浪潮电子信息产业股份有限公司 Safety enhanced model designing method based on cloud computing data center
CN104573553A (en) * 2014-12-30 2015-04-29 中国航天科工集团第二研究院七O六所 Xen-oriented memory sharing security isolation method for virtual machines


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107111511A (en) * 2016-03-25 2017-08-29 深圳前海达闼云端智能科技有限公司 Access control method, device and system
CN107547258A (en) * 2017-07-18 2018-01-05 新华三云计算技术有限公司 The implementation method and device of a kind of network strategy
CN107547258B (en) * 2017-07-18 2021-02-05 新华三云计算技术有限公司 Method and device for realizing network policy
CN108833332A (en) * 2018-04-11 2018-11-16 广东省卫生厅政务服务中心 Multi-tenant access control method based on hypervisor
CN109902497A (en) * 2019-02-26 2019-06-18 南威软件股份有限公司 A kind of access authority management method and system towards big data cluster

Similar Documents

Publication Publication Date Title
CN109918916B (en) Dual-system trusted computing system and method
JP6772270B2 (en) Dual memory introspection to secure multiple network endpoints
CN102262557B (en) Method for constructing virtual machine monitor by bus architecture and performance service framework
CN103870749B (en) A kind of safety monitoring system and method for realizing dummy machine system
US9971623B2 (en) Isolation method for management virtual machine and apparatus
US8490150B2 (en) System, method, and software for enforcing access control policy rules on utility computing virtualization in cloud computing systems
CN111158906B (en) Active immunity credible cloud system
CN102244684B (en) EFI (Extensible Firmware Interface) trusted Cloud chain guiding method based on USBKey
CN105335212A (en) Method for controlling cloud computing mandatory access based on distributed implementation
CN105956465A (en) VTPM-based method for constructing virtual trusted platform
DE112020000792T5 (en) TRUSTED EXECUTION ENVIRONMENT ACCELERATED BY GRAPHICS PROCESSING UNIT
Afoulki et al. A security-aware scheduler for virtual machines on iaas clouds
EP2862119B1 (en) Network based management of protected data sets
Sammy et al. Energy efficient security preserving vm live migration in data centers for cloud computing
US20190004917A1 (en) Kernel-based power consumption and isolation and defense against emerging power attacks
CN108388793B (en) Virtual machine escape protection method based on active defense
Wenhao et al. Vulnerability analysis and security research of docker container
CN103500304A (en) Virtual machine personalized security monitoring system and method based on Xen
JP2015524128A5 (en)
CN105303102A (en) Secure access method for virtual machine and virtual machine system
CN106445641B (en) Data migration method between secure virtual platforms on discrete computing nodes
CN111143030B (en) Migration method of cloud environment trusted virtual machine
CN110851885B (en) Safety protection architecture system of embedded system
CN102521547B (en) Protecting system for access control system in virtual domain
CN104102524A (en) Method for realizing virtual secure element (VSE)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2016-02-17