WO2016112605A1 - Four-layer computing virtualization method and device - Google Patents

Info

Publication number
WO2016112605A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual
layer
disk
application
virtual volume
Application number
PCT/CN2015/078634
Inventor
张维加
Original Assignee
张维加
Application filed by 张维加

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating

Definitions

  • The invention belongs to the technical field of cross-device computing mechanisms and security virtualization. It can be used to protect device and information security, to enable fast cross-device use of applications, to protect the information security of mobile devices, to deliver applications as a service over the network (Software as a Service, abbreviated SaaS), and to control permissions for virtualized applications.
  • Mobile devices and mobile storage devices have rapidly gained popularity in recent years, but there are several serious problems, mainly security issues, slow speed issues, and how to implement cloud applications across devices, especially how to implement private clouds.
  • Encryption technology ensures that only those who have the key can operate on the file.
  • Some manufacturers have developed mobile storage devices with security measures such as fingerprint identification and encrypted partitions. If such a device is lost, an ordinary person may not be able to read the data directly, but for professionals these data security measures are easy to break.
  • With the development of password-cracking technology, whether you set a password with the built-in password function of Word, WPS and similar tools, or use encryption software to encrypt files, folders or even the whole disk, the password can be cracked; it is only a matter of time.
  • The two basic elements of encryption technology are the encryption algorithm and the encryption key. Depending on whether the sender's encryption key and the receiver's decryption key are the same, encryption is divided into symmetric and asymmetric encryption. Symmetric encryption, also called private-key encryption, means that the sender and receiver use the same key to encrypt and decrypt the data.
  • The security of symmetric encryption depends on the security of the key. As long as the key is secure, an adversary who knows the ciphertext and the encryption algorithm still cannot obtain the plaintext without the key. There are two criteria for judging the security of an encryption method: if the time needed to crack the key exceeds the validity period of the encrypted information, or the cost of cracking the ciphertext exceeds the value of the ciphertext itself, the encryption algorithm can generally be considered secure.
  • Access control generally needs to be combined with identity authentication. The basic idea of an access control mechanism is to grant files and administrators corresponding permissions, so that only someone with permission to operate on a file can do so. Access control is an indispensable part of information security technology: it controls users' access to resources according to the permissions they hold. Access control techniques can be roughly divided into flat and hierarchical structures. In a flat structure, user permissions are directly associated with resources; in a hierarchical structure, user permissions and resources are not directly coupled.
  • The slowness here mainly refers to mobile devices running slowly once they carry virtualization workloads.
  • The mobile device itself is not fast, and the speed of its connection interface to the computer is only average. Virtualization slows things down further, which inevitably has a big impact on the user experience.
  • Each application runs on the virtual machine's hardware. For a virtual machine running on a fairly well-configured host with a dual-core CPU and 2G of memory, the virtual hardware is generally set no higher than half of the host's, that is, a single core and 1G of memory (otherwise the host computer will stall). On a virtual machine with such poor performance, what programs can actually run, and how fast will they be?
  • Microsoft's Windows 8 Enterprise Edition features Windows to Go, which allows enterprise users to create USB-based systems, but it demands such a fast device that the actual cost of implementation is high.
  • Cloud computing is the product of the integration of traditional computer technology and network technology such as grid computing, distributed computing, virtualization, parallel computing, utility computing, load balancing, and network storage.
  • The purpose of cloud computing is to integrate multiple low-cost computing entities over the network into one powerful, cost-effective computing system, and to deliver this computing power to end users through advanced business models such as SaaS, PaaS, IaaS, and MSP. This is often described as using IT infrastructure like water and electricity.
  • The first phase is cloud storage.
  • Apple iCloud, Google, Amazon Cloud Drive, Windows Live SkyDrive and Dropbox have introduced large-capacity storage space.
  • Cloud storage space measured in gigabytes (G) and network transfer speeds measured in M per second are still insufficient. This may be the inevitable result of hardware storage and transfer interfaces developing faster than the network environment, but it is undeniable that cloud storage is much more convenient than local storage for file exchange and fault maintenance, so it is an effective and reliable supplement to local storage.
  • The second phase of cloud computing, and one of the latest topics, is the cloud application phase.
  • In recent years, well-known cloud computing applications such as VMware, ChromeOS and VMforce have made great contributions to the development of cloud applications.
  • The speed of a typical wide-area LAN can support online playback, online document editing, and even online mini-games, but not more substantial work and entertainment.
  • Network speed cannot support playing large 3D games online or running work programs such as Matlab. Network speed will improve, but it is undeniable that the complexity and computational load of programs and games grow faster.
  • the security of the application is also a problem.
  • Security issues are often the most common obstacle when organizations consider deploying cloud applications. According to IDC's survey, 90% of companies believe that security is the biggest obstacle to deploying the cloud.
  • The cloud model must first provide users with a secure service. This means that the platform on which the application resides must first be a secure and trustworthy platform; only then will the user choose to move the application to the cloud.
  • Personal cloud computing is an extension of cloud computing in the personal field. It is Internet-centric personal information processing, which organizes, stores, distributes and re-processes various personal information through the Internet. Like all "clouds," a personal cloud consists of servers, terminals, applications, and personal information. Personal cloud computing has the same characteristics as general cloud computing, such as sharing, random access, and extensibility.
  • The present invention proposes a method for implementing computing virtualization with a four-layer structure. It establishes four independent virtualization layers, namely the mobile system layer, the virtual volume encryption layer, the virtual application layer, and the cache layer. A system layer that is fast and is restored upon shutdown is obtained by loading a read-only image system into a Ramdisk and booting from it.
  • Programs are not installed at the system layer; instead, the application environment is virtualized into the virtual disk, and the libraries and registry entries the program needs are extracted, to implement the virtual application.
  • The virtual application layer is nested in the virtual volume encryption layer.
  • The virtual volume encryption layer and the mobile system layer exist directly on the network or the mobile storage device. The two are stored separately and neither contains the other.
  • At run time, programs are extracted to a disk virtualized from memory, which serves as a cache for acceleration. See Figure 1.
  • The device does not install an operating system. Instead, it uses a separate, mobile system layer that provides only the system kernel environment, has no applications installed, and is restored after shutdown or exit.
  • The mobile system layer can be implemented by a read-only image system. At run time it is loaded into a Ramdisk.
  • The virtual volume encryption layer is implemented by creating a virtual volume and controlling access to it. When the system accesses the encryption layer, the volume file is mapped to a disk partition in the system.
  • The application layer is implemented with a virtual machine, or by virtualizing the application environment and extracting the runtime libraries and registry entries the program needs, so that programs deployed at the application layer can be used across systems. It can also be implemented via USB boot.
  • The device does not use the physical disk directly; computing and applications are built on the virtual disk. All I/O operations flowing into and out of the virtual disk are controlled by the client.
  • The virtual volume (virtual disk) encryption layer uses separate keys with different permissions for multiple users. Each user has a client account and password. The client applies different passwords and permissions to different users. The permissions include access permissions for different files, IP binding, usage counts, modification permissions, copy permissions, usage expiration dates, and so on.
  • The virtual volume encryption layer can have multiple modes for different needs. For high performance requirements and general security protection requirements, the virtual volume encryption layer uses single-pass authentication mode: the key is verified when the user accesses the virtual volume; once verification passes, the volume file is mapped directly to a disk partition in the system, and no further authentication is performed on reads and writes. For high security protection requirements, some performance is sacrificed and the virtual volume encryption layer uses read-write authentication mode.
  • On a read, the data is decrypted as it passes through the virtual disk driver and the file is delivered to the user in plaintext; when the user writes a file, the virtual disk driver encrypts the data and passes it to the device driver, and the data is finally stored as ciphertext in the virtual volume on the physical disk.
  • The device's application deployment is also based on a virtual application layer. Unlike a virtual machine, this virtual application layer has no virtual hardware and no virtual system.
  • Application virtualization runs applications across devices by virtualizing the application environment and redirecting the registry and library files.
  • The virtual application layer relies on the mobile system layer to provide the system, and relies on the virtual disk layer, which authenticates, decrypts and loads the virtual disk, as its carrier; the application layer is stored inside the virtual volume.
  • This virtualization is application-based, and the application's internal call relationships are self-contained. Therefore, to run virtual application layer programs faster, part of memory can conveniently be virtualized as a disk and used as a cache for acceleration. Unlike the cache in a general computing device, it does not need to accumulate data on usage and access frequency. Because the application is completely virtualized, at run time the application can be extracted directly to a memory ramdisk or to high-speed flash memory for direct, fast caching.
  • The storage device used may be any mobile device. It may have a USB interface so that it can connect to a computer over the USB protocol, or a wireless network card so that it can connect to a computer over a wireless protocol, as with home network storage.
  • The main advantage of the solution of the present invention is that it yields a low-cost, low-threshold virtualized application device that performs well, is convenient to use, has comprehensive security permissions and high privacy, and can work across devices.
  • A storage device can be implemented by the solution.
  • The system kernel runs from memory, so it is fast.
  • Because no virtual machine architecture is used, hardware configuration and resources such as the CPU are not pre-empted, and applications can use the host computer's complete hardware configuration.
  • Because a separate application layer is extracted and accelerated through the cache, virtualized applications run faster.
  • Security permissions are comprehensive: Since the application layer is placed inside the virtual volume encryption layer, all permission controls can be implemented through the virtual volume encryption layer. For example, different passwords and permissions are applied for different users, and the permissions include access rights to different files, IP binding, usage times, modification rights, copy rights, usage expiration dates, and the like.
  • The system layer is a read-only image. It is loaded into memory to run and leaves no trace after shutdown.
  • The application layer runs inside the virtual volume encryption layer, so all traces of its operation are inside the virtual volume encryption layer. After leaving and exiting, no trace is left on the host.
  • The device has three working modes. First, direct access to the system layer, suitable for system recovery and emergency use. Second, accessing the system layer, then accessing the encryption layer from the system layer and, if necessary, the application layer, suitable for mobile work. Third, without accessing the system layer, connecting to another computer (for example over the network), accessing the encryption layer from the host computer's system, authenticating, and then accessing the application layer according to the permissions of the authenticated identity, suitable for software as a service and enterprise cloud.
  • The four layers are combined in a nested structure: for example, the virtual application layer sits inside the virtual volume encryption layer, and the virtual volume encryption layer is stored separately from the mobile system layer.
  • The virtual application layer is not a clone of virtual machine technology, but a redesigned virtualization structure. It has no virtual hardware and no virtual system layer; these are replaced by the mobile image system and the virtual disk layer. After the replacement, support for virtual applications is better than with a virtual machine, and it is also faster.
  • First, the system kernel runs from memory, which is fast; second, it does not pre-empt hardware configuration and resources such as the CPU, and there is no waiting for a virtual machine to boot. The application can also use the host computer's complete hardware configuration.
  • Extracting a separate application layer for cache acceleration allows virtualized applications to run faster. In the past, the industry generally believed that virtual machines slow programs down. This view also hindered the development of mobile application devices.
  • Using the four-layer virtualization method instead of a virtual machine addresses the speed problem.
  • The virtual computing method runs smoothly and quickly even on some old machines whose hardware resources are insufficient for a traditional virtual machine, such as a Pentium Tualatin machine with 256MB of memory, an effect one would not have dared to expect.
  • This solution also unexpectedly solves the problems of program migration and of network-based SaaS.
  • The migration problem: in traditional virtual machine technology, an application has to be copied into the virtual machine and installed there, so it depends on the virtual machine and is not easy to migrate. The virtual application layer of this solution is free of that dependency.
  • The problem of providing SaaS over the network: even on today's high-speed networks, a virtual machine still cannot be loaded and run over the network. The virtual applications in this solution are self-contained: a user can access the virtual volume encryption layer over the Internet, log in to the client over the network, and load the virtual application. This kind of SaaS does not harm the server-side system and is similar to P2P application distribution.
  • The virtual disk layer is not a clone of existing virtual disk technology. To achieve permission control while letting virtual applications run freely, it has been redesigned, which greatly improves security control and application operation capabilities.
  • The virtual volume itself is encrypted. It is not decrypted after identity authentication; instead, I/O is managed under the client's control, and the volume still cannot be accessed directly. After the client verifies the identity with the key, the virtual disk is opened, but the virtual disk is not decrypted.
  • The user must perform all file operations and application start-up through the client, and I/O permission limits are set in the client, giving different users different permissions (such as copying, not deleting, etc.) to implement permission control.
  • The cache layer in this solution is essentially copy and redirection: the commonly used files of the self-contained virtualized applications in use in the virtual application layer are extracted to the memory virtual disk and redirected, per application, to speed the application up.
  • The hardware itself is based on a flash disk with a USB interface and a Wi-Fi network card, which can connect to a typical computer or mobile device via USB or wireless sharing.
  • To implement the four layers, the flash memory is divided, through mass production work on the flash memory, into a boot partition (a USB-HDD partition) and a writable storage partition (generally of removable-disk type). The boot partition is bootable; at run time it loads the image system into the memory Ramdisk. A virtual volume is stored in the storage partition.
  • A virtual machine is installed (or created) in the virtual volume.
  • The virtual volume folder stores an authentication client. When the user runs the client and is authenticated by the key, the virtual volume is loaded as a disk Y shared on the network, but direct access is not supported; it must be accessed through a resource manager inside the client that is made specifically for this virtual volume.
  • The resource manager in the client can open the virtual machine program, as well as the control panel program for the virtualized applications, which is responsible for installing, uninstalling, managing, indexing and running the applications.
  • These virtualized applications can be run directly with a click from the control panel, because the registry, environment files and library files they need are already stored in the virtual volume, and calls are pointed directly at these files in the virtual volume when the program is invoked.
  • The sample device also supports a fast running mode, which can be selected by the user.
  • It is implemented as follows: when the control panel starts, memory virtualization is performed at the same time, and part of memory is set aside as a virtual disk (Ramdisk).
  • Since the program has been virtualized and contains the registry, environment files and library files it needs to run, it can be extracted into that memory virtual disk.
  • This one-step loading makes the application slow to start on the sample device, but it runs very fast once loaded into the memory virtual disk.
  • Memory is volatile, so the cached content in the ramdisk is saved to an image file before the computer shuts down, placed in the storage partition, and loaded at the next boot.
  • Besides setting whether a virtual application runs in cache mode, the control panel also lets you choose which cache mode to use. In addition to the mode above, there is a flash acceleration mode: a portion of the flash memory is set aside as a data package with a .dat extension. If flash-accelerated cache mode was selected in the previous step, applications run from the virtual application layer are redirected to the .dat data package according to that cache mode. However, because of the characteristics of flash memory and the interface speed limit, this mode generally does not extract the entire application on opening; it redirects only small files and random files.
  • The computer can boot the image operating system on the sample device into a Ramdisk via USB.
  • This system layer is completely read-only, but this does not affect daily work.
  • Because the image system runs in memory and is completely read-only, it cannot be infected by viruses and leaves no traces, and memory is fast.
  • The image system accesses the storage partition of the sample device, where it can reach the client program of the virtual volume encryption layer. The user runs the client program, authenticates with the password, and obtains the permissions of the corresponding key's user, and the virtual volume encryption layer is loaded as network disk Y.
  • The network disk Y is not allowed to be directly accessed by the resource manager.
  • The user accesses resources through the client and opens the application layer's control panel program, from which the program list can be viewed and applications run. Everything a local operating system can do can be done in the sample device's layered mode, except that all changes to applications and the workspace, such as saving data, setting preferences and installing new programs, are made in the application layer, and file operations are completed at the virtual volume encryption layer, leaving no trace on the machine after shutdown or exit.
  • This mode is mainly used for tasks such as customer service, the work of mobile engineers, maintenance and anti-virus work, business machine operation, and carrying a workspace, as shown in Figure 2.
  • The computer can discover the sample device among the network devices, where it appears as a computer folder on the network. The user enters the network folder, accesses the client program of the virtual volume encryption layer, runs the client program, authenticates with the password, and obtains the permissions of the corresponding key's user, and the virtual volume encryption layer is loaded as network disk Y.
  • The network disk Y is not allowed to be directly accessed by the resource manager.
  • The user accesses resources through the client and opens the application layer's control panel program, from which the program list can be viewed and applications run. Multiple users can access it, each with different permissions.
  • Figure 1 Schematic diagram of the hierarchical structure.
  • FIG. 1 Schematic diagram of the sample device.
  • FIG. 1 Schematic diagram of the virtualized program operation in mode 2 of the sample device.
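
The per-user permission keys and client-mediated I/O described in the list above, sketched as an added example (this is not code from the patent or its author). The `Grant` layout, the `VolumeClient` class, the PBKDF2 verifier, the path-prefix scoping and the reading that read-write authentication mode re-checks expiry and IP binding on every I/O are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import posixpath
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ROUNDS = 200_000  # PBKDF2 iterations (assumed; the page names no algorithm)


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow password hash, so a copied grant table is costly to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


@dataclass
class Grant:
    """One user's permission key (hypothetical layout of the listed permissions)."""
    salt: bytes
    verifier: bytes
    prefixes: tuple          # file access: directories inside the volume
    ops: frozenset           # subset of {"read", "modify", "copy", "delete"}
    network: Optional[str]   # IP binding as CIDR, None = unbound
    expires: datetime        # usage expiration date
    uses_left: int           # remaining usage count


@dataclass
class Session:
    user: str
    grant: Grant
    client_ip: str


class VolumeClient:
    """All I/O on the virtual volume passes through authorize()."""

    def __init__(self, grants, mode="single-pass"):
        if mode not in ("single-pass", "read-write"):
            raise ValueError("unknown authentication mode: " + str(mode))
        self.grants, self.mode = grants, mode

    @staticmethod
    def _context(grant, client_ip, now):
        """Checks that can change after login: expiry and IP binding."""
        if now >= grant.expires:
            return "expired"
        if grant.network is not None:
            net = ipaddress.ip_network(grant.network)
            if ipaddress.ip_address(client_ip) not in net:
                return "ip not bound"
        return None

    def open_volume(self, user, password, client_ip, now):
        """Authenticate and consume one use. Returns (Session or None, reason)."""
        grant = self.grants.get(user)
        # Hash for unknown users too, so timing does not reveal valid accounts.
        candidate = derive_verifier(password, grant.salt if grant else b"\x00" * 16)
        if grant is None or not hmac.compare_digest(candidate, grant.verifier):
            return None, "bad credentials"
        reason = self._context(grant, client_ip, now)
        if reason:
            return None, reason
        if grant.uses_left <= 0:
            return None, "usage count exhausted"
        grant.uses_left -= 1
        return Session(user, grant, client_ip), "ok"

    def authorize(self, session, op, path, now):
        """Decide one I/O request. Returns (allowed, reason)."""
        grant = session.grant
        if self.mode == "read-write":  # re-check the context on every I/O
            reason = self._context(grant, session.client_ip, now)
            if reason:
                return False, reason
        if op not in grant.ops:
            return False, "operation not permitted"
        # Normalise first so "a/../../x" cannot climb out of a granted directory.
        clean = posixpath.normpath("/" + path.lstrip("/"))
        for prefix in grant.prefixes:
            base = prefix.rstrip("/")
            if clean == base or clean.startswith(base + "/"):
                return True, "ok"
        return False, "path outside grant"


NOW = datetime(2015, 5, 1, tzinfo=timezone.utc)  # constructed clock value


def demo_grants():
    """Constructed sample user: read and copy under /apps/office, two uses."""
    salt = b"constructed-salt"
    return {"alice": Grant(salt, derive_verifier("alice-pass", salt),
                           ("/apps/office",), frozenset({"read", "copy"}),
                           "192.168.1.0/24", NOW + timedelta(days=30), 2)}


if __name__ == "__main__":
    client = VolumeClient(demo_grants(), mode="read-write")
    session, why = client.open_volume("alice", "alice-pass", "192.168.1.20", NOW)
    print(why, client.authorize(session, "read", "/apps/office/../../keys", NOW))
```

In this sketch a single-pass session keeps working after the grant expires until the volume is closed, while a read-write session is cut off at the next I/O, which is the performance-versus-security trade the two modes make.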

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A four-layer computing virtualization method and device. Four independent virtualization layers, which are respectively a mobile system layer, a virtual volume encryption layer, a virtual application layer and a cache layer, are virtualized to achieve cross-device mobile computing. A read only mirror system is loaded into a Ramdisk and started for running to obtain a system layer that can be restored quickly upon shutdown; operation is not performed on a physical disk, but instead is implemented by creating a virtual volume, verifying keys, loading the virtual volume as a virtual disk and controlling access of the virtual volume; programs are not installed in the system layer, and a virtual application is implemented by entering the virtual disk through a virtual application environment and extracting a Library and a registry required by the programs. The virtual application layer is nested inside the virtual volume encryption layer, and the virtual volume encryption layer and the mobile system layer directly exist in a network or mobile storage device and are stored separately without mutual containing. The programs inside the virtual application layer have been subjected to virtualization redirection and thus are extracted to a disk virtualized from memory as a cache for accelerated running.

Description

Method and device for four-layer computing virtualization
Technical field
The invention belongs to the technical field of cross-device computing mechanisms and security virtualization. It can be used to protect device and information security, to enable fast cross-device use of applications, to protect the information security of mobile devices, to deliver applications as a service over the network (Software as a Service, abbreviated SaaS), and to control permissions for virtualized applications.
Background art
Mobile devices and mobile storage devices have spread rapidly in recent years, but they have several serious problems: chiefly security, slow speed, and how to implement cloud applications across devices, especially private clouds.
Background 1. The first is the security problem and the application deployment concerns it causes.
In recent years, with the continuous development of information technology, computers of all kinds have emerged one after another, and computer applications have reached every level of society. As summarized by John Hopcroft, professor of engineering in the Department of Computer Science at Cornell University in the United States, there are two clear trends in computing today: the massive use of smart mobile devices and the development of cloud computing. Along with these two trends, two corresponding problems have become prominent on user terminals, and reliable solutions are urgently needed. Mobile storage devices, especially portable hard disks and USB flash drives, are widely used because they are cheap and easy to carry and use. Confidential data on an intranet is stored on computers as electronic documents; this makes it easy for insiders to obtain, share and distribute information, but it also creates the risk that important information leaks through internal channels.
Users of mobile storage media also often neglect to scan their mobile devices for viruses, which affects the security of mobile storage media to some extent. In actual use, mobile storage media inevitably pick up computer viruses from outside. If the viruses are not detected and removed promptly and effectively, and an infected file is casually opened on a computer inside the organization, the virus can easily spread into the organization's internal network and affect the operation of the computers there.
To counter leaks and virus infection, the security of electronic files on mobile storage media is currently protected mainly through technologies such as kernel encryption, identity authentication, access control and security auditing:
1.加密技术,保证只有拥有密钥的人员才能对文件进行操作。一些制造商为了提高产品的技术含量,开发出具有指纹识别、加密分区等安全措施的移动存储设备,如果不慎丢失,一般人可能无法直接获取其中数据,但对专业人员来说,这些数据安全措施是容易被攻破的。随着密码破解技术的发展,不论是运用Word、WPS等自带的密码功能设置密码,还是利用加密软件对文件、文件夹甚至全盘进行加密,都有可能对密码进行破解,只是时间长短的问题。1. Encryption technology ensures that only those who have the key can operate on the file. In order to improve the technical content of products, some manufacturers have developed mobile storage devices with security measures such as fingerprint identification and encrypted partitioning. If they are accidentally lost, ordinary people may not be able to directly access the data, but for professionals, these data security measures It is easy to be broken. With the development of password cracking technology, whether you use Word, WPS and other password functions to set passwords, or use encryption software to encrypt files, folders or even entire files, it is possible to crack passwords, but the length of time .
加密技术的两个基本元素是加密算法和加密密钥。加密按照发送方/接收方的加密密钥/解密密钥是否相同可以将加密技术分为对称加密和非对称加密。对称加密也称为私钥加 密,它是指发送方、接收方采用相同的密钥对数据进行加密、解密。对称加密的安全性取决于密钥的安全性,只要密钥是安全的那么即使对手知道了密文和加密算法在没有密钥的情况下也不可能获得明文。值得注意的是加密方式的安全性判别有两个标准,通常可以认为只要破解密钥所花费的时间超过了加密信息本身的有效期或者破解密文所花费的成本超过了密文本身的价值,那么可以认为该加密算法就是安全的。The two basic elements of encryption technology are encryption algorithms and encryption keys. Encryption can be divided into symmetric encryption and asymmetric encryption according to whether the sender/receiver encryption key/decryption key are the same. Symmetric encryption Confidential, it means that the sender and receiver use the same key to encrypt and decrypt the data. The security of symmetric encryption depends on the security of the key. As long as the key is secure, even if the opponent knows that the ciphertext and encryption algorithm can obtain the plaintext without the key. It is worth noting that there are two criteria for the security of encryption. It is generally considered that as long as the time taken to crack the key exceeds the validity period of the encrypted information itself or the cost of cracking the ciphertext exceeds the value of the secret text, then The encryption algorithm can be considered safe.
2. Access control. This generally needs to be combined with identity authentication. The basic idea of an access control mechanism is to assign corresponding permissions to files and to administrators; only someone with permission to operate on a file can operate on it. Access control is an indispensable part of information security technology, and its basic idea is to control users' access to resources according to the permissions they hold. Access control technology can broadly be divided into flat and hierarchical structures: in a flat structure, user permissions are directly associated with resources, whereas in a hierarchical structure user permissions and resources are not directly coupled.
3. Security auditing. Only by recording the operations performed on electronic files can the responsible person be dealt with after an electronic file leak, thereby reducing the probability of leaks. However, the management of mobile storage devices lacks effective supervision mechanisms and confidentiality mechanisms.
However, these security protections for mobile devices bring higher costs and also get in the way of the convenience that mobile devices are valued for.
These security problems also hinder the development of applications and computing on mobile devices. In many scenarios there is an urgent need to run programs and carry out work on the move, but serious security problems force the idea to be abandoned. A typical example is that Windows to Go is banned in many commercial companies.
Background 2. The problem of slow speed.
Slow speed here mainly refers to the slowness of a mobile device once it carries a virtualization workload. Mobile devices are not fast in themselves, and the speed of their connection interface to the computer is also mediocre. Virtualization slows things down further, which inevitably has a large impact on the user experience.
Traditional virtual machines place high demands on the performance of the host computer, to the point that some old computers cannot start and run them. A traditional virtual machine needs to occupy at least one CPU and a portion of exclusively reserved memory to virtualize a complete computer, in which a complete operating system must be installed and then the application programs on top of it. This consumes a great deal of hardware resources and is very slow.
In addition, starting the virtual machine before running an application involves a long virtual machine boot time, so the user waits a long time.
Moreover, every application runs on the virtual machine's hardware. For a virtual machine intended to run on a relatively high configuration of a dual-core CPU with 2 GB of memory, the virtual hardware generally should not exceed half of the host computer's, that is, a single core and 1 GB of memory (otherwise the host computer will stall). One can then ask: on a virtual machine with such poor performance, what programs can be run, and how fast will they be?
This is why traditional virtual machines are used only for industrial control debugging.
For example, Microsoft's Windows 8 Enterprise edition includes the Windows to Go feature, which allows enterprise users to create USB-based systems, but its requirements on device speed are very high, so the actual cost of implementation is high.
Background 3. Implementing cloud applications across devices, and in particular how to implement a private cloud.
As early as 1997, Ramnath K. Chellappa, a professor at the University of Southern California, proposed the first academic definition of cloud computing. He held that the "cloud" is a computing model in which the boundaries of computing are determined by economic rationality rather than by the level of technology.
Cloud computing is the product of the development and convergence of traditional computer and network technologies such as grid computing, distributed computing, virtualization, parallel computing, utility computing, load balancing, and network storage. Its purpose is to integrate multiple low-cost computing entities over the network into a computer application system with a strong "price-performance ratio", and to deliver this computing power to end users through advanced business models such as SaaS, PaaS, IaaS, and MSP. This characteristic is often described as using IT infrastructure like water and electricity.
First came cloud storage. Apple iCloud, Google, Amazon Cloud Drive, Windows Live SkyDrive, and Dropbox have each launched large-capacity storage. Compared with today's local storage, which readily runs to several terabytes, and with local or USB transfer speeds that already reach several G per second, cloud storage's mere few gigabytes of capacity and network transfer speeds measured in M per second still appear quite inadequate. This may be the inevitable result of hardware storage and transfer interfaces always developing faster than the network environment. Nevertheless, it is undeniable that cloud storage is much more convenient than local storage for file exchange and fault maintenance, so it is an effective and reliable complement to local storage.
The second stage of cloud computing is one of the newest topics today: the cloud application stage. In recent years a series of well-known cloud computing products, such as VMware, ChromeOS, and VMforce, have made significant contributions to the development of cloud applications.
However, the shortcomings of current cloud applications are still obvious. Examples follow.
First, the demands on server resources and technical expertise are extremely high, so control is concentrated in the hands of a few large companies, for example Google's ChromeBook. Ordinary small and medium-sized enterprises do not have the capability to implement it. This also makes cloud applications costly, so they cannot currently be widely adopted.
Second, it depends on a high-speed LAN. Unlike a local area network, an ordinary wide-area LAN is fast enough to support online playback, online document editing, and even small online games, but not more practical work and entertainment. Network speed cannot support playing large 3D games online or running Matlab computations. Network speeds will certainly improve, but it is undeniable that the complexity and computational load of programs and games grow faster.
Third, applications face major limitations and compatibility problems. Today's Google ChromeBook resembles a networked DOS (Disk Operating System): it boots quickly, but it has too many limitations and supports too little. Google states that "all Chrome OS applications use Web technology". The applications that Chrome OS can support must therefore be able to run on the Web. In other words, what the user buys is essentially a browser. The RemoteApp of Microsoft servers and the Citrix-led remote XenApp model, meanwhile, have major compatibility problems.
Fourth, all of the user's data is stored on the network, and how its security can be effectively guaranteed is a big question. Even supposing users can trust Google to provide a sufficiently secure environment, what should be done about private matters they do not want to put online?
Fifth, how can security isolation between different users be achieved, and how can permissions be controlled for low-privilege, low-trust users? On traditional mobile devices or traditional virtual machines, none of this can be achieved at all.
Beyond controlling and isolating users, the cloud hosts many kinds of applications. How to ensure security isolation between applications, and whether illegal access from both inside and outside the cloud can be blocked in time so that heterogeneous applications remain secure, are also problems. When enterprises consider deploying cloud applications, security is often the most common obstacle. According to an IDC survey, 90% of enterprises consider security the biggest obstacle to deploying the cloud. The cloud model must first be able to provide users with secure services, which means that the platform hosting the applications must first be a secure, trustworthy platform before users will choose to move applications to the cloud.
The problem in Background 3, therefore, is that cloud applications must lower their cost and technical threshold and solve the security isolation problem; otherwise ordinary small and medium-sized companies and individuals cannot implement cloud services. To reduce cost, the computing model must change, or the service provider's resources will limit the load the service can carry. To lower the technical threshold, it must be possible to implement a personal cloud. Personal cloud computing is the extension of cloud computing into the personal domain: Internet-centric personal information processing, that is, organizing, storing, distributing, and reprocessing an individual's information over the Internet. Like all "clouds", a personal cloud consists of servers, terminals, applications, and personal information. Personal cloud computing shares the characteristics of general cloud computing, such as sharing, access from anywhere, and scalability. It also has characteristics of its own, which are determined by the nature of personal information. Personal information is private and demands a high level of security. Individuals hold large amounts of multimedia such as pictures and videos, which requires large, expandable storage but little computing power. The market research firm Gartner predicted that the "personal cloud" would replace the PC in 2014 as the core of users' digital lives, truly entering the application-driven era.
The three background problems above can be summarized as six specific problems that currently exist in mobile devices, computing virtualization, and cloud applications:
1. Data security of mobile devices;
2. Application deployment on mobile devices;
3. Traditional virtualization occupies hardware resources;
4. Traditional virtualization has a long startup time and runs slowly;
5. Users lack security isolation from one another, and users at different trust levels need graded permission control;
6. Applications lack isolation from one another, and possible operations on and attacks against the system must be prevented;
Of course, in a particular application scenario or market, all of these problems are generally not encountered at once; rather, one of them becomes the main headache. These problems are, however, intrinsic structural defects. If a structural redesign can solve all of them at the same time, it constitutes a universal basic structure that can be widely applied to mobile storage devices, portable computing, and SaaS.
Summary of the invention
To solve the security protection and permission control problems described above, and to achieve high-performance, high-speed, low-cost mobile application deployment and cloud application devices, the present invention proposes a method of implementing computing virtualization with a four-layer structure. The method establishes four independent virtualization layers: a mobile system layer, a virtual volume encryption layer, a virtual application layer, and a cache layer. A read-only image system is loaded into a Ramdisk and booted, giving a fast system layer that is restored on shutdown. Computation does not go through the physical disk; instead, a virtual volume is created and, after key verification, loaded as a virtual disk whose access is controlled. Programs are not installed in the system layer; virtual applications are implemented by virtualizing the application environment inside the virtual disk and extracting the Library and registry that the program needs. The virtual application layer is nested inside the virtual volume encryption layer, while the virtual volume encryption layer and the mobile system layer reside directly on the network or on the mobile storage device, stored separately, neither containing the other. Programs in the virtual application layer have already been virtualized and redirected, so at run time they are extracted to a disk virtualized from memory, which serves as a cache to accelerate execution. See Figure 1.
For portability and resistance to attack, no operating system is installed on the device. Instead, a separate, mobile system layer is used that provides only the system kernel environment, has no applications installed on it, and is restored after shutdown or exit. The mobile system layer can be implemented with a read-only image system that is loaded into a Ramdisk at run time. The virtual volume encryption layer is implemented by creating a virtual volume and controlling access to it; when the system accesses the encryption layer, the volume file is mapped to a disk partition in the system. The application layer is implemented with a virtual machine, or by virtualizing the application environment and extracting the Library runtime libraries and registry that the program needs, so that programs deployed in the application layer can be used across systems. It can also be implemented through USB boot.
Furthermore, the device does not use the physical disk directly; computation and applications are all based on a virtual disk. All I/O operations flowing into and out of this virtual disk are controlled through the client.
The virtual volume (virtual disk) encryption layer uses keys with different permissions for multiple users. Each user has a client account and password, and the client applies different passwords and permissions to different users. The permissions include access rights to different files, IP binding, number of uses, modification rights, copy rights, expiry date, and so on. The virtual volume encryption layer can operate in several modes to suit different needs. For high-performance needs and ordinary security needs, it uses a single-authentication mode: the key is verified when the user accesses the virtual volume, after which the volume file is mapped directly to a disk partition in the system and individual reads and writes are no longer authenticated. For high-security needs, with some sacrifice of performance, it uses a per-read/write authentication mode: when the user reads a data file from the virtual disk partition, the data is decrypted as it passes through the virtual disk driver and the file is presented to the user in plaintext; when the user writes a file, the virtual disk driver encrypts the data before passing it to the device driver, and the data is finally stored as ciphertext in the virtual volume on the physical disk.
Besides not using the physical disk and not installing an operating system, the device also deploys its applications on a virtual application layer. Unlike a virtual machine, this virtual application layer virtualizes neither hardware nor a system. Applications are virtualized by virtualizing the application environment and redirecting the registry and library files so that they run across devices. The virtual application layer relies on the mobile system layer to provide the system, and on the virtual disk that the virtual disk layer loads after authentication and decryption as its carrier; the application layer is stored inside the virtual volume.
This form of virtualization takes the application as its unit, and the call relationships inside an application are self-contained. To run programs in the virtual application layer faster, part of memory can therefore conveniently be virtualized as a disk and used as a cache. Unlike the cache in an ordinary computing device, this requires no accumulated data about user habits or usage frequency: because the application is already fully virtualized, at run time it can be cached directly and quickly by extracting it to a memory ramdisk or to high-speed flash.
The scheme is in effect a set of technical solutions that can be applied in many settings. For example, the storage device used can be any mobile device; it can have a USB interface so that it connects to a computer over the USB protocol, or a wireless network card so that it connects to a computer over a wireless protocol, as in home network storage.
Beneficial effects and inventiveness
The main advantage of the scheme is that it realizes, at low cost and with a low threshold, a virtualized application device that performs well, is convenient to use, has comprehensive security permission settings, is highly private, and works across devices.
Low cost and highly portable: no server is needed. A single storage device processed according to the scheme is sufficient.
Low threshold: no additional technical equipment is needed.
Good performance and high speed: first, the system kernel runs from memory, which is fast; second, no virtual machine architecture is used, so hardware such as the CPU is not reserved in advance, there is no boot wait, and applications can use the host computer's full hardware configuration; finally, because a separate application layer is split out and accelerated by caching, virtualized applications run relatively fast.
Comprehensive security permission settings: because the application layer sits inside the virtual volume encryption layer, all permission control can be implemented through the virtual volume encryption layer, for example applying different passwords and permissions to different users, where the permissions include access rights to different files, IP binding, number of uses, modification rights, copy rights, expiry date, and so on.
Highly private: the system layer is a read-only image that runs after being loaded into memory and leaves no trace after shutdown. The application layer runs inside the virtual volume encryption layer, so all traces of execution stay within that layer and nothing remains on the host after closing and exiting.
Convenient to use: the device has three working modes. 1. Access the system layer directly; suitable for system recovery and emergency use. 2. Access the system layer, then access the encryption layer from the system layer and, if needed, the application layer; suitable for mobile work and work with higher confidentiality requirements. 3. Do not access the system layer; connect to another computer, for example by sharing to it over the network, access the encryption layer from the HOST computer's system, and after identity authentication access the application layer according to the permissions of the authenticated identity; suitable for software as a service, enterprise clouds, and the like.
Inventiveness of the invention:
The invention makes use of several existing technologies but is not a simple combination of them: it is inventive both in the structure of the layers and in how the existing technologies are applied and modified. The four layers are nested and combined structurally; for example, the virtual application layer sits inside the virtual volume encryption layer, while the virtual volume encryption layer is stored separately from the mobile system layer.
The technologies themselves are also changed. For example, the virtual application layer is not a clone of virtual machine technology but a redesigned virtualization structure. It has no virtual hardware and no virtual system layer, which are replaced by the mobile image system and the virtual disk layer, and after this replacement virtual applications are supported better than in a virtual machine. It is also faster. First, the system kernel runs from memory, which is fast; second, hardware such as the CPU is not reserved in advance, no virtual machine boot wait is needed, and applications can use the host computer's full hardware configuration; finally, because a separate application layer is split out and accelerated by caching, virtualized applications run relatively fast. The industry previously held that virtual machines slow programs down, a view that also hindered the development of mobile application devices. In the present invention, replacing the virtual machine with four-layer virtualization overcomes the speed problem.
As the practical example below describes, this virtual computing method also runs smoothly and quickly on old machines whose hardware resources are insufficient to run a traditional virtual machine, such as a Pentium III Tualatin machine with 256 MB of memory, achieving results that could not previously have been hoped for.
In addition, the scheme unexpectedly solves the problem of program portability and the problem of providing SaaS over the network. Portability: in traditional virtual machine technology, an application must be copied into the virtual machine and installed there, so it depends on the virtual machine and is hard to port; the virtual application layer of this scheme removes that dependency. Providing SaaS over the network: even on today's high-speed networks, a virtual machine still cannot be loaded and run over the network, whereas the virtual applications in this scheme are self-contained, so a user can access the virtual volume encryption layer over the Internet, log in to the client over the network, and load the virtual applications. Moreover, this kind of SaaS does not harm the server-side system and resembles distributing applications over P2P.
As another example, the virtual disk layer is not a clone of existing virtual disk technology. To implement permission control while still letting virtual applications run freely, it was redesigned as well, which greatly improves both security control and the ability to run applications. The virtual volume itself is encrypted. When it is loaded after identity authentication it is not decrypted; I/O is controlled and managed only through the client, and the volume still cannot be accessed directly. The client opens the virtual disk after checking the user's identity by key, but does not decrypt it. Users must perform all file operations and application launches through the client, and permission control is implemented by setting I/O permission limits on that client, such as giving different users different permissions (for example, no copying or no deleting).
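The per-user permission control described in the summary and in the virtual disk layer paragraph above can be modelled as follows. This is an added example, not code from the patent: the class names, the PBKDF2 password check, the glob-style file rules, the path normalization and the audit list are all assumptions, and the users, passwords and paths are constructed sample data.

```python
import hashlib
import hmac
import posixpath
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: the page does not name a KDF

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class UserPolicy:
    """Per-user rights, one field per permission the page lists."""
    salt: bytes
    pw_hash: bytes
    file_globs: Tuple[str, ...]       # access rights to different files
    bound_ip: Optional[str] = None    # IP binding
    max_uses: Optional[int] = None    # number of uses
    expires: Optional[date] = None    # expiry date (last valid day)
    can_modify: bool = False
    can_copy: bool = False
    can_delete: bool = False
    uses: int = 0

@dataclass
class Session:
    user: str
    policy: UserPolicy

class VolumeClient:
    """Hypothetical client: the only path to files on the mounted volume."""

    def __init__(self, policies):
        self.policies = dict(policies)
        self.audit: List[Tuple[str, str, str, str]] = []  # user, op, path, verdict

    def _log(self, user, op, path, verdict) -> bool:
        self.audit.append((user, op, path, verdict))
        return verdict == "allow"

    def login(self, user, password, client_ip, today) -> Optional[Session]:
        pol = self.policies.get(user)
        # Hash even for unknown users so timing does not reveal valid accounts.
        digest = hash_password(password, pol.salt if pol else b"\0" * 16)
        if pol is None or not hmac.compare_digest(digest, pol.pw_hash):
            verdict = "deny:credentials"
        elif pol.bound_ip is not None and client_ip != pol.bound_ip:
            verdict = "deny:ip"
        elif pol.expires is not None and today > pol.expires:
            verdict = "deny:expired"
        elif pol.max_uses is not None and pol.uses >= pol.max_uses:
            verdict = "deny:uses"
        else:
            pol.uses += 1
            verdict = "allow"
        return Session(user, pol) if self._log(user, "login", "-", verdict) else None

    def authorize(self, session: Session, op: str, path: str) -> bool:
        pol = session.policy
        granted = {"read": True, "modify": pol.can_modify,
                   "copy": pol.can_copy, "delete": pol.can_delete}.get(op, False)
        # Normalize first so "docs/../secret/x" cannot pass a "docs/*" rule.
        norm = posixpath.normpath(path)
        escapes = norm.startswith("/") or norm == ".." or norm.startswith("../")
        in_scope = not escapes and any(fnmatchcase(norm, g) for g in pol.file_globs)
        if not granted:
            verdict = "deny:operation"
        elif not in_scope:
            verdict = "deny:path"
        else:
            verdict = "allow"
        return self._log(session.user, op, norm, verdict)

def build_demo_client() -> VolumeClient:
    """Constructed sample users; fixed salts are for the demo only."""
    salt_a, salt_b = b"A" * 16, b"B" * 16
    return VolumeClient({
        "alice": UserPolicy(salt_a, hash_password("alice-pass", salt_a),
                            file_globs=("docs/*",), bound_ip="10.0.0.5",
                            max_uses=2, expires=date(2015, 12, 31)),
        "admin": UserPolicy(salt_b, hash_password("admin-pass", salt_b),
                            file_globs=("*",), can_modify=True,
                            can_copy=True, can_delete=True),
    })

if __name__ == "__main__":
    client = build_demo_client()
    s = client.login("alice", "alice-pass", "10.0.0.5", date(2015, 6, 1))
    for op, path in [("read", "docs/report.txt"), ("copy", "docs/report.txt"),
                     ("read", "docs/../secret/key.bin")]:
        client.authorize(s, op, path)
    print(*client.audit, sep="\n")
```

Every decision, including denials, lands in the audit list, which is the operation record that the security-auditing point in the background section asks for.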
As a further example, even the cache layer, which is closest to traditional technology, is modified. The cache layer in this scheme is essentially copy and redirect: some of the frequently used files of an in-use application in the virtual application layer, which has already been virtualized and is self-contained, are extracted to the memory virtual disk and redirected there to increase running speed. This is done per application.
The detailed description below explains this more fully.
Detailed description
Four-layer virtualization devices of various forms can be created with the method described in the present invention; only one example is described here. The hardware is based on a flash disk with a USB interface and a Wi-Fi network card, and can connect to an ordinary computer or mobile device over USB or wireless sharing. The four layers are implemented as follows. Through mass-production work, the flash memory is divided into a boot partition (a USB-HDD partition) and a writable storage partition (of the ordinary removable disk type). The boot partition stores read-only image system files, such as an ISO image file, and at run time the image system is loaded into a memory Ramdisk and run. The storage partition separately holds a virtual volume, in which a program virtual machine is installed (or a virtualized program runtime environment is set up and the Library runtime libraries and registry needed by the applications are extracted). Outside the virtual volume is ordinary storage space. An authentication client is stored outside the virtual volume folder. After the user runs the client and passes key authentication, the virtual volume is loaded as a disk Y shared on the network; it does not support direct access, however, and must be accessed through a resource manager inside the client made specifically for this virtual volume. From the resource manager in the client, the user can open the virtual machine program and the control panel program that installs and manages virtualized applications; the control panel handles installation, uninstallation, management, directory indexing, and running of applications. These virtualized applications run directly when clicked in the control panel, because the registry, environment files, and Library files they need are all stored together in the virtual volume, and calls made by the running program are pointed directly to those files in the virtual volume.
The sample device also supports a fast-run mode that the user can choose to enable. It is implemented as follows: when the control panel starts, a memory virtualization operation is performed at the same time, setting aside part of memory as a virtual disk (Ramdisk). When a program is launched from the control panel, it can be extracted to this memory virtual disk, because the program has already been virtualized and includes the registry, environment files and Library files it needs to run. This loading step makes applications start relatively slowly on the sample device, but once loaded into the memory virtual disk they run very fast. Memory is volatile, so before the computer shuts down, the cached content in the ramdisk is saved to an image file placed in the storage partition, and it is loaded again at the next boot.
Besides setting whether a virtual application runs in cache mode, the control panel can also set which cache mode it runs in. In addition to the mode above, there is a flash acceleration mode. Part of the flash memory is set aside as a data package with a .dat extension. If the flash-acceleration cache mode was selected in the previous step, applications run from the virtual application layer have their cache redirected to this .dat data package according to that mode. Because of the characteristics of flash memory and the interface speed limit, however, this mode generally does not extract the whole application when enabled, but redirects small files and randomly accessed files.
When the sample device is connected to a computer by USB, the computer can boot from USB and load the image operating system on the sample device into a Ramdisk. The system layer is then completely read-only, but this does not affect everyday work, because the virtual volume file layer and the application layer have been separated out. Running in memory, the image system is not only completely read-only, so that it does not become infected with viruses or leave traces, but also benefits from the speed of memory. Through the image system the user accesses the storage partition of the sample device, reaches the client program of the virtual volume encryption layer, runs the client program, authenticates the password, obtains the permissions of the corresponding key user, and loads the virtual volume encryption layer as network disk Y. Network disk Y cannot be accessed directly by the resource manager. The user accesses its resources through the client and opens the control panel program of the application layer, from which the program list can be viewed and applications run. All the work that a local operating system can do can be done in the layered mode of the sample device. The difference is that all changes to applications and the workspace, such as saving data, setting preferences and installing new programs, are completed in the application layer, while file operations are completed in the virtual volume encryption layer, leaving no trace on the local machine after shutdown and exit. Of course, it is also possible to connect the device to the computer by USB, log in to the encryption layer directly, and then use the application layer. This mode is mainly suited to customer service work, mobile engineers, repair and antivirus work, confidential business operations, and carrying a workspace, as shown in Figure 2.
When the sample device is connected to a nearby computer over an encrypted Wi-Fi share, the computer can discover the sample device among its network devices, where it appears as a computer folder on the network. Entering this network folder gives access to the client program of the virtual volume encryption layer; the user runs the client program, authenticates the password, obtains the permissions of the corresponding key user, and loads the virtual volume encryption layer as network disk Y. Network disk Y cannot be accessed directly by the resource manager. The user accesses its resources through the client and opens the control panel program of the application layer, from which the program list can be viewed and applications run. Multiple users can access and use the device together with different permissions: for example, some users cannot copy particular files, some users cannot see particular programs, and some users, such as visiting users, are limited in how long they may use it. This makes it well suited to enterprises that want unified, centralized control of their programs and files. A home user or private user can also use it to let all of their devices share applications, games and so on in a securely isolated and securely controlled environment, as shown in Figure 3.
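The per-user permission control described above (files that cannot be copied, programs that cannot be seen, limited usage period) could be enforced inside the client along the following lines. This is an added illustrative example, not code from the patent; the class and field names, the PBKDF2 key check, and the sample users, keys and paths are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

def derive(key: str, salt: bytes) -> bytes:
    """Stretch the user's key (PBKDF2 is an assumption; the text names no scheme)."""
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)

@dataclass
class UserPolicy:
    """Hypothetical record of the per-user rights the text lists."""
    salt: bytes
    key_hash: bytes
    network: str       # IP binding, CIDR notation
    expires: datetime  # usage deadline
    uses_left: int     # remaining logins
    rights: dict = field(default_factory=dict)  # path -> {"read", "write", "copy"}
    programs: set = field(default_factory=set)  # programs the user may see and run

class VolumeClient:
    """Sole entry point to the volume: every operation is checked, default deny."""
    def __init__(self, policies: dict):
        self.policies = policies
        self.sessions = {}  # session token -> user name

    def login(self, user: str, key: str, src_ip: str, now: datetime):
        p = self.policies.get(user)
        ok = (p is not None
              and hmac.compare_digest(derive(key, p.salt), p.key_hash)  # constant time
              and ipaddress.ip_address(src_ip) in ipaddress.ip_network(p.network)
              and now < p.expires and p.uses_left > 0)
        if not ok:
            return None
        p.uses_left -= 1
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def _policy(self, token: str, now: datetime):
        p = self.policies.get(self.sessions.get(token))
        # Re-check the deadline on every call so a session cannot outlive it.
        return p if p is not None and now < p.expires else None

    def authorize(self, token: str, action: str, path: str, now: datetime) -> bool:
        p = self._policy(token, now)
        return p is not None and action in p.rights.get(path, set())

    def list_programs(self, token: str, now: datetime) -> list:
        p = self._policy(token, now)
        return sorted(p.programs) if p else []  # hidden programs are never listed

def build_demo() -> VolumeClient:
    """Constructed sample users, keys and paths, for illustration only."""
    end = datetime(2030, 1, 1, tzinfo=timezone.utc)
    def user(key, **kw):
        salt = secrets.token_bytes(16)
        return UserPolicy(salt=salt, key_hash=derive(key, salt), expires=end, **kw)
    return VolumeClient({
        "admin": user("admin-key", network="192.168.8.0/24", uses_left=100,
                      rights={"/docs/plan.docx": {"read", "write", "copy"}},
                      programs={"editor", "cad"}),
        "guest": user("guest-key", network="192.168.8.50/32", uses_left=1,
                      rights={"/docs/plan.docx": {"read"}},
                      programs={"editor"}),
    })
```

Since disk Y is reachable only through the client, these checks run on every operation rather than only at login, which is what lets the usage deadline take effect in the middle of a session.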
Description of the drawings
Figure 1. Schematic diagram of the layered structure.
Figure 2. Schematic diagram of virtualized program operation in mode 1 of the sample device.
Figure 3. Schematic diagram of virtualized program operation in mode 2 of the sample device.

Claims (10)

  1. A method of implementing computing virtualization using a four-layer structure, the method establishing four independent virtualization layers, namely an image system layer, a virtual volume encryption layer, a virtual application layer and a cache layer, and achieving encrypted and elastic virtualization of computing through the mutually nested design of the four independent layers, wherein: the image system layer contains at least one image operating system or USB OTG system, including a system kernel environment, which is not installed on the device but stored directly on the storage device, is configured so that it can be booted by USB boot, network boot or similar means, and, when the host computer's system is not used, runs by USB boot or by being loaded into a memory-backed Ramdisk, providing a basic system kernel environment; the virtual volume encryption layer contains an encrypted virtual disk, also stored directly on the storage device but kept independent of the system files, and the virtual volume encryption layer requires key verification to be loaded, after which a virtual disk is generated in the computing device as the working partition; the virtual application layer is stored inside the virtual volume encryption layer and runs applications across devices not through a virtual machine, and without virtual hardware or a virtual system, but by virtualizing the application environment and redirecting the registry and library files; and when a virtual application runs, a cache layer is established and mapped to the host computer's memory or a high-speed peripheral for caching.
  2. The method of claim 1, characterized in that the mobile system layer is implemented by a read-only image system that is loaded into a Ramdisk at run time; the virtual volume encryption layer is implemented by creating a virtual volume which, after key verification, is loaded as a virtual disk whose access is controlled, and the I/O of this virtual encrypted volume layer is controlled and managed only through the client; the client opens the virtual disk after verifying identity by key but does not decrypt the virtual disk, and the user must perform all file operations and application launches through the client, on which I/O permission restrictions are set, such as granting different users different permissions, to achieve permission control; when the system accesses the encryption layer, the virtual volume file is mapped to a disk partition in the system; and the application layer is deployed as a whole in the virtual disk layer and is implemented by virtualizing the application environment and extracting the Library runtime libraries and registry required by the programs, so that programs deployed in the application layer can be used across devices.
  3. The method of claim 1, characterized in that the cache layer is implemented by applying ReadyBoost on an external storage device or on the storage device where the virtual volume encryption layer resides.
  4. The method of claim 1, characterized in that the virtual volume encryption layer uses a single-authentication mode: the key is verified when the user accesses the virtual volume, and once verification passes the volume file is mapped directly to a disk partition in the system, with no further authentication of each read or write.
  5. The method of claim 1, characterized in that the virtual volume encryption layer uses a per-read/write authentication mode: when the user reads a data file from the virtual disk partition, the data is decrypted as it passes through the virtual disk driver and the file is delivered to the user in plaintext; when the user writes a file, the virtual disk driver encrypts the data and passes it to the device driver, and the data is finally stored as ciphertext in the virtual volume on the physical disk.
  6. The method of claim 1, characterized in that the virtual volume encryption layer uses multiple users with keys of different permissions, applying different passwords and permissions to different users, the permissions including access rights to different files, IP binding, number of uses, modification rights, copy rights, usage expiry date and so on.
  7. A device manufactured according to the method of claim 1, characterized in that it comprises at least one boot partition (network boot, CDROM, USB-HDD partition or the like) and at least one writable storage partition (removable-disk type or local-disk type); the boot partition stores a read-only system image file, such as an ISO image file, and the image system is loaded into memory and run at run time; and one or more virtual volumes are stored separately in the storage partition, with a program virtual machine installed in the virtual volume (or a virtualized program runtime environment established and the Library runtime libraries and registry required by the applications extracted).
  8. A device manufactured according to the method of claim 1, characterized in that the cache layer of the device creates a memory virtual disk (ramdisk) on the host computer and extracts the entire running virtual application into that ramdisk; an image file is set up on the storage device where the virtual volume encryption layer resides, the contents of the ramdisk are synchronized to that image file before the computer shuts down, and the image file is reloaded at the next run.
  9. A device manufactured according to the method of claim 1, characterized in that the device has a USB interface and can connect to a computer over the USB protocol; after the device is connected to the computer by USB, the computer's system is used as the system kernel in place of the device's own image system layer, the device's virtual volume is used as the disk, and after key verification the virtual disk and the virtualized applications in it are loaded.
  10. A device manufactured according to the method of claim 1, characterized in that the device has a wireless network card and can connect to a computer over a wireless protocol; after the device is connected to the computer wirelessly, the computer's system is used as the system kernel in place of the device's own image system layer, the device's virtual volume is used as the disk, and after key verification the virtual disk and the virtualized applications in it are loaded.
PCT/CN2015/078634 2015-01-13 2015-05-10 Four-layer computing virtualization method and device WO2016112605A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510013784.6A CN105844165A (en) 2015-01-13 2015-01-13 Method and device for achieving calculation virtualization by using four layers of structures
CN201510013784.6 2015-01-13

Publications (1)

Publication Number Publication Date
WO2016112605A1 true WO2016112605A1 (en) 2016-07-21

Family

ID=56405165

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/078634 WO2016112605A1 (en) 2015-01-13 2015-05-10 Four-layer computing virtualization method and device

Country Status (2)

Country Link
CN (1) CN105844165A (en)
WO (1) WO2016112605A1 (en)

Also Published As

Publication number Publication date
CN105844165A (en) 2016-08-10

Similar Documents

Publication Publication Date Title
US9729579B1 (en) Systems and methods for increasing security on computing systems that launch application containers
US9342705B1 (en) Systems and methods for searching shared encrypted files on third-party storage systems
Ta-Min et al. Splitting interfaces: Making trust between applications and operating systems configurable
Li et al. A trusted virtual machine in an untrusted management environment
CN104268484B (en) Data leakage prevention method under a kind of cloud environment based on virtual isolation mech isolation test
US20090276774A1 (en) Access control for virtual machines in an information system
US20080165957A1 (en) Virtualization of file system encryption
WO2016112605A1 (en) Four-layer computing virtualization method and device
Yuefa et al. Data security model for cloud computing
RU2559728C2 (en) System and method of encoding files from encrypted drive
WO2012061046A2 (en) Creating distinct user spaces through mountable file systems
CN104298472A (en) Layered computing virtualization implementing method and device
CA2759612A1 (en) Method and system for securing data
US11755753B2 (en) Mechanism to enable secure memory sharing between enclaves and I/O adapters
US11343082B2 (en) Resource sharing for trusted execution environments
Zhang et al. PALM: security preserving VM live migration for systems with VMM-enforced protection
US11741221B2 (en) Using a trusted execution environment to enable network booting
US11847253B2 (en) Efficient launching of trusted execution environments
Shen et al. Securing data services: a security architecture design for private storage cloud based on HDFS
Jung et al. Data access control method for multimedia content data sharing and security based on XMDR-DAI in mobile cloud storage
Kappes et al. Multitenant access control for cloud-aware distributed filesystems
US10469457B1 (en) Systems and methods for securely sharing cloud-service credentials within a network of computing devices
US20230106455A1 (en) Efficient launching of trusted execution environments
CN105844167A (en) Method and device for achieving virtualization by nesting virtual encryption volume and virtual application
CN104298473A (en) Method and device for achieving computing virtualization by nesting virtual disk to virtual machine

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15877523

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15877523

Country of ref document: EP

Kind code of ref document: A1