CN101101575A - Data safe memory method and device - Google Patents

Data safe memory method and device Download PDF

Info

Publication number
CN101101575A
CN101101575A CN 200610095768 CN200610095768A CN101101575A CN 101101575 A CN101101575 A CN 101101575A CN 200610095768 CN200610095768 CN 200610095768 CN 200610095768 A CN200610095768 A CN 200610095768A CN 101101575 A CN101101575 A CN 101101575A
Authority
CN
China
Prior art keywords
data
temporary storage
protected
storage cell
virtual unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200610095768
Other languages
Chinese (zh)
Other versions
CN100517276C (en
Inventor
王碧波
刘春梅
刘永锋
刘建成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd filed Critical Lenovo Beijing Ltd
Priority to CN 200610095768 priority Critical patent/CN100517276C/en
Publication of CN101101575A publication Critical patent/CN101101575A/en
Application granted granted Critical
Publication of CN100517276C publication Critical patent/CN100517276C/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

In the method, a front-end virtual device is setup in user system under virtualized technique. A back end service program is setup in manager of virtual machine, or in management or service operation system independent on user operation system. Through temporary storage unit, the front-end virtual device and the back end service program access data, and the accessed data are hidden hard disc area invisible to user system finally. The invention also discloses equipment of data secure storage based on virtualized technique. The equipment includes the front-end virtual device, the back end service program, and shared memory. The invention discloses a set of scheme with high security and reliability for storing data in security. Through accessing protected data indirectly, the invention raises security and reliability of computer system for reading and storing protected data.

Description

A kind of method and device of data security storage
Technical field
The present invention relates to computer system local data secure memory techniques, be meant a kind of method and device of storing based on the data security of Intel Virtualization Technology especially.
Background technology
At present, the method that solves computer system local data safe storage mainly is divided into encrypts and data hidden two classes, the invention belongs to the data hidden class.
Traditional data-hiding method is divided into two kinds of file hiding and subzone hidings.But these two kinds of hidden methods all are only at user's a hidden method, and data are in fact still stored and are to be found easily in the hard disk areas that BIOS and operating system can visit.
Current comparatively general data security storage means has following 3 kinds:
HPA (Host Protection Area) method---make the high end regions of hard disk invisible by the hard disk instruction to BIOS and operating system.During access data, to the regional release of this section, after the release success, the user can directly carry out data access in this zone by the hard disk instruction.
Dual operating systems (OS, Operating System) partition method---utilize Intel Virtualization Technology, move two separate operating systems simultaneously.Wherein, an operating system is used for daily use, and another operating system is used to realize the data security storage.
Adopt that firmware (Firmware) manages hard disk areas method---this method can not be seen hiding hard disk areas by virtual machine manager (VMM, Virtual Machine Manager) limited subscriber operating system.Have only Firmware to pass through virtual machine manager and could realize visit hidden data area.
Employing firmware (Firmware) is as follows to the data access implementation step of the method that hard disk areas manages:
1. application program is sent the reading and writing data request to driver, and driver passes to Firmware with request;
2.Firmware according to the data in the request visit protected field that receives;
3.Firmware data message in the protected field is offered device drives;
4. device drives shows that the protected field data message is to the user;
5. the user reads and writes the data in the protected field in the mode of visit normal region, and read-write operation is read and write the protected field by Firmware by equipment manager;
6. after user's operation is finished, send read-write and finish message, message is passed to Firmware by driver to driver;
7.Firmware stop to visit the protected field after receiving message.
Existing several data security storage means is all perfect not enough, is difficult to satisfy the needs of the data security storage that constantly develops.BIOS and operating system can't be visited the hard disk areas that locks for the HPA method, but the software that is independent of BIOS still can be found this zone, as software DM.In addition, when the user access data, the HPA zone must be in released state, and this moment, the HPA zone was no longer hiding, and the data that are stored in this hidden area will be exposed to the user fully.For the dual operating systems partition method,, often cause the waste of resource because operating system of operation if additionally increase an operating system, only is used for the safe storage of data to the consume significant of hard disk, internal memory, cpu resource.In addition, when the operating system that is used for the data security storage was moved other security application simultaneously, other security application may cause dangerous, unsettled influence to data storage.For example the application program of secure payment is placed on same place with the relevant data of payment,, then may has influence on the data of being protected and destroyed this safety of data if application program goes wrong.The method that adopts firmware (Firmware) that hard disk areas is managed has only Firmware to pass through directly visit protected field of VMM; when Firmware successful access protected field; the protected field no longer is protected; the user to the read-write of protected field with the same to the read-write in non-protection area territory; in this case; in case the user carries out maloperation to the data in the protection zone, then can't repair the data change that causes because of maloperation.
Summary of the invention
In view of this, the object of the present invention is to provide a kind of method of data security storage, improve security and reliability that computer system reads and stores protected data.
Based on above-mentioned purpose, the invention provides a kind of method of data security storage, comprising:
The front end virtual unit is set in custom system,, and front end virtual unit and all addressable temporary storage cell of back-end services program is set at custom system peripheral hardware postpone end service routine;
In the time need storing, after the front end virtual unit receives storage request to data, the reading and writing data of request storage in described temporary storage cell, and is sent notice to described back-end services program to the protected data in the protected field;
The back-end services program is read the data in the temporary storage cell and is saved in the pre-configured protected field;
In the time need reading, after the front end virtual unit receives the request that protected data is read, send the request of reading that includes the requested date index information to described back-end services program to the protected data in the protected field;
The back-end services program is found out requested data according to the index information in the described request from described protected field, and reads in the described temporary storage cell, and the forward end virtual unit sends notice;
The front end virtual unit is read requested date from described temporary storage cell and is offered the user.
This method further comprises: user cipher is set;
The described user of receiving further points out the user to input password to after the storage request of protected data or reading request, judges whether the password of input is correct, if then continue subsequent step; Otherwise the prompting user makes mistakes.
This method further comprises: the data to required safe storage are provided with level of security;
Described receiving after the protected data storage request further points out the user that protected data is provided with level of security;
Described receive the request that protected data is read after, judge further whether this requested operation has exceeded the level of security that this protected data is provided with, if then do not carry out the operation that exceeds level of security; Otherwise, continue subsequent step.
This method further comprises: data channel I, data channel II, control channel 1, control channel 2 are set;
The reading and writing data that described front end virtual unit will be asked storage by data channel I sends notice by control channel 1 to described back-end services program in described temporary storage cell; Described back-end services program is read the data in the temporary storage cell and be saved in the pre-configured protected field by control channel 2 control data passage II.Described front end virtual unit sends the request of reading that includes the requested date index information by control channel 1 to described back-end services program; described back-end services program reads requested data in the described temporary storage cell by control channel 2 control data passage II from the protected field; send notice by control channel 1 to described front end virtual unit, described front end virtual unit is read requested date by data channel I from described temporary storage cell and is offered the user.
The described control channel 1 of this method adopts Event Channel or interrupts or the Hypercall technology; Order or function calling method in the described control channel 2 employing programs.
The described requested date index information of this method further comprises call number, title, date created, the date saved of requested date.
Based on above-mentioned purpose, the present invention also provides a kind of device of data security storage, comprising:
Front end virtual unit, back-end services program module and temporary storage cell; Wherein
The front end virtual unit, be arranged in the custom system, be used to obtain and respond the access request of user, the protected data that the user need preserve is read and write described temporary storage cell, the protected data that the user need read is read from temporary storage cell protected data;
The back-end services program module, be arranged at outside the custom system, the protected data that is used for that the user need be preserved is read from described temporary storage cell and is saved in the pre-configured protected field, and the protected data that the user need be read reads in the temporary storage cell from described protected field; And
Temporary storage cell is used for temporary protected data.
This installs described back-end services program module and is set in the virtual machine manager or in management outside being independent of custom system or the service operations system.
This installs described temporary storage cell and can be set in the virtual machine manager; The perhaps a part of region of memory outside the custom system virtual memory zone in physical memory.
This device further comprises: control channel 1 and control channel 2, data channel I and data channel II.
Described data channel I is used for the data double-way of data from the front end virtual unit to temporary storage cell transmitted between front end virtual unit and temporary storage cell; Described data channel II is between temporary storage cell and protected field, and the data double-way that is used for from the temporary storage cell to the protected field transmits; Control channel 1 is used for the transmission of control messages between front end virtual unit and the back-end services program module between described front end virtual unit and described back-end services program module; Control channel 2 is used for the control of back-end services program module to the protected field data access between back-end services program module and data channel 2.
This installs described control channel 1 and adopts Event Channel or interruption or Hypercall technology; Order or function calling method in the described control channel 2 employing programs.
This installs described protected field is the hard disk areas that a part of custom system of marking in the system physical hard disk haves no right to visit.
From above as can be seen, the method and the device of data security storage provided by the invention: the custom system under Intel Virtualization Technology is set a front end virtual unit, in virtual machine manager or MOS, set a back-end services program, region of memory beyond virtual system of front end virtual unit and back-end services procedure sharing carries out data access, and the data of institute's access finally are hidden in the sightless hard disk areas of custom system.The effect of front end virtual unit is to carry out obtaining and respond the user's data access request alternately with the user.The effect of back-end services program is a data access request of obtaining and respond the front end virtual unit.
The present invention has following advantage compared with prior art:
The storage data area has been hidden into outside the virtual hard disk, and which kind of instrument the user uses can only see virtual hard disk in virtual system, can't find the data of being stored at all, thereby the safety that has realized the local hard drive data is hidden.Protected field in the physical hard disk is exclusively used in storage, has avoided because the potential safety hazard that the operation of other application program causes.
In any case, have only the front end virtual unit to realize visit to the protected field data jointly by the back-end services program, the front end virtual unit can not directly be visited the protected field separately, therefore has good security.In addition, virtual machine manager is guaranteed that the front end virtual unit is not unloaded, is not used by the disabled user of long-range connection, and takes precautions against local disabled user by password authentication.Intel Virtualization Technology uses the shared drive of front end virtual unit and back-end services program to come Data transmission, if the user only need check data, does not need reading of data from the protected field, thereby significantly reduces outside influence to data in the protected field.By checking with reading of data is provided with different level of securitys,, the information that the user shows the front end virtual unit can not destroy data in the protected field even carrying out maloperation yet; In addition, the real visit of user be data in the shared drive, for this reason, reduced access times, thereby strengthened safety of data in the protected field the protected field.
Application program in the virtual machine is that dynamic random generates by the shared drive in the process of front end virtual unit access storage areas territory, promptly the pairing physical memory of this shared drive zone is at random, certain piece fixed area in the not corresponding physical memory, thereby strengthened security.
From resource consumption, do not need the extra safe storage that an operating system is used for data that increases, there is not additive decrementation to resources such as hard disk and internal memories, reduced the scheduling burden of CPU.
Description of drawings
Fig. 1 divides synoptic diagram for the hard disk functional area under the Intel Virtualization Technology of the present invention;
Fig. 2 is the system architecture diagram of the present invention's realization based on the data security storage of Intel Virtualization Technology;
Fig. 3 is the system construction drawing of realizing in first preferred embodiment of the present invention based on the data security storage of Intel Virtualization Technology;
Fig. 4 is the system construction drawing of realizing in second preferred embodiment of the present invention based on the data security storage of Intel Virtualization Technology.
Embodiment
The present invention is further described in more detail below in conjunction with drawings and the specific embodiments.
Use Intel Virtualization Technology, allow custom system operate on the virtual hard disk, and with data storage in physical hard disk in the protected field outside the virtual hard disk.A physical hard disk is carried out functional area divide as shown in Figure 1, physical hard disk 101 is divided into three functional areas among the present invention: protected field 111, the virtual hard disk zone 112 of custom system and the hard disk areas 113 that virtual machine manager takies.Be illustrated as the area dividing of physical hard disk in the custom system, also can divide according to the same manner for a plurality of custom systems.Protected field among Fig. 1 is arranged in the hard disk areas outside the physical hard disk virtual hard disk space.For the user, give oneself virtual hard disk space of distribution because can only see virtual machine manager, thus can't discover the existence of protected field at all, thus can't visit and destroy hiding protected data.
Fig. 2 is based on the system architecture diagram of the data security storage of Intel Virtualization Technology, comprises custom system 201, virtual machine manager (VMM, Virtual Machine Manger) 202, hardware platform 203.Custom system comprises: custom system operating system 211, virtual hard disk 212, virtual memory 213 and front end virtual unit 214.In virtual machine manager, comprise temporary storage cell 221 and back-end services program 222.Hardware platform comprises: physical hard disk 231 and physical memory 232.Wherein front end virtual unit 214 and back-end services program 222 are the present invention's new functional module of adding on existing Intel Virtualization Technology framework.Temporary storage cell 221 and back-end services program shown in Figure 2 also can be arranged on other positions.
In general, when the user capture protected field, the protected field is the easiest to be found and to attack.In order to guarantee the safety of protected data access procedure, in custom system, set a front end virtual unit, the back-end services program of setting up a special use in virtual machine manager is monitored the data access request of front end virtual unit.When not carrying out the secure data access, front end virtual unit and back-end services program are isolated fully.When carrying out the secure data access, the front end virtual unit is by control channel, data channel and temporary storage cell, with the common access that realizes data in the protected field of back-end services program.Wherein, control channel is divided into control channel 1 and control channel 2.Control channel 1 realizes the transmission of control messages between front end virtual unit and the back-end services program, and for example adopting, technology such as Event Channel, interruption, Hypercall realize; Control channel 2 realizes the control of back-end services programs to the protected field data access, adopts methods such as order in the back-end services program for example and function call to realize; Data channel is divided into data channel I and data channel II, and data channel I realizes the data double-way of data from the front end virtual unit of custom system to temporary storage cell transmitted; Data channel II realizes that the data double-way from the temporary storage cell to the protected field transmits.
Fig. 3 is the system construction drawing of first preferred embodiment of the present invention: promptly realize the data security storage based on Intel Virtualization Technology in the virtualization architecture that does not comprise management or service operations system, comprising custom system 301, virtual machine manager (VMM, Virtual Machine Manger) 302, hardware platform 303.Custom system 301 comprises: custom system operating system 311, virtual hard disk 312 and front end virtual unit 313.In virtual machine manager 302, comprise back-end services program 321.Hardware platform 303 comprises: physical hard disk 331 and physical memory 332; Wherein, physical hard disk 331 is divided into virtual hard disk 3311 and the protected field 3312 of virtual machine VM; Physical memory is divided into virtual memory 3321 and the shared drive 3322 of virtual machine VM.In the present embodiment, back-end services program 321 realizes the access to the protected field data in virtual machine manager 302.
Fig. 4 is the system construction drawing of second preferred embodiment of the present invention: promptly realize the data security storage based on Intel Virtualization Technology in the virtualization architecture that comprises management or service operations system, comprising custom system 401, MOS (OS) 402, virtual machine manager (VMM, Virtual MachineManger) 403, hardware platform 404.Custom system 401 comprises: custom system operating system 411, virtual hard disk 412 and front end virtual unit 413.Comprise back-end services program 421 in the MOS 402.Hardware platform 404 comprises: physical hard disk 441 and physical memory 442; Wherein, physical hard disk 441 is divided into VM virtual hard disk 4411 and protected field 4412; Physical memory is divided into VM internal memory 4421 and shared drive 4422.In the present embodiment, have a MOS 402 of moving simultaneously with custom system, back-end services program 421 realizes the access to the protected field data in this MOS 402.
In Fig. 3 and two specific embodiments shown in Figure 4, difference is: the back-end services program 321 among Fig. 3 is in virtual machine manager VMM 302; And the back-end services program 421 among Fig. 4 is in MOS 402.Shared drive among Fig. 3 and Fig. 4 be among Fig. 2 temporary storage cell one
Front end virtual unit among Fig. 2,3 and 4 is made of jointly interruption processing module, visit shared drive module, user interactions control module and 4 modules of information logging modle.Wherein, interruption processing module is used to distribute an interruption; Visit shared drive module is used to realize front end virtual unit visit shared drive; The user interactions control module is used to realize that the front end virtual unit is undertaken alternately by modes such as device drives and user; The information logging modle is used to store the index information of data in the protected field.4 intermodule processes of cooperatively interacting in the front end virtual unit are: when the user will be deposit data during to the protected field; at first starting user interactions control module and front end virtual unit carries out alternately; distribute an interruption to respond the back-end services program by the interruption processing module in the front end virtual unit; front end virtual unit initiated access shared drive module simultaneously makes front end virtual unit and back-end services program deposit data in the shared drive in jointly; by control channel 2 file or folder in the shared drive being saved in the protected field by data channel II by the back-end services program then returns a data call number and relevant information simultaneously and gives the front end virtual unit; at this moment, front end virtual unit log-on message logging modle is preserved the data directory that returns number and relevant information.
Concrete implementation step is as follows:
Data storage procedure:
1. the user selects to be saved in the file or folder of protected field by the front end virtual unit;
2. the prompting user inputs password, whether virtual machine manager check input password is correct, if password is correct, the prompting user is provided with corresponding level of security to checking and reading of the file or folder that will preserve, can not write or readable mode such as write as readable, otherwise show mistake;
3. the front end virtual unit duplicates file or folder or move in the shared drive by data channel I, simultaneously by control channel 1 notice back-end services program; Control channel 1 adopts technology such as Event Channel, interruption, Hypercall to realize, as Event Channel is a kind of event notification mechanism among the virtualization architecture Xen, be used to realize the effect of similar hardware interrupts, specific implementation is: each passage is corresponding with a bit, when event occurs on one of them passage, the bit corresponding with this passage was 1 from 0 saltus step;
4. the back-end services program is saved in the protected field to the file or folder in the shared drive by data channel II by control channel 2, returns a unique file or folder call number by the back-end services program by control channel 1 simultaneously and gives the front end virtual unit; Control channel 2 adopts methods such as order or function call to realize;
5. the front end virtual unit is preserved the file or folder information of being stored, as information such as file or folder call number, title, date created, dates saved;
6. whether front end virtual unit inquiry user needs to delete source document or the file in user's virtual hard disk, then deletes source document or file if desired.
Data read process:
1. the order of user's input reference front end virtual unit;
2. custom system prompting user inputs password, and virtual machine manager is tested to the password of keyboard input, if cryptographic check is correct, then continue to carry out subsequent step, otherwise demonstration makes mistakes;
3. the front end virtual unit is opened a window and will be preserved the information of file or folder and be shown to the user, and this function class is similar to the recycle bin in the Windows operating system;
4. the user selects viewing files or file, perhaps selects file or folder is shifted out and deposit user's virtual hard disk from the front end virtual unit, and this moment, the user can only check and read operation according to the level of security that file or folder has configured; If user's requested operation has exceeded the authority of rank regulation, then point out user's operating mistake, will not carry out the request that exceeds level-right that the user proposes;
The front end virtual unit by control channel 1 to the back-end service routine send file or folder and read request, simultaneously the call number of whether deleting source document in the protected field or file and user-selected file or folder correspondence as parameter together as asking transmission;
6. the back-end services program reads out call number corresponding file or file by control channel 2 in the protected field, puts into shared drive and notifies the front end virtual unit through data channel II;
7. the front end virtual unit is asked display file or file content according to the user, perhaps file or folder is saved on the custom system virtual hard disk;
8. whether front end virtual unit inquiry user needs to delete source document or file, if desired, deletes this source document or file;
9. whether front end virtual unit inquiry user needs to continue to read other file or folder from the protected field, if do not need, closes window.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being done, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (12)

1. the method for a data security storage is characterized in that, comprising:
The front end virtual unit is set in custom system,, and front end virtual unit and all addressable temporary storage cell of back-end services program is set at custom system peripheral hardware postpone end service routine;
In the time need storing, after the front end virtual unit receives storage request to data, the reading and writing data of request storage in described temporary storage cell, and is sent notice to described back-end services program to the protected data in the protected field;
The back-end services program is read the data in the temporary storage cell and is saved in the pre-configured protected field;
In the time need reading, after the front end virtual unit receives the request that protected data is read, send the request of reading that includes the requested date index information to described back-end services program to the protected data in the protected field;
The back-end services program is found out requested data according to the index information in the described request from described protected field, and reads in the described temporary storage cell, and the forward end virtual unit sends notice;
The front end virtual unit is read requested date from described temporary storage cell and is offered the user.
2. method according to claim 1 is characterized in that this method further comprises: user cipher is set;
The described user of receiving further points out the user to input password to after the storage request of protected data or reading request, judges whether the password of input is correct, if then continue subsequent step; Otherwise the prompting user makes mistakes.
3. method according to claim 1 and 2 is characterized in that, this method further comprises: the data to required safe storage are provided with level of security;
Described receiving after the protected data storage request further points out the user that protected data is provided with level of security;
Described receive the request that protected data is read after, judge further whether this requested operation has exceeded the level of security that this protected data is provided with, if then do not carry out the operation that exceeds level of security; Otherwise, continue subsequent step.
4. method according to claim 1 is characterized in that, this method further comprises: be provided with according to passage I, data channel II, control channel 1, control channel 2;
The reading and writing data that described front end virtual unit will be asked storage by data channel I sends notice by control channel 1 to described back-end services program in described temporary storage cell; Described back-end services program is read the data in the temporary storage cell and be saved in the pre-configured protected field by control channel 2 control data passage II.Described front end virtual unit sends the request of reading that includes the requested date index information by control channel 1 to described back-end services program; described back-end services program reads requested data in the described temporary storage cell by control channel 2 control data passage II from the protected field; send notice by control channel 1 to described front end virtual unit, described front end virtual unit is read requested date by data channel I from described temporary storage cell and is offered the user.
5. method according to claim 4 is characterized in that, described control channel 1 adopts EventChannel or interrupts or the Hypercall technology; Order or function calling method in the described control channel 2 employing programs.
6. method according to claim 1 is characterized in that, described requested date index information further comprises call number, title, date created, the date saved of requested date.
7. the device of a data security storage is characterized in that, comprising: front end virtual unit, back-end services program module and temporary storage cell; Wherein
The front end virtual unit, be arranged in the custom system, be used to obtain and respond the access request of user, the protected data that the user need preserve is read and write described temporary storage cell, the protected data that the user need read is read from temporary storage cell protected data;
The back-end services program module, be arranged at outside the custom system, the protected data that is used for that the user need be preserved is read from described temporary storage cell and is saved in the pre-configured protected field, and the protected data that the user need be read reads in the temporary storage cell from described protected field; And
Temporary storage cell is used for temporary protected data.
8. device according to claim 7 is characterized in that, described back-end services program module is set in the virtual machine manager or in management outside being independent of custom system or the service operations system.
9. device according to claim 7 is characterized in that described temporary storage cell can be set in the virtual machine manager; The perhaps a part of region of memory outside the custom system virtual memory zone in physical memory.
10. device according to claim 7 is characterized in that, described device further comprises: control channel 1 and control channel 2, data channel I and data channel II.
Described data channel I is used for the data double-way of data from the front end virtual unit to temporary storage cell transmitted between front end virtual unit and temporary storage cell; Described data channel II is between temporary storage cell and protected field, and the data double-way that is used for from the temporary storage cell to the protected field transmits; Control channel 1 is used for the transmission of control messages between front end virtual unit and the back-end services program module between described front end virtual unit and described back-end services program module; Control channel 2 is used for the control of back-end services program module to the protected field data access between back-end services program module and data channel 2.
11. device according to claim 10 is characterized in that, described control channel 1 adopts Event Channel or interrupts or the Hypercall technology; Order or function calling method in the described control channel 2 employing programs.
12. device according to claim 7 is characterized in that, described protected field is the hard disk areas that a part of custom system of marking in the system physical hard disk haves no right to visit.
CN 200610095768 2006-07-04 2006-07-04 Data safe memory method and device Active CN100517276C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610095768 CN100517276C (en) 2006-07-04 2006-07-04 Data safe memory method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200610095768 CN100517276C (en) 2006-07-04 2006-07-04 Data safe memory method and device

Publications (2)

Publication Number Publication Date
CN101101575A true CN101101575A (en) 2008-01-09
CN100517276C CN100517276C (en) 2009-07-22

Family

ID=39035852

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610095768 Active CN100517276C (en) 2006-07-04 2006-07-04 Data safe memory method and device

Country Status (1)

Country Link
CN (1) CN100517276C (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202062A (en) * 2011-06-03 2011-09-28 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN102509048A (en) * 2011-11-14 2012-06-20 西安电子科技大学 Method for preventing illegal transferring of interruption procedures of operating system
CN101566971B (en) * 2008-03-07 2012-08-08 和泽电子股份有限公司 Content protection system in storage media and method of same
WO2013181960A1 (en) * 2012-06-08 2013-12-12 深圳市朗科科技股份有限公司 Secure storage method, terminal and system based on virtualization
CN103502993A (en) * 2012-02-22 2014-01-08 松下电器产业株式会社 Virtual computer system, confidential information protection method, and confidential information protection program
WO2014166418A1 (en) * 2013-04-12 2014-10-16 中国银联股份有限公司 Method for implementing virtual secure element (vse)
CN105045727A (en) * 2015-08-14 2015-11-11 华为技术有限公司 Method and equipment for accessing shared memories
CN106293678A (en) * 2015-06-09 2017-01-04 北京京东尚科信息技术有限公司 A kind of method and system of the variable managing application service
CN106682499A (en) * 2016-11-16 2017-05-17 无锡港湾网络科技有限公司 Disaster prevention system data secure-storage method
CN106844006A (en) * 2016-12-29 2017-06-13 北京瑞星信息技术股份有限公司 Based on data prevention method and system under virtualized environment
CN108376226A (en) * 2017-01-18 2018-08-07 丰田自动车株式会社 Unauthorized determines that system and unauthorized determine method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103886264A (en) * 2014-03-03 2014-06-25 深圳市江波龙电子有限公司 Method and device for protecting data in hidden area of storage device

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101566971B (en) * 2008-03-07 2012-08-08 和泽电子股份有限公司 Content protection system in storage media and method of same
CN102202062B (en) * 2011-06-03 2013-12-25 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN102202062A (en) * 2011-06-03 2011-09-28 苏州九州安华信息安全技术有限公司 Method and apparatus for realizing access control
CN102509048A (en) * 2011-11-14 2012-06-20 西安电子科技大学 Method for preventing illegal transferring of interruption procedures of operating system
US9460276B2 (en) 2012-02-22 2016-10-04 Panasonic Intellectual Property Corporation Of America Virtual machine system, confidential information protection method, and confidential information protection program
CN103502993A (en) * 2012-02-22 2014-01-08 松下电器产业株式会社 Virtual computer system, confidential information protection method, and confidential information protection program
WO2013181960A1 (en) * 2012-06-08 2013-12-12 深圳市朗科科技股份有限公司 Secure storage method, terminal and system based on virtualization
US10678577B2 (en) 2013-04-12 2020-06-09 China Unionpay Co., Ltd. Method for implementing virtual secure element
WO2014166418A1 (en) * 2013-04-12 2014-10-16 中国银联股份有限公司 Method for implementing virtual secure element (vse)
CN106293678A (en) * 2015-06-09 2017-01-04 北京京东尚科信息技术有限公司 A kind of method and system of the variable managing application service
CN106293678B (en) * 2015-06-09 2020-11-24 北京京东尚科信息技术有限公司 Method and system for managing variables of application service
CN105045727A (en) * 2015-08-14 2015-11-11 华为技术有限公司 Method and equipment for accessing shared memories
CN105045727B (en) * 2015-08-14 2018-06-26 华为技术有限公司 A kind of method and apparatus for accessing shared drive
CN106682499A (en) * 2016-11-16 2017-05-17 无锡港湾网络科技有限公司 Disaster prevention system data secure-storage method
CN106844006A (en) * 2016-12-29 2017-06-13 北京瑞星信息技术股份有限公司 Based on data prevention method and system under virtualized environment
CN106844006B (en) * 2016-12-29 2019-11-12 北京瑞星网安技术股份有限公司 Based on the data prevention method and system under virtualized environment
CN108376226A (en) * 2017-01-18 2018-08-07 丰田自动车株式会社 Unauthorized determines that system and unauthorized determine method
CN108376226B (en) * 2017-01-18 2022-04-01 丰田自动车株式会社 Unauthorized determination system and unauthorized determination method

Also Published As

Publication number Publication date
CN100517276C (en) 2009-07-22

Similar Documents

Publication Publication Date Title
CN100517276C (en) Data safe memory method and device
JP6055988B1 (en) Computer program, secret management method and system
US7596695B2 (en) Application-based data encryption system and method thereof
US10372628B2 (en) Cross-domain security in cryptographically partitioned cloud
CN1937628B (en) Method and system for managing data processing target entity
KR101323858B1 (en) Apparatus and method for controlling memory access in virtualized system
CN101430700B (en) File management device and storage device
US8750519B2 (en) Data protection system, data protection method, and memory card
CN106063218A (en) Method, apparatus and system for encryption/decryption in virtualization system
CN103353931A (en) Security-enhanced computer systems and methods
CN104484625B (en) A kind of computer and its implementation with dual operating systems
CN101145173A (en) System and method for securely saving and restoring a context of a secure program loader
US7818567B2 (en) Method for protecting security accounts manager (SAM) files within windows operating systems
CN109086620B (en) Physical isolation dual-system construction method based on mobile storage medium
CN101877246A (en) U disk encryption method
CN101499027A (en) Intelligent memory system based on independent kernel and distributed architecture
KR20140051350A (en) Digital signing authority dependent platform secret
CN101263463A (en) Transactional sealed storage
CN110543775B (en) Data security protection method and system based on super-fusion concept
US7765407B2 (en) Method and apparatus for providing centralized user authorization to allow secure sign-on to a computer system
CN109214204A (en) Data processing method and storage equipment
CN105279453A (en) Separate storage management-supporting file partition hiding system and method thereof
JP2009223787A (en) Information processor and processing method, and program
US8086873B2 (en) Method for controlling file access on computer systems
CN108491249B (en) Kernel module isolation method and system based on module weight

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant