CN101101575A - Data safe memory method and device - Google Patents
Data safe memory method and device Download PDFInfo
- Publication number
- CN101101575A CN101101575A CN 200610095768 CN200610095768A CN101101575A CN 101101575 A CN101101575 A CN 101101575A CN 200610095768 CN200610095768 CN 200610095768 CN 200610095768 A CN200610095768 A CN 200610095768A CN 101101575 A CN101101575 A CN 101101575A
- Authority
- CN
- China
- Prior art keywords
- data
- temporary storage
- protected
- storage cell
- virtual unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
In the method, a front-end virtual device is setup in user system under virtualized technique. A back end service program is setup in manager of virtual machine, or in management or service operation system independent on user operation system. Through temporary storage unit, the front-end virtual device and the back end service program access data, and the accessed data are hidden hard disc area invisible to user system finally. The invention also discloses equipment of data secure storage based on virtualized technique. The equipment includes the front-end virtual device, the back end service program, and shared memory. The invention discloses a set of scheme with high security and reliability for storing data in security. Through accessing protected data indirectly, the invention raises security and reliability of computer system for reading and storing protected data.
Description
Technical field
The present invention relates to computer system local data secure memory techniques, be meant a kind of method and device of storing based on the data security of Intel Virtualization Technology especially.
Background technology
At present, the method that solves computer system local data safe storage mainly is divided into encrypts and data hidden two classes, the invention belongs to the data hidden class.
Traditional data-hiding method is divided into two kinds of file hiding and subzone hidings.But these two kinds of hidden methods all are only at user's a hidden method, and data are in fact still stored and are to be found easily in the hard disk areas that BIOS and operating system can visit.
Current comparatively general data security storage means has following 3 kinds:
HPA (Host Protection Area) method---make the high end regions of hard disk invisible by the hard disk instruction to BIOS and operating system.During access data, to the regional release of this section, after the release success, the user can directly carry out data access in this zone by the hard disk instruction.
Dual operating systems (OS, Operating System) partition method---utilize Intel Virtualization Technology, move two separate operating systems simultaneously.Wherein, an operating system is used for daily use, and another operating system is used to realize the data security storage.
Adopt that firmware (Firmware) manages hard disk areas method---this method can not be seen hiding hard disk areas by virtual machine manager (VMM, Virtual Machine Manager) limited subscriber operating system.Have only Firmware to pass through virtual machine manager and could realize visit hidden data area.
Employing firmware (Firmware) is as follows to the data access implementation step of the method that hard disk areas manages:
1. application program is sent the reading and writing data request to driver, and driver passes to Firmware with request;
2.Firmware according to the data in the request visit protected field that receives;
3.Firmware data message in the protected field is offered device drives;
4. device drives shows that the protected field data message is to the user;
5. the user reads and writes the data in the protected field in the mode of visit normal region, and read-write operation is read and write the protected field by Firmware by equipment manager;
6. after user's operation is finished, send read-write and finish message, message is passed to Firmware by driver to driver;
7.Firmware stop to visit the protected field after receiving message.
Existing several data security storage means is all perfect not enough, is difficult to satisfy the needs of the data security storage that constantly develops.BIOS and operating system can't be visited the hard disk areas that locks for the HPA method, but the software that is independent of BIOS still can be found this zone, as software DM.In addition, when the user access data, the HPA zone must be in released state, and this moment, the HPA zone was no longer hiding, and the data that are stored in this hidden area will be exposed to the user fully.For the dual operating systems partition method,, often cause the waste of resource because operating system of operation if additionally increase an operating system, only is used for the safe storage of data to the consume significant of hard disk, internal memory, cpu resource.In addition, when the operating system that is used for the data security storage was moved other security application simultaneously, other security application may cause dangerous, unsettled influence to data storage.For example the application program of secure payment is placed on same place with the relevant data of payment,, then may has influence on the data of being protected and destroyed this safety of data if application program goes wrong.The method that adopts firmware (Firmware) that hard disk areas is managed has only Firmware to pass through directly visit protected field of VMM; when Firmware successful access protected field; the protected field no longer is protected; the user to the read-write of protected field with the same to the read-write in non-protection area territory; in this case; in case the user carries out maloperation to the data in the protection zone, then can't repair the data change that causes because of maloperation.
Summary of the invention
In view of this, the object of the present invention is to provide a kind of method of data security storage, improve security and reliability that computer system reads and stores protected data.
Based on above-mentioned purpose, the invention provides a kind of method of data security storage, comprising:
The front end virtual unit is set in custom system,, and front end virtual unit and all addressable temporary storage cell of back-end services program is set at custom system peripheral hardware postpone end service routine;
In the time need storing, after the front end virtual unit receives storage request to data, the reading and writing data of request storage in described temporary storage cell, and is sent notice to described back-end services program to the protected data in the protected field;
The back-end services program is read the data in the temporary storage cell and is saved in the pre-configured protected field;
In the time need reading, after the front end virtual unit receives the request that protected data is read, send the request of reading that includes the requested date index information to described back-end services program to the protected data in the protected field;
The back-end services program is found out requested data according to the index information in the described request from described protected field, and reads in the described temporary storage cell, and the forward end virtual unit sends notice;
The front end virtual unit is read requested date from described temporary storage cell and is offered the user.
This method further comprises: user cipher is set;
The described user of receiving further points out the user to input password to after the storage request of protected data or reading request, judges whether the password of input is correct, if then continue subsequent step; Otherwise the prompting user makes mistakes.
This method further comprises: the data to required safe storage are provided with level of security;
Described receiving after the protected data storage request further points out the user that protected data is provided with level of security;
Described receive the request that protected data is read after, judge further whether this requested operation has exceeded the level of security that this protected data is provided with, if then do not carry out the operation that exceeds level of security; Otherwise, continue subsequent step.
This method further comprises: data channel I, data channel II, control channel 1, control channel 2 are set;
The reading and writing data that described front end virtual unit will be asked storage by data channel I sends notice by control channel 1 to described back-end services program in described temporary storage cell; Described back-end services program is read the data in the temporary storage cell and be saved in the pre-configured protected field by control channel 2 control data passage II.Described front end virtual unit sends the request of reading that includes the requested date index information by control channel 1 to described back-end services program; described back-end services program reads requested data in the described temporary storage cell by control channel 2 control data passage II from the protected field; send notice by control channel 1 to described front end virtual unit, described front end virtual unit is read requested date by data channel I from described temporary storage cell and is offered the user.
The described control channel 1 of this method adopts Event Channel or interrupts or the Hypercall technology; Order or function calling method in the described control channel 2 employing programs.
The described requested date index information of this method further comprises call number, title, date created, the date saved of requested date.
Based on above-mentioned purpose, the present invention also provides a kind of device of data security storage, comprising:
Front end virtual unit, back-end services program module and temporary storage cell; Wherein
The front end virtual unit, be arranged in the custom system, be used to obtain and respond the access request of user, the protected data that the user need preserve is read and write described temporary storage cell, the protected data that the user need read is read from temporary storage cell protected data;
The back-end services program module, be arranged at outside the custom system, the protected data that is used for that the user need be preserved is read from described temporary storage cell and is saved in the pre-configured protected field, and the protected data that the user need be read reads in the temporary storage cell from described protected field; And
Temporary storage cell is used for temporary protected data.
This installs described back-end services program module and is set in the virtual machine manager or in management outside being independent of custom system or the service operations system.
This installs described temporary storage cell and can be set in the virtual machine manager; The perhaps a part of region of memory outside the custom system virtual memory zone in physical memory.
This device further comprises: control channel 1 and control channel 2, data channel I and data channel II.
Described data channel I is used for the data double-way of data from the front end virtual unit to temporary storage cell transmitted between front end virtual unit and temporary storage cell; Described data channel II is between temporary storage cell and protected field, and the data double-way that is used for from the temporary storage cell to the protected field transmits; Control channel 1 is used for the transmission of control messages between front end virtual unit and the back-end services program module between described front end virtual unit and described back-end services program module; Control channel 2 is used for the control of back-end services program module to the protected field data access between back-end services program module and data channel 2.
This installs described control channel 1 and adopts Event Channel or interruption or Hypercall technology; Order or function calling method in the described control channel 2 employing programs.
This installs described protected field is the hard disk areas that a part of custom system of marking in the system physical hard disk haves no right to visit.
From above as can be seen, the method and the device of data security storage provided by the invention: the custom system under Intel Virtualization Technology is set a front end virtual unit, in virtual machine manager or MOS, set a back-end services program, region of memory beyond virtual system of front end virtual unit and back-end services procedure sharing carries out data access, and the data of institute's access finally are hidden in the sightless hard disk areas of custom system.The effect of front end virtual unit is to carry out obtaining and respond the user's data access request alternately with the user.The effect of back-end services program is a data access request of obtaining and respond the front end virtual unit.
The present invention has following advantage compared with prior art:
The storage data area has been hidden into outside the virtual hard disk, and which kind of instrument the user uses can only see virtual hard disk in virtual system, can't find the data of being stored at all, thereby the safety that has realized the local hard drive data is hidden.Protected field in the physical hard disk is exclusively used in storage, has avoided because the potential safety hazard that the operation of other application program causes.
In any case, have only the front end virtual unit to realize visit to the protected field data jointly by the back-end services program, the front end virtual unit can not directly be visited the protected field separately, therefore has good security.In addition, virtual machine manager is guaranteed that the front end virtual unit is not unloaded, is not used by the disabled user of long-range connection, and takes precautions against local disabled user by password authentication.Intel Virtualization Technology uses the shared drive of front end virtual unit and back-end services program to come Data transmission, if the user only need check data, does not need reading of data from the protected field, thereby significantly reduces outside influence to data in the protected field.By checking with reading of data is provided with different level of securitys,, the information that the user shows the front end virtual unit can not destroy data in the protected field even carrying out maloperation yet; In addition, the real visit of user be data in the shared drive, for this reason, reduced access times, thereby strengthened safety of data in the protected field the protected field.
Application program in the virtual machine is that dynamic random generates by the shared drive in the process of front end virtual unit access storage areas territory, promptly the pairing physical memory of this shared drive zone is at random, certain piece fixed area in the not corresponding physical memory, thereby strengthened security.
From resource consumption, do not need the extra safe storage that an operating system is used for data that increases, there is not additive decrementation to resources such as hard disk and internal memories, reduced the scheduling burden of CPU.
Description of drawings
Fig. 1 divides synoptic diagram for the hard disk functional area under the Intel Virtualization Technology of the present invention;
Fig. 2 is the system architecture diagram of the present invention's realization based on the data security storage of Intel Virtualization Technology;
Fig. 3 is the system construction drawing of realizing in first preferred embodiment of the present invention based on the data security storage of Intel Virtualization Technology;
Fig. 4 is the system construction drawing of realizing in second preferred embodiment of the present invention based on the data security storage of Intel Virtualization Technology.
Embodiment
The present invention is further described in more detail below in conjunction with drawings and the specific embodiments.
Use Intel Virtualization Technology, allow custom system operate on the virtual hard disk, and with data storage in physical hard disk in the protected field outside the virtual hard disk.A physical hard disk is carried out functional area divide as shown in Figure 1, physical hard disk 101 is divided into three functional areas among the present invention: protected field 111, the virtual hard disk zone 112 of custom system and the hard disk areas 113 that virtual machine manager takies.Be illustrated as the area dividing of physical hard disk in the custom system, also can divide according to the same manner for a plurality of custom systems.Protected field among Fig. 1 is arranged in the hard disk areas outside the physical hard disk virtual hard disk space.For the user, give oneself virtual hard disk space of distribution because can only see virtual machine manager, thus can't discover the existence of protected field at all, thus can't visit and destroy hiding protected data.
Fig. 2 is based on the system architecture diagram of the data security storage of Intel Virtualization Technology, comprises custom system 201, virtual machine manager (VMM, Virtual Machine Manger) 202, hardware platform 203.Custom system comprises: custom system operating system 211, virtual hard disk 212, virtual memory 213 and front end virtual unit 214.In virtual machine manager, comprise temporary storage cell 221 and back-end services program 222.Hardware platform comprises: physical hard disk 231 and physical memory 232.Wherein front end virtual unit 214 and back-end services program 222 are the present invention's new functional module of adding on existing Intel Virtualization Technology framework.Temporary storage cell 221 and back-end services program shown in Figure 2 also can be arranged on other positions.
In general, when the user capture protected field, the protected field is the easiest to be found and to attack.In order to guarantee the safety of protected data access procedure, in custom system, set a front end virtual unit, the back-end services program of setting up a special use in virtual machine manager is monitored the data access request of front end virtual unit.When not carrying out the secure data access, front end virtual unit and back-end services program are isolated fully.When carrying out the secure data access, the front end virtual unit is by control channel, data channel and temporary storage cell, with the common access that realizes data in the protected field of back-end services program.Wherein, control channel is divided into control channel 1 and control channel 2.Control channel 1 realizes the transmission of control messages between front end virtual unit and the back-end services program, and for example adopting, technology such as Event Channel, interruption, Hypercall realize; Control channel 2 realizes the control of back-end services programs to the protected field data access, adopts methods such as order in the back-end services program for example and function call to realize; Data channel is divided into data channel I and data channel II, and data channel I realizes the data double-way of data from the front end virtual unit of custom system to temporary storage cell transmitted; Data channel II realizes that the data double-way from the temporary storage cell to the protected field transmits.
Fig. 3 is the system construction drawing of first preferred embodiment of the present invention: promptly realize the data security storage based on Intel Virtualization Technology in the virtualization architecture that does not comprise management or service operations system, comprising custom system 301, virtual machine manager (VMM, Virtual Machine Manger) 302, hardware platform 303.Custom system 301 comprises: custom system operating system 311, virtual hard disk 312 and front end virtual unit 313.In virtual machine manager 302, comprise back-end services program 321.Hardware platform 303 comprises: physical hard disk 331 and physical memory 332; Wherein, physical hard disk 331 is divided into virtual hard disk 3311 and the protected field 3312 of virtual machine VM; Physical memory is divided into virtual memory 3321 and the shared drive 3322 of virtual machine VM.In the present embodiment, back-end services program 321 realizes the access to the protected field data in virtual machine manager 302.
Fig. 4 is the system construction drawing of second preferred embodiment of the present invention: promptly realize the data security storage based on Intel Virtualization Technology in the virtualization architecture that comprises management or service operations system, comprising custom system 401, MOS (OS) 402, virtual machine manager (VMM, Virtual MachineManger) 403, hardware platform 404.Custom system 401 comprises: custom system operating system 411, virtual hard disk 412 and front end virtual unit 413.Comprise back-end services program 421 in the MOS 402.Hardware platform 404 comprises: physical hard disk 441 and physical memory 442; Wherein, physical hard disk 441 is divided into VM virtual hard disk 4411 and protected field 4412; Physical memory is divided into VM internal memory 4421 and shared drive 4422.In the present embodiment, have a MOS 402 of moving simultaneously with custom system, back-end services program 421 realizes the access to the protected field data in this MOS 402.
In Fig. 3 and two specific embodiments shown in Figure 4, difference is: the back-end services program 321 among Fig. 3 is in virtual machine manager VMM 302; And the back-end services program 421 among Fig. 4 is in MOS 402.Shared drive among Fig. 3 and Fig. 4 be among Fig. 2 temporary storage cell one
Front end virtual unit among Fig. 2,3 and 4 is made of jointly interruption processing module, visit shared drive module, user interactions control module and 4 modules of information logging modle.Wherein, interruption processing module is used to distribute an interruption; Visit shared drive module is used to realize front end virtual unit visit shared drive; The user interactions control module is used to realize that the front end virtual unit is undertaken alternately by modes such as device drives and user; The information logging modle is used to store the index information of data in the protected field.4 intermodule processes of cooperatively interacting in the front end virtual unit are: when the user will be deposit data during to the protected field; at first starting user interactions control module and front end virtual unit carries out alternately; distribute an interruption to respond the back-end services program by the interruption processing module in the front end virtual unit; front end virtual unit initiated access shared drive module simultaneously makes front end virtual unit and back-end services program deposit data in the shared drive in jointly; by control channel 2 file or folder in the shared drive being saved in the protected field by data channel II by the back-end services program then returns a data call number and relevant information simultaneously and gives the front end virtual unit; at this moment, front end virtual unit log-on message logging modle is preserved the data directory that returns number and relevant information.
Concrete implementation step is as follows:
Data storage procedure:
1. the user selects to be saved in the file or folder of protected field by the front end virtual unit;
2. the prompting user inputs password, whether virtual machine manager check input password is correct, if password is correct, the prompting user is provided with corresponding level of security to checking and reading of the file or folder that will preserve, can not write or readable mode such as write as readable, otherwise show mistake;
3. the front end virtual unit duplicates file or folder or move in the shared drive by data channel I, simultaneously by control channel 1 notice back-end services program; Control channel 1 adopts technology such as Event Channel, interruption, Hypercall to realize, as Event Channel is a kind of event notification mechanism among the virtualization architecture Xen, be used to realize the effect of similar hardware interrupts, specific implementation is: each passage is corresponding with a bit, when event occurs on one of them passage, the bit corresponding with this passage was 1 from 0 saltus step;
4. the back-end services program is saved in the protected field to the file or folder in the shared drive by data channel II by control channel 2, returns a unique file or folder call number by the back-end services program by control channel 1 simultaneously and gives the front end virtual unit; Control channel 2 adopts methods such as order or function call to realize;
5. the front end virtual unit is preserved the file or folder information of being stored, as information such as file or folder call number, title, date created, dates saved;
6. whether front end virtual unit inquiry user needs to delete source document or the file in user's virtual hard disk, then deletes source document or file if desired.
Data read process:
1. the order of user's input reference front end virtual unit;
2. custom system prompting user inputs password, and virtual machine manager is tested to the password of keyboard input, if cryptographic check is correct, then continue to carry out subsequent step, otherwise demonstration makes mistakes;
3. the front end virtual unit is opened a window and will be preserved the information of file or folder and be shown to the user, and this function class is similar to the recycle bin in the Windows operating system;
4. the user selects viewing files or file, perhaps selects file or folder is shifted out and deposit user's virtual hard disk from the front end virtual unit, and this moment, the user can only check and read operation according to the level of security that file or folder has configured; If user's requested operation has exceeded the authority of rank regulation, then point out user's operating mistake, will not carry out the request that exceeds level-right that the user proposes;
The front end virtual unit by control channel 1 to the back-end service routine send file or folder and read request, simultaneously the call number of whether deleting source document in the protected field or file and user-selected file or folder correspondence as parameter together as asking transmission;
6. the back-end services program reads out call number corresponding file or file by control channel 2 in the protected field, puts into shared drive and notifies the front end virtual unit through data channel II;
7. the front end virtual unit is asked display file or file content according to the user, perhaps file or folder is saved on the custom system virtual hard disk;
8. whether front end virtual unit inquiry user needs to delete source document or file, if desired, deletes this source document or file;
9. whether front end virtual unit inquiry user needs to continue to read other file or folder from the protected field, if do not need, closes window.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being done, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (12)
1. the method for a data security storage is characterized in that, comprising:
The front end virtual unit is set in custom system,, and front end virtual unit and all addressable temporary storage cell of back-end services program is set at custom system peripheral hardware postpone end service routine;
In the time need storing, after the front end virtual unit receives storage request to data, the reading and writing data of request storage in described temporary storage cell, and is sent notice to described back-end services program to the protected data in the protected field;
The back-end services program is read the data in the temporary storage cell and is saved in the pre-configured protected field;
In the time need reading, after the front end virtual unit receives the request that protected data is read, send the request of reading that includes the requested date index information to described back-end services program to the protected data in the protected field;
The back-end services program is found out requested data according to the index information in the described request from described protected field, and reads in the described temporary storage cell, and the forward end virtual unit sends notice;
The front end virtual unit is read requested date from described temporary storage cell and is offered the user.
2. method according to claim 1 is characterized in that this method further comprises: user cipher is set;
The described user of receiving further points out the user to input password to after the storage request of protected data or reading request, judges whether the password of input is correct, if then continue subsequent step; Otherwise the prompting user makes mistakes.
3. method according to claim 1 and 2 is characterized in that, this method further comprises: the data to required safe storage are provided with level of security;
Described receiving after the protected data storage request further points out the user that protected data is provided with level of security;
Described receive the request that protected data is read after, judge further whether this requested operation has exceeded the level of security that this protected data is provided with, if then do not carry out the operation that exceeds level of security; Otherwise, continue subsequent step.
4. method according to claim 1 is characterized in that, this method further comprises: be provided with according to passage I, data channel II, control channel 1, control channel 2;
The reading and writing data that described front end virtual unit will be asked storage by data channel I sends notice by control channel 1 to described back-end services program in described temporary storage cell; Described back-end services program is read the data in the temporary storage cell and be saved in the pre-configured protected field by control channel 2 control data passage II.Described front end virtual unit sends the request of reading that includes the requested date index information by control channel 1 to described back-end services program; described back-end services program reads requested data in the described temporary storage cell by control channel 2 control data passage II from the protected field; send notice by control channel 1 to described front end virtual unit, described front end virtual unit is read requested date by data channel I from described temporary storage cell and is offered the user.
5. method according to claim 4 is characterized in that, described control channel 1 adopts EventChannel or interrupts or the Hypercall technology; Order or function calling method in the described control channel 2 employing programs.
6. method according to claim 1 is characterized in that, described requested date index information further comprises call number, title, date created, the date saved of requested date.
7. the device of a data security storage is characterized in that, comprising: front end virtual unit, back-end services program module and temporary storage cell; Wherein
The front end virtual unit, be arranged in the custom system, be used to obtain and respond the access request of user, the protected data that the user need preserve is read and write described temporary storage cell, the protected data that the user need read is read from temporary storage cell protected data;
The back-end services program module, be arranged at outside the custom system, the protected data that is used for that the user need be preserved is read from described temporary storage cell and is saved in the pre-configured protected field, and the protected data that the user need be read reads in the temporary storage cell from described protected field; And
Temporary storage cell is used for temporary protected data.
8. device according to claim 7 is characterized in that, described back-end services program module is set in the virtual machine manager or in management outside being independent of custom system or the service operations system.
9. device according to claim 7 is characterized in that described temporary storage cell can be set in the virtual machine manager; The perhaps a part of region of memory outside the custom system virtual memory zone in physical memory.
10. device according to claim 7 is characterized in that, described device further comprises: control channel 1 and control channel 2, data channel I and data channel II.
Described data channel I is used for the data double-way of data from the front end virtual unit to temporary storage cell transmitted between front end virtual unit and temporary storage cell; Described data channel II is between temporary storage cell and protected field, and the data double-way that is used for from the temporary storage cell to the protected field transmits; Control channel 1 is used for the transmission of control messages between front end virtual unit and the back-end services program module between described front end virtual unit and described back-end services program module; Control channel 2 is used for the control of back-end services program module to the protected field data access between back-end services program module and data channel 2.
11. device according to claim 10 is characterized in that, described control channel 1 adopts Event Channel or interrupts or the Hypercall technology; Order or function calling method in the described control channel 2 employing programs.
12. device according to claim 7 is characterized in that, described protected field is the hard disk areas that a part of custom system of marking in the system physical hard disk haves no right to visit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200610095768 CN100517276C (en) | 2006-07-04 | 2006-07-04 | Data safe memory method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200610095768 CN100517276C (en) | 2006-07-04 | 2006-07-04 | Data safe memory method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101101575A true CN101101575A (en) | 2008-01-09 |
CN100517276C CN100517276C (en) | 2009-07-22 |
Family
ID=39035852
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200610095768 Active CN100517276C (en) | 2006-07-04 | 2006-07-04 | Data safe memory method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100517276C (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102202062A (en) * | 2011-06-03 | 2011-09-28 | 苏州九州安华信息安全技术有限公司 | Method and apparatus for realizing access control |
CN102509048A (en) * | 2011-11-14 | 2012-06-20 | 西安电子科技大学 | Method for preventing illegal transferring of interruption procedures of operating system |
CN101566971B (en) * | 2008-03-07 | 2012-08-08 | 和泽电子股份有限公司 | Content protection system in storage media and method of same |
WO2013181960A1 (en) * | 2012-06-08 | 2013-12-12 | 深圳市朗科科技股份有限公司 | Secure storage method, terminal and system based on virtualization |
CN103502993A (en) * | 2012-02-22 | 2014-01-08 | 松下电器产业株式会社 | Virtual computer system, confidential information protection method, and confidential information protection program |
WO2014166418A1 (en) * | 2013-04-12 | 2014-10-16 | 中国银联股份有限公司 | Method for implementing virtual secure element (vse) |
CN105045727A (en) * | 2015-08-14 | 2015-11-11 | 华为技术有限公司 | Method and equipment for accessing shared memories |
CN106293678A (en) * | 2015-06-09 | 2017-01-04 | 北京京东尚科信息技术有限公司 | A kind of method and system of the variable managing application service |
CN106682499A (en) * | 2016-11-16 | 2017-05-17 | 无锡港湾网络科技有限公司 | Disaster prevention system data secure-storage method |
CN106844006A (en) * | 2016-12-29 | 2017-06-13 | 北京瑞星信息技术股份有限公司 | Based on data prevention method and system under virtualized environment |
CN108376226A (en) * | 2017-01-18 | 2018-08-07 | 丰田自动车株式会社 | Unauthorized determines that system and unauthorized determine method |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103886264A (en) * | 2014-03-03 | 2014-06-25 | 深圳市江波龙电子有限公司 | Method and device for protecting data in hidden area of storage device |
-
2006
- 2006-07-04 CN CN 200610095768 patent/CN100517276C/en active Active
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101566971B (en) * | 2008-03-07 | 2012-08-08 | 和泽电子股份有限公司 | Content protection system in storage media and method of same |
CN102202062B (en) * | 2011-06-03 | 2013-12-25 | 苏州九州安华信息安全技术有限公司 | Method and apparatus for realizing access control |
CN102202062A (en) * | 2011-06-03 | 2011-09-28 | 苏州九州安华信息安全技术有限公司 | Method and apparatus for realizing access control |
CN102509048A (en) * | 2011-11-14 | 2012-06-20 | 西安电子科技大学 | Method for preventing illegal transferring of interruption procedures of operating system |
US9460276B2 (en) | 2012-02-22 | 2016-10-04 | Panasonic Intellectual Property Corporation Of America | Virtual machine system, confidential information protection method, and confidential information protection program |
CN103502993A (en) * | 2012-02-22 | 2014-01-08 | 松下电器产业株式会社 | Virtual computer system, confidential information protection method, and confidential information protection program |
WO2013181960A1 (en) * | 2012-06-08 | 2013-12-12 | 深圳市朗科科技股份有限公司 | Secure storage method, terminal and system based on virtualization |
US10678577B2 (en) | 2013-04-12 | 2020-06-09 | China Unionpay Co., Ltd. | Method for implementing virtual secure element |
WO2014166418A1 (en) * | 2013-04-12 | 2014-10-16 | 中国银联股份有限公司 | Method for implementing virtual secure element (vse) |
CN106293678A (en) * | 2015-06-09 | 2017-01-04 | 北京京东尚科信息技术有限公司 | A kind of method and system of the variable managing application service |
CN106293678B (en) * | 2015-06-09 | 2020-11-24 | 北京京东尚科信息技术有限公司 | Method and system for managing variables of application service |
CN105045727A (en) * | 2015-08-14 | 2015-11-11 | 华为技术有限公司 | Method and equipment for accessing shared memories |
CN105045727B (en) * | 2015-08-14 | 2018-06-26 | 华为技术有限公司 | A kind of method and apparatus for accessing shared drive |
CN106682499A (en) * | 2016-11-16 | 2017-05-17 | 无锡港湾网络科技有限公司 | Disaster prevention system data secure-storage method |
CN106844006A (en) * | 2016-12-29 | 2017-06-13 | 北京瑞星信息技术股份有限公司 | Based on data prevention method and system under virtualized environment |
CN106844006B (en) * | 2016-12-29 | 2019-11-12 | 北京瑞星网安技术股份有限公司 | Based on the data prevention method and system under virtualized environment |
CN108376226A (en) * | 2017-01-18 | 2018-08-07 | 丰田自动车株式会社 | Unauthorized determines that system and unauthorized determine method |
CN108376226B (en) * | 2017-01-18 | 2022-04-01 | 丰田自动车株式会社 | Unauthorized determination system and unauthorized determination method |
Also Published As
Publication number | Publication date |
---|---|
CN100517276C (en) | 2009-07-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN100517276C (en) | Data safe memory method and device | |
JP6055988B1 (en) | Computer program, secret management method and system | |
US7596695B2 (en) | Application-based data encryption system and method thereof | |
US10372628B2 (en) | Cross-domain security in cryptographically partitioned cloud | |
CN1937628B (en) | Method and system for managing data processing target entity | |
KR101323858B1 (en) | Apparatus and method for controlling memory access in virtualized system | |
CN101430700B (en) | File management device and storage device | |
US8750519B2 (en) | Data protection system, data protection method, and memory card | |
CN106063218A (en) | Method, apparatus and system for encryption/decryption in virtualization system | |
CN103353931A (en) | Security-enhanced computer systems and methods | |
CN104484625B (en) | A kind of computer and its implementation with dual operating systems | |
CN101145173A (en) | System and method for securely saving and restoring a context of a secure program loader | |
US7818567B2 (en) | Method for protecting security accounts manager (SAM) files within windows operating systems | |
CN109086620B (en) | Physical isolation dual-system construction method based on mobile storage medium | |
CN101877246A (en) | U disk encryption method | |
CN101499027A (en) | Intelligent memory system based on independent kernel and distributed architecture | |
KR20140051350A (en) | Digital signing authority dependent platform secret | |
CN101263463A (en) | Transactional sealed storage | |
CN110543775B (en) | Data security protection method and system based on super-fusion concept | |
US7765407B2 (en) | Method and apparatus for providing centralized user authorization to allow secure sign-on to a computer system | |
CN109214204A (en) | Data processing method and storage equipment | |
CN105279453A (en) | Separate storage management-supporting file partition hiding system and method thereof | |
JP2009223787A (en) | Information processor and processing method, and program | |
US8086873B2 (en) | Method for controlling file access on computer systems | |
CN108491249B (en) | Kernel module isolation method and system based on module weight |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |