CN101290586B - Dummy machine concealed flow control method based on priority china wall policy - Google Patents


Info

Publication number
CN101290586B
CN101290586B
Authority
CN
China
Prior art keywords
virtual machine
hcwta1
node
hcwta
label
Prior art date
Legal status
Expired - Fee Related
Application number
CN2008100479468A
Other languages
Chinese (zh)
Other versions
CN101290586A
Inventor
金海
程戈
邹德清
赵峰
石磊
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date
Filing date
Publication date
Application filed by Huazhong University of Science and Technology
Priority to CN2008100479468A
Publication of CN101290586A
Application granted
Publication of CN101290586B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Abstract

The invention discloses a virtual machine access control method based on the Prioritized Chinese Wall (PCW) policy, used mainly to control covert flows in virtual machine systems. At the isolation granularity of the virtual machine, and according to the security and communication requirements of the workloads, the method assigns a Chinese Wall type label to the workload of each virtual machine. When virtual machines are started or migrated in, the covert flows between them are scheduled, managed and controlled through the controllable resources, and a configurable resource-scheduling mode is offered to the user. The method provides covert-flow control for high-security applications on virtual machine systems; compared with existing mandatory control policies it is flexible, configurable and easy to manage.

Description

Virtual machine covert flow control method based on the Prioritized Chinese Wall policy
Technical field
The invention belongs to the field of mandatory access control technology in computer system organization, and specifically relates to a virtual machine covert flow control method based on the Prioritized Chinese Wall policy. The Prioritized Chinese Wall (PCW) policy is the policy procedure used for covert flow control in virtual machine systems.
Background technology
Currently, on the one hand, the resource scale of computing systems keeps expanding, processing power grows quickly and the kinds of resources become ever richer; on the other hand, computing systems are increasingly complex, with many types and versions of supporting software, difficult administration and configuration and inconvenient use, so that high-performance computing resources are hard to use effectively and in particular hard to adapt to flexible and varied application demands. Faced with the heterogeneity of current hardware and system software, and with the trend in high-performance computing technology represented by multi-core processors, virtual machine technology has become a focus of information technology. Virtual computing systems present a new computing model and pattern, have very wide application, and their development and use profoundly influence every field of human life and production.
A virtual machine system provides a virtual interface to the hardware resources and lets operating systems share resources that are isolated by security mechanisms. Transferring information between different virtual machines is a very common requirement, but communication between virtual machines may cause information leakage between them. To address this problem, mandatory access control systems based on virtual machines have been proposed. Enforcing a mandatory access policy in a virtual machine system provides stronger isolation than the virtual machine itself and more flexibility, and it guarantees comprehensive control over the system's information flows.
A virtual machine system that enforces a mandatory access policy can manage the information flows transmitted through authorised overt channels, but it cannot control the potentially risky information flows transmitted through covert channels. On a virtual machine system, two virtual machines (VMs) that are forbidden to exchange information over disclosed channels may still transfer information through a covert channel. Covert channels are hard to identify and cannot be eliminated completely, but by applying a mandatory access policy in the virtual machine system we can control the covert flows between virtual machines through controlled resource scheduling and management.
However, existing mandatory access policies that handle covert flows impose too many restrictions on the system, lack flexibility and are hard to enforce. For example, the Caernarvon model, based on access profiles, requires the communication sets to be divided in advance, and in some distributed environments determining every communication set in advance is almost impossible; the Chinese Wall policy based on flow constraints requires each node to run only a single virtual machine, and such an overly strong constraint makes the Chinese Wall policy meaningless to enforce.
A virtual machine system is a complete computer simulated by software, having the functions of a complete hardware system and running in a completely isolated environment. A covert flow is an information flow transmitted through a covert channel, and a covert channel is information transmission forbidden by the security policy that is carried out by accessing shared resources or by observing the timing of access operations. Using a traditional mandatory access policy to control covert flows between virtual machines cannot be implemented in a system because its restrictive conditions are too strong.
Summary of the invention
The object of the present invention is to provide a virtual machine covert flow control method based on the Prioritized Chinese Wall policy. The method gives the user a configurable scheduling mode for managing and scheduling virtual machine resources so as to control covert channels, while retaining flexibility and being easy to implement.
In the virtual machine covert flow control method based on the Prioritized Chinese Wall policy provided by the invention, a history Chinese Wall type array HCWTA is kept in the secure virtual machine monitor; this array records the run history and the current running state of the labelled virtual machines assigned to the node.
In a single-node system, the secure virtual machine monitor monitors the start-up and shutdown of any virtual machine VM A on the node according to the virtual machine's label, following processes (A) and (B) respectively; the Chinese Wall type label assigned to VM A according to its security level is T1.
In a distributed system, the secure virtual machine monitor on each node monitors the start-up and shutdown of any virtual machine VM B on the node according to processes (C) and (E), and monitors the migration and communication requests sent by any virtual machine VM C on other nodes according to process (D); assume that the Chinese Wall type labels assigned to VM B and VM C according to their security levels are T2 and T3 respectively.
Process (A): the secure virtual machine monitor monitors the start-up of a virtual machine VM A with label T1 as follows:
(A1) Inspect the history Chinese Wall type array HCWTA and judge whether it is empty: if HCWTA is empty, go to step (A4); if HCWTA is not empty, go to step (A2);
(A2) Traverse HCWTA and judge whether the label T1 of VM A belongs to HCWTA: if T1 ∈ HCWTA, go to (A5); if T1 ∉ HCWTA, go to (A3);
(A3) Traverse HCWTA and judge whether the label T1 of VM A conflicts with a label in this node's HCWTA, that is, whether T1 belongs to ∪{CIS(xi) | xi ∈ HCWTA}: if T1 ∈ ∪{CIS(xi) | xi ∈ HCWTA}, go to step (A6); if T1 ∉ ∪{CIS(xi) | xi ∈ HCWTA}, go to step (A4);
(A4) VM A is allowed to start, and its label T1 is added to HCWTA (when HCWTA was empty this gives HCWTA = {T1}); go to step (A7);
(A5) VM A is allowed to start and HCWTA is not modified; go to step (A7);
(A6) HCWTA contains a type T that conflicts with the type of VM A, so VM A is not allowed to start;
(A7) Output the result information and finish;
Process (B): the secure virtual machine monitor monitors the shutdown of virtual machine VM A as follows:
(B1) Start. If VM A is not the last running virtual machine on this node, HCWTA is left unchanged after VM A is shut down; go to step (B3);
(B2) If VM A is the last running virtual machine on this node, HCWTA is emptied after VM A is shut down;
(B3) Output the result information and finish;
Process (C): the secure virtual machine monitor on node N1 monitors the start-up of any virtual machine VM B on this node as follows; the Chinese Wall type label of VM B is T2, and the history Chinese Wall type array of node N1 is HCWTA1;
(C1) Start. Inspect HCWTA1 and judge whether it is empty: if HCWTA1 is empty, go to step (C5); if HCWTA1 is not empty, go to step (C2);
(C2) Update the local node's HCWTA1 from the HCWTT in the global security server, and lock the HCWTA corresponding to HCWTA1 in the global security server;
(C3) Traverse HCWTA1 and judge whether T2 belongs to HCWTA1: if T2 ∈ HCWTA1, go to step (C6); if T2 ∉ HCWTA1, go to step (C4);
(C4) Traverse HCWTA1 and judge whether the label T2 of VM B conflicts with a label in HCWTA1, that is, whether T2 belongs to ∪{CIS(x) | x ∈ HCWTA1}: if T2 ∈ ∪{CIS(x) | x ∈ HCWTA1}, HCWTA1 contains a label T that conflicts with the type of VM B, so VM B is not allowed to start; go to step (C8); if T2 ∉ ∪{CIS(x) | x ∈ HCWTA1}, go to step (C7);
(C5) Allow VM B to run on N1, add its label T2 to this node's HCWTA1, and have the global security server synchronously add the new array HCWTA1 to the history Chinese Wall type table HCWTT, updating HCWTA1; go to step (C9);
(C6) VM B is allowed to start on node N1 without modifying HCWTA1; update HCWTT to record the running state; go to step (C8);
(C7) The label of the newly started virtual machine does not conflict with the labels of the running virtual machines: allow VM B to start on node N1, add its label T2 to the local HCWTA1, synchronise the global security server and update the corresponding HCWTA in HCWTT; go to step (C8);
(C8) Unlock the HCWTA corresponding to HCWTA1 in the global security server;
(C9) Output the result information and finish;
Process (D): the secure virtual machine monitor on each node monitors communication between virtual machines on different nodes, or a virtual machine migration request, as follows:
Assume: node N1 runs virtual machine VM B, whose Chinese Wall type label is T2 and whose history Chinese Wall type array is HCWTA1; node N2 runs virtual machine VM C, whose Chinese Wall type label is T3 and whose history Chinese Wall type array is HCWTA2; the request is either a communication request between VM B and VM C, or a migration request initiated by VM B to move from node N1 to node N2;
(D1) Start. Update HCWTA1 and HCWTA2 from the HCWTT in the global security server, and lock the HCWTAs corresponding to HCWTA1 and HCWTA2 in the global security server;
(D2) Inspect HCWTA1 and HCWTA2 and compare them: if HCWTA1 = HCWTA2, go to step (D4); if HCWTA1 ≠ HCWTA2, go to step (D3);
(D3) Traverse HCWTA1 and HCWTA2 and judge whether any label T in HCWTA1 belongs to ∪{CIS(x) | x ∈ HCWTA2}, that is, whether there exist T ∈ HCWTA1 and T' ∈ HCWTA2 with T ∈ CIS(T'): if for all T ∈ HCWTA1, T ∉ ∪{CIS(x) | x ∈ HCWTA2}, go to (D5); if there is a T ∈ HCWTA1 with T ∈ ∪{CIS(x) | x ∈ HCWTA2}, the communication between VM B and VM C, or the migration of VM B from node N1 to N2, is not allowed; go to step (D6);
(D4) Allow the communication between VM B and VM C, or the migration of VM B from node N1 to N2; go to step (D6);
(D5) Allow the communication between VM B and VM C, or the migration of VM B from node N1 to N2; update HCWTA1 and HCWTA2 in the global security server to HCWTA1 ∪ HCWTA2, and update the history Chinese Wall type arrays of nodes N1 and N2 to HCWTA1 ∪ HCWTA2; go to step (D6);
(D6) Unlock the HCWTA1 and HCWTA2 corresponding to the nodes in the global security server;
(D7) Output the result information and finish;
Process (E): the secure virtual machine monitor on node N1 monitors the shutdown of virtual machines on each node as follows:
(E1) Start. Judge whether VM B is the last running virtual machine on node N1: if VM B is not, go to step (E3); otherwise go to step (E2);
(E2) Judge whether N1 is the last node in its communication logic set that is still running a virtual machine: if N1 is not, go to (E4); if it is, go to step (E5);
(E3) Shut down VM B without changing the HCWTA of this node; go to step (E6);
(E4) Shut down VM B and empty the local HCWTA1; go to step (E6);
(E5) Shut down VM B, empty the local HCWTA1, and at the same time empty the HCWTA1 entry in the HCWTT of the global security server;
(E6) Output the result information and finish.
Implementing the method of the invention does not require modifying the fine-grained resource control code of the virtual machine software in the virtual machine system. The method works at the isolation granularity of the virtual machine: it controls covert flows between virtual machines through controlled resource scheduling and management, and gives the user a configurable resource-scheduling mode. In particular, the method has the following advantages:
1) It solves the problem that mandatory access control models used for covert flow control could not be enforced in virtual machine systems, and pioneers a resource control mode that, through configuration, offers an enforceable covert flow control method for virtual machine systems with high security requirements;
2) The method does not need the communication sets to be determined in advance; they are built dynamically according to the business demands of the virtual machine workloads, giving flexibility and a larger range of application;
3) The method reduces the excessively strong constraints enforced in the system and has better scalability, making it easier to manage and implement.
Description of drawings
Fig. 1 is a schematic diagram of the division of the system into communication logic sets;
Fig. 2 is a flow chart of the PCW policy judging a virtual machine start-up request in the single-node environment;
Fig. 3 is a flow chart of the PCW policy judging a virtual machine start-up request in the distributed environment;
Fig. 4 is a flow chart of the PCW policy judging a communication or virtual machine migration request between virtual machines in the distributed environment;
Fig. 5 is a schematic diagram of the structure of the example system;
Fig. 6 is a schematic diagram of the effect of running the example based on the Prioritized Chinese Wall policy.
Embodiment
The method places no special requirements on the hardware environment; the software environment is a single virtual machine system or a distributed virtual machine system.
Principle of the method: covert channels are hard to identify and cannot be eliminated completely. We control covert flows at virtual machine granularity through a mandatory access policy: instead of eliminating covert channels by rewriting the fine-grained resource control code of the virtual machine software, the mandatory access policy gives the user a configurable resource-scheduling mode and isolates the virtual machines between which covert flows must be prevented, so that no covert flow can arise between them.
The most important property of the virtual machine covert flow control method based on the Prioritized Chinese Wall policy is that the policy decision logic depends on the run history of the virtual machines. The control algorithm ultimately partitions the virtual machines into distinct, mutually isolated communication sets: information flow is allowed inside a communication set, and no information flow is allowed between communication sets.
Because the decision logic depends on the run history of the virtual machines, the policy management server must keep a data structure that records it. This structure records every set of virtual machine labels that the policy logic has at some time allowed to exchange information with each other. Such a relation is called an interconnection relation, and the corresponding set is called a communication logic set (Coalition); "having information flow" here means that the policy has allowed the virtual machines to run on the same node at the same time, or has allowed them to establish communication.
A virtual machine system that supports a mandatory access control policy needs a mechanism that can detect system behaviour, communicate with the unit that makes policy decisions, and enforce those decisions. Following the naming of the Flask architecture, we call this mechanism the secure virtual machine monitor (Virtual Machine Security Monitor, VMSM); it monitors the Chinese Wall types of the virtual machines and makes the control decisions. Policy description:
According to the security requirements of the system, a series of Chinese Wall type labels (Chinese Wall-Type Labels) is defined; for example, a virtual machine system enforcing this policy may have the labels {T1, T2, T3, T4}. A label is in essence assigned to a workload, but since our control granularity is the virtual machine and each virtual machine is only allowed to run workloads of a single label, hereafter we speak of "virtual machine labels", a term that distinguishes virtual machines running workloads with different labels.
The policy is described, using the Chinese Wall type labels above, by conflict of interest sets (Conflict of Interest Set, CIS), which describe the sets of virtual machine labels between which no information flow may exist. With the labels above, if our system must guarantee that no covert flow exists between T1 and T3 or between T1 and T4, then T1 and T3, and T1 and T4, are defined as conflicting. Note that in our policy the conflict relation is symmetric: if T1 conflicts with T2, then T2 also conflicts with T1. The relation is in general neither reflexive nor transitive. The set of virtual machine labels that conflict with T1 can thus be written CIS(T1) = {T3, T4}, and then T1 necessarily belongs to CIS(T3) and to CIS(T4).
The Prioritized Chinese Wall policy (PCW) of the present invention can be used to control covert flows between virtual machines in both single-node and distributed virtual machine systems. In the single-node environment, the secure virtual machine monitor VMSM monitors the start-up and shutdown of virtual machines according to the run history and state information of the node. In the distributed environment, the run history and state information of the virtual machines on every child node must be collected; we use a logical server called the global security server (Overall Security Server, OSS) to store the history state arrays of the child nodes and to communicate with the virtual machine monitor of each child node. Each child node monitors the start-up and shutdown of virtual machines on its node, communication between virtual machines, and migration of virtual machines.
The following describes an embodiment of the PCW policy in the single-node environment:
In the single-node environment, the secure virtual machine monitor (VMSM) monitors the start-up and shutdown of virtual machines according to the Prioritized Chinese Wall (PCW) policy, so that only virtual machines that satisfy the PCW policy may run on the node at the same time. By the description of the PCW policy, a single-node environment contains only one communication logic set (Coalition), namely the labels of all virtual machines that are running or have run on the node. The array holding the labels of the virtual machines that have run and are running on the node (the communication logic set) is called the history Chinese Wall type array (History CW Types Array, HCWTA).
In the single-node environment, the VMSM judges the start-up of virtual machine VM A (whose Chinese Wall type label is T1) according to the PCW policy as follows (see Fig. 2):
(1) Start. Inspect the history Chinese Wall type array (HCWTA) and judge whether it is empty: if HCWTA is empty, go to (4); if HCWTA is not empty, go to (2).
(2) Traverse HCWTA and judge whether the label T1 of VM A belongs to HCWTA: if T1 ∈ HCWTA, go to (5); if T1 ∉ HCWTA, go to (3).
(3) Traverse HCWTA and judge whether the label T1 of VM A conflicts with a label in this node's HCWTA, that is, whether T1 ∈ ∪{CIS(x) | x ∈ HCWTA}: if so, HCWTA contains a type T that conflicts with the type of VM A, and VM A is not allowed to start; if T1 ∉ ∪{CIS(x) | x ∈ HCWTA}, go to (4).
(4) Allow VM A to start and add its label T1 to HCWTA; go to (6).
(5) Allow VM A to start without modifying HCWTA; go to (6).
(6) Output the result information and finish.
In the single-node environment, the VMSM monitors the shutdown of a virtual machine according to the PCW policy as follows.
When VM A is shut down, by the description of the PCW policy:
(1) Start. If VM A is not the last running virtual machine on this node, HCWTA is left unchanged after VM A is shut down; go to (3).
(2) If VM A is the last running virtual machine on this node, HCWTA is emptied after VM A is shut down.
(3) Output the result information and finish.
In the distributed environment, the global security server (OSS) records the run history, running state and communication state of the virtual machines on every node. Each node records the run history and running state of its virtual machines together with their labels, and when the system state changes it communicates with the global security server to synchronise it. The secure virtual machine monitor of each child node monitors the start-up and shutdown of virtual machines on its node, communication between virtual machines, and migration of virtual machines. As shown in Fig. 1, when the method is realised in a distributed virtual machine system, the system is dynamically partitioned into several communication logic sets (Coalitions) allowed by the Prioritized Chinese Wall policy, and the virtual machines inside one logic set may transmit information flows over both overt and covert channels. A distributed environment may therefore contain several communication logic sets. As in the single-node environment, each communication logic set is recorded in a history Chinese Wall type array (HCWTA): the local node stores the labels of the virtual machines that are running or have run on the node together with their communication state (the communication logic set). The global security server (OSS) collects the history Chinese Wall type arrays of all nodes into a history Chinese Wall type table (History CW Types Table, HCWTT), which is stored in the OSS. In the initial system state the HCWTA of every node and the HCWTT in the OSS are all empty.
In the distributed environment, the flow by which the PCW policy decides whether VM A (whose Chinese Wall type label is T1) may start on node N1 (whose history Chinese Wall type array is HCWTA1) is as follows (see Fig. 3):
(1) Start. Inspect HCWTA1 and judge whether it is empty: if HCWTA1 is empty, go to (5); if HCWTA1 is not empty, go to (2).
(2) Update the local node's HCWTA1 from the HCWTT in the global security server, and lock the HCWTA corresponding to HCWTA1 in the OSS. (Locking means that the data cannot be written by two or more nodes at the same time: at any one time only the information of a single node may be written.)
(3) Traverse HCWTA1 and judge whether T1 belongs to HCWTA1: if T1 ∈ HCWTA1, go to (6); if T1 ∉ HCWTA1, go to (4).
(4) Traverse HCWTA1 and judge whether the label T1 of VM A conflicts with a label in HCWTA1, that is, whether T1 ∈ ∪{CIS(xi) | xi ∈ HCWTA1}: if so, HCWTA1 contains a type T that conflicts with the type of VM A, VM A is not allowed to start, and we go to (8); if T1 ∉ ∪{CIS(xi) | xi ∈ HCWTA1}, go to (7).
(5) Allow VM A to run on N1, add its label T1 to the local HCWTA1, and update the corresponding HCWTA in the HCWTT of the OSS from the local HCWTA1; go to (9).
(6) A virtual machine with this label has already run in this communication logic set, so VM A is allowed to start on node N1 without modifying HCWTA1; update the corresponding HCWTT entry to record the running state; go to (8).
(7) The label of the newly started virtual machine does not conflict with the labels of the running virtual machines: allow VM A to start on node N1, add its label T1 to the local HCWTA1, and update the corresponding HCWTA in the HCWTT of the OSS from the local HCWTA1; go to (8).
(8) Unlock the HCWTA corresponding to HCWTA1 in the OSS.
(9) Output the result information and finish.
In the distributed environment, the flow by which the PCW policy judges a communication request between virtual machines on different nodes, or a virtual machine migration request, is as follows (see Fig. 4):
Assume: node N1 runs virtual machine VM A (Chinese Wall type label T1, history Chinese Wall type array HCWTA1) and node N2 runs virtual machine VM B (Chinese Wall type label T2, history Chinese Wall type array HCWTA2). The request is either a communication request between VM A and VM B, or a migration request initiated by VM A to move from node N1 to node N2.
(1) Start. Update HCWTA1 and HCWTA2 from the HCWTT in the global security server, and lock the HCWTAs corresponding to HCWTA1 and HCWTA2 in the OSS.
(2) The secure virtual machine monitor of node N2 inspects HCWTA1 and HCWTA2 and compares them: if HCWTA1 = HCWTA2, go to (4); if HCWTA1 ≠ HCWTA2, go to (3).
(3) Traverse HCWTA1 and HCWTA2 and judge whether any label T in HCWTA1 belongs to ∪{CIS(x) | x ∈ HCWTA2}, that is, whether there exist T ∈ HCWTA1 and T' ∈ HCWTA2 with T ∈ CIS(T'): if for all T ∈ HCWTA1, T ∉ ∪{CIS(x) | x ∈ HCWTA2}, go to (5); if there is a T ∈ HCWTA1 with T ∈ ∪{CIS(x) | x ∈ HCWTA2}, the communication between VM A and VM B, or the migration of VM A from node N1 to N2, is not allowed; go to (6).
(4) Allow the communication between VM A and VM B, or the migration of VM A from node N1 to N2; go to (6).
(5) Allow the communication between VM A and VM B, or the migration of VM A from node N1 to N2; in the HCWTT of the global security server, update the HCWTAs corresponding to HCWTA1 and HCWTA2 to HCWTA1 ∪ HCWTA2, and update the history Chinese Wall type arrays of nodes N1 and N2 to HCWTA1 ∪ HCWTA2; go to (6).
(6) Unlock the HCWTAs corresponding to HCWTA1 and HCWTA2 in the OSS.
(7) Output the result information and finish.
In the distributed environment, the PCW policy monitors the shutdown of virtual machines on each node as follows.
For example, when VM A on node N1 (Chinese Wall type label T1, history Chinese Wall type array HCWTA1) is shut down, by the description of the PCW policy:
(1) Start. Judge whether VM A is the last running virtual machine on node N1: if VM A is not, go to (3); otherwise go to (2).
(2) Judge whether N1 is the last node in its communication logic set that is still running a virtual machine: if N1 is not, go to (4); if it is, go to (5).
(3) Shut down VM A without changing the HCWTA of this node; go to (6).
(4) Shut down VM A and empty the local HCWTA1; go to (6).
(5) Shut down VM A, empty the local HCWTA1, and at the same time empty the HCWTA corresponding to HCWTA1 in the HCWTT of the OSS.
(6) Output the result information and finish.
Example
To verify the validity of the virtual machine covert flow control method based on the Prioritized Chinese Wall policy, we implemented a mandatory access control system at virtual machine granularity in a single-node environment; the system architecture is shown in Figure 5. The system uses the open-source Xen as the virtual machine monitor (VMM). A mandatory access control module, the secure virtual machine monitor (VSMM), is added to Xen; by function it is divided into three parts:
(1) Security Server: formulates and manages (stores, modifies, verifies) the security policy. Because the security server must be highly secure and trustworthy, in this system it runs in VM 0 (Xen's privileged domain), whose security and trustworthiness are guaranteed by SELinux.
(2) Security Control Module: keeps the policy state, reads the security policy from the security server, generates policy decisions from the current policy, and triggers a call-back function when the policy changes so that the control decisions inside the VMM are re-verified.
(3) Security Control Hook: enforces the policy decisions generated by the security control module.
To minimize the complexity of the VSMM code and make its security easier to assure, the security server runs in VM 0, while the security control module and the security control hooks are added to the Xen source code.
Under the PCW policy the historical Chinese Wall type array (HCWTA) is maintained by the security control module. HCWTA is indexed by Chinese Wall type label, and each entry carries a flag bit that records whether the virtual machine represented by that label is running (1 for started, 0 for stopped).
When a virtual machine sends a start request, the security control module decides from the labels in HCWTA and their flag bits whether the virtual machine is entitled to start; when a virtual machine stops, the security control module decides from the labels in HCWTA and their flag bits whether HCWTA should be cleared.
Fig. 6 is a simplified diagram of Prioritized Chinese Wall policy control on a single node. The workloads labelled OilA and OilB have conflicting interests: information flow between them is prohibited and the policy forbids them from running at the same time, so no direct covert flow can arise between them. The workload labelled BankC conflicts with neither of them, so information may flow between BankC and either one; but once BankC has run together with OilA, it is forbidden to run together with OilB, which prevents an indirect covert flow relayed through BankC. In this way no information can be passed between OilA and OilB.
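The Fig. 6 scenario and the single-node start and close decisions, as an added example in Python that is not the patent's code and not part of its Xen implementation: a node keeps an HCWTA that maps each Chinese Wall type label it has seen to a running flag (1 running, 0 stopped); on a start request it applies the empty-history, same-type and conflict-of-interest checks in that order, and on close it clears the history only when the last running VM stops. The CIS contents, the VM names and the `Node` class are constructed for illustration; CIS(x) is the conflict-of-interest set of label x.

```python
# Added example (not the patent's code): single-node PCW start/close decisions.
from typing import Dict, FrozenSet, List

# Conflict-of-interest sets, CIS(label): constructed to mirror Fig. 6.
# OilA and OilB are competing interests; BankC conflicts with neither.
CIS: Dict[str, FrozenSet[str]] = {
    "OilA": frozenset({"OilB"}),
    "OilB": frozenset({"OilA"}),
    "BankC": frozenset(),
}


def cis(label: str) -> FrozenSet[str]:
    """CIS(label); labels with no declared conflicts get the empty set."""
    return CIS.get(label, frozenset())


class Node:
    """One physical node: HCWTA (label -> running flag) plus the running VMs."""

    def __init__(self) -> None:
        self.hcwta: Dict[str, int] = {}     # history array: label -> 1 running / 0 stopped
        self.running: Dict[str, str] = {}   # vm name -> label

    def may_start(self, label: str) -> bool:
        """Start decision: empty history, then same type, then conflict check."""
        if not self.hcwta:                  # empty history: allow
            return True
        if label in self.hcwta:             # same type already recorded: allow
            return True
        conflicting = set().union(*(cis(x) for x in self.hcwta))
        return label not in conflicting     # deny if label is in some CIS(x), x in HCWTA

    def start(self, vm: str, label: str) -> bool:
        """Apply the start decision and record the label with its flag set."""
        if not self.may_start(label):
            return False
        self.hcwta[label] = 1
        self.running[vm] = label
        return True

    def close(self, vm: str) -> None:
        """Close decision: flag the label stopped; clear HCWTA only when the
        node has no running VM left (history persists while any VM runs)."""
        label = self.running.pop(vm)
        if label not in self.running.values():
            self.hcwta[label] = 0
        if not self.running:
            self.hcwta.clear()


def fig6_scenario() -> List[bool]:
    """Replays the Fig. 6 situation; returns the start decisions in order."""
    n = Node()
    decisions = []
    decisions.append(n.start("vm1", "OilA"))   # allowed: empty history
    decisions.append(n.start("vm2", "OilB"))   # denied: OilB is in CIS(OilA)
    decisions.append(n.start("vm3", "BankC"))  # allowed: no conflict with OilA
    n.close("vm1")                              # OilA stops but stays in history (flag 0)
    decisions.append(n.start("vm2", "OilB"))   # still denied: BankC could relay OilA data
    n.close("vm3")                              # node idle: history cleared
    decisions.append(n.start("vm2", "OilB"))   # allowed again
    return decisions
```

The fourth decision is the one that distinguishes this policy from a plain "no two conflicting VMs at once" rule: OilA has already stopped, but because BankC ran alongside it the node's history still contains OilA, so OilB stays blocked until the node is idle.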

Claims (1)

1. A virtual machine covert flow control method based on the Prioritized Chinese Wall policy, in which a historical Chinese Wall type array HCWTA is kept in the secure virtual machine monitor; this array records, for the node, the run history and the current running state of the virtual machines that have been assigned labels;
In a single-node system the secure virtual machine monitor watches the start and the close of any virtual machine VM A in the node according to the virtual machine's label, following processes (A) and (B) respectively; VM A is assigned the Chinese Wall type label T1 according to its own security level;
In a distributed system the secure virtual machine monitor of each node watches the start and the close of any virtual machine VM B in the node according to processes (C) and (E), and watches the migration and communication requests issued by any virtual machine VM C on another node according to process (D); suppose VM B and VM C are assigned the Chinese Wall type labels T2 and T3 respectively according to their security levels;
Process (A): the secure virtual machine monitor watches the start of virtual machine VM A, which carries label T1, with the following steps:
(A1) Check the historical Chinese Wall type array HCWTA and determine whether it is empty: if HCWTA is empty, go to step (A4); if HCWTA is not empty, go to step (A2);
(A2) Traverse HCWTA and determine whether the label T1 of VM A belongs to HCWTA: if T1 ∈ HCWTA, go to (A5); if T1 ∉ HCWTA, go to (A3);
(A3) Traverse HCWTA and determine whether the label T1 of VM A conflicts with a label in the HCWTA of this node, i.e. whether T1 belongs to ∪{CIS(xi) | xi ∈ HCWTA}, where CIS(x) is the conflict-of-interest set of label x: if T1 ∈ ∪{CIS(xi) | xi ∈ HCWTA}, go to step (A6); if T1 ∉ ∪{CIS(xi) | xi ∈ HCWTA}, go to step (A4);
(A4) VM A is allowed to start, and its label T1 is added to HCWTA (when HCWTA was empty this gives HCWTA = {T1}); go to step (A7);
(A5) VM A is allowed to start, and HCWTA is not modified; go to step (A7);
(A6) HCWTA contains a type T that conflicts with the type of VM A; VM A is not allowed to start;
(A7) Output the result and finish;
Process (B): the secure virtual machine monitor watches the close of virtual machine VM A with the following steps:
(B1) Start; if VM A is not the last running virtual machine on this node, close VM A without changing HCWTA, and go to step (B3);
(B2) If VM A is the last running virtual machine on this node, close VM A and then clear HCWTA;
(B3) Output the result and finish;
Process (C): the secure virtual machine monitor on node N1 watches the start of any virtual machine VM B on that node with the following steps; the Chinese Wall type label of VM B is T2, and the historical Chinese Wall type array of node N1 is HCWTA1;
(C1) Start; check HCWTA1 and determine whether it is empty: if HCWTA1 is empty, go to step (C5); if HCWTA1 is not empty, go to step (C2);
(C2) Update the local node's HCWTA1 from the HCWTT in the global security server, and lock the HCWTA in the global security server that corresponds to HCWTA1;
(C3) Traverse HCWTA1 and determine whether T2 belongs to HCWTA1: if T2 ∈ HCWTA1, go to step (C6); if T2 ∉ HCWTA1, go to step (C4);
(C4) Traverse HCWTA1 and determine whether the label T2 of VM B conflicts with a label in HCWTA1, i.e. whether T2 belongs to ∪{CIS(x) | x ∈ HCWTA1}: if T2 ∈ ∪{CIS(x) | x ∈ HCWTA1}, HCWTA1 contains a label T that conflicts with the type of VM B, so VM B is not allowed to start; go to step (C8); if T2 ∉ ∪{CIS(x) | x ∈ HCWTA1}, go to step (C7);
(C5) Allow VM B to run on N1 and add its label T2 to the node's HCWTA1; the global security server synchronously adds the new array HCWTA1 to the historical Chinese Wall type table HCWTT and updates HCWTA1; go to step (C9);
(C6) VM B is allowed to start on node N1; HCWTA1 is not modified; update the running state recorded in HCWTT; go to step (C8);
(C7) The label of the newly started virtual machine does not conflict with the labels of the running virtual machines; allow VM B to start on node N1, add its label T2 to the local HCWTA1, synchronize with the global security server and update the corresponding HCWTA in HCWTT; go to step (C8);
(C8) Unlock the HCWTA in the global security server that corresponds to HCWTA1;
(C9) Output the result and finish;
Process (D): the secure virtual machine monitor on each node watches communication between virtual machines on different nodes, and virtual machine migration requests, with the following steps:
Assume: node N1 hosts virtual machine VM B, whose Chinese Wall type label is T2 and whose historical Chinese Wall type array is HCWTA1; node N2 hosts virtual machine VM C, whose Chinese Wall type label is T3 and whose historical Chinese Wall type array is HCWTA2; the request is either a communication request between VM B and VM C, or a request initiated by VM B to migrate from node N1 to node N2;
(D1) Start; update HCWTA1 and HCWTA2 from the HCWTT in the global security server, and lock the HCWTAs in the global security server that correspond to HCWTA1 and HCWTA2;
(D2) Check HCWTA1 and HCWTA2 and compare them: if HCWTA1 = HCWTA2, go to step (D4); if HCWTA1 ≠ HCWTA2, go to step (D3);
(D3) Traverse HCWTA1 and HCWTA2 and determine whether any label T in HCWTA1 belongs to ∪{CIS(x) | x ∈ HCWTA2}, i.e. whether there exist T ∈ HCWTA1 and T' ∈ HCWTA2 with T ∈ CIS(T'): if no such T exists, that is, for every T ∈ HCWTA1, T ∉ ∪{CIS(x) | x ∈ HCWTA2}, go to (D5); if there is a T ∈ HCWTA1 with T ∈ ∪{CIS(x) | x ∈ HCWTA2}, the communication between VM B and VM C, or the migration of VM B from node N1 to N2, is not allowed; go to step (D6);
(D4) Allow the communication between VM B and VM C, or the migration of VM B from node N1 to N2; go to step (D6);
(D5) Allow the communication between VM B and VM C, or the migration of VM B from node N1 to N2; update HCWTA1 and HCWTA2 in the global security server to HCWTA1 ∪ HCWTA2, and update the historical Chinese Wall type arrays of nodes N1 and N2 to HCWTA1 ∪ HCWTA2; go to step (D6);
(D6) Unlock the HCWTA1 and HCWTA2 in the global security server that correspond to the two nodes;
(D7) Output the result and finish;
Process (E): the secure virtual machine monitor on node N1 watches the close of virtual machines on each node of the system with the following steps:
(E1) Start; determine whether VM B is the last running virtual machine on node N1: if not, go to step (E3); if so, go to step (E2);
(E2) Determine whether N1 is the last node in its communication logic set that is still running virtual machines: if not, go to (E4); if so, go to step (E5);
(E3) Close VM B without changing the HCWTA on this node; go to step (E6);
(E4) Close VM B and clear the local HCWTA1; go to step (E6);
(E5) Close VM B, clear the local HCWTA1, and also clear the corresponding HCWTA1 in the HCWTT of the global security server;
(E6) Output the result and finish.
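The distributed procedures, i.e. the node-close procedure given near the top of this section and claim processes (C), (D) and (E), as an added example in Python that is not the patent's code and not part of its Xen implementation: a `Cluster` object stands in for the global security server, its HCWTT is a dict from node to HCWTA, each node keeps its own local copy, and one lock per HCWTT entry plays the role of the lock/unlock steps. The CIS contents, node and VM names are constructed; CIS is constructed symmetric, so the one-directional check of (D3) is sufficient, exactly as the claim states it. The "communication logic set" is tracked as the group of nodes whose histories have been merged by a granted (D) request.

```python
# Added example (not the patent's code): the distributed PCW procedures (C) start,
# (D) communication/migration and (E) close, with the global security server's
# HCWTT modelled as a dict and one lock per HCWTT entry.
import threading
from typing import Dict, FrozenSet, List, Set

# Conflict-of-interest sets CIS(label), constructed and symmetric.
CIS: Dict[str, FrozenSet[str]] = {
    "OilA": frozenset({"OilB"}),
    "OilB": frozenset({"OilA"}),
    "BankC": frozenset(),
}

def conflicts_with(label: str, history: Set[str]) -> bool:
    """True when label is in the union of CIS(x) over x in history."""
    return any(label in CIS.get(x, frozenset()) for x in history)

class Cluster:
    def __init__(self) -> None:
        self.hcwtt: Dict[str, Set[str]] = {}          # HCWTT: node -> HCWTA
        self.local: Dict[str, Set[str]] = {}          # each node's own HCWTA copy
        self.running: Dict[str, Dict[str, str]] = {}  # node -> {vm: label}
        self.group: Dict[str, Set[str]] = {}          # node -> communication logic set
        self.locks: Dict[str, threading.Lock] = {}    # one lock per HCWTT entry

    def _lock(self, *nodes: str) -> None:
        for n in sorted(set(nodes)):  # fixed order: two (D) requests cannot deadlock
            self.locks.setdefault(n, threading.Lock()).acquire()

    def _unlock(self, *nodes: str) -> None:
        for n in sorted(set(nodes)):
            self.locks[n].release()

    def start(self, node: str, vm: str, label: str) -> bool:
        """Process (C): start a VM carrying `label` on `node`."""
        local = self.local.setdefault(node, set())
        self.running.setdefault(node, {})
        self.group.setdefault(node, {node})
        if not local:                                   # (C1) empty -> (C5)
            local.add(label)
            self.hcwtt[node] = set(local)               # new HCWTA entry in HCWTT
            self.running[node][vm] = label
            return True
        self._lock(node)                                # (C2) refresh from HCWTT and lock
        try:
            local |= self.hcwtt.get(node, set())
            if label in local:                          # (C3) -> (C6)
                allowed = True
            elif conflicts_with(label, local):          # (C4): conflict -> deny
                allowed = False
            else:                                       # (C7): record the new label
                local.add(label)
                allowed = True
            if allowed:
                self.running[node][vm] = label
                self.hcwtt[node] = set(local)           # sync back to HCWTT
            return allowed
        finally:
            self._unlock(node)                          # (C8)

    def request(self, n1: str, n2: str) -> bool:
        """Process (D): cross-node VM communication, or migration n1 -> n2."""
        self._lock(n1, n2)                              # (D1)
        try:
            h1, h2 = self.hcwtt.get(n1, set()), self.hcwtt.get(n2, set())
            if h1 != h2:                                # (D2): equal -> (D4) allow
                if any(conflicts_with(t, h2) for t in h1):  # (D3)
                    return False
                merged = h1 | h2                        # (D5): both nodes share the union
                members = self.group.get(n1, {n1}) | self.group.get(n2, {n2})
                for n in (n1, n2):
                    self.hcwtt[n], self.local[n] = set(merged), set(merged)
                for n in members:                       # now one communication logic set
                    self.group[n] = members
            return True
        finally:
            self._unlock(n1, n2)                        # (D6)

    def close(self, node: str, vm: str) -> None:
        """Process (E): close a VM; history is dropped only as the node/set idles."""
        self.running[node].pop(vm)
        if self.running[node]:                          # (E1) -> (E3): keep HCWTA
            return
        self.local[node].clear()                        # (E4): node idle, clear local copy
        others = self.group.get(node, set()) - {node}
        if not any(self.running.get(n) for n in others):  # (E2) -> (E5)
            self.hcwtt.pop(node, None)                  # last active node of the set

def scenario() -> List[bool]:
    """Three nodes; returns the decisions and two HCWTT checks in order."""
    c = Cluster()
    out: List[bool] = []
    out.append(c.start("N1", "vmB", "OilA"))   # allowed, HCWTT[N1] = {OilA}
    out.append(c.start("N2", "vmC", "OilB"))   # allowed, HCWTT[N2] = {OilB}
    out.append(c.request("N1", "N2"))          # denied: OilA is in CIS(OilB)
    out.append(c.start("N3", "vmD", "BankC"))  # allowed
    out.append(c.request("N1", "N3"))          # allowed: both become {OilA, BankC}
    out.append(c.request("N3", "N2"))          # denied: N3 now carries OilA history
    c.close("N1", "vmB")                       # N1 idle, but N3 in its set still active
    out.append("N1" in c.hcwtt)                # HCWTT entry kept (E4)
    out.append(c.start("N3", "vmB", "OilA"))   # migrated VM restarts on N3 via (C3)
    c.close("N3", "vmD")
    c.close("N3", "vmB")                       # whole set idle -> (E5)
    out.append("N3" in c.hcwtt)                # entry removed
    return out
```

The sixth decision shows the point of merging histories in (D5): N3 never ran an OilA workload itself, but after talking to N1 its HCWTA carries OilA, so a later request towards N2 (OilB) is refused and the indirect path N1 to N3 to N2 is closed. Two details follow directly from the claimed steps and are worth knowing before building on them: (E4) leaves an idle node's HCWTT entry in place while (C1) consults only the local copy, so a node that went idle inside an active set restarts on the (C5) path with an empty history and overwrites its HCWTT entry; and (D3) as written checks only HCWTA1 against CIS of HCWTA2, which is only sufficient if every CIS is symmetric, as it is here.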
CN2008100479468A 2008-06-06 2008-06-06 Dummy machine concealed flow control method based on priority china wall policy Expired - Fee Related CN101290586B (en)

Publications (2)

Publication Number Publication Date
CN101290586A CN101290586A (en) 2008-10-22
CN101290586B true CN101290586B (en) 2011-07-20

Family

ID=40034853

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101452397B (en) * 2008-11-27 2012-08-22 上海交通大学 Forced access control method and apparatus in virtual environment
CN101923507B (en) * 2010-07-30 2012-09-26 华中科技大学 Universal virtual machine monitoring system based on driving
CN102402466B (en) * 2011-08-10 2014-04-16 华为技术有限公司 Method and system for resolving multilateral conflicts of virtualization platform
TWI451245B (en) * 2011-09-14 2014-09-01 Inst Information Industry Virtual machine monitoring method, system and computer readable storage medium for storing thereof
CN104461728B (en) * 2013-09-18 2019-06-14 Sap欧洲公司 Computer system, medium and the method for migration event management and running

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101183315A (en) * 2007-12-10 2008-05-21 华中科技大学 Paralleling multi-processor virtual machine system
CN101188624A (en) * 2007-12-07 2008-05-28 华中科技大学 Grid middleware system based on virtual machine

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110720

Termination date: 20140606