CN103457974A - Safety control method and device for virtual machine mirror images - Google Patents
Safety control method and device for virtual machine mirror images Download PDFInfo
- Publication number
- CN103457974A CN103457974A CN2012101789557A CN201210178955A CN103457974A CN 103457974 A CN103457974 A CN 103457974A CN 2012101789557 A CN2012101789557 A CN 2012101789557A CN 201210178955 A CN201210178955 A CN 201210178955A CN 103457974 A CN103457974 A CN 103457974A
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- machine image
- access request
- security strategy
- accessing operation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a safety control method and device for virtual machine mirror images. The method comprises the steps that in a virtual machine system, a safety strategy is preset and is used for protecting the safety of the virtual machine images in the whole life period; in the operation period and in the rest period of the virtual machine mirror images, an access control mechanism is adopted so as to prevent theft and modification conducted on the virtual machine mirror images; before the virtual machine images start, safety inspection is adopted to prevent mis-configuration and cheat to the preset virtual machine mirror images. The safety control method and device for the virtual machine mirror images solve the problem that potential safety hazards exist when the virtual machine mirror images are accessed, and ensures the access safety of a virtual machine mirror images.
Description
Technical field
The present invention relates to the cloud computing security fields, in particular to a kind of method of controlling security and device of virtual machine image.
Background technology
The use of service, application, information and infrastructure that calculating, network, information and storage etc. that " resource pool " change form has been described in cloud computing.These assemblies can be planned rapidly, purchased, deployment and retired, and can expand rapidly or reduce, provide as required, distribute and consumption mode like the effectiveness compute classes.In general, the service mode of cloud computing can be divided into IaaS(cloud infrastructure as the service), PaaS(cloud platform as the service), SaaS(cloud software as the service).
Virtual is one of the key technology of cloud computing, and it is also one of important element of IaaS cloud service.The benefit that Intel Virtualization Technology brings is a lot, comprises and can realize many tenants, higher system effectiveness etc.Yet, virtually also brought a lot of safety problems.For example, the security breaches of Hypervisor layer, the safe handling of CPU and internal memory, the dummy machine system safety management, the dummy machine system mirror image waits safely.Along with the development of cloud computing, the safety problem of dummy machine system more and more receives publicity.
Safety when the virtual machine image safety problem comprises dummy machine system operation and dormancy, also comprise the storage security of virtual machine image, and prevent pre-configured virtual machine image deception etc.
Yet, do not provide concrete security solution in prior art, make and have a large amount of hidden dangers when accesses virtual machine mirror image.
Summary of the invention
Have the problem of hidden danger and propose the present invention when the accesses virtual machine mirror image for what exist in prior art, for this reason, main purpose of the present invention is to provide a kind of method of controlling security and device of virtual machine image, to address the above problem at least it
To achieve these goals, according to an aspect of the present invention, provide a kind of method of controlling security of virtual machine image, it comprises: in dummy machine system, set in advance security strategy, be used for protecting the safety of virtual machine image in whole life cycle; In virtual machine image operation and dormant stage, adopt access control mechanisms, prevent stealing and revising virtual machine image; Before virtual machine image starts, adopt safety inspection, prevent that mismatching of pre-configured virtual machine image from putting and cheating.
Preferably, the step of described employing access control mechanisms and described employing safety inspection includes: sink virtual machine mirror image access request; Judge whether the accessing operation that allows the virtual machine image access request to ask according to security strategy, wherein, security strategy is for the access rights of managing virtual machines mirror image; If allow, carry out the accessing operation that the virtual machine image access request is asked; If do not allow, refuse the accessing operation that the virtual machine image access request is asked.
Preferably, according to security strategy, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: to judge whether the accessing operation that allows the virtual machine image access request to ask according to different security strategies in the different stages; Wherein, the different stages comprise following one of at least: when virtual machine image operation and dormancy, before loading pre-configured virtual machine image, before the virtual machine image startup, or, in the virtual machine image storing process.
Preferably, security strategy comprises: when virtual machine image operation and dormancy, adopt described access control mechanisms to the control of authority that conducts interviews of virtual machine image access request, for preventing stealing and revising virtual machine image.
Preferably, adopt described access control mechanisms to comprise the conduct interviews step of control of authority of virtual machine image access request: to judge whether to have authority to the following accessing operation that the virtual machine image access request is asked: CPU, internal memory, file system or the dummy machine system network of one of at least carrying out.
Preferably, security strategy comprises: before loading pre-configured virtual machine image, virtual machine image is carried out to safety verification, for guaranteeing the legitimacy of virtual machine image, prevent the virtual machine image deception.
The step of preferably, virtual machine image being carried out to safety verification comprises: the integrality to virtual machine image is verified.
The step of preferably, virtual machine image being carried out to safety verification comprises: the source to virtual machine image is verified.
Preferably, security strategy comprises: before loading pre-configured virtual machine image, the loading user who indicates in the virtual machine image access request is carried out to authentication, for preventing the illegal loading of virtual machine image.
Preferably, security strategy comprises: before virtual machine image starts, adopt safety inspection to carry out patch reparation and software version update to virtual machine image, for preventing the malicious attack caused because of system vulnerability.
Preferably, security strategy comprises: in the virtual machine image storing process, safe storage mechanism is set, for preventing, because virtual machine image is stolen, gets the information leakage caused.
To achieve these goals, according to a further aspect in the invention, provide a kind of safety control of virtual machine image, it comprises: setting unit, for at dummy machine system, set in advance security strategy, be used for protecting the safety of virtual machine image in whole life cycle; Control unit, in virtual machine image operation and dormant stage, adopt access control mechanisms, prevents stealing and revising virtual machine image; Before virtual machine image starts, adopt safety inspection, prevent that mismatching of pre-configured virtual machine image from putting and cheating.
Described control unit comprises: receiver module, for sink virtual machine mirror image access request; Judge module, for the accessing operation that judges whether according to security strategy to allow the virtual machine image access request to ask, wherein, security strategy is for the access rights of managing virtual machines mirror image; Processing module, during for the accessing operation allowing the virtual machine image access request to ask, carry out the accessing operation that the virtual machine image access request is asked; When the accessing operation that does not allow the virtual machine image access request to ask, the accessing operation that refusal virtual machine image access request is asked.
Judge module comprises: the judgement submodule judges whether the accessing operation that allows the virtual machine image access request to ask according to different security strategies for the stage different; Wherein, the different stages comprise following one of at least: when the operation of virtual machine module and dormancy, before loading pre-configured virtual machine image, before the virtual machine image startup, or, in the virtual machine image storing process.
In each preferred implementation of the present invention, carry out different concrete safe realization mechanisms according to the different phase of virtual machine image, ensured the access security of virtual machine image.When virtual machine operation and dormancy, the mirror image access request is controlled, prevent stealing and revising mirror image; Before loading pre-configured mirror image, virtual machine image is configured to inspection, source-verify and completeness check, guarantee the legitimacy of mirror image, prevent the mirror image deception; Before loading pre-configured mirror image, carry out authentication to loading the user, prevent the illegal loading of mirror image; Before mirror image completes startup, mirror image is carried out to patch reparation and software version update, prevent the malicious attack caused because of system vulnerability; In the mirrored storage process, by safe storage mechanism is set, prevent from getting because mirror image is stolen the information leakage caused.
Other features and advantages of the present invention will be set forth in the following description, and, partly from specification, become apparent, or understand by implementing the present invention.Purpose of the present invention and other advantages can realize and obtain by specifically noted structure in the specification write, claims and accompanying drawing.
The accompanying drawing explanation
Accompanying drawing described herein is used to provide a further understanding of the present invention, forms the application's a part, and schematic description and description of the present invention the present invention does not form inappropriate limitation of the present invention for explaining.In the accompanying drawings:
Fig. 1 is a kind of preferred flow charts according to the method for controlling security of the virtual machine image of the embodiment of the present invention;
Fig. 2 is the another kind of preferred flow charts according to the method for controlling security of the virtual machine image of the embodiment of the present invention;
Fig. 3 is a kind of preferred structure block diagram according to the safety control system of the virtual machine image of the embodiment of the present invention;
Fig. 4 is a kind of preferred structure block diagram according to the safety control of the virtual machine image of the embodiment of the present invention; And
Fig. 5 is the another kind of preferred structure block diagram according to the safety control of the virtual machine image of the embodiment of the present invention.
Embodiment
Hereinafter with reference to accompanying drawing, also describe the present invention in detail in conjunction with the embodiments.It should be noted that, in the situation that do not conflict, embodiment and the feature in embodiment in the application can combine mutually.
Embodiment 1
As shown in Figure 1, in the present embodiment, the method for controlling security of virtual machine image can comprise the steps:
S102, in dummy machine system, set in advance security strategy, is used for protecting the safety of virtual machine image in whole life cycle; Preferably, it is one of following that above-mentioned security strategy can include but not limited to: in virtual machine image operation and dormant stage, adopt access control mechanisms, prevent from stealing and revising; Before virtual machine image starts, adopt safety inspection, prevent that mismatching of pre-configured virtual machine image from putting and cheating.
S104, in virtual machine image operation and dormant stage, adopt access control mechanisms, prevents stealing and revising virtual machine image; Before virtual machine image starts, adopt safety inspection, prevent that mismatching of pre-configured virtual machine image from putting and cheating.That is to say, in virtual machine image operation and dormant stage, carry out the access control mechanisms in the security strategy set in advance; Before virtual machine image starts, carry out the safety inspection in the security strategy set in advance.
Preferably, the invention provides a kind of preferred mode and realize above-mentioned access control mechanisms and safety inspection.As shown in Figure 2, adopt access control mechanisms and adopt the step of safety inspection to include following steps:
S202, sink virtual machine mirror image access request.Preferably, in the present embodiment, above-mentioned virtual machine image access request can be, but not limited to send from client (as the client 302 Fig. 3) to virtual machine (as the virtual machine 304 in Fig. 3).
S204, judge whether the accessing operation that allows described virtual machine image access request to ask according to security strategy, wherein, described security strategy is for the access rights of managing virtual machines mirror image.Preferably, in the present embodiment, after receiving above-mentioned virtual machine image access request, virtual machine 304 judges whether according to the security strategy set in advance the accessing operation that allows described virtual machine image access request to ask, and follow-uply will introduce in detail above-mentioned decision operation.
S206, if allow, carry out the accessing operation that described virtual machine image access request is asked; If do not allow, refuse the accessing operation that described virtual machine image access request is asked.Preferably, in the present embodiment, by but be not limited to the response message that virtual machine 304 is carried out above-mentioned accessing operations or returned to the denied access operation to client.
Preferably, improvements of the present invention are: according to the different phase of virtual machine image, carry out different concrete safe realization mechanisms.In order to realize above-mentioned improvement, according to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: to judge whether the accessing operation that allows the virtual machine image access request to ask according to different security strategies in the different stages; Wherein, the different stages comprise following one of at least: when virtual machine image operation and dormancy, before loading pre-configured virtual machine image, before the virtual machine image startup, or, in the virtual machine image storing process.
In above-mentioned preferred implementation, carry out different concrete safe realization mechanisms according to the different phase of virtual machine image, ensured the access security of virtual machine image.
The method of controlling security of the virtual machine image under different security strategies is described below in conjunction with concrete example.
1) security strategy 1
Security strategy comprises: when virtual machine image operation and dormancy, adopt described access control mechanisms to the control of authority that conducts interviews of virtual machine image access request, for preventing stealing and revising virtual machine image.
Preferably, adopt access control mechanisms to comprise the conduct interviews step of control of authority of virtual machine image access request: to judge whether to have authority to the following accessing operation that the virtual machine image access request is asked: CPU, internal memory, file system or the dummy machine system network of one of at least carrying out.
Under this security strategy, according to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: when virtual machine operation and dormancy, to judge whether the accessing operation that the virtual machine image access request is asked is the operation allowed in security strategy; If the accessing operation that the virtual machine image access request is asked is the operation allowed in security strategy, the accessing operation that allows the virtual machine image access request to ask; Otherwise, the accessing operation that refusal virtual machine image access request is asked.
For example, suppose that security strategy comprises: only allow the data in CPU are carried out to read-only operation.According to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: to judge whether the accessing operation that the virtual machine image access request is asked is the data of reading in CPU, if the accessing operation that the virtual machine image access request is asked is the data of reading in CPU, the accessing operation that allows this virtual machine image access request to ask; If the accessing operation that the virtual machine image access request is asked is not for example, for reading the data (accessing operation that, the virtual machine image access request is asked is that CPU is carried out to data writing operation) in CPU
2) security strategy 2
Security strategy comprises: before loading pre-configured virtual machine image, virtual machine image is carried out to safety verification, for guaranteeing the legitimacy of virtual machine image, prevent the virtual machine image deception.
The step of preferably, virtual machine image being carried out to safety verification can comprise: the integrality to virtual machine image is verified.The mode that above-mentioned checking adopts can include but not limited to following one of at least: hash, hash or data signature through encrypting.
Under this security strategy, according to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: before loading pre-configured virtual machine image, to judge whether the virtual machine image of virtual machine image access request institute request access can be by the checking of integrality; If can mean that the virtual machine image of virtual machine image access request institute request access meets the requirement of integrality by the checking of integrality, the accessing operation that allows the virtual machine image access request to ask; If can not pass through, mean that the virtual machine image of virtual machine image access request institute request access does not meet the requirement of integrality, the accessing operation that refusal virtual machine image access request is asked.
In addition, as a kind of optional mode, the above-mentioned step that virtual machine image is carried out to safety verification can comprise: the source to virtual machine image is verified.For example, the above-mentioned checking to source can comprise: whether the virtual machine image that judges virtual machine image access request institute request access is the virtual machine image that comes from trusted party, if come from the virtual machine image of trusted party, judge that client can be used had access to virtual machine image; If not from the virtual machine image of trusted party, judge that client can not be used had access to virtual machine image.
Under this security strategy, according to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: whether the source that judges the virtual machine image of virtual machine image access request institute request access meets predetermined requirement; If its source meets predetermined requirement, the accessing operation that allows the virtual machine image access request to ask; If its source does not meet predetermined requirement, refuse the accessing operation that the virtual machine image access request is asked.
3) security strategy 3
Security strategy comprises: before loading pre-configured virtual machine image, the loading user who indicates in the virtual machine image access request is carried out to authentication, for preventing the illegal loading of virtual machine image.
Under this security strategy, according to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: before loading pre-configured virtual machine image, according to the user's who carries in the virtual machine image access request sign, to judge whether this user has access rights; If this user has access rights, the accessing operation that allows the virtual machine image access request to ask; If this user does not have access rights, refuse the accessing operation that the virtual machine image access request is asked.
For example, in order to realize above-mentioned security strategy, can in the virtual machine image access request, carry user ID (for example, the sign of client 302).Then, the sign of 304 pairs of these clients 302 of virtual machine is carried out authentication, in order to judge according to the sign of above-mentioned client 302 whether client 302 has access rights.If client 302 has access rights, the accessing operation that allows the virtual machine image access request to ask; If client 302 does not have access rights, refuse the accessing operation that the virtual machine image access request is asked.
4) security strategy 4
Security strategy comprises: before virtual machine image starts, adopt safety inspection to carry out patch reparation and software version update to virtual machine image, for preventing the malicious attack caused because of system vulnerability.
Under this security strategy, according to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: before virtual machine image starts, whether the virtual machine image that judges virtual machine image access request institute request access needs to carry out the patch reparation and/or whether has software version update, need to carry out the patch reparation and/or have software version update if exist, refuse the accessing operation that the virtual machine image access request is asked, so that after pending patch reparation and software version update, the accessing operation that allows again the virtual machine image access request to ask, otherwise, the accessing operation that allows the virtual machine image access request to ask.
5) security strategy 5
Security strategy comprises: in the virtual machine image storing process, safe storage mechanism is set, for preventing, because virtual machine image is stolen, gets the information leakage caused.
Preferably, the above-mentioned operation that safe storage mechanism is set comprises: arrange and allow the user that the memory device that stores virtual machine image is operated, and, the corresponding operating right of this user.
Under this security strategy, according to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: in the virtual machine image storing process, to judge whether the accessing operation that the virtual machine image access request is asked is the operation allowed in security strategy; If the accessing operation that the virtual machine image access request is asked is the operation allowed in security strategy, the accessing operation that allows the virtual machine image access request to ask; Otherwise, the accessing operation that refusal virtual machine image access request is asked.
As a kind of optional mode, according to the security strategy arranged, judge whether to allow the step of the accessing operation that the virtual machine image access request asks to comprise: in the virtual machine image storing process, according to the user's who carries in the virtual machine image access request sign, to judge whether this user has the authority that the memory device to storing virtual machine image is operated; If this user has authority, the accessing operation that allows the virtual machine image access request to ask; If this user does not have authority, refuse the accessing operation that the virtual machine image access request is asked.
The present embodiment is not done restriction to the combination of above-mentioned two kinds of modes, same, to whether carrying out aforesaid operations in the virtual machine image storing process, does not do restriction yet.
Each security strategy of above-mentioned proposition is all for virtual machine image is carried out to security control.The present invention does not do restriction to the combination of above-mentioned security strategy,, can adopt the security control of one of at least carrying out virtual machine image in above-mentioned security strategy that is simultaneously.
Embodiment 2
As shown in Figure 4, in the present embodiment, the safety control of virtual machine image can comprise:
1) setting unit 402, at dummy machine system, set in advance security strategy, are used for protecting the safety of virtual machine image in whole life cycle; Preferably, it is one of following that above-mentioned security strategy can include but not limited to: in virtual machine image operation and dormant stage, adopt access control mechanisms, prevent stealing and revising virtual machine image; Before virtual machine image starts, adopt safety inspection, prevent that mismatching of pre-configured virtual machine image from putting and cheating.
2) control unit 404, with setting unit 402, are connected, and in virtual machine image operation and dormant stage, adopt access control mechanisms, prevent from stealing and revising; Before virtual machine image starts, adopt safety inspection, prevent that mismatching of pre-configured virtual machine image from putting and cheating.That is to say, in virtual machine image operation and dormant stage, control unit 404 can be carried out the access control mechanisms in the security strategy set in advance, and before virtual machine image starts, carries out the safety inspection in the security strategy set in advance.
As shown in Figure 5, control unit 404 can comprise:
1) receiver module 502, for sink virtual machine mirror image access request.Preferably, in the present embodiment, above-mentioned virtual machine image access request can be, but not limited to send from client (as the client 302 Fig. 3) to virtual machine (as the virtual machine 304 in Fig. 3).
2) judge module 504, with receiver module 502, are connected, and for the accessing operation that judges whether according to security strategy to allow the virtual machine image access request to ask, wherein, security strategy is for the access rights of managing virtual machines mirror image.Preferably, in the present embodiment, after receiving above-mentioned virtual machine image access request, judge module 504 judges whether according to the security strategy set in advance the accessing operation that allows the virtual machine image access request to ask.
3) processing module 506, with judge module 504, are connected, and during for the accessing operation allowing the virtual machine image access request to ask, carry out the accessing operation that the virtual machine image access request is asked; When the accessing operation that does not allow the virtual machine image access request to ask, the accessing operation that refusal virtual machine image access request is asked.Preferably, the present embodiment is not limited to be carried out above-mentioned accessing operation or returned to client the response message that denied access operates by processing module 506.
In above-mentioned preferred implementation, carry out different concrete safe realization mechanisms according to the different phase of virtual machine image, ensured the access security of virtual machine image.
In the present embodiment, judge module 504 and processing module 506 can adopt each security strategy (security strategy 1-5) described in embodiment 1 and carry out and each security strategy operates accordingly, for above-mentioned security strategy and concrete operation, do not repeat them here.
The execution mode of this scheme carries out different concrete safe realization mechanisms according to the different phase of virtual machine image, ensures the safety of virtual machine image.When virtual machine operation and dormancy, the mirror image access request is controlled, prevent stealing and revising mirror image; Before loading pre-configured mirror image, virtual machine image is configured to inspection, source-verify and completeness check, guarantee the legitimacy of mirror image, prevent the mirror image deception; Before loading pre-configured mirror image, carry out authentication to loading the user, prevent the illegal loading of mirror image; Before mirror image completes startup, mirror image is carried out to patch reparation and software version update, prevent the malicious attack caused because of system vulnerability; In the mirrored storage process, by safe storage mechanism is set, prevent from getting because mirror image is stolen the information leakage caused.
It should be noted that, in the step shown in the flow chart of accompanying drawing, can in the computer system such as one group of computer executable instructions, carry out, and, although there is shown logical order in flow process, but in some cases, can carry out step shown or that describe with the order be different from herein.
Obviously, those skilled in the art should be understood that, above-mentioned each module of the present invention or each step can realize with general calculation element, they can concentrate on single calculation element, perhaps be distributed on the network that a plurality of calculation elements form, alternatively, they can be realized with the executable program code of calculation element, thereby, they can be stored in storage device and be carried out by calculation element, perhaps they are made into respectively to each integrated circuit modules, perhaps a plurality of modules in them or step being made into to the single integrated circuit module realizes.Like this, the present invention is not restricted to any specific hardware and software combination.
The foregoing is only the preferred embodiments of the present invention, be not limited to the present invention, for a person skilled in the art, the present invention can have various modifications and variations.Within the spirit and principles in the present invention all, any modification of doing, be equal to replacement, improvement etc., within all should being included in protection scope of the present invention.
Claims (14)
1. the method for controlling security of a virtual machine image, is characterized in that, comprising:
In dummy machine system, set in advance security strategy, be used for protecting the safety of virtual machine image in whole life cycle;
In virtual machine image operation and dormant stage, adopt access control mechanisms, prevent stealing and revising virtual machine image; Before virtual machine image starts, adopt safety inspection, prevent that mismatching of pre-configured virtual machine image from putting and cheating.
2. method according to claim 1, is characterized in that, the step of described employing access control mechanisms and described employing safety inspection includes:
Sink virtual machine mirror image access request;
Judge whether the accessing operation that allows described virtual machine image access request to ask according to described security strategy, wherein, described security strategy is for the access rights of managing virtual machines mirror image;
If allow, carry out the accessing operation that described virtual machine image access request is asked; If do not allow, refuse the accessing operation that described virtual machine image access request is asked.
3. method according to claim 2, is characterized in that, according to described security strategy, judges whether to allow the step of the accessing operation that described virtual machine image access request asks to comprise:
Judge whether the accessing operation that allows described virtual machine image access request to ask according to different security strategies in the different stages;
Wherein, the described different stage comprise following one of at least: when virtual machine image operation and dormancy, before loading pre-configured virtual machine image, before the virtual machine image startup, or, in the virtual machine image storing process.
4. according to the method in claim 2 or 3, it is characterized in that, described security strategy comprises: when virtual machine image operation and dormancy, adopt described access control mechanisms to the control of authority that conducts interviews of described virtual machine image access request, for preventing stealing and revising virtual machine image.
5. method according to claim 4, is characterized in that, the described access control mechanisms of described employing comprises the conduct interviews step of control of authority of described virtual machine image access request:
Judge whether to have authority to the following accessing operation that described virtual machine image access request is asked: CPU, internal memory, file system or the dummy machine system network of one of at least carrying out.
6. according to the method in claim 2 or 3, it is characterized in that, described security strategy comprises: before loading pre-configured virtual machine image, virtual machine image is carried out to safety verification, for guaranteeing the legitimacy of virtual machine image, prevent the virtual machine image deception.
7. method according to claim 6, is characterized in that, the described step that virtual machine image is carried out to safety verification comprises: the integrality to described virtual machine image is verified.
8. method according to claim 6, is characterized in that, the described step that virtual machine image is carried out to safety verification comprises: the source to described virtual machine image is verified.
9. according to the method in claim 2 or 3, it is characterized in that, described security strategy comprises: before loading pre-configured virtual machine image, the loading user who indicates in described virtual machine image access request is carried out to authentication, for preventing the illegal loading of virtual machine image.
10. according to the method in claim 2 or 3, it is characterized in that, described security strategy comprises: before virtual machine image starts, adopt described safety inspection to carry out patch reparation and software version update to virtual machine image, for preventing the malicious attack caused because of system vulnerability.
11. according to the method in claim 2 or 3, it is characterized in that, described security strategy comprises: in the virtual machine image storing process, safe storage mechanism is set, for preventing, because virtual machine image is stolen, gets the information leakage caused.
12. the safety control of a virtual machine image, is characterized in that, comprising:
Setting unit, at dummy machine system, set in advance security strategy, is used for protecting the safety of virtual machine image in whole life cycle;
Control unit, in virtual machine image operation and dormant stage, adopt access control mechanisms, prevents stealing and revising virtual machine image; Before virtual machine image starts, adopt safety inspection, prevent that mismatching of pre-configured virtual machine image from putting and cheating.
13. device according to claim 12, is characterized in that, described control unit comprises:
Receiver module, for sink virtual machine mirror image access request;
Judge module, for the accessing operation that judges whether according to described security strategy to allow described virtual machine image access request to ask, wherein, described security strategy is for the access rights of managing virtual machines mirror image;
Processing module, during for the accessing operation allowing described virtual machine image access request to ask, carry out the accessing operation that described virtual machine image access request is asked; When the accessing operation that does not allow described virtual machine image access request to ask, refuse the accessing operation that described virtual machine image access request is asked.
14. device according to claim 13, is characterized in that, described judge module comprises:
The judgement submodule, judge whether the accessing operation that allows described virtual machine image access request to ask according to different security strategies for the stage different;
Wherein, the described different stage comprise following one of at least: when virtual machine image operation and dormancy, before loading pre-configured virtual machine image, before the virtual machine image startup, or, in the virtual machine image storing process.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012101789557A CN103457974A (en) | 2012-06-01 | 2012-06-01 | Safety control method and device for virtual machine mirror images |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012101789557A CN103457974A (en) | 2012-06-01 | 2012-06-01 | Safety control method and device for virtual machine mirror images |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103457974A true CN103457974A (en) | 2013-12-18 |
Family
ID=49739923
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2012101789557A Pending CN103457974A (en) | 2012-06-01 | 2012-06-01 | Safety control method and device for virtual machine mirror images |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103457974A (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103970908A (en) * | 2014-05-28 | 2014-08-06 | 浪潮电子信息产业股份有限公司 | Virtual machine template IVF storage method |
| CN104346582A (en) * | 2014-11-05 | 2015-02-11 | 山东乾云启创信息科技有限公司 | Method for preventing mirror image from being tampered in desktop virtualization |
| CN105007261A (en) * | 2015-06-02 | 2015-10-28 | 华中科技大学 | Security protection method for image file in virtual environment |
| CN105262735A (en) * | 2015-09-24 | 2016-01-20 | 浪潮(北京)电子信息产业有限公司 | Method and system for cloud platform data safety protection |
| CN105389522A (en) * | 2015-12-23 | 2016-03-09 | 普华基础软件股份有限公司 | Safety management system for virtual machine and computer terminal |
| CN105871942A (en) * | 2015-01-19 | 2016-08-17 | 中国移动通信集团公司 | IaaS management platform and method |
| CN106330575A (en) * | 2016-11-08 | 2017-01-11 | 上海有云信息技术有限公司 | Safety service platform and safety service deployment method |
| CN110807198A (en) * | 2019-11-04 | 2020-02-18 | 吉林亿联银行股份有限公司 | Method for acquiring information for repairing bugs and patch processing system |
| CN111090470A (en) * | 2019-10-15 | 2020-05-01 | 平安科技(深圳)有限公司 | Secure starting method and device of cloud host, computer equipment and storage medium |
| CN111324497A (en) * | 2020-02-20 | 2020-06-23 | 杭州涂鸦信息技术有限公司 | Linux system partition self-checking method and system |
| CN111538566A (en) * | 2020-04-24 | 2020-08-14 | 咪咕文化科技有限公司 | Mirror image file processing method, device and system, electronic equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101754407A (en) * | 2008-12-16 | 2010-06-23 | 联想(北京)有限公司 | Method, server and system for processing service access request |
| CN101976317A (en) * | 2010-11-05 | 2011-02-16 | 北京世纪互联工程技术服务有限公司 | Virtual machine image safety method in private cloud computing application |
| CN102208000A (en) * | 2010-03-31 | 2011-10-05 | 伊姆西公司 | Method and system for providing security mechanisms for virtual machine images |
| CN102307207A (en) * | 2010-09-25 | 2012-01-04 | 广东电子工业研究院有限公司 | System and method for online customizing virtual machine image |
-
2012
- 2012-06-01 CN CN2012101789557A patent/CN103457974A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101754407A (en) * | 2008-12-16 | 2010-06-23 | 联想(北京)有限公司 | Method, server and system for processing service access request |
| CN102208000A (en) * | 2010-03-31 | 2011-10-05 | 伊姆西公司 | Method and system for providing security mechanisms for virtual machine images |
| CN102307207A (en) * | 2010-09-25 | 2012-01-04 | 广东电子工业研究院有限公司 | System and method for online customizing virtual machine image |
| CN101976317A (en) * | 2010-11-05 | 2011-02-16 | 北京世纪互联工程技术服务有限公司 | Virtual machine image safety method in private cloud computing application |
Non-Patent Citations (1)
| Title |
|---|
| 雷丙超: "《基于云计算的安全性研究》", 《信息科技辑》 * |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103970908A (en) * | 2014-05-28 | 2014-08-06 | 浪潮电子信息产业股份有限公司 | Virtual machine template IVF storage method |
| CN104346582A (en) * | 2014-11-05 | 2015-02-11 | 山东乾云启创信息科技有限公司 | Method for preventing mirror image from being tampered in desktop virtualization |
| CN105871942A (en) * | 2015-01-19 | 2016-08-17 | 中国移动通信集团公司 | IaaS management platform and method |
| CN105871942B (en) * | 2015-01-19 | 2019-03-22 | 中国移动通信集团公司 | A kind of IaaS management platform and method |
| CN105007261A (en) * | 2015-06-02 | 2015-10-28 | 华中科技大学 | Security protection method for image file in virtual environment |
| CN105262735A (en) * | 2015-09-24 | 2016-01-20 | 浪潮(北京)电子信息产业有限公司 | Method and system for cloud platform data safety protection |
| CN105262735B (en) * | 2015-09-24 | 2019-05-28 | 浪潮(北京)电子信息产业有限公司 | A kind of method and system of cloud platform data security protecting |
| CN105389522B (en) * | 2015-12-23 | 2022-03-04 | 普华基础软件股份有限公司 | Virtual machine safety management system and computer terminal |
| CN105389522A (en) * | 2015-12-23 | 2016-03-09 | 普华基础软件股份有限公司 | Safety management system for virtual machine and computer terminal |
| CN106330575A (en) * | 2016-11-08 | 2017-01-11 | 上海有云信息技术有限公司 | Safety service platform and safety service deployment method |
| CN111090470A (en) * | 2019-10-15 | 2020-05-01 | 平安科技(深圳)有限公司 | Secure starting method and device of cloud host, computer equipment and storage medium |
| CN110807198A (en) * | 2019-11-04 | 2020-02-18 | 吉林亿联银行股份有限公司 | Method for acquiring information for repairing bugs and patch processing system |
| CN111324497A (en) * | 2020-02-20 | 2020-06-23 | 杭州涂鸦信息技术有限公司 | Linux system partition self-checking method and system |
| CN111324497B (en) * | 2020-02-20 | 2023-10-27 | 杭州涂鸦信息技术有限公司 | Partition self-checking method and system for linux system |
| CN111538566A (en) * | 2020-04-24 | 2020-08-14 | 咪咕文化科技有限公司 | Mirror image file processing method, device and system, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103457974A (en) | Safety control method and device for virtual machine mirror images | |
| JP7086908B2 (en) | How to authenticate the actions performed on the target computing device | |
| CN105447406B (en) | A kind of method and apparatus for accessing memory space | |
| TWI648649B (en) | Mobile communication device and method of operating same | |
| US6609199B1 (en) | Method and apparatus for authenticating an open system application to a portable IC device | |
| EP2278514B1 (en) | System and method for providing secure virtual machines | |
| US8856512B2 (en) | Method and system for enterprise network single-sign-on by a manageability engine | |
| CN109840430B (en) | Safety processing unit of PLC and bus arbitration method thereof | |
| KR101281678B1 (en) | Method and Apparatus for authorizing host in portable storage device and providing information for authorizing host, and computer readable medium thereof | |
| CN105184147B (en) | User safety management method in cloud computing platform | |
| CN105184164B (en) | A kind of data processing method | |
| US20170003996A1 (en) | Protected guests in a hypervisor controlled system | |
| CN103890716A (en) | Web-based interface to access a function of a basic input/output system | |
| JPH1124919A (en) | Method and device for protecting application data in safe storage area | |
| US9460272B2 (en) | Method and apparatus for group licensing of device features | |
| CN104221027A (en) | Hardware and software association and authentication | |
| US9525705B2 (en) | System and method for managing tokens authorizing on-device operations | |
| CN107292176A (en) | Method and system for accessing a trusted platform module of a computing device | |
| CN112182560B (en) | Efficient isolation method, system and medium for Intel SGX interior | |
| CN112446032B (en) | Trusted execution environment construction method, system and storage medium | |
| EP2746978B1 (en) | License control method and system thereof | |
| CN105308610A (en) | Method and system for platform and user application security on a device | |
| CN104318176A (en) | Terminal and data management method and device thereof | |
| CN104252377A (en) | Virtualized host ID key sharing | |
| CN104471584A (en) | Network based management of protected data sets |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20131218 |