CN103810422A - Safety virtualization isolation method based on mirror image intelligent management - Google Patents

Publication number
CN103810422A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410058594.1A
Other languages
Chinese (zh)
Other versions
CN103810422B (en)
Inventor
王飞跃
孔庆杰
邹哲峰
熊刚
朱凤华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Automation of Chinese Academy of Science
Cloud Computing Center of CAS
Original Assignee
Institute of Automation of Chinese Academy of Science
Cloud Computing Center of CAS
Application filed by Institute of Automation of Chinese Academy of Science, Cloud Computing Center of CAS
Priority to CN201410058594.1A
Publication of CN103810422A
Application granted
Publication of CN103810422B
Legal status: Expired - Fee Related

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention relates to the technical field of cloud computing virtualization security, and in particular to a secure virtualization isolation method based on intelligent image management. The method includes the following steps: dynamically allocating and adjusting virtual machine resources; dynamically migrating the operating system; performing virtualization security isolation based on intelligent image management; starting virtual machines from the host; tracking modifications and the execution effect of isolated programs; and running programs on the virtual machines or the host. The method balances the security isolation, functional completeness, performance adaptability and behavior monitorability of a virtualized system, and can be used for cloud computing virtualization security.

Description

A secure virtualization isolation method based on intelligent image management
Technical field
The present invention relates to the field of cloud computing virtualization security, and in particular to a secure virtualization isolation method based on intelligent image management.
Background
Virtualization is a rapidly developing new industry within current cloud computing technology, with broad prospects for development and application. In an Internet environment, however, the security threats and challenges facing both virtualization users and virtualization platforms are unprecedented. In a typical cloud computing service platform, resources are offered to users in a virtualized, on-demand rental model. Virtualization reduces operating cost and lets users allocate resources quickly as needed, but this flexibility also lets virtual machine security risks spread quickly across the cloud platform. If the virtualization software in a cloud platform has a security vulnerability, a user's data may be accessed without authorization by other users sharing the platform. Moreover, because of the scale, openness and complexity of cloud computing, a malicious attack on it can cause a serious information security incident, so a virtualization isolation method is necessary.
Users of cloud computing use virtualized resources. Communication between virtual machines on the same computer goes through local hardware, so traditional network-based controls cannot monitor or filter it effectively, and a new method is needed. The virtual machine is also the key layer connecting the underlying hardware to the service applications above it, so establishing a safe and reliable virtualized environment is the basic support for the security of the management applications above it. Technologies such as trusted virtual machines, isolation and migration all need corresponding solutions at the hardware layer to address the new risks that virtualization brings to cloud computing and big data.
Current virtualization isolation technology cannot make virtual machines share disk bandwidth equally or guarantee I/O performance isolation between virtual machines. It often causes conflicts between file system data and local disk data, and inconsistency in critical operating system files will crash the virtualization system. Because the hardware environments of the virtual machine and the host differ, local services that depend on the hardware may hang or even crash when the virtual machine starts. In addition, existing isolation programs only run the virtual machine in isolation and do not track the effect of isolated execution, so they cannot monitor data modifications that outside influences cause in the running environment. For an environment that runs untrusted software in isolation, achieving transparency for operating system applications, reproducing the existing software runtime environment and supporting reconstruction of operating system information requires improving the functional completeness, performance adaptability and behavior monitorability of the isolated environment while still guaranteeing security isolation.
Summary of the invention
The technical problem solved by the present invention is to propose a secure virtualization isolation method based on intelligent image management, used to protect virtual machine files and storage resources while virtual machines are running.
The technical solution by which the present invention solves the above problem is as follows.
The method comprises the following steps:
Step 1: reserve a virtual machine or physical machine on the host, start the timer and the power manager, and deploy each virtual machine in a different disk region or space;
Step 2: the operating system dynamic migration manager marks the processes in the guest operating system at the virtualization layer and automatically records the process logs to the incompatible-service database;
Step 3: make the image file that the virtual machine needs in order to run, creating the boot file, kernel file and image file, and, through image management, copy the image file and data to a specific storage space or to other storage servers;
Step 4: start the SVIS virtual machine and run the system services and the software that starts automatically at boot;
Step 5: run the modification-tracking filter driver to monitor the data modification information in the Local-Booted OS (local boot system) and the execution effect of the isolated program;
Step 6: run applications on the virtual machine or the host.
Step 1 specifically comprises:
Step 11: the client remotely applies for a virtual machine or physical machine reservation;
Step 12: the host system jumps to the reservation module according to the user's permissions and the reservation type;
Step 13: for a physical machine reservation, the system checks whether the user has permission to reserve a physical machine; if so, information such as the reserved physical machine's IP address and its start-up and shutdown times is stored in the database; otherwise the user is told that permission is insufficient and the reservation is refused;
Step 14: the timer handles events: 10 minutes before the reserved end time is reached, the physical machine is started; when the reserved start time is reached, the computer is locked or shut down;
Step 15: for a virtual machine reservation, the system checks whether the user has permission to reserve a virtual machine or CPU; if so, information such as the virtual machine type, reserved virtual hard disk size, CPU, memory, and start-up and shutdown times is stored in the database; otherwise the user is told that permission is insufficient and the reservation is refused;
Step 16: the timer handles events: 30 minutes before the reserved start time is reached, the system runs the virtual machine start-up program; when the reserved end time is reached, the system shuts down or terminates the virtual machine.
Step 3 specifically comprises:
Step 31: make the virtual machine image file, which includes making the boot file and the kernel file and using the operating system to package them into an image file, and place these three files in the designated location;
Step 32: bring the image file under the management of the service database and the file system, including modification of the image, dynamic addition or removal of the software and programs installed in the image, adjustment of the image file's attributes, configuration and management of the boot file, adjustment of the kernel file, and hardware plug/unplug management;
Step 33: manage the physical machine's disks, including disk monitoring, dynamic partitioning of disks, and management and configuration of communication between disks;
Step 34: create an SVIS virtual machine instance on the host according to the disk information;
Step 35: use the SVIS virtual machine monitor to manage the virtual machine and the data on it in a virtualized manner;
Step 36: sensitive data such as directories and files accessed in the Local-Booted OS is copied to a specific disk partition before it is modified, achieving data isolation.
Step 5 specifically comprises:
Step 51: deploy the modification-tracking filter driver on both the host and the virtual machine;
Step 52: open the SVIS virtual machine monitor, track the execution effect of the isolated program, and monitor modifications to the virtual machine and its data;
Step 53: when the run ends, offer the user three operations: discard the execution results of the isolated program in SVIS, retain the execution results, or commit the execution results to the host operating system.
The method also comprises: after virtual machine security isolation has been performed, the SVIS VMM uses a "dynamic instruction translation technique": at run time, the SVIS VMM translates instructions so that non-privileged sensitive instructions, which would not otherwise trap, are replaced with instructions that notify the VMM. The isolated untrusted software runs in the Local-Booted OS started by the SVIS virtual machine, and trusted programs run directly on the host operating system.
The beneficial effects of the present invention are as follows.
Through virtualization security isolation based on intelligent image management and the operating system dynamic migration manager, the invention implements local virtualization technology and resolves the conflicts between the hardware environments of the SVIS virtual machine and the host. Sensitive data such as directories and files that the user does not allow to be accessed in the local operating system is securely deleted, achieving security isolation of the SVIS virtual machine and its data.
Through the modification tracking manager, the modifications that isolated software makes to data can be tracked and recorded, providing a basis for analyzing program behavior and for committing the program's execution results to the host environment. This achieves behavior monitoring of the isolated running environment. Intelligent image management also ensures that virtual machines are located in different disk regions, so that virtual machine resources do not overlap. Untrusted software can therefore run in a virtual computer system isolated from the host operating system, achieving operating system isolation.
The method is implemented on the secure virtualization isolation system (Safe Virtualization Isolation System, SVIS) and constructs a method that satisfies the isolated-execution model with local virtualization technology at its core. The method is implemented independently of the operating system and has good portability. It also balances the security isolation, functional completeness, performance adaptability and behavior monitorability of the virtualization system, and effectively improves the intrusion tolerance of the protected host environment.
Description of the drawings
The invention is further described below with reference to the drawings:
Fig. 1 is the architecture diagram of the secure virtualization isolation system based on intelligent image management of the present invention;
Fig. 2 is the flow chart of the secure virtualization isolation method based on intelligent image management of the present invention;
Fig. 3 is the flow chart of virtual machine resource reservation of the present invention;
Fig. 4 is the flow chart of intelligent image management of the present invention;
Fig. 5 is the flow chart of modification tracking and recording of the present invention.
Embodiment
Fig. 1 shows the architecture of the secure virtualization isolation system based on intelligent image management of the present invention. The architecture of the secure virtualization isolation system (Safe Virtualization Isolation System, SVIS) consists of five core components: the SVIS virtual machine monitor (SVIS Virtual Machine Monitor, SVIS VMM for short), virtualization security isolation based on intelligent image management, the operating system dynamic migration manager, the modification tracking manager, and the virtualization-layer system information component. According to the isolated-execution model, the SVIS VMM must be implemented as a VMM and run on the host operating system. The SVIS VMM is responsible for creating the isolated running environment for untrusted software, the SVIS virtual machine (SVIS Virtual Machine, SVIS VM for short). Through virtualization security isolation based on intelligent image management and the operating system dynamic migration manager, SVIS implements local virtualization technology: there is no need to reinstall an operating system inside the SVIS virtual machine (which is how existing virtual machine software operates). Instead, the virtual machine boots directly from the host operating system, and the operating system after boot is the "local boot operating system" (Local-Booted OS). The modification tracking manager records changes to resources (such as files and the registry) in the Local-Booted OS and the host operating system (host OS), which supports further analysis of the isolated software's behavior or later merging of the Local-Booted OS's data changes into the host operating system. The virtualization-layer system information component does not depend on interfaces provided by the operating system; it can use hardware-layer data (such as processor register information, the memory management unit and disk information) to reconstruct guest operating system information with application-layer semantics.
Fig. 2 shows the flow of the secure virtualization isolation method based on intelligent image management of the present invention. The method comprises the following steps:
(1) Dynamic allocation and adjustment of virtual machine resources
Dynamic allocation and adjustment of virtual machine resources is the necessary preparation for using virtual machines. By implementing effective reservation of physical machines and virtual machines, the invention can dynamically start and shut down physical machines and dynamically create and destroy virtual machines. Dynamic allocation and adjustment mainly consists of setting the reservation permissions for virtual machines or physical machines on the host, starting the timer and the power manager, preparing to handle reservation events, placing each virtual machine in a different disk region or space, and then allocating or adjusting virtual machine resources.
(2) Dynamic migration of the operating system
Because the hardware environments of the SVIS virtual machine and the host differ, system services that depend on the hardware may hang or even crash when the SVIS virtual machine starts. To solve this problem, the operating system dynamic migration manager marks the processes (including the current process) in the guest operating system at the virtualization layer. Combining this technique with the memory information of the Local-Booted OS obtained by the SVIS VMM makes it possible to determine which process causes the Local-Booted OS to hang or crash, and this information is then recorded automatically in the incompatible-service database. From then on, before the SVIS virtual machine is started, the operating system dynamic migration manager automatically disables in the Local-Booted OS every service listed in the incompatible-service database.
A key step in system start-up is starting each system service through the service control manager. If one of these services depends on the hardware platform and is incompatible with the SVIS virtual devices, the Local-Booted OS may fail to start normally or the system may crash. To address this, the invention uses operating system dynamic migration technology to identify, at any moment, the process currently running in the SVIS virtual machine. It can thereby find the process that causes the operating system to deadlock or crash and disable the corresponding service in subsequent start-ups. After the Local-Booted OS has started successfully, some software still depends on hardware information to run normally. To solve this problem, SVIS introduces a hardware identifier migration method that exports the host's various hardware identifiers to the corresponding virtual devices of the SVIS virtual machine, which solves the migration problem for software that depends on hardware information.
(3) Virtualization security isolation based on intelligent image management
The SVIS virtual machine or an external application needs to access the system volume while the host operating system is also modifying it. The former's modifications to the data do not go through the access interface provided by the host operating system, and the latter's modifications cannot be perceived in time by the file system in the SVIS virtual machine. This causes conflicts between file system data and disk data, and inconsistency in critical operating system files will crash the system. To solve this problem, virtualization security isolation based on intelligent image management is proposed. Intelligent image management means making the image file the virtual machine needs and bringing it under the management of the database and the file system. It provides the same access interface as a standard file system volume, and the image file is exported to the SVIS virtual machine as a storage device, forming the virtual machine's virtual disk. Through image management, data is copied to a specific storage space or to other storage servers before the data on the original volume is modified. Strict permission levels exist between virtual machine and host: files cannot be shared arbitrarily, and a virtual machine cannot access another virtual machine through the host. Afterwards, sensitive data such as directories and files that the user does not allow to be accessed in the Local-Booted OS is securely deleted, achieving security isolation of the SVIS virtual machine and its data.
(4) Starting the virtual machine from the host
The SVIS virtual machine is started directly from the host's operating system, and the enabled system services and the software that starts automatically at boot then run on the SVIS virtual machine. When the SVIS virtual machine starts for the first time, its virtual devices can reuse the original device drivers or have new device drivers installed.
(5) Tracking modifications and the execution effect of the isolated program
To track the execution effect of the isolated program and monitor data modifications in the Local-Booted OS, the modification-tracking filter driver must be run to monitor and record file modification operations.
(6) Running programs on the virtual machine or the host
Once the application or data has been securely isolated on the virtual machine, programs can be run from the virtual machine or the host. The SVIS VMM uses a "dynamic instruction translation technique": at run time, the SVIS VMM translates instructions so that non-privileged sensitive instructions, which would not otherwise trap, are replaced with instructions that notify the VMM. The isolated untrusted software thus runs in the Local-Booted OS started by the SVIS virtual machine, and trusted programs run directly on the host operating system.
Fig. 3 is the flow chart of virtual machine resource reservation of the present invention. It further explains the reservation flow within the dynamic allocation and adjustment of virtual machine resources in Fig. 2. Dynamic reservation and adjustment of virtual machine resources includes the following functions: management and allocation of resource reservations, setting of reservation permissions, management and configuration of reservation information, management of timers, power management of physical machines, and so on. The flow in Fig. 3 is:
(1) The client remotely applies for a virtual machine or physical machine reservation.
(2) The host system jumps to the physical machine reservation or virtual machine reservation function module according to the user's permissions and the reservation type.
(3) For a physical machine reservation, the system checks whether the user has permission to reserve a physical machine; if so, information such as the reserved physical machine's IP address and its start-up and shutdown times is stored in the database; otherwise the user is told that permission is insufficient and the reservation is refused.
(4) The timer handles events: 10 minutes before the reserved end time is reached, the physical machine is started; when the reserved start time is reached, the computer is locked or shut down.
(5) For a virtual machine reservation, the system checks whether the user has permission to reserve a virtual machine or CPU; if so, information such as the virtual machine type, reserved virtual hard disk size, CPU, memory, and start-up and shutdown times is stored in the database; otherwise the user is told that permission is insufficient and the reservation is refused.
(6) The timer handles events: 30 minutes before the reserved start time is reached, the system runs the virtual machine start-up program; when the reserved end time is reached, the system shuts down or terminates the virtual machine.
Fig. 4 is the flow chart of intelligent image management of the present invention. The steps are as follows:
(1) Make the image file the virtual machine needs, which includes making the boot file and the kernel file and using the operating system to package them into an image file, and place these three files in the designated location.
(2) Bring the image file under the management of the service database and the file system, including modification of the image, dynamic addition or removal of the software and programs installed in the image, adjustment of the image file's attributes, configuration and management of the boot file, adjustment of the kernel file, and hardware plug/unplug management.
(3) Manage the physical machine's disks, including disk monitoring, dynamic partitioning of disks, and management and configuration of communication between disks.
(4) Create an SVIS virtual machine instance on the host according to the disk information.
(5) Use the SVIS virtual machine monitor to manage the virtual machine and the data on it in a virtualized manner.
(6) Achieve virtual machine isolation through SVIS virtual machine image management: sensitive data such as directories and files accessed in the Local-Booted OS is copied to a specific disk partition before it is modified, achieving data isolation.
Fig. 5 is the flow chart of modification tracking and recording of the present invention. It further explains how modifications are tracked and recorded in the "tracking modifications and the execution effect of the isolated program" step of Fig. 2. The steps are as follows:
(1) Deploy the modification-tracking filter driver on both the host and the virtual machine, so that modification results in the Local-Booted OS can be committed to the host operating system.
(2) Open the SVIS virtual machine monitor, track the execution effect of the isolated program, and monitor modifications to the virtual machine and its data.
(3) When the SVIS run ends, the user can be offered three operations: discard the execution results of the isolated program in SVIS, retain the execution results, or commit the execution results to the host operating system. In the first case, the entire running environment of the SVIS virtual machine is destroyed, and any SVIS virtual machine started afterwards must create a new virtual simple disk. If the execution results are retained, the SVIS virtual machine is only shut down and the virtual simple disk is not destroyed. In the third case, the modification tracking manager is used to analyze and compare the data changes of the Local-Booted OS and the host operating system over the whole period from creation of the SVIS virtual machine to its end, and the data is then modified and merged.
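The copy-before-modify isolation of Fig. 4 step (6) and the three end-of-run operations of Fig. 5 step (3) can be modelled in user space as follows. This is an added illustration, not code from the patent: the `IsolationSession` class, the use of directories in place of disk partitions, the SHA-256 comparison and the "skip and report" conflict policy are all assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def _digest(path):
    """SHA-256 of a file, or None when the file does not exist."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.exists() else None


class IsolationSession:
    """One isolated run (hypothetical model, not the SVIS filter driver).

    host    -- directory standing in for the host volume
    overlay -- directory standing in for the dedicated partition / virtual disk
    """

    def __init__(self, host_root, overlay_root):
        self.host = Path(host_root).resolve()
        self.overlay = Path(overlay_root).resolve()
        self.baseline = {}  # rel path -> host digest at first guest modification

    @staticmethod
    def _inside(root, rel):
        """Resolve rel under root and refuse paths that escape it."""
        path = (root / rel).resolve()
        if root not in path.parents:
            raise ValueError(f"path escapes isolation root: {rel}")
        return path

    def guest_write(self, rel, data, append=False):
        """Guest modification: copy the original aside first, then change the copy."""
        src, dst = self._inside(self.host, rel), self._inside(self.overlay, rel)
        key = dst.relative_to(self.overlay).as_posix()  # normalized tracking key
        if key not in self.baseline:  # first touch of this file
            self.baseline[key] = _digest(src)  # modification-tracking record
            dst.parent.mkdir(parents=True, exist_ok=True)
            if src.exists():
                shutil.copy2(src, dst)  # copy before modification
        with open(dst, "ab" if append else "wb") as fh:
            fh.write(data)

    def discard(self):
        """Operation 1: destroy the isolated environment and its change log."""
        shutil.rmtree(self.overlay, ignore_errors=True)
        self.baseline.clear()

    def retain(self):
        """Operation 2: keep the overlay untouched; report what it changed."""
        return sorted(self.baseline)

    def commit(self):
        """Operation 3: merge guest changes unless the host file changed as well."""
        merged, conflicts = [], []
        for rel, base in sorted(self.baseline.items()):
            dest = self.host / rel
            if _digest(dest) != base:  # host modified it during the run
                conflicts.append(rel)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(self.overlay / rel, dest)
            merged.append(rel)
        return merged, conflicts


def demo():
    """Run a constructed scenario in temporary directories and return the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        host, overlay = Path(tmp, "host"), Path(tmp, "overlay")
        host.mkdir()
        overlay.mkdir()
        (host / "hosts.txt").write_bytes(b"127.0.0.1 localhost\n")  # constructed data
        (host / "app.cfg").write_bytes(b"mode=safe\n")
        s = IsolationSession(host, overlay)
        s.guest_write("hosts.txt", b"10.0.0.5 update.example\n", append=True)
        s.guest_write("app.cfg", b"mode=debug\n")
        s.guest_write("new.log", b"created in guest\n")
        try:
            s.guest_write("../outside.txt", b"x")
            escape_blocked = False
        except ValueError:
            escape_blocked = True
        host_before = (host / "hosts.txt").read_bytes()  # host is still unmodified
        (host / "app.cfg").write_bytes(b"mode=strict\n")  # host edits the same file
        merged, conflicts = s.commit()
        return {
            "escape_blocked": escape_blocked,
            "host_before": host_before,
            "merged": merged,
            "conflicts": conflicts,
            "hosts_after": (host / "hosts.txt").read_bytes(),
            "cfg_after": (host / "app.cfg").read_bytes(),
        }


if __name__ == "__main__":
    print(demo())
```

The conflict on `app.cfg` is the case the comparison step exists for: the host changed the file during the run, so the guest's version is reported rather than silently overwriting it.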
The above is a description of specific embodiments of the invention and does not limit the scope of the invention. Any modification, equivalent replacement or improvement made within the scheme disclosed by the invention without undue creative work shall fall within the scope of protection of the invention.

Claims (7)

1. A secure virtualization isolation method based on intelligent image management, characterized in that it comprises the following steps:
Step 1: reserve a virtual machine or physical machine on the host, start the timer and the power manager, and deploy each virtual machine in a different disk region or space;
Step 2: the operating system dynamic migration manager marks the processes in the guest operating system at the virtualization layer and automatically records the process logs to the incompatible-service database;
Step 3: make the image file that the virtual machine needs in order to run, creating the boot file, kernel file and image file, and, through image management, copy the image file and data to a specific storage space or to other storage servers;
Step 4: start the SVIS virtual machine and run the system services and the software that starts automatically at boot;
Step 5: run the modification-tracking filter driver to monitor the data modification information in the Local-Booted OS and the execution effect of the isolated program;
Step 6: run applications on the virtual machine or the host.
2. The secure virtualization isolation method according to claim 1, characterized in that step 1 specifically comprises:
Step 11: the client remotely applies for a virtual machine or physical machine reservation;
Step 12: the host system jumps to the reservation module according to the user's permissions and the reservation type;
Step 13: for a physical machine reservation, the system checks whether the user has permission to reserve a physical machine; if so, information such as the reserved physical machine's IP address and its start-up and shutdown times is stored in the database; otherwise the user is told that permission is insufficient and the reservation is refused;
Step 14: the timer handles events: 10 minutes before the reserved end time is reached, the physical machine is started; when the reserved start time is reached, the computer is locked or shut down;
Step 15: for a virtual machine reservation, the system checks whether the user has permission to reserve a virtual machine or CPU; if so, information such as the virtual machine type, reserved virtual hard disk size, CPU, memory, and start-up and shutdown times is stored in the database; otherwise the user is told that permission is insufficient and the reservation is refused;
Step 16: the timer handles events: 30 minutes before the reserved start time is reached, the system runs the virtual machine start-up program; when the reserved end time is reached, the system shuts down or terminates the virtual machine.
3. The secure virtualization isolation method according to claim 1, characterized in that step 3 specifically comprises:
Step 31: make the virtual machine image file, which includes making the boot file and the kernel file and using the operating system to package them into an image file, and place these three files in the designated location;
Step 32: bring the image file under the management of the service database and the file system, including modification of the image, dynamic addition or removal of the software and programs installed in the image, adjustment of the image file's attributes, configuration and management of the boot file, adjustment of the kernel file, and hardware plug/unplug management;
Step 33: manage the physical machine's disks, including disk monitoring, dynamic partitioning of disks, and management and configuration of communication between disks;
Step 34: create an SVIS virtual machine instance on the host according to the disk information;
Step 35: use the SVIS virtual machine monitor to manage the virtual machine and the data on it in a virtualized manner;
Step 36: sensitive data such as directories and files accessed in the Local-Booted OS is copied to a specific disk partition before it is modified, achieving data isolation.
4. The secure virtualization isolation method according to claim 2, characterized in that step 3 specifically comprises:
Step 31: make the virtual machine image file, which includes making the boot file and the kernel file and using the operating system to package them into an image file, and place these three files in the designated location;
Step 32: bring the image file under the management of the service database and the file system, including modification of the image, dynamic addition or removal of the software and programs installed in the image, adjustment of the image file's attributes, configuration and management of the boot file, adjustment of the kernel file, and hardware plug/unplug management;
Step 33: manage the physical machine's disks, including disk monitoring, dynamic partitioning of disks, and management and configuration of communication between disks;
Step 34: create an SVIS virtual machine instance on the host according to the disk information;
Step 35: use the SVIS virtual machine monitor to manage the virtual machine and the data on it in a virtualized manner;
Step 36: sensitive data such as directories and files accessed in the Local-Booted OS is copied to a specific disk partition before it is modified, achieving data isolation.
5. The safety virtualization isolation method according to any one of claims 1 to 4, characterized in that step 5 specifically comprises:
Step 51: deploy a modification-tracking filter driver on both the host and the virtual machine;
Step 52: start the SVIS virtual machine monitor, track the execution effects of the isolated program, and monitor the modification information of the virtual machine and its data;
Step 53: when the run ends, offer the user three operations: discard the execution results of the isolated program in SVIS, retain the execution results, or commit the execution results to the host operating system.
6. The safety virtualization isolation method according to any one of claims 1 to 4, characterized in that the method further comprises: after the virtual machine security isolation is carried out, the SVIS VMM adopts a "dynamic instruction translation technique", whereby at run time the SVIS VMM uses instruction translation to replace non-privileged sensitive instructions, which originally do not trap, with instructions that notify the VMM. The isolated untrusted software runs in the Local-Booted OS started by the SVIS virtual machine, while trusted programs run directly on the host operating system.
7. The safety virtualization isolation method according to claim 5, characterized in that the method further comprises: after the virtual machine security isolation is carried out, the SVIS VMM adopts a "dynamic instruction translation technique", whereby at run time the SVIS VMM uses instruction translation to replace non-privileged sensitive instructions, which originally do not trap, with instructions that notify the VMM. The isolated untrusted software runs in the Local-Booted OS started by the SVIS virtual machine, while trusted programs run directly on the host operating system.
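The copy-before-modify isolation of step 36 and the three end-of-run operations of step 53 can be modelled at file level as follows; this is an added illustration in Python, not code from the patent or its applicants, and it does not reproduce the filter driver or the SVIS VMM. The names `IsolationSession` and `run_demo` are hypothetical, two temporary directories stand in for the host file system and the specific disk partition, and the path check in `_safe` is an added safeguard that the claims do not mention.

```python
import shutil
import tempfile
from pathlib import Path

class IsolationSession:
    """Copy-before-modify overlay; the host tree is untouched until commit."""
    def __init__(self, host_root, isolated_root):
        self.host = Path(host_root)
        self.iso = Path(isolated_root)  # stands in for the "specific disk partition"
        self.modified = []              # modification log (relative paths)

    def _safe(self, rel):
        if not (self.host / rel).resolve().is_relative_to(self.host.resolve()):
            raise ValueError(f"path escapes host root: {rel}")  # e.g. "../x"
        return Path(rel)

    def read(self, rel):
        rel = self._safe(rel)  # isolated copy wins over the host original
        return (self.iso / rel if (self.iso / rel).exists() else self.host / rel).read_text()

    def write(self, rel, text):
        rel = self._safe(rel)
        copy = self.iso / rel
        if not copy.exists():           # first touch: copy before modifying
            copy.parent.mkdir(parents=True, exist_ok=True)
            if (self.host / rel).exists():
                shutil.copy2(self.host / rel, copy)
            self.modified.append(str(rel))
        copy.write_text(text)

    def finish(self, action):
        if action not in ("discard", "retain", "commit"):
            raise ValueError(f"unknown action: {action}")
        if action == "commit":          # push isolated results to the host
            for rel in self.modified:
                (self.host / rel).parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(self.iso / rel, self.host / rel)
        if action != "retain":          # discard and commit both clear the overlay
            shutil.rmtree(self.iso, ignore_errors=True)
            self.modified = []

def run_demo(action):
    host, iso = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (host / "app.conf").write_text("original")  # constructed sample file
    s = IsolationSession(host, iso)
    s.write("app.conf", "tampered")             # untrusted program's edit
    inside, during = s.read("app.conf"), (host / "app.conf").read_text()
    s.finish(action)
    return inside, during, (host / "app.conf").read_text(), iso.exists()
```

`run_demo` returns what the isolated program saw, what the host file held during the run, what it holds after the chosen operation, and whether the isolated copy still exists.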
CN201410058594.1A 2014-02-20 2014-02-20 Safety virtualization isolation method based on mirror image intelligent management Expired - Fee Related CN103810422B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410058594.1A CN103810422B (en) 2014-02-20 2014-02-20 Safety virtualization isolation method based on mirror image intelligent management

Publications (2)

Publication Number Publication Date
CN103810422A true CN103810422A (en) 2014-05-21
CN103810422B CN103810422B (en) 2017-05-17

Family

ID=50707178

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410058594.1A Expired - Fee Related CN103810422B (en) 2014-02-20 2014-02-20 Safety virtualization isolation method based on mirror image intelligent management

Country Status (1)

Country Link
CN (1) CN103810422B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101957900A (en) * 2010-10-26 2011-01-26 中国航天科工集团第二研究院七○六所 Credible virtual machine platform
US20110078681A1 (en) * 2009-09-30 2011-03-31 International Business Machines Corporation Method and system for running virtual machine image
CN102930213A (en) * 2012-10-25 2013-02-13 中国航天科工集团第二研究院七〇六所 Security monitoring system and security monitoring method based on virtual machine
CN103107994A (en) * 2013-02-06 2013-05-15 中电长城网际系统应用有限公司 Vitualization environment data security partition method and system
CN103473064A (en) * 2013-09-18 2013-12-25 国云科技股份有限公司 Method for monitoring use conditions of magnetic disk of virtual machine in host machine

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
段翼真等: "可信安全虚拟机平台的研究", 《第26 次全国计算机安全学术交流会论文集》, 30 September 2011 (2011-09-30) *

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767741B (en) * 2015-03-24 2018-03-06 杭州安恒信息技术有限公司 A kind of calculating service separation and safety system based on light-duty virtual machine
CN104767741A (en) * 2015-03-24 2015-07-08 杭州安恒信息技术有限公司 Calculation service separating and safety protecting system based on light virtual machine
CN105955805A (en) * 2015-12-28 2016-09-21 中国银联股份有限公司 Application container transferring method and device
CN105955805B (en) * 2015-12-28 2019-01-22 中国银联股份有限公司 A kind of method and device of application container migration
CN106055976A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox controller
CN106293512B (en) * 2016-07-27 2020-07-31 福建升腾资讯有限公司 Method for realizing trans-regional storage and distribution of basic mirror image based on Xen virtualization platform
CN106293512A (en) * 2016-07-27 2017-01-04 福建升腾资讯有限公司 The transregional storage of foundation image based on Xen virtual platform and the implementation method of distribution
CN106648827A (en) * 2016-09-20 2017-05-10 国云科技股份有限公司 Method for online adding virtual machine resources
CN106528269B (en) * 2016-11-08 2019-05-21 西安电子科技大学 The virtual machine access control system and control method of lightweight
CN106528269A (en) * 2016-11-08 2017-03-22 西安电子科技大学 Light weight virtual machine access control system and method
CN106919439A (en) * 2017-03-13 2017-07-04 中国人民解放军理工大学 Virtual machine storage isolation technology based on magnetic disc virtualization and mirror image intelligent management
CN107547250A (en) * 2017-06-26 2018-01-05 新华三云计算技术有限公司 The method and apparatus that database is disposed in cloud computing management platform
CN109165023A (en) * 2018-07-20 2019-01-08 紫光华山信息技术有限公司 Modify the method, apparatus and equipment of ISO image file
CN109284169A (en) * 2018-09-10 2019-01-29 福建星瑞格软件有限公司 Big data platform process management method and computer equipment based on process virtual
CN109388454A (en) * 2018-09-14 2019-02-26 珠海国芯云科技有限公司 Virtual desktop method and system based on container
US11941259B2 (en) 2019-09-18 2024-03-26 Huawei Technologies Co., Ltd. Communication method, apparatus, computer-readable storage medium, and chip
CN110866245A (en) * 2019-11-13 2020-03-06 哈尔滨工业大学 Detection method and detection system for maintaining file security of virtual machine
CN110866245B (en) * 2019-11-13 2023-11-07 哈尔滨工业大学 Detection method and detection system for maintaining file security of virtual machine
CN113448682A (en) * 2020-03-27 2021-09-28 支付宝(杭州)信息技术有限公司 Virtual machine monitor loading method and device and electronic equipment
CN113448682B (en) * 2020-03-27 2024-04-19 支付宝(杭州)信息技术有限公司 Virtual machine monitor loading method and device and electronic equipment
CN112817693A (en) * 2021-01-28 2021-05-18 浪潮云信息技术股份公司 Safety container system for function computing service

Also Published As

Publication number Publication date
CN103810422B (en) 2017-05-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170517

CF01 Termination of patent right due to non-payment of annual fee