CN103902884B - Virtual-machine data protection system and method - Google Patents
- Publication number: CN103902884B (application CN201210583627.5A)
- Authority: CN (China)
- Prior art keywords: data, virtual machine, virtual, machine, domain
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS / G06—COMPUTING; CALCULATING OR COUNTING / G06F—ELECTRIC DIGITAL DATA PROCESSING / G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity / G06F21/60—Protecting data / G06F21/604—Tools and structures for managing or administering access control systems
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00—Network architectures or network communication protocols for network security / H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00—Network architectures or network communication protocols for network security / H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The invention discloses a virtual-machine data protection system and method in the field of cloud computing virtualization data security. Requests to access virtual-machine data are verified, marked and subjected to network control in Domain0, combined with monitoring of data behaviour and data flows inside the virtual machines, so that virtual-machine data is accessed securely. This addresses the problem that, in a multi-tenant virtual machine environment, vulnerabilities or misconfiguration in the services deployed on a virtual machine, or bugs in its applications or kernel, can lead to unauthorized access from outside the cloud or from other virtual machines.
Description
Technical field
The present invention relates to the field of cloud computing virtualization data security, and in particular to a virtual-machine data protection system and method.
Background technology
At present there are mainly three approaches to secure access to virtual devices:
Technology 1: Firewall technology. A firewall can effectively guard against unauthorized access and attacks from outside, but it cannot handle unauthorized access that breaks through the firewall and reaches the inside of a virtual machine, nor unauthorized access between virtual machines.
Technology 2: Data isolation technology. Data isolation sets up a security policy configuration on the master node of the cloud storage system to perform access control, which is inconsistent with the data isolation and protection model of the cloud host.
Technology 3: Identity authentication and access control systems. These mainly use identity authentication and access control systems outside the virtual device, but control of data access between virtual devices is insufficient.
Therefore, in a multi-tenant virtual machine environment, vulnerabilities or misconfiguration in the services deployed on a virtual machine, or bugs in the virtual machine's applications or kernel, may lead to unauthorized access from outside the cloud or from other virtual machines.
Content of the invention
The inventors found that the above prior art has problems, and therefore propose a new technical solution for at least one of those problems.
An object of the present invention is to provide a technical solution for virtual-machine data protection.
According to a first aspect of the invention, a virtual-machine data protection system is provided. It includes a virtual-machine privileged domain Domain0 and one or more non-privileged domains, and further includes:
Located in the privileged domain Domain0:
a security policy module, for setting security rules according to a security policy and authenticating user identities and roles;
a data marking module, for marking user data according to the security policy;
a network isolation module, for controlling and acting on illegal data behaviour and data flows;
and
Located in the non-privileged domains:
a data examination module, for associating the resources in all virtual machines, monitoring the operational behaviour and flow of data, and sending the illegal data behaviour and flows it determines to the network isolation module for control and action.
Optionally, the data marking module marks data flows with a tag or a unique identifier.
Optionally, the encoding rule of the tag content is determined according to the security policy level.
Optionally, the network isolation module interferes with the probing (detection) of virtual machines that share hardware resources and applies network isolation control to virtual machines that perform illegal actions.
Optionally, network isolation control includes interrupting network access or shutting down the virtual machine;
or
the interference means include redirecting the command to run in a sandbox, killing the command's thread, or returning fake data.
According to another aspect of the invention, a virtual-machine data protection method is provided, including:
setting security rules according to a security policy in the virtual-machine privileged domain Domain0 and authenticating user identities and roles;
marking user data according to the security policy in the virtual-machine privileged domain Domain0;
controlling and acting on illegal data behaviour and flows in the virtual-machine privileged domain Domain0;
and,
in the non-privileged domain of each virtual machine, associating the resources in all virtual machines, monitoring the operational behaviour and flow of data, and sending the illegal data behaviour and flows determined to the virtual-machine privileged domain Domain0 for control and action.
Optionally, marking user data according to the security policy includes: marking data flows with a tag or a unique identifier according to the security policy, the encoding rule of the tag content being determined according to the security policy level.
Optionally, controlling and acting on illegal data behaviour and flows includes: interfering with the probing of virtual machines that share hardware resources; applying network isolation control to virtual machines that perform illegal actions.
Optionally, network isolation control includes interrupting network access or shutting down the virtual machine.
An advantage of the invention is that requests to access virtual-machine data are verified, marked and subjected to network control in Domain0, combined with monitoring of data behaviour and flows inside the virtual machines, so that virtual-machine data is accessed securely.
Further features and advantages of the present invention will become apparent from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Description of the drawings
The accompanying drawings, which form part of the description, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.
The invention can be understood more clearly from the following detailed description with reference to the drawings, in which:
Fig. 1 shows a structural diagram of one embodiment of the virtual-machine data protection system according to the invention.
Fig. 2 shows a flow chart of one embodiment of the virtual-machine data protection method according to the invention.
Fig. 3 shows a structural diagram of another embodiment of the virtual-machine data protection system according to the invention.
Fig. 4 shows a flow chart of another embodiment of the virtual-machine data protection method according to the invention.
Specific embodiment
Various exemplary embodiments of the invention will now be described in detail with reference to the accompanying drawings. It should be noted that, unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set out in these embodiments do not limit the scope of the invention.
At the same time, it should be understood that, for ease of description, the sizes of the various parts shown in the drawings are not drawn to actual proportions.
The following description of at least one exemplary embodiment is merely illustrative and is in no way intended as a limitation of the invention or of its application or uses.
Techniques, methods and apparatus known to a person of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the description.
In all examples shown and discussed here, any specific value should be interpreted as merely exemplary and not as a limitation. Other examples of the exemplary embodiments may therefore have different values.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be discussed further in subsequent drawings.
Fig. 1 shows a structural diagram of one embodiment of the virtual-machine data protection system according to the invention. As shown in Fig. 1, the virtual machine system includes a privileged domain Domain0 and one or more non-privileged domains Domain1, Domain2, and so on. In a virtualization architecture, within the virtual machine manager, Domain0 is the domain that manages the other domains; it is started first and has primary authority over the control of the other domains. The virtual-machine data protection system includes a security policy module 11, a data marking module 12, a network isolation module 13 and a data examination module 14. The security policy module 11, data marking module 12 and network isolation module 13 are located in the privileged domain Domain0; the data examination module 14 is located in the non-privileged domains Domain1, Domain2, etc.
The security policy module 11 sets security rules according to the security policy and authenticates user identities and roles. Security rules are the concrete clauses of the security policy, and their main purpose is to verify and process data access. Security rules can classify the accessed resources by importance, and the rules themselves can be determined by the user as required. User identities and roles can be authenticated with general or agreed identity and role authentication algorithms and procedures.
The data marking module 12 marks user data according to the security policy. Marking user data means, for example, adding a tag to the data flow or using a unique identifier. The tag reflects the source and destination of the data and the resources it accesses. The encoding rule for the tag content can be determined according to the security policy level: the higher the level, the more complex the encoding rule.
The network isolation module 13 controls and acts on illegal data behaviour and flows. For example, the network isolation module 13 can interfere with the probing (detection) of virtual machines that share hardware resources and apply network isolation control to virtual machines that perform illegal actions; network isolation control includes, for example, interrupting network access or shutting down the virtual machine. Virtual machine probing behaviour includes, for example, commands or behaviour that have not passed through the security policy module and the data marking module. Illegal actions by a virtual machine include, for example, actions that do not conform to the security policy module, or access to resources beyond those marked by the data marking module; the criteria for judging an action illegal can be specified in the security policy. The interference means can also be specified in the security policy, for example redirecting the command to run in a sandbox, killing the command's thread, or returning fake data. Only non-conforming probes are processed and normal data is not interfered with, so calling these additional resources has little impact on the processing speed of normal data.
The data examination module 14 associates the resources in all virtual machines, tracks the communication between all processes and files in a virtual machine instance, monitors the operational behaviour and flow of data, and sends the illegal data behaviour and flows it determines to the network isolation module for control and action. If a virtual machine's data produces a flow that violates the rules, the network isolation module in Domain0 can terminate that kind of data exchange. The association of resources inside a virtual machine mainly concerns the system calls through which data flows out and the computing and storage resources inside the virtual machine into which data flows.
In the above embodiment, requests to access virtual-machine data are verified, marked and subjected to network control in Domain0, combined with monitoring of data behaviour and flows inside the virtual machines, so that virtual-machine data is accessed securely.
Fig. 2 shows a flow chart of one embodiment of the virtual-machine data protection method according to the invention.
As shown in Fig. 2, in step 202, when an access request arrives, the request is forwarded to the security policy module for security policy review.
In step 204, after authentication passes, the data that the request accesses is marked.
In step 206, the data examination module monitors the operational behaviour and flow of the data.
In step 208, the network isolation module controls and acts on illegal data behaviour and flows.
Fig. 3 shows a structural diagram of another embodiment of the virtual-machine data protection system according to the invention. As shown in Fig. 3, the system includes a privileged domain Domain0 and one or more non-privileged domains Domain1, Domain2, etc. The virtual-machine data protection system includes a security policy module 11, a data marking module 12, a network isolation module 13 and a data examination module 14. The security policy module 11, data marking module 12 and network isolation module 13 are located in the privileged domain Domain0; the data examination module 14 is located in the non-privileged domains Domain1, Domain2, etc. In Fig. 3, path 1 describes the path by which the outside world accesses virtual-machine data. An external access request passes through Domain0: it goes through the security policy module 11 for user identity authentication, then through the data marking module 12 for data flow marking, and only then on to Domain1, Domain2, etc. Path 2 describes the data access path between virtual machines. For example, when data access takes place between Domain1 and Domain2, it likewise has to go through verification, marking and network control in Domain0. When the data examination module 14 finds illegal data behaviour or flows, it notifies the network isolation module.
In the above embodiment, data access between virtual machines equally has to pass through the authentication, marking and network control of Domain0, which strengthens data access control between virtual devices and thereby achieves secure data access between virtual machines.
Fig. 4 shows a flow chart of another embodiment of the virtual-machine data protection method according to the invention.
As shown in Fig. 4, in step 402, security rules are set according to the security policy in the virtual-machine privileged domain Domain0, and user identities and roles are authenticated.
In step 404, user data is marked according to the security policy in the virtual-machine privileged domain Domain0.
In step 406, illegal data behaviour and flows are controlled and acted on in the virtual-machine privileged domain Domain0.
In step 408, in the non-privileged domain of each virtual machine, the resources in all virtual machines are associated, the operational behaviour and flow of data is monitored, and the illegal data behaviour and flows determined are sent to Domain0 for control and action.
In the above embodiment, requests to access virtual-machine data are verified, marked and subjected to network control in Domain0, combined with monitoring of data behaviour and flows inside the virtual machines, so that virtual-machine data is accessed securely.
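The modules of Figs. 1 and 3 and the steps of Figs. 2 and 4, as an added Python model that is not the patent's own code: the security policy module authenticates and applies a rule, the data marking module tags the flow with a keyed digest, the guest's data examination module reports each flow it sees, and the network isolation module in Domain0 decides the action. The policy table, users, marking key, tag-length encoding rule and the two isolation actions are constructed assumptions for the demonstration.

```python
"""Added model of the patent's Domain0-mediated access path (not the patent's own code):
authenticate and mark in Domain0, examine in the guest, isolate on violation."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed security policy: importance level and permitted roles per resource.
POLICY = {"customer-db": {"level": 3, "roles": {"dba"}},
          "web-logs": {"level": 1, "roles": {"ops", "dba"}}}
# Constructed identity/role assignments known to the security policy module.
USERS = {"alice": {"dba"}, "bob": {"ops"}}

@dataclass(frozen=True)
class Tag:
    """Label the data marking module attaches to a flow: source, destination,
    the one resource the flow may touch, and a keyed digest over those fields."""
    user: str
    src: str
    dst: str
    resource: str
    mac: str

class SecurityPolicyModule:
    """Domain0: authenticates identity/role and evaluates the security rules."""
    def authenticate(self, user, role):
        return role in USERS.get(user, set())

    def authorize(self, role, resource):
        rule = POLICY.get(resource)
        return rule is not None and role in rule["roles"]

class DataMarkingModule:
    """Domain0: marks flows with a key that never leaves Domain0."""
    def __init__(self, key):
        self._key = key

    def mark(self, user, src, dst, resource):
        msg = f"{user}|{src}|{dst}|{resource}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        # Assumed encoding rule: higher policy level -> longer, harder-to-forge tag.
        length = 64 if POLICY.get(resource, {}).get("level", 0) >= 3 else 16
        return Tag(user, src, dst, resource, digest[:length])

    def verify(self, tag):
        expected = self.mark(tag.user, tag.src, tag.dst, tag.resource).mac
        return hmac.compare_digest(expected, tag.mac)

class NetworkIsolationModule:
    """Domain0: acts on violations reported by the guests' examination modules."""
    def __init__(self, marker):
        self._marker = marker
        self.actions = {}  # domain -> isolation action applied

    def report(self, domain, tag, resource_touched):
        if tag is None or not self._marker.verify(tag):
            action = "interrupt-network"  # flow never passed Domain0 marking
        elif resource_touched != tag.resource:
            # Access beyond the marked resource: severity follows its policy level.
            level = POLICY.get(resource_touched, {}).get("level", 0)
            action = "shutdown-vm" if level >= 3 else "interrupt-network"
        else:
            return "allow"
        self.actions[domain] = action
        return action

class DataExaminationModule:
    """Guest domain: associates flows with resources and reports each to Domain0."""
    def __init__(self, domain, isolation):
        self.domain, self._isolation, self.flows = domain, isolation, []

    def observe(self, tag, resource_touched):
        self.flows.append((tag, resource_touched))
        return self._isolation.report(self.domain, tag, resource_touched)

def request_access(policy, marker, user, role, src, dst, resource):
    """Steps 202-204 / 402-404: authenticate, apply the rule, then mark (None = rejected)."""
    if not policy.authenticate(user, role) or not policy.authorize(role, resource):
        return None
    return marker.mark(user, src, dst, resource)

def demo():
    """Walks paths 1 and 2 of Fig. 3 on the constructed input; returns the outcomes."""
    policy, marker = SecurityPolicyModule(), DataMarkingModule(b"domain0-marking-key")
    isolation = NetworkIsolationModule(marker)
    dom1, dom2 = (DataExaminationModule(d, isolation) for d in ("Domain1", "Domain2"))
    ext = request_access(policy, marker, "alice", "dba", "external", "Domain1", "customer-db")
    inter = request_access(policy, marker, "bob", "ops", "Domain2", "Domain1", "web-logs")
    denied = request_access(policy, marker, "bob", "ops", "Domain2", "Domain1", "customer-db")
    forged = Tag("bob", "Domain2", "Domain1", "customer-db", "00" * 32)  # never marked
    return {"ext_tag_len": len(ext.mac), "inter_tag_len": len(inter.mac),
            "denied": denied is None, "normal": dom1.observe(ext, "customer-db"),
            "beyond_mark": dom1.observe(inter, "customer-db"),
            "forged": dom2.observe(forged, "customer-db"),
            "actions": dict(isolation.actions)}
```

The guest-side module only reports; every decision and the marking key stay in Domain0, which is the property the patent relies on.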
The embodiments of the invention mainly involve the following technical points:
(1) Data access is monitored and managed in Domain0 of the virtual machine manager.
(2) The paths and behaviour by which the outside world accesses virtual-machine data are restricted.
(3) User-marked data is tracked and controlled in Domain0.
The technical solution can specifically provide data access security protection for the cloud host services offered by cloud computing operators, or data access security protection for virtualization products.
At present, virtual machine access control mainly relies on data access software or hardware systems outside the virtual machine to implement the security policy and verify user identities, so protection against unauthorized access inside the virtual machine is insufficient. The present technical solution performs verification, marking and network control in Domain0. In a virtualization architecture, within the virtual machine manager, Domain0 is the domain that manages the other domains; it is started first and has primary authority over the control of the other domains. The security policy in Domain0 ensures normal access to multi-tenant virtual machines and prevents illegal access both from outside the cloud and from inside the multi-tenant virtual machines.
The technical solution can be used together with existing virtual machine access control schemes to strengthen the security of user data in multi-tenant virtual machines.
The virtual-machine data protection system and method according to the invention have now been described in detail. To avoid obscuring the concept of the invention, some details well known in the field have not been described. From the above description, those skilled in the art can fully understand how to implement the technical solution disclosed here.
The method and system of the invention may be implemented in many ways. For example, the method and system may be implemented by software, hardware, firmware, or any combination of software, hardware and firmware. The above order of the steps of the method is merely for illustration; the steps of the method of the invention are not limited to the order described above unless specifically stated otherwise. In addition, in some embodiments the invention may also be embodied as a program recorded on a recording medium, the program including machine-readable instructions for implementing the method according to the invention. The invention therefore also covers a recording medium storing a program for executing the method according to the invention.
Although some specific embodiments of the invention have been described in detail by way of example, those skilled in the art should understand that the above examples are merely illustrative and are not intended to limit the scope of the invention. Those skilled in the art should understand that the above embodiments may be modified without departing from the scope and spirit of the invention. The scope of the invention is defined by the following claims.
Claims (10)
1. A virtual-machine data protection system, including a virtual-machine privileged domain Domain 0 and one or more non-privileged domains, characterised in that it includes:
located in the privileged domain Domain 0:
a security policy module, for setting security rules according to a security policy and authenticating user identities and roles;
a data marking module, for marking user data according to the security policy;
a network isolation module, for controlling and acting on illegal data behaviour and flows;
and
located in the non-privileged domains:
a data examination module, for associating the resources in all virtual machines, monitoring the operational behaviour and flow of data, and sending the illegal data behaviour and flows it determines to the network isolation module for control and action.
2. The system according to claim 1, characterised in that the data marking module marks data flows with a tag or a unique identifier.
3. The system according to claim 2, characterised in that the encoding rule of the tag content is determined according to the security policy level.
4. The system according to claim 1, characterised in that the network isolation module interferes with the probing of virtual machines that share hardware resources and applies network isolation control to virtual machines that perform illegal actions.
5. The system according to claim 4, characterised in that the network isolation control includes interrupting network access or shutting down the virtual machine;
or
the interference means include redirecting the command to run in a sandbox, killing the command's thread, or returning fake data.
6. A virtual-machine data protection method, characterised in that it includes:
setting security rules according to a security policy in the virtual-machine privileged domain Domain 0 and authenticating user identities and roles;
marking user data according to the security policy in the virtual-machine privileged domain Domain 0;
controlling and acting on illegal data behaviour and flows in the virtual-machine privileged domain Domain 0;
and,
in the non-privileged domain of each virtual machine, associating the resources in all virtual machines, monitoring the operational behaviour and flow of data, and sending the illegal data behaviour and flows determined to the virtual-machine privileged domain Domain 0 for control and action.
7. The method according to claim 6, characterised in that marking user data according to the security policy includes:
marking data flows with a tag or a unique identifier according to the security policy, the encoding rule of the tag content being determined according to the security policy level.
8. The method according to claim 6, characterised in that controlling and acting on illegal data behaviour and flows includes:
interfering with the probing of virtual machines that share hardware resources;
applying network isolation control to virtual machines that perform illegal actions.
9. The method according to claim 8, characterised in that the interference means include redirecting the command to run in a sandbox, killing the command's thread, or returning fake data.
10. The method according to claim 8, characterised in that the network isolation control includes interrupting network access or shutting down the virtual machine.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210583627.5A CN103902884B (en) | 2012-12-28 | 2012-12-28 | Virtual-machine data protection system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103902884A CN103902884A (en) | 2014-07-02 |
CN103902884B true CN103902884B (en) | 2017-03-15 |
Family ID: 50994196