CN103914647A - Method for running programs in isolation manner on basis of local virtualization mechanism - Google Patents

Publication number
CN103914647A
Authority
CN
China
Legal status
Pending
Application number
CN201410148000.6A
Other languages
Chinese (zh)
Inventor
王怀民
温研
赵金晶
王天佐
Current Assignee
National University of Defense Technology
Original Assignee
National University of Defense Technology
Application filed by National University of Defense Technology
Priority to CN201410148000.6A
Publication of CN103914647A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment

Abstract

The invention discloses a method for running programs in isolation on the basis of a local virtualization mechanism. The method aims to solve the problem that existing methods for running programs in isolation cannot simultaneously meet the three application constraints required when untrusted software is executed. In the technical scheme, a local virtualization system comprising a Type II virtual machine monitor, a starter and a read-write monitor is installed in the host operating system; the Type II virtual machine monitor starts a local virtual machine from the volume snapshots provided by the starter; and the read-write monitor handles all read and write operations on the original volume device object in a unified manner according to the principle that 'basic blocks in the snapshot space can only be written by the virtual machine and original basic blocks can only be written by the host'. The method allows the host computing environment to be reproduced on a personal computing platform, prevents file system access conflicts between the local virtual machine and the host operating system, and lets untrusted software run effectively and safely in isolation.

Description

Method for running programs in isolation based on a local virtualization mechanism
Technical field
The present invention relates to methods for running programs in isolation in the field of computer security, and in particular to a method for running programs in isolation based on a local virtualization mechanism.
Background
With the widespread use of network security protections such as firewalls and network intrusion detection systems, it is increasingly difficult for an attacker to compromise a computer system directly by network intrusion.
However, existing network protection products struggle to defend against attacks from malicious code hidden in untrusted software that the user runs voluntarily. Host-based protections such as access control, virus detection and sandboxes were therefore introduced to make up for this shortcoming of network-based protection. But access control cannot effectively protect a system against malicious actions by authorized users or mistakes by legitimate users. Virus detection and similar methods can effectively resist widespread malicious code, but they have shortcomings in both theory and implementation that are very hard to overcome: Fred Cohen proved in the article "Computational Aspects of Computer Viruses" that, in theory, deciding whether an arbitrary program contains malicious code is an undecidable problem, and in practice it is also very difficult to detect metamorphic and polymorphic viruses accurately.
To limit the harm that untrusted software may cause to a computer system while preserving the functional completeness of the untrusted code as far as possible, researchers have proposed running programs in isolation. According to the layer of the computer system at which the isolation is implemented, these methods fall into three classes: sandboxes, isolation based on a single operating system (Mono-OS), and isolation based on hardware-abstraction-layer virtual machines.
A sandbox maintains system security by restricting the system resources that the code running inside it can access. Because the security isolation and the functional completeness of the isolated running environment are hard to reconcile, the most prominent weakness of sandboxes is the difficulty of choosing a suitable resource access-control policy.
In contrast to sandboxes, the single-operating-system and hardware-abstraction-layer virtual machine approaches aim to isolate untrusted software from all kinds of system resources, and thereby achieve intrusion tolerance and fault tolerance without configuring complex security policies.
Isolation based on a single operating system is implemented inside the operating system, so every isolated running environment can share the same software runtime environment. But this kind of isolation can be broken by malicious code running at privileged (kernel) level. In addition, to constrain kernel-mode untrusted software, isolation implemented within a single operating system often has to forbid many privileged operations, which to some extent undermines the functional completeness of the isolated running environment.
Isolation based on hardware-abstraction-layer virtual machines can effectively isolate at the operating-system level, but on personal computing platforms it still cannot reproduce the software runtime environment of the host operating system (the operating system installed and run directly on the computer hardware, that is, the software environment the user works in every day). This makes it hard for users to analyze how target software behaves in the current host computing environment.
In summary, current methods for running programs in isolation still cannot simultaneously satisfy the three application constraints required for executing untrusted software: they cannot find a suitable balance between the security isolation, functional completeness and performance adaptability of the isolated running environment.
To achieve security isolation, a virtual machine monitor (VMM) must be used to create the container in which the untrusted software runs, namely a virtual machine (VM); only this kind of hardware-abstraction-layer virtual machine technology can provide isolation at the operating-system level. According to Goldberg's definition, a VMM creates efficient, isolated software duplicates of a computer system. These duplicates are virtual machines, in which a subset of the virtual processor's instruction set can be executed directly on the physical processor. Goldberg defined two kinds of virtual machine monitor: Type I and Type II. A Type I VMM runs directly on the computer hardware, is responsible for scheduling and allocating the system's hardware resources, and is in effect an operating system that implements virtualization. A Type II VMM (such as VMWare) runs as an application on top of an existing conventional operating system that is installed and run directly on the computer hardware; that operating system is called the host operating system (Host OS), and the operating system running on the virtual hardware (the virtual machine) is called the guest operating system (Guest OS).
Summary of the invention:
The technical problem to be solved by the present invention is that existing methods for running programs in isolation cannot simultaneously satisfy the three application constraints required for executing untrusted software, and cannot find a suitable balance between the security isolation, functional completeness and performance adaptability of the isolated running environment. To address this, the invention proposes a method that uses a virtual machine monitor (VMM) to create the isolated running environment for untrusted software, namely a local virtual machine. Based on volume snapshots of the host operating system, the method provides untrusted software with a virtual machine that reproduces the host operating system while keeping the host operating system secure.
To solve the above technical problem, the technical scheme of the present invention is as follows:
While the untrusted software is running, both the local virtual machine that reproduces the host operating system and the host operating system itself can access the file system, which may cause access conflicts. Resolving file system access conflicts between the host operating system and the local virtual machine is the core problem that must be solved to realize a local virtual machine. The invention solves it by building a snapshot space (a data space made up of snapshot data) for the file system. The overall idea is that the virtual machine writes only basic blocks in the snapshot space, and the host writes only original basic blocks (a basic block is the basic unit of the file system). The invention manages copy-on-write (COW) operation information with two data structures. The first is the snapshot bitmap table, a bit sequence in which each bit marks whether a basic block has undergone a COW operation, that is, has been backed up to the snapshot space. The second is the mapping from original-volume basic block numbers to the corresponding snapshot-space basic block numbers; this mapping is organized as an AVL tree in which each node holds two items: the index is the original-volume basic block number and the value is the snapshot-space basic block number. A COW operation consists of two sub-operations: first, set the bit corresponding to the current basic block in the snapshot bitmap table; second, insert the current basic block and its corresponding snapshot-space basic block into the AVL tree (a self-balancing binary tree; see the paper "An algorithm for the organization of information" published by G. M. Adelson-Velsky and E. M. Landis in 1962). The AVL tree records the correspondence between original basic blocks and snapshot-space basic blocks.
The concrete technical scheme is:
Step 1: install the local virtualization system on the host operating system. The local virtualization system consists of three software modules: a Type II virtual machine monitor, a starter and a read-write monitor.
The starter presents the list of volume numbers of all local volumes to the user and obtains from the user the number of the original volume from which the local virtual machine is to be generated. The starter creates a volume snapshot (a consistent copy of the original volume at a given point in time) according to the original volume number and hands the volume snapshot to the Type II virtual machine monitor.
The Type II virtual machine monitor starts the local virtual machine from the volume snapshot provided by the starter (the local virtual machine runs on the Type II virtual machine monitor) and runs the untrusted target software inside the local virtual machine. The Type II virtual machine monitor passes all read and write operations of the local virtual machine to the read-write monitor for handling.
The read-write monitor creates the snapshot bitmap table and the AVL tree and monitors read and write operations from both the host operating system and the local virtual machine. Following the principle that "the virtual machine writes only basic blocks in the snapshot space; the host writes only original basic blocks", it handles all read and write operations on the original volume device object in a unified manner and so prevents file system access conflicts.
Step 2: the starter calls the system API (Application Programming Interface) to obtain the list of all volumes of the current operating system and shows it to the user.
Step 3: the starter learns from the user which volumes need to be exported to the local virtual machine.
Step 4: the starter creates a volume snapshot for each volume that needs to be exported to the local virtual machine.
Step 5: the Type II virtual machine monitor starts the local virtual machine from the volume snapshots, and the read-write monitor creates the snapshot bitmap table and the AVL tree according to the volume snapshots.
Step 6: the Type II virtual machine monitor disables hardware-related services in the local virtual machine.
Step 7: run the untrusted target software in the local virtual machine.
Step 8: if the read-write monitor has not received a write request from the host operating system, go to step 9; if it has received a write request from the host operating system, the read-write monitor performs the following sub-steps:
8.1 Determine whether the original-volume basic blocks corresponding to all the basic block numbers to be written have already undergone a COW operation. If so, go to 8.2; otherwise, go to 8.3.
8.2 Forward the write request directly to the original volume device object; go to 8.6.
8.3 Suspend the current write request to the original volume.
8.4 Check all the basic blocks of the original volume that are to be written, perform a COW operation on each basic block that has not yet undergone one, and update the snapshot bitmap table and the AVL tree.
8.5 Forward the suspended write request to the original volume device object.
8.6 The original volume device object completes the write, at which point the write request is resumed and completed; go to step 9.
Step 9: if no read request from the local virtual machine has been received, go to step 10; if a read request from the local virtual machine has been received, the read-write monitor performs the following sub-steps:
9.1 If none of the original basic blocks of the original volume corresponding to the basic block numbers to be read has undergone a COW operation (that is, the corresponding bits in the snapshot bitmap table are 0), go to 9.2; otherwise, go to 9.3.
9.2 Forward the read request directly to the original volume device object; go to 9.9.
9.3 Suspend the read request.
9.4 Check the snapshot bitmap table to determine whether the original basic block corresponding to the basic block number currently to be read has undergone a COW operation. If so, go to 9.5; otherwise, go to 9.7.
9.5 Look up the corresponding snapshot-space basic block number in the AVL tree using the basic block number currently to be read.
9.6 Read the corresponding basic block in the snapshot space, at which point the read request is resumed and completed; go to 9.8.
9.7 Read the basic block of the original volume corresponding to the current basic block number, at which point the read request is resumed and completed.
9.8 Determine whether there are further basic block numbers still to be read. If so, go to 9.4; otherwise, go to 9.9.
9.9 The read operation ends; go to step 10.
Step 10: if no write request initiated by the local virtual machine has been received, go to step 11; if a write request initiated by the local virtual machine has been received, the read-write monitor performs the following sub-steps:
10.1 Suspend the current write request.
10.2 Check the snapshot bitmap table to determine whether the basic block of the original volume corresponding to the basic block number currently to be written has undergone a COW operation. If so, go to 10.3; otherwise, go to 10.5.
10.3 Look up the corresponding basic block number in the snapshot space in the AVL tree using the basic block number currently to be written.
10.4 Perform the write on the corresponding basic block in the snapshot space, at which point the write request is resumed and completed; go to 10.7.
10.5 Perform a COW operation on the original basic block of the original volume that corresponds to the basic block number currently to be written, thereby producing a new basic block in the snapshot space, and update the snapshot bitmap table and the AVL tree.
10.6 Perform the write on the new basic block in the snapshot space, at which point the write request is resumed and completed.
10.7 Determine whether there are further basic blocks still to be written. If so, go to 10.2; otherwise, go to 10.8.
10.8 The write operation ends; go to step 11.
Step 11: the starter determines whether an exit message has been received from the user. If so, go to step 12; otherwise, go to step 8.
Step 12: end.
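The read-write monitor's rules in steps 8 to 10, as an added example that is not part of the patent text: the volumes are modelled as in-memory lists of fixed-size blocks and a Python dict stands in for the AVL tree. The names `ReadWriteMonitor`, `make_block` and `demo`, the 8-byte block size and the sample block contents are assumptions made for the illustration.

```python
BLOCK_SIZE = 8  # toy block size (constructed); real volumes use far larger blocks


def make_block(text):
    """Pad constructed sample text to exactly one block."""
    return text.encode().ljust(BLOCK_SIZE, b".")


class ReadWriteMonitor:
    """In-memory model: the host writes only original blocks, the VM only snapshot blocks."""

    def __init__(self, original_blocks):
        self.original = list(original_blocks)   # original volume
        self.snapshot_space = []                # blocks backed up by COW
        self.bitmap = bytearray((len(self.original) + 7) // 8)  # snapshot bitmap table
        self.block_map = {}  # original block no. -> snapshot block no. (dict, not an AVL tree)

    def is_cowed(self, blk):
        if not 0 <= blk < len(self.original):
            raise IndexError(f"block {blk} is outside the volume")
        return bool(self.bitmap[blk >> 3] & (1 << (blk & 7)))

    def _validate(self, writes):
        # Reject the whole request before any state is touched.
        for blk, data in writes.items():
            self.is_cowed(blk)  # range check only
            if len(data) != BLOCK_SIZE:
                raise ValueError(f"block {blk}: writes must be whole blocks")

    def _cow(self, blk):
        # Back up the original block, set its bit, record the mapping.
        self.snapshot_space.append(bytes(self.original[blk]))
        self.bitmap[blk >> 3] |= 1 << (blk & 7)
        self.block_map[blk] = len(self.snapshot_space) - 1

    def host_write(self, writes):
        """Step 8: `writes` maps block numbers to new data from the host OS."""
        self._validate(writes)
        for blk in writes:                      # 8.1 / 8.4: COW anything not yet backed up
            if not self.is_cowed(blk):
                self._cow(blk)
        for blk, data in writes.items():        # 8.5 / 8.6: forward to the original volume
            self.original[blk] = data

    def vm_read(self, blocks):
        """Step 9: the VM sees the snapshot-time volume plus its own writes."""
        if not any(self.is_cowed(b) for b in blocks):   # 9.1 / 9.2: nothing COWed
            return [self.original[b] for b in blocks]
        return [self.snapshot_space[self.block_map[b]] if self.is_cowed(b)
                else self.original[b] for b in blocks]  # 9.4 to 9.8, block by block

    def vm_write(self, writes):
        """Step 10: VM writes always land in the snapshot space."""
        self._validate(writes)
        for blk, data in writes.items():
            if not self.is_cowed(blk):          # 10.2 / 10.5
                self._cow(blk)
            self.snapshot_space[self.block_map[blk]] = data  # 10.4 / 10.6


def demo():
    # Constructed four-block volume.
    volume = [make_block(t) for t in ("boot", "config", "userdoc", "free")]
    mon = ReadWriteMonitor(volume)
    mon.host_write({1: make_block("cfg-v2")})   # host edits block 1 after the snapshot
    mon.vm_write({2: make_block("tampered")})   # untrusted program overwrites block 2
    mon.host_write({2: make_block("doc-v2")})   # block 2 already COWed: goes straight through
    return {
        "vm_view": mon.vm_read([0, 1, 2, 3]),
        "host_view": list(mon.original),
        "bitmap": mon.bitmap[0],
        "block_map": dict(mon.block_map),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The VM's view keeps the snapshot-time content of block 1 and its own overwrite of block 2, while the original volume holds only what the host wrote.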
The present invention achieves the following technical effects:
By starting the local virtual machine in steps 4 and 5, the invention reproduces the host computing environment on a personal computing platform. Steps 8, 9 and 10 avoid file system access conflicts between the local virtual machine and the host operating system, so that untrusted software is effectively run in safe isolation.
Brief description of the drawings:
Fig. 1 is the overall flowchart of the present invention.
Fig. 2 is a schematic diagram of the local virtualization system set up in step 1.
Fig. 3 is the flow of steps 8.1-8.6.
Fig. 4 is the flow of steps 9.1-9.9.
Fig. 5 is the flow of steps 10.1-10.8.

Claims (1)

1. A method for running programs in isolation based on a local virtualization mechanism, characterized by comprising the following steps:
Step 1: install the local virtualization system on the host operating system, the local virtualization system consisting of three software modules: a Type II virtual machine monitor, a starter and a read-write monitor;
The starter presents the list of volume numbers of all local volumes to the user and obtains from the user the number of the original volume from which the local virtual machine is to be generated; the starter creates a volume snapshot according to the original volume number and hands the volume snapshot to the Type II virtual machine monitor;
The Type II virtual machine monitor starts the local virtual machine from the volume snapshot provided by the starter and runs the untrusted target software inside the local virtual machine; the Type II virtual machine monitor passes all read and write operations of the local virtual machine to the read-write monitor for handling;
The read-write monitor creates the snapshot bitmap table and the AVL tree, that is, a self-balancing binary tree, and monitors read and write operations from both the host operating system and the local virtual machine; following the principle that "the virtual machine writes only basic blocks in the snapshot space; the host writes only original basic blocks", it handles all read and write operations on the original volume device object in a unified manner and so prevents file system access conflicts; the snapshot bitmap table is a bit sequence in which each bit marks whether a basic block has undergone a COW operation, that is, copy-on-write, and has been backed up to the snapshot space; the AVL tree records the correspondence between original basic blocks and snapshot-space basic blocks, each node of the AVL tree holding two items, the index being the original-volume basic block number and the value being the snapshot-space basic block number; the COW operation consists of two sub-operations: first, set the bit corresponding to the current basic block in the snapshot bitmap table; second, insert the current basic block and its corresponding snapshot-space basic block into the AVL tree;
Step 2: the starter calls the system application programming interface (API) to obtain the list of all volumes of the current operating system and shows it to the user;
Step 3: the starter learns from the user which volumes need to be exported to the local virtual machine;
Step 4: the starter creates a volume snapshot for each volume that needs to be exported to the local virtual machine;
Step 5: the Type II virtual machine monitor starts the local virtual machine from the volume snapshots, and the read-write monitor creates the snapshot bitmap table and the AVL tree according to the volume snapshots;
Step 6: the Type II virtual machine monitor disables hardware-related services in the local virtual machine;
Step 7: run the untrusted target software in the local virtual machine;
Step 8: if the read-write monitor has not received a write request from the host operating system, go to step 9; if it has received a write request from the host operating system, the read-write monitor performs the following sub-steps:
8.1 Determine whether the original-volume basic blocks corresponding to all the basic block numbers to be written have already undergone a COW operation; if so, go to 8.2; otherwise, go to 8.3;
8.2 Forward the write request directly to the original volume device object; go to 8.6;
8.3 Suspend the current write request to the original volume;
8.4 Check all the basic blocks of the original volume that are to be written, perform a COW operation on each basic block that has not yet undergone one, and update the snapshot bitmap table and the AVL tree;
8.5 Forward the suspended write request to the original volume device object;
8.6 The original volume device object completes the write; go to step 9;
Step 9: if no read request from the local virtual machine has been received, go to step 10; if a read request from the local virtual machine has been received, the read-write monitor performs the following sub-steps:
9.1 If none of the original basic blocks of the original volume corresponding to the basic block numbers to be read has undergone a COW operation, that is, the corresponding bits in the snapshot bitmap table are 0, go to 9.2; otherwise, go to 9.3;
9.2 Forward the read request directly to the original volume device object; go to 9.9;
9.3 Suspend the read request;
9.4 Check the snapshot bitmap table to determine whether the original basic block corresponding to the basic block number currently to be read has undergone a COW operation; if so, go to 9.5; otherwise, go to 9.7;
9.5 Look up the corresponding snapshot-space basic block number in the AVL tree using the basic block number currently to be read;
9.6 Read the corresponding basic block in the snapshot space; go to 9.8;
9.7 Read the basic block of the original volume corresponding to the current basic block number;
9.8 Determine whether there are further basic block numbers still to be read; if so, go to 9.4; otherwise, go to 9.9;
9.9 The read operation ends; go to step 10;
The tenth step, if do not receive the write operation requests that local virtual machine is initiated, turns the 11 step, if receive the write operation requests that local virtual machine is initiated, read-write watch-dog is carried out following sub-step:
10.1 hang up current write operation requests;
10.2 check snapshot bitmap tables, judge whether the fundamental block of the original volume that the current fundamental block piece that will write is number corresponding has been performed COW operation, are to turn 10.3; Otherwise, turn 10.5;
10.3 search fundamental block piece number corresponding in snapshot space according to the current fundamental block piece that will write number in Adelson-Velskii-Landis tree;
Fundamental block corresponding in 10.4 pairs of snapshot space is carried out write operation, turns 10.7;
The original basic blocks of the original volume that the fundamental block piece that the 10.5 pairs of current volumes will be write is number corresponding is carried out COW operation, thereby in snapshot space, produces new fundamental block, and upgrades snapshot bitmap table and Adelson-Velskii-Landis tree;
New fundamental block in 10.6 pairs of snapshot space is carried out write operation;
10.7 judge whether the fundamental block of not writing in addition: be to turn 10.2; Otherwise, turn 10.8;
10.8 write operations finish, and turn the 11 step;
The 11 step, starter judges whether to receive exit message from user, if so, turns the 12 step; Otherwise, turn the 8th step;
The 12 step, finishes.
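The request handling of the 8th to 10th steps, as an added example (not code from the patent): a minimal in-memory Python model in which a dict stands in for the AVL tree and list elements stand in for volume blocks. The class, method and variable names are hypothetical, and the sample volume is constructed.

```python
class CowSnapshot:
    """In-memory model of the read-write monitor over one exported volume."""

    def __init__(self, original):
        self.original = original           # host's original volume (list of blocks)
        self.bitmap = [0] * len(original)  # snapshot bitmap table: 1 = block was COWed
        self.block_map = {}                # stands in for the AVL tree (assumption)
        self.snapshot_space = []           # copies that only the VM reads and writes

    def _cow(self, n):
        """Copy original block n into snapshot space; update bitmap and map."""
        self.snapshot_space.append(self.original[n])
        self.block_map[n] = len(self.snapshot_space) - 1
        self.bitmap[n] = 1

    def host_write(self, start, blocks):
        """Step 8: preserve every not-yet-copied block, then write the original."""
        span = range(start, start + len(blocks))
        for n in span:                     # 8.4: COW before the host overwrites
            if not self.bitmap[n]:
                self._cow(n)
        for n, data in zip(span, blocks):  # 8.5/8.6: forward to the original volume
            self.original[n] = data

    def vm_read(self, start, count):
        """Step 9: per block, read snapshot space if COWed, else the original."""
        return [self.snapshot_space[self.block_map[n]] if self.bitmap[n]
                else self.original[n] for n in range(start, start + count)]

    def vm_write(self, start, blocks):
        """Step 10: VM writes land only in snapshot space, never the original."""
        for n, data in enumerate(blocks, start):
            if not self.bitmap[n]:         # 10.5: first touch triggers COW
                self._cow(n)
            self.snapshot_space[self.block_map[n]] = data  # 10.4 / 10.6


def demo():
    volume = [b"boot", b"docs", b"keys", b"logs"]  # constructed sample volume
    mon = CowSnapshot(volume)
    mon.vm_write(1, [b"XXXX"])                     # untrusted program alters block 1
    mon.host_write(2, [b"new2", b"new3"])          # host changes blocks 2-3 later
    return volume, mon.vm_read(0, 4), mon.bitmap


if __name__ == "__main__":
    print(demo())
```

The host's volume never receives the virtual machine's write to block 1, and the virtual machine keeps seeing the pre-snapshot contents of blocks 2 and 3 after the host overwrites them.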
CN201410148000.6A 2014-04-14 2014-04-14 Method for running programs in isolation manner on basis of local virtualization mechanism Pending CN103914647A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410148000.6A CN103914647A (en) 2014-04-14 2014-04-14 Method for running programs in isolation manner on basis of local virtualization mechanism

Publications (1)

Publication Number Publication Date
CN103914647A true CN103914647A (en) 2014-07-09

Family

ID=51040321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410148000.6A Pending CN103914647A (en) 2014-04-14 2014-04-14 Method for running programs in isolation manner on basis of local virtualization mechanism

Country Status (1)

Country Link
CN (1) CN103914647A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140709
