CN103997502A - Safety enhanced model designing method based on cloud computing data center - Google Patents

Publication number: CN103997502A
Application number: CN201410246362.9A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 罗登亮, 颜秉珩, 董青, 常建忠
Original and current assignee: Inspur Electronic Information Industry Co Ltd
Legal status: Pending
Prior art keywords: vms, label, data center, resource, virtual
Landscapes: Storage Device Security (AREA)

Abstract

The invention provides a security-enhanced model design method based on a cloud computing data center. The method comprises extending the Xen trusted security architecture based on sHype, isolating the virtual network, isolating network storage resources, and the like. It is mainly used to divide and classify the resources of the cloud computing data center reasonably and effectively and to establish a plurality of mutually isolated areas. Mutual leakage of data and the spread of malicious code are thereby prevented, the probability of configuration and management errors is reduced or such errors are prevented, and the goal of thorough isolation and sharing of VMs and resources is achieved.

Description

A security-enhanced model design method based on a cloud computing data center
Technical field
The present invention relates to the field of computer communication technology, and specifically to a security-enhanced model design method based on a cloud computing data center.
Background
In a virtualized cloud data center, the hypervisor (virtual machine monitor, VMM) is a software layer between the hardware and the operating systems. It manages the underlying hardware resources and allocates them to the virtual machines (VMs) running above it. Each VM forms an execution environment isolated from the others, so that the services running in each isolated environment do not affect one another. In Xen, such an isolated execution environment is called a domain (Domain). Although the hypervisor gives upper-layer users mutually isolated execution environments, everything outside those isolated domains is mixed together across the virtualized data center: any VM can communicate with any other VM, and any VM can access any storage resource in the data center. To control communication between VMs and access to storage resources in a virtualized cloud data center, the invention designs a security-enhanced model for the cloud computing data center. It comprises extending the Xen trusted security architecture based on sHype, virtual network isolation and network storage resource isolation. It is mainly used to divide and classify the resources of the data center reasonably and effectively and to build multiple mutually isolated environments, preventing mutual leakage of data and the spread of malicious code and reducing or preventing configuration management errors, so as to achieve thorough isolation and sharing of VMs and resources.
Summary of the invention
The object of the invention is to provide a security-enhanced model design method based on a cloud computing data center.
Its features comprise the following techniques:
(1) Extending the sHype hypervisor security architecture: the operation of virtual machines is controlled through the access control module mechanism. Specifically, virtual machines and their related resources are marked with security labels, so that the user can restrict, through the hypervisor, how VMs and resources run;
(2) Virtual network isolation: the labels that mark VMs are associated with VLANs, and VMs and VLANs are labelled at the same time, for example one label type corresponds to one VLAN and one class of VMs. The system requires that a VM and a VLAN have matching security labels before they can be connected and communicate;
(3) Network storage resource isolation: to implement network storage isolation based on security labels, the system integrates the CbCS mechanism into the trusted virtual data center and controls access to network storage through cryptographic credentials and security labels.
In the mandatory access control of virtual machines described above, the user can restrict, through the hypervisor, how VMs and resources run: the hypervisor and the security label policy verify VMs at start-up, limit which VMs may run on a given VMM, and constrain which VMs may run in parallel on the same system without conflict.
The virtual network isolation described above controls network communication between virtual machines. It combines security labels with virtual 802.1Q VLANs, and the VLAN function is implemented by system software on the Xen host.
The network storage resource isolation described above controls virtual machines' access to storage resources. Storage resources are classified and partitioned, VMs and storage resources are marked with security labels, and a client VM must in addition have its credential verified before it can access a storage resource. If a VM shares a security label and holds a correct credential, it can access data through the network, through storage or through direct sharing; if the label types differ or the credential is incorrect, the VM cannot share or access the data blocks.
The system administrator can define and manage security policies for control and access control within and between virtual domains. Labelled resources include VMs, VLANs and storage, which may for example be labelled blue or red. Once security labels have been created and assigned, the policy deployed in Domain0 lets VMs with the same label form a security domain with shared resources. The system can also set mutual-exclusion rules, for example that VMs with labels of different colours cannot run on the same system at the same time. For hypervisor isolation, mandatory access control (MAC) must be applied in the VMM architecture, extending the Xen security architecture with sHype. For virtual network isolation, software bridges must be created and Ethernet switches configured to support deployment of the isolation policy. For network storage isolation, the CbCS (Capability-based Command Security) mechanism must be extended so that VMs' access to network storage is controlled by security labels and security credentials.
Enhanced hypervisor security architecture
The sHype hypervisor security architecture builds on the isolation that Xen provides and extends Xen's trusted security architecture. Xen does not compile this module by default; enabling it requires recompiling Xen from source. sHype monitors the sharing of resources among VMs and the communication between VMs. To simplify management, VMs and resources are usually grouped into a Workload (the VMs and resources cooperate to accomplish a common task or goal), so that the administrator no longer monitors each VM and resource individually and attends only to the Workload as a whole. sHype acts as a mediator in the hypervisor and Domain 0 and controls communication between VMs and access to resources according to the active security policy.
An sHype system has two classes of access mediation hooks, as shown in Fig. 1:
The first class of hooks controls communication between VMs and mediates sharing in the hypervisor. In Xen, these hooks control event channels (remote interrupts) and grant tables (shared memory pages), on which, for example, network and virtual disk access are built; communication and sharing between VMs are implemented on this basis.
The second class of hooks controls VMs' access to attached resources such as virtual disks or virtual partitions. These hooks reside in the management VM, Domain 0.
Both kinds of hooks call the same access decision functions in the access control module (ACM); these functions reside in Xen.
Mandatory access control (MAC) policy
By applying mandatory access control (MAC) in the VMM architecture, sHype can guarantee that the system security policy is enforced. MAC restricts the behaviour of different users' Workloads and achieves the following security goals:
1) Viruses and other malicious code cannot spread from one user's Workload to another user's Workload;
2) Data cannot easily leak from one user's Workload to another user's Workload, even when a VM is running a misbehaving Workload;
3) The compromise and exposure of one Workload cannot lead to the exposure of other configured Workloads.
The scope (boundary) of a Trusted Virtual Domain (TVD) is determined by marking all of its VMs and related resources with a unique security label, as shown in Fig. 2. The system permits or denies the allocation of resources, access to resources and communication between VMs according to the active access control policy.
The isolation policy of the Trusted Virtual Datacenter (TVDc) has two parts:
1) Label definitions, which define the security contexts that can be assigned to VMs and resources.
2) Co-location constraint definitions, a deployed policy that constrains which VMs may run at the same time on the same system within a given TVD.
Access control management defines system management roles and the assignment of permissions based on security labels. The following describes the kinds of isolation supported between different Workloads and in practical management:
1) Data sharing: in the colour-label model, VMs that have a colour label in common can share data through the network, through storage or through direct sharing (shared memory).
2) VMM system authorization: colour labels can also be used to restrict which Workloads a VMM may run. A VMM can start a virtual machine whose colour label is present in the VMM's system label set.
3) Co-location constraints: this policy constrains which VMs may run at the same time on the same system within a given TVD; each rule describes a group of colour labels that conflict with one another.
4) Management constraints: to integrate VM isolation with management isolation in the TVDc, the system assigns roles (such as permissions) to the label types (such as colour labels) in a TVD and assigns the roles to administrators. An administrator is thereby restricted to managing only the VMs and resources marked with the labels that correspond to his or her role.
A security label consists of a reference name and a set of types. When the system is labelled, each VM and resource is assigned the reference name of a security label. Label references are stored as meta-information alongside the VMs and resources; they are protected and can be set and modified only through the VMM management domain (Domain0). sHype uses these label references to decide whether VMs may communicate or access resources: it looks up the label references of the VMs and resources involved in the requested communication or access and checks whether they share a label type.
Consider two Workloads, MA and SU. Domain0 controls these Workloads and exports a virtual block device labelled MA for the MA Workload. All Workloads can connect to Domain0 (the labels of the Workloads and of Domain0 share a type).
Case (1): {MA, SU} ∩ {MA} = {MA} ≠ ∅; the labels share a type, so access is allowed.
Case (2): {MA, SU} ∩ {SU} = {SU} ≠ ∅; the labels share a type, so access is allowed.
Case (3): {MA} ∩ {SU} = ∅; the label types differ, so access is denied.
Case (4): the VM label {SU} and the resource label {SU} of the virtual block device share a label type, so the management VM allows the virtual block device to be mounted.
Case (5): the VM label {MA} and the resource label {MA} of the virtual block device do not share a label type, so access is denied.
Virtual network isolation policy
The basic idea of TVDc network isolation is to associate the labels that mark VMs with VLANs, labelling the VLANs at the same time, for example one label type corresponds to one VLAN number. Network isolation specifically uses VLANs that follow the IEEE 802.1Q standard to control VMs' access to LANs. The system requires that a VM and a VLAN have matching security labels before they can be connected and communicate. In this way, VMs that share a label type can communicate over the VLAN with the same label type.
Network storage isolation policy
To implement network storage isolation based on security labels, the system integrates the Capability-based Command Security (CbCS) mechanism into the Trusted Virtual Datacenter (TVDc). CbCS extends the SCSI protocol to provide access control for network storage devices. The protocol requires any client VM that issues a storage I/O command to supply a cryptographic credential with it. The credential is obtained from the security policy manager and encodes the client's access rights to the storage volume (such as read-write or read-only). The storage security manager protects the credential with a message authentication code (MAC) computed under a symmetric key shared with the storage device, so the credential cannot be forged or modified. The storage device verifies the authenticity of the credential and allows or denies access according to the encoded rights. In the TVDc implementation, credential generation (the client uses the credential to access the storage volume) includes one additional check: the client VM and the storage volume must have security labels of the same type.
The invention comprises extending the Xen trusted security architecture based on sHype, virtual network isolation and network storage resource isolation. It is mainly used to divide and classify the resources of the cloud computing data center reasonably and effectively and to build multiple mutually isolated areas, preventing mutual leakage of data and the spread of malicious code and reducing or preventing configuration management errors, so as to achieve thorough isolation and sharing of VMs and resources.
4. Brief description of the drawings
Fig. 1. sHype access control architecture.
Fig. 2. View of isolated Trusted Virtual Domains.
Fig. 3. Working principle of the access control policy.
Fig. 4. Deployment architecture of the Trusted Virtual Datacenter.
5. Detailed description of the embodiments
The invention is described in detail below with reference to the accompanying drawings.
The security-enhanced model design method based on a cloud computing data center according to the invention comprises extending the Xen trusted security architecture based on sHype, virtual network isolation and network storage resource isolation. The details are as follows:
Extending the Xen trusted security architecture based on sHype
A Xen platform based on the sHype hypervisor security architecture supports several kinds of security isolation. By default Xen is built without the sHype module, so enabling it requires recompiling Xen from source. The Xen sHype security component is enabled with the following steps:
(1) Configure sHype support in Xen.
First, configure the access control module in Xen and install the ACM-enabled Xen hypervisor. This step installs the security tools and compiles sHype/ACM into the Xen hypervisor.
To enable sHype/ACM in Xen, edit the Config.mk file in the Xen root directory:
1) In Config.mk, change XSM_ENABLE=n to XSM_ENABLE=y
and change ACM_SECURITY=n to ACM_SECURITY=y
2) Build and install the Xen environment with the security module enabled:
# make world
# make install
3) Create the initrd image:
# mkinitrd initrd-2.6.18.8-xen-sec.img 2.6.18.8-xen
4) Edit the file xend-config.sxp in the /etc/xen/ directory and add the following:
(xsm_module_name acm)
(2) Reboot into the Xen hypervisor with the security module enabled.
First check that the policy configuration tool is present:
# which xensec_ezpolicy
Xen enables a default security policy; after rebooting you can inspect this simple default policy:
# xm getpolicy
# xm labels
# xm list --label
Next, we need to create a policy and load it into the hypervisor.
(3) Build a policy with ezPolicy.
We use ezPolicy to build a policy quickly. The tool requires the Python and wxPython packages. To run it in Dom0, download the wxPython package from www.wxpython.org, or install it with yum install wxPython on Redhat/Fedora. To run it on MS Windows, the Python package must also be downloaded from www.python.org. Once these packages are installed, start the ezPolicy tool with the following command:
# xensec_ezpolicy
(xensec_ezpolicy can also be found under /Xen-x.x.x/tools/security/, and running python xensec_ezpolicy opens the policy configuration page.)
If the ezPolicy tool is used in Dom0, the generated policy is saved as an XML file in the /etc/xen/acm-security/policies/ directory. If the name entered when saving the policy is cse, the file actually produced is named cse_security-policy.xml.
After the policy has been configured, Xen must be configured to load it at boot.
1) First convert the policy into the format that the system can load at boot:
# xm setpolicy ACM cse
2) Then copy the generated cse.bin to the boot directory:
# cp /etc/xen/acm-security/policies/cse.bin /boot/cse.bin
3) Edit the grub file and add a module line that loads the policy:
title CentOS (2.6.18-164.el5xen-sec)
root (hd0,0)
kernel /xen-3.4.2.gz crashkernel=128M@16M
module /vmlinuz-2.6.18.8-xen ro root=/dev/VolGroup00/LogVol00 rhgb quiet
module /initrd-2.6.18.8-xen-sec.img
module /cse.bin
4) Reboot; the new policy information can be checked with the commands given earlier.
Note: with xen-3.4.2 installed, # xm setpolicy ACM cse by default copies cse.bin to the /boot directory and adds the line module /cse.bin to grub/menu.lst.
After rebooting, Domains can no longer be created directly. A label must be added to each Domain, and the label name must correspond to the policy. Use the following command to add a label to a Domain:
# xm addlabel label_name dom domain_name
Access to resources can also be controlled; add a label to a resource as follows:
# xm addlabel label_name res resource_name
For example, to control Domains' access to a virtual shared disk, add a label to the shared disk and set the access authorization for the shared disk in the policy. The following command sets the label for share_disk.img:
# xm addlabel share_disk res file:/home/xen/share_disk.img
Every label that appears in the policy must be assigned, otherwise a DomU cannot be created.
(4) Example of Xen running with the cse.bin security policy enabled.
# xm labels
SystemManagement
__UNLABELED__
blue
red
white
This command lists the security labels defined by cse.bin. The three labels blue, red and white are ones we defined ourselves; SystemManagement and __UNLABELED__ are two special labels that the system provides by default. The three labels __UNLABELED__, blue and red are defined as a conflict group (conflict): labels of these three types cannot run on the same hypervisor at the same time (a security requirement).
# xm resources
tap:aio:/var/lib/libvirt/images/centos3.img
type: ACM
policy: cse
label: white
tap:aio:/var/lib/libvirt/images/centos2.img
type: ACM
policy: cse
label: blue
tap:aio:/var/lib/libvirt/images/centos1.img
type: ACM
policy: cse
label: red
This command shows which labels have been assigned to which resources; labelling a resource makes it possible to restrict or permit sharing of, or exclusive access to, that resource.
Label the domain centos1 as red:
# xm addlabel red dom centos1
Label the resource used by centos1 as red:
# xm addlabel red res tap:aio:/var/lib/libvirt/images/centos1.img
These two steps label one Workload. We can now start centos1, creating a domain named centos1:
# xm create centos1
Following the same steps, centos2 is labelled blue. Because the three labels __UNLABELED__, blue and red are defined as a conflict group (conflict), Workloads with these three classes of label cannot run on the same hypervisor at the same time, so the following error appears when we start centos2:
# xm create centos2
Using config file "/etc/xen/centos2".
Error: Domain in conflict set with running domain
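The two decisions sHype makes with these labels, the label-type intersection test of cases (1) to (4) in the MA/SU walk-through and the conflict-group check that blocked centos2 above, modelled in Python as an added example (not code from Xen, sHype or the patent). The class and function names are hypothetical, the type sets are constructed, and treating two domains of the same type as compatible inside a conflict group is an assumption of this model.

```python
"""Model of the sHype label checks described on this page (added example).

Names (Policy, may_access, may_start) are hypothetical; this is not Xen code.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # label reference name -> set of label types carried by that label
    labels: dict
    # each conflict group is a set of types that must not run side by side
    conflict_groups: list = field(default_factory=list)

    def types_of(self, label_name):
        # Unknown label names are an error: nothing runs unlabelled by accident.
        if label_name not in self.labels:
            raise KeyError(f"label {label_name!r} is not defined in the policy")
        return frozenset(self.labels[label_name])

    def may_access(self, subject_label, object_label):
        """Sharing/communication check: allowed only if the two labels
        have at least one type in common (non-empty intersection)."""
        return bool(self.types_of(subject_label) & self.types_of(object_label))

    def may_start(self, new_label, running_labels):
        """Conflict-group check done before a domain is started.

        Returns (allowed, reason). Assumption of this model: a type never
        conflicts with itself, so two 'red' domains can share a host.
        """
        new_types = self.types_of(new_label)
        running_types = set()
        for name in running_labels:
            running_types |= self.types_of(name)
        for group in self.conflict_groups:
            wanted = new_types & group
            present = running_types & group
            clash = {(w, p) for w in wanted for p in present if w != p}
            if clash:
                w, p = sorted(clash)[0]
                return False, f"type {w!r} conflicts with running type {p!r}"
        return True, "no conflict"


# Constructed policy mirroring the MA/SU cases: Domain0 carries both types.
WORKLOADS = Policy(labels={"Domain0": {"MA", "SU"}, "MA": {"MA"}, "SU": {"SU"}})

# Constructed policy mirroring the cse example: one conflict group, white is free.
# The type sets are made up for the demo; the real cse policy file is not shown.
CSE = Policy(
    labels={
        "SystemManagement": {"SystemManagement"},
        "__UNLABELED__": {"__UNLABELED__"},
        "blue": {"blue"},
        "red": {"red"},
        "white": {"white"},
    },
    conflict_groups=[frozenset({"__UNLABELED__", "blue", "red"})],
)


def demo():
    """Return the decisions for the situations walked through on the page."""
    return {
        "dom0_to_MA": WORKLOADS.may_access("Domain0", "MA"),   # case (1)
        "dom0_to_SU": WORKLOADS.may_access("Domain0", "SU"),   # case (2)
        "MA_to_SU": WORKLOADS.may_access("MA", "SU"),          # case (3)
        "SU_vm_SU_disk": WORKLOADS.may_access("SU", "SU"),     # case (4)
        "start_blue_next_to_red": CSE.may_start("blue", ["red"]),
        "start_white_next_to_red": CSE.may_start("white", ["red"]),
        "start_red_next_to_red": CSE.may_start("red", ["red"]),
    }


if __name__ == "__main__":
    for situation, decision in demo().items():
        print(f"{situation}: {decision}")
```
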
Trusted virtual network isolation
In the embodiment, the TVDc network isolation component configures VLANs both in the internal virtual system (specifically the bridge or virtual switch) and in the external Ethernet switch that connects the virtual systems, so that a VM can communicate with other VMs that carry the same security label in the local system and in remote systems.
In a Xen system, Domain0 owns the physical network devices and controls network access for the client VMs in the system. Domain0 creates a software bridge (virtual switch) for each VLAN, and the VMs in the Xen system are authorized to access this software bridge. In Fig. 4, for example, Domain0 has created bridges labelled red and blue. In each Xen system, all VMs with the same colour label are connected to the corresponding bridge: all VMs labelled blue are connected to the blue bridge, and all VMs labelled red are connected to the red bridge. Each bridge allows only VMs labelled with the same colour to communicate with one another. When a user VM starts, the system connects it to the bridges of the VLAN(s) that it has been granted access to. In this way, two VMs in the same Xen system that share a security label can connect to the same software bridge and communicate; conversely, VMs that do not share a label cannot communicate even when they run on the same Xen system.
To extend TVDc network isolation beyond a single Xen system, the external Ethernet switch must be configured to connect each Xen system to the VLANs it is authorized to access, specifically by enabling trunk mode on the physical switch. In this way a VM can communicate with VMs that share its label on another Xen system, but with no other VM.
The software bridge is created and the VM VLAN function configured as follows:
(1) Create an OVS software bridge in the Xen system:
# ovs-vsctl add-br br0
(2) Add the Xen system's physical network interface eth0 to bridge br0 (by default all OVS ports are VLAN trunks, so eth0 forwards the packets of all VLANs by default):
# ovs-vsctl add-port br0 eth0
(3) Configure the VM's access to the network with VLAN number 10, assuming the VM's virtual network interface is named tap1.0:
# ovs-vsctl add-port br0 tap1.0 tag=10
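An added example (not from the patent or from Open vSwitch): it derives the ovs-vsctl add-port call of step (3) from a VM's security label and audits a bridge's port table against the label-to-VLAN mapping, flagging guest ports left in the default trunk mode mentioned in step (2). The mapping, the interface names other than eth0 and tap1.0, the port table and the function names are constructed or hypothetical.

```python
"""Label-to-VLAN consistency check for a TVDc-style bridge (added example)."""

# Constructed mapping: each label type owns exactly one 802.1Q VLAN number.
LABEL_VLAN = {"red": 10, "blue": 20}


def attach_argv(bridge, vif, vm_label, label_vlan=LABEL_VLAN):
    """Build the ovs-vsctl call that puts a VIF on the access VLAN of its label.

    Refuses labels without a VLAN, so a VM can never be attached untagged.
    """
    if vm_label not in label_vlan:
        raise ValueError(f"label {vm_label!r} has no VLAN; refusing to attach {vif}")
    return ["ovs-vsctl", "add-port", bridge, vif, f"tag={label_vlan[vm_label]}"]


def audit_ports(port_tags, vif_labels, uplinks, label_vlan=LABEL_VLAN):
    """Compare each port's VLAN tag with the VLAN of the owning VM's label.

    port_tags  : port name -> access VLAN tag, or None for a trunk port
    vif_labels : guest VIF name -> security label of the VM that owns it
    uplinks    : physical ports that are expected to be trunks (e.g. eth0)
    Returns a sorted list of (port, problem) findings.
    """
    findings = []
    for port, tag in port_tags.items():
        if port in uplinks:
            continue  # the uplink carries every VLAN on purpose
        label = vif_labels.get(port)
        if label is None:
            findings.append((port, "guest port has no security label"))
        elif tag is None:
            # OVS ports default to trunk mode: this VIF would see all VLANs.
            findings.append((port, f"untagged trunk port for label {label!r}"))
        elif label_vlan.get(label) != tag:
            expected = label_vlan.get(label)
            findings.append(
                (port, f"tag {tag} does not match VLAN {expected} of label {label!r}")
            )
    return sorted(findings)


# Constructed port table for bridge br0 (what an inventory script might collect).
SAMPLE_PORTS = {"eth0": None, "tap1.0": 10, "tap2.0": 10, "tap3.0": None, "tap4.0": 20}
SAMPLE_LABELS = {"tap1.0": "red", "tap2.0": "blue", "tap3.0": "blue"}

if __name__ == "__main__":
    print(" ".join(attach_argv("br0", "tap1.0", "red")))
    for port, problem in audit_ports(SAMPLE_PORTS, SAMPLE_LABELS, uplinks={"eth0"}):
        print(f"{port}: {problem}")
```
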
Trusted network storage isolation
A VM accesses network storage through the following steps:
(1) The integrated manager deploys the access control policy to Domain0 and sets a symmetric key for the storage controller.
(2) The storage volume resources are labelled.
(3) The client VM is created and assigned a security label and a storage private key used later to authenticate to the integrated manager. This private key is stored in Domain0 together with the VM's configuration information.
(4) Domain0 authenticates the VM to the integrated manager and requests, on behalf of the client VM, a credential for accessing the storage volume.
(5) The integrated manager issues a credential only if the VM and the storage volume have a matching label; if they do not match, the request is refused.
(6) Finally, when the client VM sends an I/O command, the hypervisor checks whether the security labels match before allowing the command to execute, and the storage system verifies the validity of the credential.
The storage system refuses storage access from clients that do not follow the CbCS protocol. To reduce security threats, access to storage follows the principle of least privilege. When a client VM migrates out of the system, Domain0 removes the authentication information and all credentials associated with that VM.
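The credential flow of steps (1), (2), (5) and (6), together with the MAC protection described in the network storage isolation policy, as an added Python example (not code from the patent and not the CbCS wire format). The class names, field names and JSON encoding are hypothetical, the VM and volume names are constructed, and the model leaves out the VM's authentication to the integrated manager and the hypervisor-side label check.

```python
"""Simplified model of the storage credential flow (added example).

Not the CbCS wire format: field names and JSON encoding are hypothetical.
"""
import hashlib
import hmac
import json
import secrets

RIGHTS = {"ro": {"read"}, "rw": {"read", "write"}}  # capability -> allowed operations


def _mac(key, body):
    # Canonical JSON so manager and device compute the MAC over identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IntegratedManager:
    """Issues credentials; knows the labels and the key shared with the device."""

    def __init__(self, device_key, vm_labels, volume_labels):
        self._key = device_key
        self.vm_labels = vm_labels
        self.volume_labels = volume_labels

    def issue(self, vm, volume, rights):
        # Step (5): no credential unless VM and volume share a label type.
        shared = set(self.vm_labels.get(vm, ())) & set(self.volume_labels.get(volume, ()))
        if not shared or rights not in RIGHTS:
            return None
        body = {"vm": vm, "volume": volume, "rights": rights}
        return dict(body, mac=_mac(self._key, body))


class StorageDevice:
    """Validates the credential that accompanies every I/O command."""

    def __init__(self, device_key):
        self._key = device_key

    def handle_io(self, credential, volume, operation):
        if not isinstance(credential, dict):
            return "rejected: no credential"
        body = {k: credential.get(k) for k in ("vm", "volume", "rights")}
        presented = str(credential.get("mac", "")).encode()
        # Constant-time comparison; any edited field changes the expected MAC.
        if not hmac.compare_digest(_mac(self._key, body).encode(), presented):
            return "rejected: bad MAC"
        if body["volume"] != volume:
            return "rejected: credential is for another volume"
        if operation not in RIGHTS.get(body["rights"], ()):
            return "rejected: operation not permitted"
        return "ok"


def demo():
    key = secrets.token_bytes(32)      # step (1): key shared with the storage controller
    manager = IntegratedManager(
        key,
        vm_labels={"vm-red": {"red"}, "vm-blue": {"blue"}},   # constructed VMs
        volume_labels={"vol-red": {"red"}},                   # step (2): labelled volume
    )
    device = StorageDevice(key)
    cred = manager.issue("vm-red", "vol-red", "ro")
    forged = dict(cred, rights="rw")   # client edits its own capability
    return {
        "read": device.handle_io(cred, "vol-red", "read"),
        "write_with_ro": device.handle_io(cred, "vol-red", "write"),
        "forged_rw": device.handle_io(forged, "vol-red", "write"),
        "label_mismatch": manager.issue("vm-blue", "vol-red", "ro"),
        "no_credential": device.handle_io(None, "vol-red", "read"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
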

Claims (4)

1. A security-enhanced model design method based on a cloud computing data center, characterized by comprising: (1) extending the sHype hypervisor security architecture, wherein the operation of virtual machines is controlled through the access control module mechanism, specifically by marking virtual machines and their related resources with security labels, so that the user can restrict, through the hypervisor, how VMs and resources run; (2) virtual network isolation, wherein the labels that mark VMs are associated with VLANs, and VMs and VLANs are labelled at the same time, for example one label type corresponds to one VLAN and one class of VMs, and the system requires that a VM and a VLAN have matching security labels before they can be connected and communicate; (3) network storage resource isolation, wherein, to implement network storage isolation based on security labels, the system integrates the CbCS mechanism into the trusted virtual data center and controls access to network storage through cryptographic credentials and security labels.
2. The security-enhanced model design method based on a cloud computing data center according to claim 1, characterized in that, in the mandatory access control of virtual machines, the user can restrict, through the hypervisor, how VMs and resources run: the hypervisor and the security label policy verify VMs at start-up, limit which VMs may run on a given VMM, and constrain which VMs may run in parallel on the same system without conflict.
3. The security-enhanced model design method based on a cloud computing data center according to claim 1, characterized in that the virtual network isolation controls network communication between virtual machines; the virtual network isolation combines security labels with virtual 802.1Q VLANs, and the VLAN function is implemented by system software on the Xen host.
4. The security-enhanced model design method based on a cloud computing data center according to claim 1, characterized in that the network storage resource isolation controls virtual machines' access to storage resources; storage resources are classified and partitioned, VMs and storage resources are marked with security labels, and a client VM must in addition have its credential verified before it can access a storage resource; if a VM shares a security label and holds a correct credential, it can access data through the network, through storage or through direct sharing; if the label types differ or the credential is incorrect, the VM cannot share or access the data blocks.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410246362.9A CN103997502A (en) 2014-06-05 2014-06-05 Safety enhanced model designing method based on cloud computing data center

Publications (1)

Publication Number Publication Date
CN103997502A true CN103997502A (en) 2014-08-20

Family

ID=51311508

Country Status (1)

Country Link
CN (1) CN103997502A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016106867A1 (en) * 2014-12-29 2016-07-07 中国科学院信息工程研究所 Method and system for protecting root ca certificate in virtualized environment
WO2016107576A1 (en) * 2014-12-31 2016-07-07 北京热景生物技术有限公司 Composition and system for separating and detecting alpha-fetoprotein variant and use thereof
CN105335212A (en) * 2015-10-23 2016-02-17 浪潮电子信息产业股份有限公司 Method for controlling cloud computing mandatory access based on distributed implementation
CN105701416A (en) * 2016-01-11 2016-06-22 华为技术有限公司 Mandatory access control method and device as well as physical host
CN105701416B (en) * 2016-01-11 2019-04-05 华为技术有限公司 Forced access control method, device and physical host
US10762223B2 (en) 2016-01-11 2020-09-01 Huawei Technologies Co., Ltd. Mandatory access control method and apparatus, and physical host
CN107145300A (en) * 2016-03-01 2017-09-08 深圳市深信服电子科技有限公司 Data sharing management method and device
CN107203722A (en) * 2016-03-16 2017-09-26 中国电子科技集团公司电子科学研究院 A kind of virtualization data isolation exchange method and device
CN107203722B (en) * 2016-03-16 2020-01-14 中国电子科技集团公司电子科学研究院 Virtualization data isolation exchange method and device
CN108776686A (en) * 2018-06-04 2018-11-09 浪潮软件集团有限公司 Data tag construction system and method
CN115987566A (en) * 2022-12-01 2023-04-18 贵州电网有限责任公司 Isolation framework based on new energy power system server

Similar Documents

Publication Publication Date Title
CN103997502A (en) Safety enhanced model designing method based on cloud computing data center
US11416415B2 (en) Technologies for secure device configuration and management
US20200301764A1 (en) Operating system on a computing system
RU2679721C2 (en) Attestation of host containing trusted execution environment
Berger et al. TVDc: managing security in the trusted virtual datacenter
CN107153565B (en) Method for configuring resource and network equipment thereof
CN106599694B (en) Security protection manages method, computer system and computer readable memory medium
US10331882B2 (en) Tracking and managing virtual desktops using signed tokens
US11469964B2 (en) Extension resource groups of provider network services
Berger et al. Security for the cloud infrastructure: Trusted virtual data center implementation
CN105184147B (en) User safety management method in cloud computing platform
US9372964B2 (en) Software license control
CN105184164B (en) A kind of data processing method
US20090319806A1 (en) Extensible pre-boot authentication
EP2856385B1 (en) Managing distributed operating system physical resources
JP2010514028A (en) A system that enables multiple execution environments to share a single data process
US20200159555A1 (en) Provider network service extensions
Brost et al. An ecosystem and IoT device architecture for building trust in the industrial data space
US11575672B2 (en) Secure accelerator device pairing for trusted accelerator-to-accelerator communication
US20160057171A1 (en) Secure communication channel using a blade server
US20210344719A1 (en) Secure invocation of network security entities
CN114285850A (en) Cross-cluster multi-tenant resource management system based on container platform
Davi et al. Trusted virtual domains on OKL4: Secure information sharing on smartphones
CN112637111B (en) Virtualized cloud platform system
CN113407941A (en) Edge cloud node and terminal user security management method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140820
