CN104346582A - Method for preventing mirror image from being tampered in desktop virtualization

Publication number
CN104346582A
Authority
CN
China
Prior art keywords
image file
mirror image
user
iso
tampered
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410617959.XA
Other languages
Chinese (zh)
Inventor
刘毅枫
张在兴
卞功杰
程栋
刘学兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHANDONG MASSCLOUDS QICHUANG INFORMATION TECHNOLOGY Co Ltd
Original Assignee
SHANDONG MASSCLOUDS QICHUANG INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SHANDONG MASSCLOUDS QICHUANG INFORMATION TECHNOLOGY Co Ltd
Priority to CN201410617959.XA
Publication of CN104346582A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a method for preventing an image from being tampered with in desktop virtualization. The method comprises the following steps: creating an independent storage domain for ISO image files; creating two system users, one with write permission and the other with read permission; verifying the uploading user when an image file is uploaded; generating an MD5 code for each uploaded image file, storing it in a database, and establishing a one-to-one correspondence in the database between the image file name and its MD5 code; and, before each use of an image file, verifying whether its MD5 value has changed. The beneficial effects of the method are that it is simple to operate, broadly applicable, and has a simple workflow; MD5 is a hash function widely used in the field of computer security and is broadly applicable; and the dual protection of permission separation and MD5 verification greatly reduces the risk of image tampering, allows image anomalies to be detected promptly, and provides high security.

Description

A method for preventing image tampering in desktop virtualization
Technical Field
The present invention relates to the technical field of virtualization applications, and in particular to a method for preventing an image from being tampered with in desktop virtualization.
Background
With the rise of cloud computing, desktop virtualization technology has also come into wide use. More and more organizations are choosing virtual desktops to replace the traditional model of a physical machine plus operating system, because virtual desktops offer many advantages such as unified management, low energy consumption, and low cost. While we enjoy the convenience that desktop virtualization brings, its security problems cannot be ignored.
Each virtual machine is created from an operating system ISO image or a template image. If the ISO image or template image is maliciously tampered with, the consequences are catastrophic. To prevent such problems, a complete solution for preventing image tampering is needed.
Summary of the Invention
The object of the present invention is to solve the above problem by proposing a method for preventing image tampering in desktop virtualization. The method uses the dual protection of permission separation plus MD5 verification, which greatly reduces the risk of an image being tampered with and allows image anomalies to be detected promptly.
To achieve this object, the present invention adopts the following technical solution:
A method for preventing image tampering in desktop virtualization, comprising the following steps:
(1) creating an independent storage domain for ISO image files, and setting users' read/write permissions on this storage domain;
(2) creating two system users, one of which is used for uploading image files and therefore has write permission, while the other is used for read operations when creating a virtual machine and therefore has read permission;
(3) verifying the user who uploads an image file when the image file is uploaded;
(4) generating an MD5 code for each uploaded image file and storing it in the database of the management console, thereby establishing in the database a one-to-one correspondence between the image file name and its MD5 code;
(5) before each use of an image file, first verifying whether its MD5 value has changed; if it has changed, the image file has been tampered with.
The user verification in step (3) is specifically as follows:
If the user logged in at the system client is not the designated user with upload permission, that user cannot operate on the storage domain of the ISO image files and cannot upload ISO files, and is returned to the login interface. Only after logging in as the designated user through the client login interface can a user operate on the ISO storage domain and upload image files.
Step (5) is specifically carried out as follows:
A. create a virtual machine through the management console and specify the ISO image file required by the virtual machine;
B. determine whether the designated user is operating on the ISO image file storage domain; if not, display a corresponding prompt;
C. calculate the MD5 value of the ISO image and compare it with the value in the database; if they match, the ISO image file has been preserved intact and the virtual machine is created successfully; otherwise the ISO file has been tampered with, an error message is displayed, and virtual machine creation fails.
In step (2), an independent password is set for each user.
The beneficial effects of the present invention are as follows:
The present invention uses the multi-user feature of Linux to create two independent users, responsible respectively for reading and writing image files. This permission-separation approach effectively improves overall security and reduces risk. Only these two designated users can access the storage domain, and their permissions are strictly controlled.
Whether a file has been tampered with is determined by calculating its MD5 value. The MD5 message-digest algorithm (Message Digest Algorithm 5) is a hash function widely used in the field of computer security to provide integrity protection for messages. Mainstream programming languages generally have existing MD5 implementations, which gives it good general applicability.
The present invention is simple to operate and broadly applicable, with a clear and simple workflow; MD5 is a hash function widely used in the field of computer security and is broadly applicable. The dual protection of permission separation plus MD5 verification greatly reduces the risk of an image being tampered with and allows image anomalies to be detected promptly, giving high security strength.
Brief Description of the Drawings
Fig. 1 is a flowchart of the method of the present invention for preventing image tampering;
Fig. 2 is a flowchart of image upload in the present invention;
Fig. 3 is a flowchart of the image verification process of the present invention.
Detailed Description
The present invention is further described below with reference to the drawings and an embodiment:
A method for preventing image tampering in desktop virtualization, as shown in Fig. 1, comprises the following steps:
(1) creating an independent storage domain for ISO image files, and setting users' read/write permissions on this storage domain;
(2) creating two system users, one of which is used for uploading image files and therefore has write permission, while the other is used for read operations when creating a virtual machine and therefore has read permission;
(3) verifying the user who uploads an image file when the image file is uploaded;
(4) generating an MD5 code for each uploaded image file and storing it in the database, thereby establishing in the database a one-to-one correspondence between the image file name and its MD5 code;
(5) before each use of an image file, first verifying whether its MD5 value has changed; if it has changed, the image file has been tampered with.
1. Create an independent storage domain for ISO image files and set users' read/write permissions on this storage domain. This step sets aside independent storage space for image files, so that we can set users' read/write permissions on this directory.
2. Create two system users, used respectively for reading from and writing to the image storage domain. This step separates the read and write permissions on the image storage domain: one user is used for uploading images and therefore has write permission; the other is used for read operations when creating a virtual machine and therefore has read permission. Each user is given an independent password, as the first layer of protection.
3. Generate an MD5 code for each image file. This step generates an identity code for each image file. Because the MD5 value is calculated from the file content, it changes whenever the content changes, so we can use the following method to detect whether an image file has been tampered with.
4. Immediately after an image is uploaded, its MD5 value is calculated and stored in the database. The name of each image file must be unique, because all image files are stored in the same directory; this lets us establish in the database a one-to-one correspondence between the image name and its MD5 value.
5. Before each use of an image, first verify whether its MD5 value has changed. This step verifies the integrity of the image; when the MD5 value of the image has changed, a message can be displayed to the user indicating that the image has been tampered with.
The image upload flowchart is shown in Fig. 2; the main steps are as follows:
1) The user logs in to the system through an SSH client. If the logged-in user is not the designated user with upload permission, that user cannot operate on the ISO storage domain or upload ISO files, and is returned to login.
2) Only after logging in as the designated user can the user operate on the ISO storage domain and upload an image.
3) After the image upload completes, the MD5 value of the image is calculated and written to the database.
4) The operation is complete.
The image verification flowchart is shown in Fig. 3; the main steps are as follows:
1) Create a virtual machine through the management console and specify the ISO file required by the virtual machine.
2) Determine whether the designated user is operating on the ISO storage domain; if not, display a corresponding prompt.
3) Calculate the MD5 value of the ISO image and compare it with the value in the database. If they match, the ISO image has been preserved intact and the virtual machine is created successfully; otherwise the ISO file has been tampered with, an error message is displayed, and virtual machine creation fails.
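An added example, not part of the patent, sketching the upload (Fig. 2) and verification (Fig. 3) flows in Python. The account names, the SQLite table and the function names are assumptions; `DIGEST` is `md5` as the patent specifies, and because MD5 collisions are practical to construct, `sha256` can be substituted there without other changes.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile

# Assumed account names: the patent only requires one write user and one read user.
UPLOAD_USER, READ_USER = "iso_upload", "iso_reader"
DIGEST = "md5"  # as in the patent; "sha256" is a collision-resistant drop-in


def file_digest(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.new(DIGEST)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def open_registry(db_path=":memory:"):
    db = sqlite3.connect(db_path)  # stand-in for the console database (assumed schema)
    # PRIMARY KEY on name enforces the one-to-one name/digest mapping.
    db.execute("CREATE TABLE IF NOT EXISTS images"
               " (name TEXT PRIMARY KEY, digest TEXT NOT NULL)")
    return db


def register_upload(db, user, path):
    """Steps (3)-(4): verify the uploader, then record the digest."""
    if user != UPLOAD_USER:
        raise PermissionError(f"{user!r} may not upload images")
    name = os.path.basename(path)
    # Plain INSERT: reusing a name raises sqlite3.IntegrityError instead of
    # silently replacing the stored digest.
    db.execute("INSERT INTO images VALUES (?, ?)", (name, file_digest(path)))
    db.commit()
    return name


def verify_before_use(db, user, path):
    """Step (5): return 'ok', 'tampered' or 'unregistered'."""
    if user != READ_USER:
        raise PermissionError(f"{user!r} may not read images")
    row = db.execute("SELECT digest FROM images WHERE name = ?",
                     (os.path.basename(path),)).fetchone()
    if row is None:
        return "unregistered"  # no stored digest: refuse rather than trust
    same = hmac.compare_digest(row[0], file_digest(path))
    return "ok" if same else "tampered"


def demo():
    """Upload, verify, tamper, verify again on a constructed stand-in ISO."""
    with tempfile.TemporaryDirectory() as domain:  # stands in for the storage domain
        iso = os.path.join(domain, "sample.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed sample image\x00" * 4096)
        db = open_registry()
        register_upload(db, UPLOAD_USER, iso)
        before = verify_before_use(db, READ_USER, iso)
        st = os.stat(iso)
        with open(iso, "r+b") as f:  # same-size, one-byte change
            f.seek(100)
            f.write(b"X")
        os.utime(iso, ns=(st.st_atime_ns, st.st_mtime_ns))  # size and mtime checks would pass
        after = verify_before_use(db, READ_USER, iso)
        db.close()
        return before, after
```

The operating-system separation of steps (1) and (2), a directory writable only by the upload account and readable by the read account, is configured outside this script; the `user` argument models the account that has already logged in.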
Although specific embodiments of the present invention have been described above with reference to the drawings, they do not limit the scope of protection of the invention. Those of ordinary skill in the art should understand that various modifications or variations that can be made on the basis of the technical solution of the present invention without creative effort remain within the scope of protection of the present invention.

Claims (4)

1. A method for preventing image tampering in desktop virtualization, characterized by comprising the following steps:
(1) creating an independent storage domain for ISO image files, and setting users' read/write permissions on this storage domain;
(2) creating two system users, one of which is used for uploading image files and therefore has write permission, while the other is used for read operations when creating a virtual machine and therefore has read permission;
(3) verifying the user who uploads an image file when the image file is uploaded;
(4) generating an MD5 code for each uploaded image file and storing it in the database of the management console, thereby establishing in the database a one-to-one correspondence between the image file name and its MD5 code;
(5) before each use of an image file, first verifying whether its MD5 value has changed; if it has changed, the image file has been tampered with.
2. The method for preventing image tampering in desktop virtualization according to claim 1, characterized in that the user verification in step (3) is specifically as follows:
If the user logged in at the system client is not the designated user with upload permission, that user cannot operate on the storage domain of the ISO image files and cannot upload ISO files, and is returned to the login interface. Only after logging in as the designated user through the client login interface can a user operate on the ISO storage domain and upload image files.
3. The method for preventing image tampering in desktop virtualization according to claim 1, characterized in that step (5) is specifically carried out as follows:
A. create a virtual machine through the management console and specify the ISO image file required by the virtual machine;
B. determine whether the designated user is operating on the ISO image file storage domain; if not, display a corresponding prompt;
C. calculate the MD5 value of the ISO image and compare it with the value in the database; if they match, the ISO image file has been preserved intact and the virtual machine is created successfully; otherwise the ISO file has been tampered with, an error message is displayed, and virtual machine creation fails.
4. The method for preventing image tampering in desktop virtualization according to claim 1, characterized in that, in step (2), an independent password is set for each user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410617959.XA CN104346582A (en) 2014-11-05 2014-11-05 Method for preventing mirror image from being tampered in desktop virtualization

Publications (1)

Publication Number Publication Date
CN104346582A true CN104346582A (en) 2015-02-11

Family

ID=52502161

Country Status (1)

Country Link
CN (1) CN104346582A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: Xinluo Avenue high tech Zone of Ji'nan City, Shandong province 250101 silver bearing No. 2008 building B block 1001

Applicant after: Shandong Massclouds Qichuang Information Technology Co., Ltd.

Address before: 250101, C, building 401, bank building, Ji'nan hi tech Zone, Shandong, China

Applicant before: Shandong Massclouds Qichuang Information Technology Co., Ltd.

CB02 Change of applicant information

Address after: Xinluo Avenue high tech Zone of Ji'nan City, Shandong province 250101 silver bearing No. 2008 building B block 1001

Applicant after: SHANDONG QIANYUN QICHUANG INFORMATION TECHNOLOGY CO., LTD.

Address before: Xinluo Avenue high tech Zone of Ji'nan City, Shandong province 250101 silver bearing No. 2008 building B block 1001

Applicant before: Shandong Massclouds Qichuang Information Technology Co., Ltd.

COR Change of bibliographic data
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20150211