CN106126116A - A kind of integrity measurement optimization method of virtual machine image file - Google Patents

A kind of integrity measurement optimization method of virtual machine image file Download PDF

Info

Publication number
CN106126116A
CN106126116A CN201610431636.0A CN201610431636A CN106126116A CN 106126116 A CN106126116 A CN 106126116A CN 201610431636 A CN201610431636 A CN 201610431636A CN 106126116 A CN106126116 A CN 106126116A
Authority
CN
China
Prior art keywords
image
virtual machine
image file
integrity measurement
foundation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610431636.0A
Other languages
Chinese (zh)
Inventor
肖利民
岳喜春
阮利
李书攀
詹维典
徐志罡
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beihang University filed Critical Beihang University
Priority to CN201610431636.0A priority Critical patent/CN106126116A/en
Publication of CN106126116A publication Critical patent/CN106126116A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/0614Improving the reliability of storage systems
    • G06F3/0619Improving the reliability of storage systems in relation to data integrity, e.g. data losses, bit errors
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0662Virtualisation aspects
    • G06F3/0667Virtualisation aspects at data level, e.g. file, record or object virtualisation

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Quality & Reliability (AREA)
  • Computer Security & Cryptography (AREA)
  • Memory System Of A Hierarchy Structure (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention proposes the integrity measurement optimization method of a kind of virtual machine image file, by mirror image is divided into foundation image and increment mirrored storage, and uses SSD as swap, lays a good foundation for follow-up algorithm optimization;By utilizing internal memory mapping and multithreading to solve the problem of frequent reading disk, the calculating speed of algorithm can be significantly improved;Finally foundation image is used different integrity measurement strategies with increment mirror image, the expense of integrity measurement can be reduced.Comprise the following steps: 1 uses foundation image to add the mode storage virtual machine image file of increment mirrored storage;2 utilize the SHA1 algorithm of swap, internal memory mapping mechanism and multithreading to be optimized image file integrity measurement algorithm;Foundation image and increment mirror image are divided different strategies to measure by 3, i.e. foundation image carries out periodicity measurement, and increment mirror image is measured when virtual machine switching on and shutting down.

Description

A kind of integrity measurement optimization method of virtual machine image file
Technical field
The present invention proposes the integrity measurement optimization method of a kind of virtual machine image file, is specifically related to a kind of use and changes The method of the SHA1 algorithm tolerance complete to virtual machine image file after entering, and provide a kind of new Metric policy.Belong to meter The security fields of calculation machine science.
Background technology
Virtual machine image file is used to storage virtual machine operating system and individual's software and the file of personal data, empty The startup of plan machine and operation are required for the support of its image file.If virtual machine image file is tampered, such as implant malice Codes etc., may result in leakage or the loss of personal data, and this for the protection of the properly functioning of virtual machine He privacy of user is Hidden danger greatly, so ensureing that the integrity of virtual machine image file is significant.
Mirror image protection scheme of today has focused largely on mirror image encryption aspect, by being encrypted image file, it is ensured that Even if image file is acquired also cannot read content therein, but this scheme but cannot solve image file destroyed or The problem that person is tampered.Integrity measurement technology is a kind of scheme ensureing file integrality, but integrity measurement typically should It is used in small documents tolerance scene, because integrity measurement needs read whole file and file is calculated an eap-message digest, and Virtual machine image file is general all at more than 10GB, so reads the speed of file i.e. the bandwidth of disk from disk by shadow Ring the performance of whole metric algorithm.
SHA1 (Secure Hash Algorithm 1, Secure Hash Algorithm 1) is the calculation of a kind of calculation document eap-message digest Method, its Calculation bottleneck is also the speed reading data from disk, and common multithreading can not improve calculating speed Degree, on the contrary can be because the switching of magnetic head causes the decline of disk reading speed.Therefore the present invention design a kind of use improvement after The method of SHA1 algorithm tolerance complete to virtual machine image file, and provide a kind of new Metric policy.
Summary of the invention
This method is applicable to the (SuSE) Linux OS of 64.First this method is divided into foundation image and increasing to image file Amount mirrored storage;Then SSD (Solid State Drives, solid state hard disc) is used to arrange physical platform according to application scenarios Jumbo swap (swapace), is simultaneous for the operation under image file integrity measurement application scenarios of SHA1 algorithm SHA1 algorithm is optimized by bottleneck by internal memory mapping mechanism, multithreading;New Metric policy is finally proposed, to base Plinth image file uses different strategies to carry out integrity measurement with increment image file.
Specifically, include according to the integrity measurement optimization method of a kind of virtual machine image file of the present invention:
Step 1, uses foundation image to add the mode storage virtual machine image file of increment mirrored storage;
Step 2, utilizes the SHA1 algorithm of swap, internal memory mapping mechanism and multithreading to calculate image file integrity measurement Method is optimized;
Step 3, divides different strategies to measure foundation image and increment mirror image, i.e. foundation image carries out periodicity degree Amount, increment mirror image is measured when virtual machine switching on and shutting down, thus is reduced integrity measurement expense.
In one embodiment, step 1 includes:
Step 11, creates foundation image file, and foundation image installs operating system and some basic softwares, and foundation image begins Keep constant eventually, can share with multiple virtual machines;
Step 12, selects a foundation image when creating virtual machine, and is virtual machine creating increment image file, increment mirror As storing privately owned software and personal data, the corresponding virtual machine of each increment mirror image, virtual machine is to change all of in mirror image All record inside increment mirror image.
In one embodiment, step 2 includes:
Step 21, using SSD is system creation swap subregion, can utilize swap when physical memory deficiency, uses the SSD to be In order to improve performance;
Step 22, the image file using memory mapping technique to measure is mapped to the address space of process, can solve The certainly problem of frequent reading disk;
Step 23, revises SHA1 algorithm, the image file in address space is divided into N block, creates N number of thread and be successively read One block file carries out integrity measurement, and generates 160bit (position) digest value MD respectively1,MD2...MDn
Step 24, again carries out the N number of digest value generated N-1 SHA1 and calculates, generate the message of final 160bit Summary MD=sha1 (sha1 (MD1,MD2),...MDn)。
In one embodiment, step 3 includes:
Step 31, creates foundation image biTime, use the algorithm optimized in step 2 once to measure, save as mark Quasi-digest valueThe most often cross a cycle T, use the algorithm optimized in step 2 to carry out integrity foundation image file Tolerance, obtains up-to-date digest valueAnd withCompare, can find whether foundation image is tampered;
Step 32, after virtual machine start, increment mirror image can change, so after virtual machine shuts down every time, to its increment mirror image fj Use the algorithm optimized in step 2 to carry out integrity measurement, and be updated to the digest value of standardVirtual machine activation every time Before, again to its increment mirror image fjUse the algorithm optimized in step 2 once to measure, obtain up-to-date digest valueAnd WithCompare, can find whether foundation image is tampered.
Accompanying drawing explanation
Fig. 1 is virtual machine image file integrity measurement overall flow figure.
Fig. 2 is that virtual machine image file internal memory maps piecemeal integrity measurement figure.
Fig. 3 is that foundation image file integrality measures flow chart.
Fig. 4 is increment image file integrity measurement flow chart.
Detailed description of the invention
For making the object, technical solutions and advantages of the present invention express clearer, below in conjunction with the accompanying drawings and specifically The present invention is further described in more detail for embodiment.
Main idea is that and utilize memory mapping technique, multithreading and image file is divided into basis mirror The strategy that picture and increment mirror image are measured respectively, provides integrity protection to virtual machine image file, utilizes the algorithm optimized, energy Enough significantly improve the efficiency of integrity measurement, strengthen the safety of virtual machine.
Illustrate with an example below:
Step 1, uses foundation image to add the mode storage virtual machine image file of increment mirrored storage, virtual machine in example VM1 has a foundation image b1, increment mirror image f1
Step 2, utilizes the SHA1 algorithm of swap, internal memory mapping mechanism and multithreading to calculate image file integrity measurement Method is optimized, such as Fig. 2.
Step 3, divides different strategies to measure foundation image and increment mirror image, i.e. foundation image carries out periodicity degree Amount, increment mirror image is measured when virtual machine switching on and shutting down, thus is reduced integrity measurement expense.
Wherein, step 2 includes:
Step 21, using SSD is system creation swap subregion, can store data in swap when physical memory deficiency In;
Step 22, internal memory mapping function mmap64 is the address space that the image file that will measure is mapped to process, 64 In the system of position, in the virtual memory space of each process, user's space has 128TB, enough maps image file, and mapping function is such as Under:
Ptr=mmap64 (0, len, PROT_READ, MAP_SHARED, fd, 0);
Wherein first parameter 0 represents and makes operating system automatic mapping, and len is the size of file, and PROT_READ represents and reflects Page after penetrating can be read, and MAP_SHARED represents and uses the process of this file to share mapping space, fd with other Being the filec descriptor of the image file opened, last parameter 0 represents the head from image file and starts to map;Return value Ptr is the pointer in mapped district;
Step 23, revises SHA1 algorithm, and in example, main frame has 12 logics CPU, is divided by the image file in address space Becoming 12 pieces, every block file size is len/12, creates 12 threads and is successively read a block file and measures, and generates one respectively Individual 160bit digest value MD1,MD2...MD12
12 digest value generated are carried out 11 SHA1 and calculate by step 24 again, and the message generating final 160bit is plucked Want MD=sha1 (sha1 (sha1 (MD1,MD2),MD3)...MD12)。
Wherein, step 3 includes:
Step 31, such as Fig. 3, creates foundation image b1Time, use the algorithm optimized in step 2 once to measure, and Save as standard digest valueExample sets tolerance cycle T=24 hour, often spends 24 hours, foundation image file is used The algorithm optimized in step 2 carries out an integrity measurement, obtains up-to-date digest valueAnd with initially create image file Time metricCompare.IfThen represent that mirror image was not altered, otherwise, represent foundation image bi? Through being tampered, it is continuing with, potential safety hazard may be brought;
Step 32, such as Fig. 4, after the shutdown of each virtual machine, to its increment mirror image f1The algorithm optimized in step 2 is used to carry out Once measure, and be updated to the digest value of standardEvery time before virtual machine activation, again to its increment mirror image fjUse step 1 The algorithm of middle optimization is once measured, and obtains up-to-date digest valueAnd with standard digest value beforeCompare Relatively.IfThen represent that mirror image was not altered;Otherwise, increment mirror image f is representedjHave been tampered with, at virtual machine In unsafe condition.

Claims (2)

1. an integrity measurement optimization method for virtual machine image file, uses foundation image to add the mode of increment mirrored storage Storage virtual machine image file, it is characterised in that comprise the following steps:
Step 1, utilizes the SHA1 algorithm of swap, internal memory mapping mechanism and multithreading to enter image file integrity measurement algorithm Row optimizes;
Step 2, divides different strategies to measure foundation image and increment mirror image, i.e. foundation image carries out periodicity measurement, Increment mirror image is measured when virtual machine switching on and shutting down, thus reduces integrity measurement expense.
Method the most according to claim 1, wherein step 2 includes:
Step 21, using SSD is system creation swap subregion, and the image file using memory mapping technique to measure is mapped to The address space of process, the problem solving frequent reading disk;
Step 22, revises SHA1 algorithm, the image file in address space is divided into N block, creates N number of thread and be successively read one piece File carries out integrity measurement, and generates 160bit (position) digest value respectively, and the N number of digest value generated is carried out N-again 1 time SHA1 calculates, and generates the eap-message digest of final 160bit.
CN201610431636.0A 2016-06-16 2016-06-16 A kind of integrity measurement optimization method of virtual machine image file Pending CN106126116A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610431636.0A CN106126116A (en) 2016-06-16 2016-06-16 A kind of integrity measurement optimization method of virtual machine image file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610431636.0A CN106126116A (en) 2016-06-16 2016-06-16 A kind of integrity measurement optimization method of virtual machine image file

Publications (1)

Publication Number Publication Date
CN106126116A true CN106126116A (en) 2016-11-16

Family

ID=57470375

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610431636.0A Pending CN106126116A (en) 2016-06-16 2016-06-16 A kind of integrity measurement optimization method of virtual machine image file

Country Status (1)

Country Link
CN (1) CN106126116A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107169373A (en) * 2017-05-11 2017-09-15 山东超越数控电子有限公司 A kind of virtual machine image file guard method and system
CN107608758A (en) * 2017-08-31 2018-01-19 郑州云海信息技术有限公司 A kind of virtual machine file integrality monitoring method and system
CN108229162A (en) * 2016-12-15 2018-06-29 中标软件有限公司 A kind of implementation method of cloud platform virtual machine completeness check
CN109725983A (en) * 2018-11-22 2019-05-07 海光信息技术有限公司 A kind of method for interchanging data, device, relevant device and system
CN111324497A (en) * 2020-02-20 2020-06-23 杭州涂鸦信息技术有限公司 Linux system partition self-checking method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593259A (en) * 2009-06-29 2009-12-02 北京航空航天大学 software integrity verification method and system
CN104216743A (en) * 2014-08-27 2014-12-17 中国船舶重工集团公司第七0九研究所 Method and system for maintaining start completeness of configurable virtual machine
CN104517057A (en) * 2014-12-22 2015-04-15 中国人民解放军信息工程大学 Software hybrid measure method based on trusted computing
CN105205391A (en) * 2015-10-15 2015-12-30 中南大学 Clean room real-time monitoring method based on integrity verification

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101593259A (en) * 2009-06-29 2009-12-02 北京航空航天大学 software integrity verification method and system
CN104216743A (en) * 2014-08-27 2014-12-17 中国船舶重工集团公司第七0九研究所 Method and system for maintaining start completeness of configurable virtual machine
CN104517057A (en) * 2014-12-22 2015-04-15 中国人民解放军信息工程大学 Software hybrid measure method based on trusted computing
CN105205391A (en) * 2015-10-15 2015-12-30 中南大学 Clean room real-time monitoring method based on integrity verification

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
林杰 等: "IVirt:基于虚拟机自省的运行环境完整性度量机制", 《计算机学报》 *
邢彬 等: "基于虚拟机监控技术的可信虚拟域", 《信息安全学报》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108229162A (en) * 2016-12-15 2018-06-29 中标软件有限公司 A kind of implementation method of cloud platform virtual machine completeness check
CN108229162B (en) * 2016-12-15 2021-10-08 中标软件有限公司 Method for realizing integrity check of cloud platform virtual machine
CN107169373A (en) * 2017-05-11 2017-09-15 山东超越数控电子有限公司 A kind of virtual machine image file guard method and system
CN107608758A (en) * 2017-08-31 2018-01-19 郑州云海信息技术有限公司 A kind of virtual machine file integrality monitoring method and system
CN109725983A (en) * 2018-11-22 2019-05-07 海光信息技术有限公司 A kind of method for interchanging data, device, relevant device and system
CN109725983B (en) * 2018-11-22 2021-07-27 海光信息技术股份有限公司 Data exchange method, device, related equipment and system
CN111324497A (en) * 2020-02-20 2020-06-23 杭州涂鸦信息技术有限公司 Linux system partition self-checking method and system
CN111324497B (en) * 2020-02-20 2023-10-27 杭州涂鸦信息技术有限公司 Partition self-checking method and system for linux system

Similar Documents

Publication Publication Date Title
CN106126116A (en) A kind of integrity measurement optimization method of virtual machine image file
US7934049B2 (en) Methods used in a secure yet flexible system architecture for secure devices with flash mass storage memory
CN104517057B (en) Software hybrid metric method based on trust computing
CN105993018B (en) Content item encryption in mobile device
EP1934879B1 (en) Secure yet flexible system architecture for secure devices with flash mass storage memory
CN105339912B (en) Measure safety zone
US8839446B2 (en) Protecting archive structure with directory verifiers
CN109690493A (en) System and method for repairing the image in duplicate removal storage device
US10089024B2 (en) Memory deduplication protection for memory pages
US20130081144A1 (en) Storage device and writing device
CN110968554A (en) Block chain storage method, storage system and storage medium based on file chain blocks
CN111967065B (en) Data protection method, processor and electronic equipment
CN104090913B (en) File operation method and device based on thin client
CN111782625A (en) Core intelligence technology embedded remote file system software
CN109683983A (en) A kind of generation of image file and loading method, equipment
CN109684126B (en) Memory verification method for ARM equipment and ARM equipment for executing memory verification
EP2957088B1 (en) Serialization for delta encoding
CN109766688A (en) A kind of Linux program run time verification based on Merkle tree and management-control method and system
US8396837B2 (en) Information processing apparatus
CN106874119A (en) Merging method and device based on the scanning of homogeneity internal memory
JP6201385B2 (en) Storage apparatus and storage control method
CN110298175A (en) A kind of processing method and relevant apparatus of dll file
CN103714286A (en) Method and system for preventing malicious software installation in mobile terminal
EP3952202B1 (en) A device and a method for performing a cryptographic algorithm
CN115080992A (en) Unified electronic seal system and method based on identification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20161116