CN106126116A - A kind of integrity measurement optimization method of virtual machine image file - Google Patents
A kind of integrity measurement optimization method of virtual machine image file Download PDFInfo
- Publication number
- CN106126116A CN106126116A CN201610431636.0A CN201610431636A CN106126116A CN 106126116 A CN106126116 A CN 106126116A CN 201610431636 A CN201610431636 A CN 201610431636A CN 106126116 A CN106126116 A CN 106126116A
- Authority
- CN
- China
- Prior art keywords
- image
- virtual machine
- image file
- integrity measurement
- foundation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0602—Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
- G06F3/0614—Improving the reliability of storage systems
- G06F3/0619—Improving the reliability of storage systems in relation to data integrity, e.g. data losses, bit errors
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0662—Virtualisation aspects
- G06F3/0667—Virtualisation aspects at data level, e.g. file, record or object virtualisation
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Human Computer Interaction (AREA)
- Quality & Reliability (AREA)
- Computer Security & Cryptography (AREA)
- Memory System Of A Hierarchy Structure (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The present invention proposes the integrity measurement optimization method of a kind of virtual machine image file, by mirror image is divided into foundation image and increment mirrored storage, and uses SSD as swap, lays a good foundation for follow-up algorithm optimization;By utilizing internal memory mapping and multithreading to solve the problem of frequent reading disk, the calculating speed of algorithm can be significantly improved;Finally foundation image is used different integrity measurement strategies with increment mirror image, the expense of integrity measurement can be reduced.Comprise the following steps: 1 uses foundation image to add the mode storage virtual machine image file of increment mirrored storage;2 utilize the SHA1 algorithm of swap, internal memory mapping mechanism and multithreading to be optimized image file integrity measurement algorithm;Foundation image and increment mirror image are divided different strategies to measure by 3, i.e. foundation image carries out periodicity measurement, and increment mirror image is measured when virtual machine switching on and shutting down.
Description
Technical field
The present invention proposes the integrity measurement optimization method of a kind of virtual machine image file, is specifically related to a kind of use and changes
The method of the SHA1 algorithm tolerance complete to virtual machine image file after entering, and provide a kind of new Metric policy.Belong to meter
The security fields of calculation machine science.
Background technology
Virtual machine image file is used to storage virtual machine operating system and individual's software and the file of personal data, empty
The startup of plan machine and operation are required for the support of its image file.If virtual machine image file is tampered, such as implant malice
Codes etc., may result in leakage or the loss of personal data, and this for the protection of the properly functioning of virtual machine He privacy of user is
Hidden danger greatly, so ensureing that the integrity of virtual machine image file is significant.
Mirror image protection scheme of today has focused largely on mirror image encryption aspect, by being encrypted image file, it is ensured that
Even if image file is acquired also cannot read content therein, but this scheme but cannot solve image file destroyed or
The problem that person is tampered.Integrity measurement technology is a kind of scheme ensureing file integrality, but integrity measurement typically should
It is used in small documents tolerance scene, because integrity measurement needs read whole file and file is calculated an eap-message digest, and
Virtual machine image file is general all at more than 10GB, so reads the speed of file i.e. the bandwidth of disk from disk by shadow
Ring the performance of whole metric algorithm.
SHA1 (Secure Hash Algorithm 1, Secure Hash Algorithm 1) is the calculation of a kind of calculation document eap-message digest
Method, its Calculation bottleneck is also the speed reading data from disk, and common multithreading can not improve calculating speed
Degree, on the contrary can be because the switching of magnetic head causes the decline of disk reading speed.Therefore the present invention design a kind of use improvement after
The method of SHA1 algorithm tolerance complete to virtual machine image file, and provide a kind of new Metric policy.
Summary of the invention
This method is applicable to the (SuSE) Linux OS of 64.First this method is divided into foundation image and increasing to image file
Amount mirrored storage;Then SSD (Solid State Drives, solid state hard disc) is used to arrange physical platform according to application scenarios
Jumbo swap (swapace), is simultaneous for the operation under image file integrity measurement application scenarios of SHA1 algorithm
SHA1 algorithm is optimized by bottleneck by internal memory mapping mechanism, multithreading;New Metric policy is finally proposed, to base
Plinth image file uses different strategies to carry out integrity measurement with increment image file.
Specifically, include according to the integrity measurement optimization method of a kind of virtual machine image file of the present invention:
Step 1, uses foundation image to add the mode storage virtual machine image file of increment mirrored storage;
Step 2, utilizes the SHA1 algorithm of swap, internal memory mapping mechanism and multithreading to calculate image file integrity measurement
Method is optimized;
Step 3, divides different strategies to measure foundation image and increment mirror image, i.e. foundation image carries out periodicity degree
Amount, increment mirror image is measured when virtual machine switching on and shutting down, thus is reduced integrity measurement expense.
In one embodiment, step 1 includes:
Step 11, creates foundation image file, and foundation image installs operating system and some basic softwares, and foundation image begins
Keep constant eventually, can share with multiple virtual machines;
Step 12, selects a foundation image when creating virtual machine, and is virtual machine creating increment image file, increment mirror
As storing privately owned software and personal data, the corresponding virtual machine of each increment mirror image, virtual machine is to change all of in mirror image
All record inside increment mirror image.
In one embodiment, step 2 includes:
Step 21, using SSD is system creation swap subregion, can utilize swap when physical memory deficiency, uses the SSD to be
In order to improve performance;
Step 22, the image file using memory mapping technique to measure is mapped to the address space of process, can solve
The certainly problem of frequent reading disk;
Step 23, revises SHA1 algorithm, the image file in address space is divided into N block, creates N number of thread and be successively read
One block file carries out integrity measurement, and generates 160bit (position) digest value MD respectively1,MD2...MDn;
Step 24, again carries out the N number of digest value generated N-1 SHA1 and calculates, generate the message of final 160bit
Summary MD=sha1 (sha1 (MD1,MD2),...MDn)。
In one embodiment, step 3 includes:
Step 31, creates foundation image biTime, use the algorithm optimized in step 2 once to measure, save as mark
Quasi-digest valueThe most often cross a cycle T, use the algorithm optimized in step 2 to carry out integrity foundation image file
Tolerance, obtains up-to-date digest valueAnd withCompare, can find whether foundation image is tampered;
Step 32, after virtual machine start, increment mirror image can change, so after virtual machine shuts down every time, to its increment mirror image fj
Use the algorithm optimized in step 2 to carry out integrity measurement, and be updated to the digest value of standardVirtual machine activation every time
Before, again to its increment mirror image fjUse the algorithm optimized in step 2 once to measure, obtain up-to-date digest valueAnd
WithCompare, can find whether foundation image is tampered.
Accompanying drawing explanation
Fig. 1 is virtual machine image file integrity measurement overall flow figure.
Fig. 2 is that virtual machine image file internal memory maps piecemeal integrity measurement figure.
Fig. 3 is that foundation image file integrality measures flow chart.
Fig. 4 is increment image file integrity measurement flow chart.
Detailed description of the invention
For making the object, technical solutions and advantages of the present invention express clearer, below in conjunction with the accompanying drawings and specifically
The present invention is further described in more detail for embodiment.
Main idea is that and utilize memory mapping technique, multithreading and image file is divided into basis mirror
The strategy that picture and increment mirror image are measured respectively, provides integrity protection to virtual machine image file, utilizes the algorithm optimized, energy
Enough significantly improve the efficiency of integrity measurement, strengthen the safety of virtual machine.
Illustrate with an example below:
Step 1, uses foundation image to add the mode storage virtual machine image file of increment mirrored storage, virtual machine in example
VM1 has a foundation image b1, increment mirror image f1。
Step 2, utilizes the SHA1 algorithm of swap, internal memory mapping mechanism and multithreading to calculate image file integrity measurement
Method is optimized, such as Fig. 2.
Step 3, divides different strategies to measure foundation image and increment mirror image, i.e. foundation image carries out periodicity degree
Amount, increment mirror image is measured when virtual machine switching on and shutting down, thus is reduced integrity measurement expense.
Wherein, step 2 includes:
Step 21, using SSD is system creation swap subregion, can store data in swap when physical memory deficiency
In;
Step 22, internal memory mapping function mmap64 is the address space that the image file that will measure is mapped to process, 64
In the system of position, in the virtual memory space of each process, user's space has 128TB, enough maps image file, and mapping function is such as
Under:
Ptr=mmap64 (0, len, PROT_READ, MAP_SHARED, fd, 0);
Wherein first parameter 0 represents and makes operating system automatic mapping, and len is the size of file, and PROT_READ represents and reflects
Page after penetrating can be read, and MAP_SHARED represents and uses the process of this file to share mapping space, fd with other
Being the filec descriptor of the image file opened, last parameter 0 represents the head from image file and starts to map;Return value
Ptr is the pointer in mapped district;
Step 23, revises SHA1 algorithm, and in example, main frame has 12 logics CPU, is divided by the image file in address space
Becoming 12 pieces, every block file size is len/12, creates 12 threads and is successively read a block file and measures, and generates one respectively
Individual 160bit digest value MD1,MD2...MD12;
12 digest value generated are carried out 11 SHA1 and calculate by step 24 again, and the message generating final 160bit is plucked
Want MD=sha1 (sha1 (sha1 (MD1,MD2),MD3)...MD12)。
Wherein, step 3 includes:
Step 31, such as Fig. 3, creates foundation image b1Time, use the algorithm optimized in step 2 once to measure, and
Save as standard digest valueExample sets tolerance cycle T=24 hour, often spends 24 hours, foundation image file is used
The algorithm optimized in step 2 carries out an integrity measurement, obtains up-to-date digest valueAnd with initially create image file
Time metricCompare.IfThen represent that mirror image was not altered, otherwise, represent foundation image bi?
Through being tampered, it is continuing with, potential safety hazard may be brought;
Step 32, such as Fig. 4, after the shutdown of each virtual machine, to its increment mirror image f1The algorithm optimized in step 2 is used to carry out
Once measure, and be updated to the digest value of standardEvery time before virtual machine activation, again to its increment mirror image fjUse step 1
The algorithm of middle optimization is once measured, and obtains up-to-date digest valueAnd with standard digest value beforeCompare
Relatively.IfThen represent that mirror image was not altered;Otherwise, increment mirror image f is representedjHave been tampered with, at virtual machine
In unsafe condition.
Claims (2)
1. an integrity measurement optimization method for virtual machine image file, uses foundation image to add the mode of increment mirrored storage
Storage virtual machine image file, it is characterised in that comprise the following steps:
Step 1, utilizes the SHA1 algorithm of swap, internal memory mapping mechanism and multithreading to enter image file integrity measurement algorithm
Row optimizes;
Step 2, divides different strategies to measure foundation image and increment mirror image, i.e. foundation image carries out periodicity measurement,
Increment mirror image is measured when virtual machine switching on and shutting down, thus reduces integrity measurement expense.
Method the most according to claim 1, wherein step 2 includes:
Step 21, using SSD is system creation swap subregion, and the image file using memory mapping technique to measure is mapped to
The address space of process, the problem solving frequent reading disk;
Step 22, revises SHA1 algorithm, the image file in address space is divided into N block, creates N number of thread and be successively read one piece
File carries out integrity measurement, and generates 160bit (position) digest value respectively, and the N number of digest value generated is carried out N-again
1 time SHA1 calculates, and generates the eap-message digest of final 160bit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610431636.0A CN106126116A (en) | 2016-06-16 | 2016-06-16 | A kind of integrity measurement optimization method of virtual machine image file |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610431636.0A CN106126116A (en) | 2016-06-16 | 2016-06-16 | A kind of integrity measurement optimization method of virtual machine image file |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106126116A true CN106126116A (en) | 2016-11-16 |
Family
ID=57470375
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610431636.0A Pending CN106126116A (en) | 2016-06-16 | 2016-06-16 | A kind of integrity measurement optimization method of virtual machine image file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106126116A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107169373A (en) * | 2017-05-11 | 2017-09-15 | 山东超越数控电子有限公司 | A kind of virtual machine image file guard method and system |
CN107608758A (en) * | 2017-08-31 | 2018-01-19 | 郑州云海信息技术有限公司 | A kind of virtual machine file integrality monitoring method and system |
CN108229162A (en) * | 2016-12-15 | 2018-06-29 | 中标软件有限公司 | A kind of implementation method of cloud platform virtual machine completeness check |
CN109725983A (en) * | 2018-11-22 | 2019-05-07 | 海光信息技术有限公司 | A kind of method for interchanging data, device, relevant device and system |
CN111324497A (en) * | 2020-02-20 | 2020-06-23 | 杭州涂鸦信息技术有限公司 | Linux system partition self-checking method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101593259A (en) * | 2009-06-29 | 2009-12-02 | 北京航空航天大学 | software integrity verification method and system |
CN104216743A (en) * | 2014-08-27 | 2014-12-17 | 中国船舶重工集团公司第七0九研究所 | Method and system for maintaining start completeness of configurable virtual machine |
CN104517057A (en) * | 2014-12-22 | 2015-04-15 | 中国人民解放军信息工程大学 | Software hybrid measure method based on trusted computing |
CN105205391A (en) * | 2015-10-15 | 2015-12-30 | 中南大学 | Clean room real-time monitoring method based on integrity verification |
-
2016
- 2016-06-16 CN CN201610431636.0A patent/CN106126116A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101593259A (en) * | 2009-06-29 | 2009-12-02 | 北京航空航天大学 | software integrity verification method and system |
CN104216743A (en) * | 2014-08-27 | 2014-12-17 | 中国船舶重工集团公司第七0九研究所 | Method and system for maintaining start completeness of configurable virtual machine |
CN104517057A (en) * | 2014-12-22 | 2015-04-15 | 中国人民解放军信息工程大学 | Software hybrid measure method based on trusted computing |
CN105205391A (en) * | 2015-10-15 | 2015-12-30 | 中南大学 | Clean room real-time monitoring method based on integrity verification |
Non-Patent Citations (2)
Title |
---|
林杰 等: "IVirt:基于虚拟机自省的运行环境完整性度量机制", 《计算机学报》 * |
邢彬 等: "基于虚拟机监控技术的可信虚拟域", 《信息安全学报》 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108229162A (en) * | 2016-12-15 | 2018-06-29 | 中标软件有限公司 | A kind of implementation method of cloud platform virtual machine completeness check |
CN108229162B (en) * | 2016-12-15 | 2021-10-08 | 中标软件有限公司 | Method for realizing integrity check of cloud platform virtual machine |
CN107169373A (en) * | 2017-05-11 | 2017-09-15 | 山东超越数控电子有限公司 | A kind of virtual machine image file guard method and system |
CN107608758A (en) * | 2017-08-31 | 2018-01-19 | 郑州云海信息技术有限公司 | A kind of virtual machine file integrality monitoring method and system |
CN109725983A (en) * | 2018-11-22 | 2019-05-07 | 海光信息技术有限公司 | A kind of method for interchanging data, device, relevant device and system |
CN109725983B (en) * | 2018-11-22 | 2021-07-27 | 海光信息技术股份有限公司 | Data exchange method, device, related equipment and system |
CN111324497A (en) * | 2020-02-20 | 2020-06-23 | 杭州涂鸦信息技术有限公司 | Linux system partition self-checking method and system |
CN111324497B (en) * | 2020-02-20 | 2023-10-27 | 杭州涂鸦信息技术有限公司 | Partition self-checking method and system for linux system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106126116A (en) | A kind of integrity measurement optimization method of virtual machine image file | |
US7934049B2 (en) | Methods used in a secure yet flexible system architecture for secure devices with flash mass storage memory | |
CN104517057B (en) | Software hybrid metric method based on trust computing | |
CN105993018B (en) | Content item encryption in mobile device | |
EP1934879B1 (en) | Secure yet flexible system architecture for secure devices with flash mass storage memory | |
CN105339912B (en) | Measure safety zone | |
US8839446B2 (en) | Protecting archive structure with directory verifiers | |
CN109690493A (en) | System and method for repairing the image in duplicate removal storage device | |
US10089024B2 (en) | Memory deduplication protection for memory pages | |
US20130081144A1 (en) | Storage device and writing device | |
CN110968554A (en) | Block chain storage method, storage system and storage medium based on file chain blocks | |
CN111967065B (en) | Data protection method, processor and electronic equipment | |
CN104090913B (en) | File operation method and device based on thin client | |
CN111782625A (en) | Core intelligence technology embedded remote file system software | |
CN109683983A (en) | A kind of generation of image file and loading method, equipment | |
CN109684126B (en) | Memory verification method for ARM equipment and ARM equipment for executing memory verification | |
EP2957088B1 (en) | Serialization for delta encoding | |
CN109766688A (en) | A kind of Linux program run time verification based on Merkle tree and management-control method and system | |
US8396837B2 (en) | Information processing apparatus | |
CN106874119A (en) | Merging method and device based on the scanning of homogeneity internal memory | |
JP6201385B2 (en) | Storage apparatus and storage control method | |
CN110298175A (en) | A kind of processing method and relevant apparatus of dll file | |
CN103714286A (en) | Method and system for preventing malicious software installation in mobile terminal | |
EP3952202B1 (en) | A device and a method for performing a cryptographic algorithm | |
CN115080992A (en) | Unified electronic seal system and method based on identification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20161116 |