Summary of the invention
In view of this, an object of the invention is to provide a host security protection method and device that improve the security state of the host machine and detect and block external security attacks on the host in time.
Based on the above object, the technical scheme provided by the invention is as follows:
A host security protection method, comprising the following steps:
obtaining virtualization software information from the host, the virtualization software information including the type and version of the virtualization software;
issuing a corresponding security protection policy to the host according to the virtualization software information;
monitoring, in the virtual machine monitor, the access actions initiated by virtual machines on the host;
intercepting access actions that violate the security protection policy.
Optionally, the security protection policy is a security behavior whitelist. The whitelist includes behavior information for each safe behavior, and the behavior information includes the behavior subject, the behavior object, and the process, port, service and driver involved in the behavior.
A whitelist is easy to maintain, easy to upgrade and simple to implement. Judging whether a behavior of the virtualization software is safe by means of a whitelist keeps the decision procedure simple and reliable, so that illegal behavior can be detected as it occurs and blocked in time, which substantially improves the security of the host and of the virtualization system.
Optionally, access actions that violate the security protection policy are intercepted as follows:
determining the action message of the access action, the action message including the subject and object of the access action, its read/write attribute, its execute attribute and its control attribute;
obtaining the access information of the access action from the action message, the access information including the subject and object of the access action and the process, port, service and driver involved;
judging the legitimacy of the access action according to the access information by traversing the security behavior whitelist;
intercepting the access action if it is illegal.
It is readily understood that the subject is the initiator of an action and the object is the entity the action acts upon; processes, ports, services and drivers can each be represented by a number. The read/write attribute takes one of three values, "read-only", "write-only" and "read-write", while the execute attribute and the control attribute each take only the two values "permitted" and "not permitted". In general, the read/write attribute can be split into three sub-attributes "read-only", "write-only" and "read-write", so that "read-only", "write-only", "read-write", "execute attribute" and "control attribute" each take only the two values 0 and 1.
This interception mode is based on the rules of the BLP model. The BLP (Bell-LaPadula) model is a security model named after its proposers David Bell and Leonard LaPadula. It is logically rigorous and can be formalized; it is realized through both discretionary access control and mandatory access control, and it can handle relations such as inheritance and transfer of rights, thereby providing a security guarantee for access control in large-scale systems. Its mandatory rules are the simple security property (a subject may not read an object at a higher security level) and the *-property (a subject may not write to an object at a lower security level). The invention combines the BLP model with host security protection, which considerably raises the security level of the host.
Optionally, after the step of intercepting access actions that violate the security protection policy, the method further includes:
responding to legal access actions, a legal access action being an access action that does not violate the security protection policy.
Optionally, a legal access action is responded to as follows:
finding the safe behavior corresponding to the legal access action in the security behavior whitelist;
mapping the safe behavior corresponding to the legal access action to a state change, the state change being one of the following eleven: (1) creating or migrating in a virtual machine, (2) deleting or migrating out a virtual machine, (3) starting or shutting down a virtual machine, (4) a virtual machine running normally, (5) recording a virtual machine log, (6) viewing a virtual machine log, (7) pausing a virtual machine or resuming it from pause, (8) suspending a virtual machine or resuming it from suspension, (9) soft-rebooting a virtual machine, (10) hard-rebooting a virtual machine, (11) modifying a virtual machine;
finding the transformation rules corresponding to the state change according to Table 1,
the meaning of each transformation rule in Table 1 being as shown in Table 2 below:
performing actions according to the transformation rules;
feeding back the execution result of the actions to the initiator of the legal access action.
In addition, the invention also provides a host security protection device, including:
an acquisition module for obtaining virtualization software information from the host, the virtualization software information including the type and version of the virtualization software;
an issuing module for issuing a corresponding security protection policy to the host according to the virtualization software information;
a monitoring module for monitoring, in the virtual machine monitor, the access actions initiated by virtual machines on the host;
an interception module for intercepting access actions that violate the security protection policy.
Optionally, the device further includes:
a security baseline module for storing the security behavior whitelist used as the security protection policy, the whitelist including the behavior information corresponding to each safe behavior, and the behavior information including the behavior subject, the behavior object, and the process, port, service and driver involved in the behavior.
Optionally, the interception module further includes:
an action message submodule for determining the action message of the access action, the action message including the subject and object of the access action, its read/write attribute, its execute attribute and its control attribute;
an access information submodule for obtaining the access information of the access action from the action message, the access information including the subject and object of the access action and the process, port, service and driver involved;
a judging submodule for judging, according to the access information, the legitimacy of the access action by traversing the security behavior whitelist;
an interception execution submodule for intercepting illegal access actions.
Optionally, the device further includes:
a response module for responding to legal access actions, a legal access action being an access action that does not violate the security protection policy.
Optionally, the response module further includes:
a safe behavior submodule for finding, in the security behavior whitelist, the safe behavior corresponding to the legal access action;
a state change submodule for mapping the safe behavior corresponding to the legal access action to a state change, the state change being one of the following eleven: (1) creating or migrating in a virtual machine, (2) deleting or migrating out a virtual machine, (3) starting or shutting down a virtual machine, (4) a virtual machine running normally, (5) recording a virtual machine log, (6) viewing a virtual machine log, (7) pausing a virtual machine or resuming it from pause, (8) suspending a virtual machine or resuming it from suspension, (9) soft-rebooting a virtual machine, (10) hard-rebooting a virtual machine, (11) modifying a virtual machine;
a transformation rule submodule for finding the transformation rules corresponding to the state change according to Table 1,
the meaning of each transformation rule in Table 1 being as shown in Table 2 below:
an action execution submodule for performing actions according to the transformation rules;
a feedback submodule for feeding back the execution result of the actions to the initiator of the legal access action.
As can be seen from the above, the beneficial effects of the invention are:
Detailed description of embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in more detail below with reference to specific embodiments and to the accompanying drawings.
Fig. 1 shows a host security protection method that can be applied to a hypervisor. It includes the following steps:
Step 101: obtaining virtualization software information from the host, the virtualization software information including the type and version of the virtualization software;
Step 102: issuing a corresponding security protection policy to the host according to the virtualization software information;
Step 103: monitoring, in the virtual machine monitor, the access actions initiated by virtual machines on the host;
Step 104: intercepting access actions that violate the security protection policy.
The method of this embodiment associates the access actions of virtual machines with the type and version number of the virtualization software, judges the security of each action by monitoring the virtual machine access actions, and intercepts unsafe behavior in time. Its logic is simple, it is easy to implement and its results are reliable, and it can provide comprehensive protection for the host and the virtualization software without modifying existing hypervisor code.
On the basis of the above example, the security protection policy can use a security behavior whitelist, which includes the behavior information corresponding to each safe behavior; specifically, the behavior information includes the behavior subject, the behavior object, and the process, port, service and driver involved in the behavior. The steps of this example are still as shown in Fig. 1.
A whitelist is easy to maintain, easy to upgrade and simple to implement. Judging whether a behavior of the virtualization software is safe by means of a whitelist keeps the decision procedure simple and reliable, so that illegal behavior can be detected as it occurs and blocked in time, which substantially improves the security of the host and of the virtualization system. The caveat is that the whitelist must be both complete and correct: any legitimate behavior missing from it is blocked, and any behavior wrongly admitted to it is trusted, which is why the policy issued in step 102 is tied to the exact type and version of the virtualization software on the host.
Fig. 2 is the detailed flow of step 104 in Fig. 1, which includes:
Step 1041: determining the action message of the access action. The action message includes the subject and object of the access action, its read/write attribute, its execute attribute and its control attribute, and may further include a field, still to be filled in, that indicates whether the current rule is in force. The whole action message can be formatted as [SID, OID, R, A, W, E*, C*, FLAG], where SID and OID are the ID numbers of the subject (the number of the virtual machine initiating the access) and of the object (the number of the virtual machine being accessed); R, A, W, E* and C* are the read-only, write-only, read-write, execute and control attributes, each taking the value 0 or 1, where 1 means permitted and 0 means refused; and FLAG indicates whether the current rule is in force, 1 meaning in force and 0 not in force, FLAG being the field that is yet to be filled in at this point.
Step 1042: obtaining the access information of the access action from the action message. The access information includes the subject and object of the access action and the process, port, service and driver involved, and can be formatted as [SID, OID, PR, PO, S, D, FLAG], where SID and OID are as above and PR, PO, S and D are the numbers of the process, port, service and driver that the access involves, each represented as a 5-bit binary number (so at most 32 distinct numbers per field).
Step 1043: judging, according to the access information, the legitimacy of the access action by traversing the security behavior whitelist.
Step 1044: intercepting the access action if it is illegal.
In this embodiment the security behavior whitelist is in effect a security baseline that draws a clear line between safe and unsafe behavior. In addition, the interception mode of this example is based on the rules of the BLP model, which is logically rigorous and can be formalized, is realized through both discretionary and mandatory access control, and can handle relations such as inheritance and transfer of rights, thereby providing a security guarantee for access control in large-scale systems.
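The interception flow of steps 1041 to 1044, together with the BLP rules the preceding paragraph relies on, as an added, runnable example that is not part of the patent or of any product. It encodes the action message and the access information in the [SID, OID, R, A, W, E*, C*, FLAG] and [SID, OID, PR, PO, S, D, FLAG] formats, packs the four 5-bit fields, traverses a whitelist, applies the BLP simple security and *-properties to the read/write bits, and fills in FLAG from the verdict. The virtual machine numbers, whitelist entries and BLP security levels are constructed for illustration, and the placement of the 5-bit fields inside the packed word is an assumption, since the page gives the field widths but not a bit layout.

```python
"""Whitelist traversal over [SID, OID, PR, PO, S, D, FLAG] access information, with a BLP
check on the [SID, OID, R, A, W, E*, C*, FLAG] action message. Added example; the VM
numbers, whitelist entries, security levels and bit layout are assumptions."""
from dataclasses import dataclass, replace
from typing import Iterable, Tuple

FIELD_BITS = 5                     # PR, PO, S and D are each 5-bit numbers on the page
FIELD_MAX = (1 << FIELD_BITS) - 1  # so at most 32 distinct values (0..31) per field


@dataclass(frozen=True)
class ActionMessage:
    """[SID, OID, R, A, W, E*, C*, FLAG]; attributes are 0/1, FLAG is filled after the decision."""
    sid: int
    oid: int
    r: int = 0     # read-only
    a: int = 0     # write-only
    w: int = 0     # read-write
    e: int = 0     # execute
    c: int = 0     # control
    flag: int = 0  # 1 = rule in force


@dataclass(frozen=True)
class AccessInfo:
    """[SID, OID, PR, PO, S, D, FLAG]; PR, PO, S, D are process/port/service/driver numbers."""
    sid: int
    oid: int
    pr: int
    po: int
    s: int
    d: int
    flag: int = 1


def pack_fields(info: AccessInfo) -> int:
    """Pack PR, PO, S, D into one 20-bit word, PR in the top 5 bits (layout assumed).
    Rejects values that do not fit in 5 bits instead of silently truncating them."""
    for name, value in (("PR", info.pr), ("PO", info.po), ("S", info.s), ("D", info.d)):
        if not 0 <= value <= FIELD_MAX:
            raise ValueError(f"{name}={value} does not fit in {FIELD_BITS} bits")
    return (info.pr << 15) | (info.po << 10) | (info.s << 5) | info.d


def unpack_fields(word: int) -> Tuple[int, int, int, int]:
    """Inverse of pack_fields: returns (PR, PO, S, D)."""
    return ((word >> 15) & FIELD_MAX, (word >> 10) & FIELD_MAX,
            (word >> 5) & FIELD_MAX, word & FIELD_MAX)


# Constructed security baseline: each entry is one safe behavior the baseline module stores.
WHITELIST: Tuple[AccessInfo, ...] = (
    AccessInfo(sid=1, oid=2, pr=3, po=22, s=4, d=7, flag=1),
    AccessInfo(sid=2, oid=1, pr=5, po=16, s=4, d=7, flag=1),
    AccessInfo(sid=3, oid=1, pr=9, po=1, s=2, d=3, flag=0),  # stored but not in force
)

# Assumed BLP security level per virtual machine number (higher = more sensitive).
LEVELS = {1: 2, 2: 1, 3: 2}


def in_whitelist(info: AccessInfo, whitelist: Iterable[AccessInfo] = WHITELIST) -> bool:
    """Step 1043: traverse the whitelist; a match must agree on every field and be in force."""
    key = (info.sid, info.oid, info.pr, info.po, info.s, info.d)
    for entry in whitelist:
        if entry.flag == 1 and (entry.sid, entry.oid, entry.pr, entry.po, entry.s, entry.d) == key:
            return True
    return False


def blp_permits(msg: ActionMessage, levels=LEVELS) -> bool:
    """BLP mandatory rules on the read/write bits: simple security (no read up) and the
    *-property (no write down). A read-write access therefore needs equal levels."""
    ls, lo = levels[msg.sid], levels[msg.oid]
    reads = msg.r or msg.w
    writes = msg.a or msg.w
    if reads and ls < lo:
        return False
    if writes and ls > lo:
        return False
    return True


def decide(msg: ActionMessage, info: AccessInfo,
           whitelist=WHITELIST, levels=LEVELS) -> Tuple[str, ActionMessage]:
    """Steps 1041-1044: returns the verdict and the action message with FLAG filled in
    (1 when an in-force whitelist rule admits the action, otherwise 0)."""
    if (msg.sid, msg.oid) != (info.sid, info.oid):
        raise ValueError("action message and access information disagree on subject/object")
    if not blp_permits(msg, levels):
        verdict = "intercept:blp"
    elif not in_whitelist(info, whitelist):
        verdict = "intercept:not-whitelisted"
    else:
        verdict = "allow"
    return verdict, replace(msg, flag=1 if verdict == "allow" else 0)


if __name__ == "__main__":
    # Constructed access: VM 1 (level 2) reads VM 2 (level 1) over a whitelisted path.
    msg = ActionMessage(sid=1, oid=2, r=1)
    info = AccessInfo(sid=1, oid=2, pr=3, po=22, s=4, d=7)
    print(decide(msg, info), hex(pack_fields(info)))
```

The BLP check runs before the whitelist traversal so that an entry mistakenly admitted to the baseline cannot override the mandatory rules; an entry whose FLAG is 0 is kept in the list but grants nothing, which lets an operator stage or retire a rule without deleting it.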
Fig. 3 shows another host security protection method, which includes the following steps:
Step 301: obtaining virtualization software information from the host, the virtualization software information including the type and version of the virtualization software;
Step 302: issuing a corresponding security behavior whitelist to the host according to the virtualization software information;
Step 303: monitoring, in the virtual machine monitor, the access actions initiated by virtual machines on the host;
Step 304: intercepting access actions that fall outside the actions contained in the security behavior whitelist;
Step 305: responding to the legal access actions that are contained in the security behavior whitelist.
This example adds a response step, which makes the security protection method more complete.
Fig. 4 shows the detailed flow of step 305 in Fig. 3, which includes:
Step 3051: finding the safe behavior corresponding to the legal access action in the security behavior whitelist.
Step 3052: mapping the safe behavior corresponding to the legal access action to a state change, the state change being one of the following eleven: (1) creating or migrating in a virtual machine, (2) deleting or migrating out a virtual machine, (3) starting or shutting down a virtual machine, (4) a virtual machine running normally, (5) recording a virtual machine log, (6) viewing a virtual machine log, (7) pausing a virtual machine or resuming it from pause, (8) suspending a virtual machine or resuming it from suspension, (9) soft-rebooting a virtual machine, (10) hard-rebooting a virtual machine, (11) modifying a virtual machine.
These eleven state changes can be grouped into four classes of state transition: 1) a virtual machine going from non-existent to existing or from existing to non-existent, for example creating/deleting a virtual machine or migrating a virtual machine in/out; 2) a change of the virtual machine's state, for example starting, shutting down, pausing or rebooting; 3) an adjustment of the virtual machine's resources, for example adjusting the memory or disk size of a virtual machine; 4) a system call or resource request issued from inside the virtual machine, for example the virtual machine creating/deleting a file or reading a log.
All eleven state changes are well known to those skilled in the art, so the mapping from a safe behavior to a state change can likewise be made by those skilled in the art from their own knowledge.
Step 3053: finding the transformation rules corresponding to the state change according to Table 1,
the meaning of each transformation rule in Table 1 being as shown in Table 2 below:
It is readily seen that a transformation rule is a more concrete action than a state change and can be executed directly by the virtualization software as an instruction.
Step 3054: performing actions according to the above transformation rules.
Step 3055: feeding back the execution result of the actions to the initiator of the legal access action.
The method of this embodiment translates a legal access action, through several mapping and conversion steps, into concrete transformation rules, which makes it easy for the virtualization software to execute the corresponding commands.
Fig. 5 shows a block diagram of a host security protection device, which includes:
an acquisition module 501 for obtaining virtualization software information from the host, the virtualization software information including the type and version of the virtualization software;
an issuing module 502 for issuing a corresponding security protection policy to the host according to the virtualization software information;
a monitoring module 503 for monitoring, in the virtual machine monitor, the access actions initiated by virtual machines on the host;
an interception module 504 for intercepting access actions that violate the security protection policy.
As a further embodiment, still as shown in Fig. 5, the above device further includes:
a security baseline module 505 for storing the security behavior whitelist used as the security protection policy, the whitelist including the behavior information corresponding to each safe behavior, and the behavior information including the behavior subject, the behavior object, and the process, port, service and driver involved in the behavior.
Fig. 6 is a block diagram of the interception module in Fig. 5, which includes:
an action message submodule 5041 for determining the action message of the access action, the action message including the subject and object of the access action, its read/write attribute, its execute attribute and its control attribute;
an access information submodule 5042 for obtaining the access information of the access action from the action message, the access information including the subject and object of the access action and the process, port, service and driver involved;
a judging submodule 5043 for judging, according to the access information, the legitimacy of the access action by traversing the security behavior whitelist;
an interception execution submodule 5044 for intercepting illegal access actions.
Fig. 7 is a block diagram of another host security protection device, which includes:
an acquisition module 701 for obtaining virtualization software information from the host, the virtualization software information including the type and version of the virtualization software;
an issuing module 702 for issuing a corresponding security protection policy to the host according to the virtualization software information;
a monitoring module 703 for monitoring, in the virtual machine monitor, the access actions initiated by virtual machines on the host;
an interception module 704 for intercepting access actions that violate the security protection policy;
a security baseline module 705 for storing the security behavior whitelist used as the security protection policy;
a response module 706 for responding to legal access actions, a legal access action being an access action that does not violate the security protection policy.
Fig. 8 is a block diagram of the response module in Fig. 7, which includes:
a safe behavior submodule 7051 for finding, in the security behavior whitelist, the safe behavior corresponding to the legal access action;
a state change submodule 7052 for mapping the safe behavior corresponding to the legal access action to a state change, the state change being one of the following eleven: (1) creating or migrating in a virtual machine, (2) deleting or migrating out a virtual machine, (3) starting or shutting down a virtual machine, (4) a virtual machine running normally, (5) recording a virtual machine log, (6) viewing a virtual machine log, (7) pausing a virtual machine or resuming it from pause, (8) suspending a virtual machine or resuming it from suspension, (9) soft-rebooting a virtual machine, (10) hard-rebooting a virtual machine, (11) modifying a virtual machine;
a transformation rule submodule 7053 for finding the transformation rules corresponding to the state change according to Table 1,
the meaning of each transformation rule in Table 1 being as shown in Table 2 below:
an action execution submodule 7054 for performing actions according to the transformation rules;
a feedback submodule 7055 for feeding back the execution result of the actions to the initiator of the legal access action.
The devices of the above embodiments are used to implement the corresponding methods of the preceding embodiments and have the beneficial effects of the corresponding method embodiments, which are not repeated here.
Those of ordinary skill in the art should be understood:The discussion of any of the above embodiment is exemplary only, not
It is intended to imply that the scope of the present disclosure (including claim) is limited to these examples;Under thinking of the invention, above example
Or can also be combined between the technical characteristic in different embodiments, step can be realized with random order, and be existed such as
Many other changes of upper described different aspect of the invention, for simplicity, they are provided not in details.
In addition, to simplify explanation and discussing, and in order to obscure the invention, can in the accompanying drawing for being provided
To show or can not show to be connected with the known power ground of integrated circuit (IC) chip and other parts.Furthermore, it is possible to
Device is shown in block diagram form, to avoid obscuring the invention, and this have also contemplated that following facts, i.e., on this
The details of the implementation method of a little block diagram arrangements is to depend highly on to implement platform of the invention (that is, these details should
It is completely in the range of the understanding of those skilled in the art).Elaborating that detail (for example, circuit) is of the invention to describe
In the case of exemplary embodiment, it will be apparent to those skilled in the art that can be without these details
In the case of or implement the present invention in the case that these details are changed.Therefore, these descriptions are considered as explanation
Property rather than restricted.
Embodiments of the invention be intended to fall within the broad range of appended claims it is all such replace,
Modification and modification.Therefore, all any omission, modification, equivalent, improvement within the spirit and principles in the present invention, made
Deng all should be included within protection scope of the present invention.