CN106778258A - Host security protection method and device - Google Patents


Publication number
CN106778258A
Authority
CN
China
Prior art keywords
virtual machine
access
action
behavior
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611119134.0A
Other languages
Chinese (zh)
Inventor
张春光
李祉岐
孙磊
刘芮彤
刘晓蕾
曹明明
焦腾
宋洁
石佳磊
唐甜田
李�杰
苏国华
段红超
杨璐羽
范维
杨滢璇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd
Beijing China Power Information Technology Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd
Beijing Guodiantong Network Technology Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd, Electric Power Research Institute of State Grid Liaoning Electric Power Co Ltd, Beijing Guodiantong Network Technology Co Ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a host security protection method and device, belonging to the field of virtualization technology. The method includes the steps of acquiring virtualization software information, issuing a security protection policy, monitoring virtual machine access actions, and intercepting illegal actions. The invention associates a virtual machine's access actions with the type and version of the virtualization software, judges the security of each action by monitoring the virtual machine's actions, and intercepts unsafe behavior in time. It has the advantages of simple logic, easy implementation and reliable results, and can provide full protection to the host and the virtualization software without changing existing Hypervisor code. It takes a different route from the prior art and is a significant improvement over it.

Description

Host security protection method and device
Technical field
The present invention relates to the field of virtualization technology, and in particular to a host security protection method and device.
Background
Virtualization technology can virtualize one computer into many logical computers, so that multiple logical computers can run simultaneously on one physical computer. Each logical computer can run a different operating system, and applications can run in separate spaces without affecting one another, which significantly improves the operating efficiency of the computer. Virtualization technology repartitions computing resources in software. It enables dynamic allocation, flexible scheduling and cross-domain sharing of computing resources, improves their utilization, turns computing resources into genuine social infrastructure, and serves the flexible and changing application demands of all industries.
Current virtualization technologies all commonly use a software intermediate layer called the Hypervisor. The Hypervisor, also called the virtual machine monitor (Virtual Machine Monitor), is an intermediate layer running between the physical server and the operating systems. It lets multiple operating systems or applications share one set of underlying physical hardware, and it is the "meta" operating system of the virtual environment, responsible for coordinating access to all physical devices and virtual machines on the server. The Hypervisor is the core of all virtualization technologies. Supporting the migration of multiple workloads without interruption is a basic function of the Hypervisor. When the server starts and executes the Hypervisor, it allocates the appropriate memory, CPU, network and disk to each virtual machine and loads the guest operating systems of all virtual machines. Mainstream virtualization products currently on the market include VMware's vSphere, Microsoft's Hyper-V, Citrix's XenServer, IBM's PowerVM, Red Hat's Virtualization, Huawei's FusionSphere, and the open-source KVM, Xen, VirtualBSD, etc.
Combining virtualization technology with the cloud forms a virtualization platform based on a server cluster, in which every server is a host; this model puts the idea of IaaS (Infrastructure as a Service) into practice well. Although virtualization technology can shield the transfer of information between different virtual machines, such a platform still has serious security risks because of security vulnerabilities inherent in the Hypervisor. Once an intruder is able to access the physical host, the intruder can carry out various forms of attack on the virtual machines, such as using specific hot keys to kill virtual machine processes, monitoring virtual machine resource usage, shutting down virtual machines, forcibly deleting virtual machines, or stealing virtual machine image files via floppy drive, CD-ROM drive, USB and the like.
It can be seen that, in the prior art, the security risk to the host is a problem that urgently needs to be solved.
Summary of the invention
In view of this, the object of the present invention is to propose a host security protection method and device that can improve the security state of the host and discover and stop external security attacks on the host in time.
Based on the above object, the technical solution provided by the present invention is:
A host security protection method, comprising the following steps:
Obtaining the virtualization software information of the host, the virtualization software information including the type and version of the virtualization software;
Issuing a corresponding security protection policy to the host according to the virtualization software information;
Monitoring, through the virtual machine monitor, the access actions initiated by virtual machines on the host;
Intercepting access actions that violate the security protection policy.
Optionally, the security protection policy is a safe behavior whitelist. The whitelist includes the behavior information corresponding to each safe behavior; the behavior information includes the behavior subject, the behavior object, the process involved in the behavior, the port involved in the behavior, the service involved in the behavior and the driver involved in the behavior.
A safe whitelist is easy to maintain, easy to upgrade and simple to implement. Using a whitelist to judge whether the behavior of the virtualization software is safe keeps the judgment process simple and reliable, so that illegal behavior is effectively monitored and stopped in time, fully ensuring the security of the host and the virtualization system.
Optionally, access actions that violate the security protection policy are intercepted as follows:
Determining the action information of the access action, the action information including the subject, object, read-write attribute, execute attribute and control attribute of the access action;
Obtaining the access information of the access action according to the action information, the access information including the subject, object, involved process, involved port, involved service and involved driver of the access action;
Judging, according to the access information, the legitimacy of the access action by traversing the safe behavior whitelist;
Intercepting illegal access actions.
It is easy to understand that the subject is the initiator of the action and the object is the target the action operates on; processes, ports, services and drivers can all be represented by numbers. In addition, the read-write attribute has three values, "read-only", "write-only" and "read-write", while the execute attribute and the control attribute each have only two values, "allowed" and "not allowed". In general, the read-write attribute can be split into the three sub-attributes "read-only", "write-only" and "read-write", so that "read-only", "write-only", "read-write", "execute attribute" and "control attribute" each take only the two values 0 and 1.
This interception approach is based on the rules of the BLP model. The BLP (Bell-LaPadula) model is a security model named after its proposers David Bell and Leonard LaPadula. It is logically rigorous and can be formalized. It is implemented on the basis of two mechanisms, discretionary access control and mandatory access control, and can handle relationships such as the inheritance and transfer of rights, thereby providing a security guarantee for access control in large-scale systems. The present invention creatively combines the BLP model with host security protection, greatly raising the security level of the host.
Optionally, after the step of intercepting access actions that violate the security protection policy, the method further includes:
Responding to legitimate access actions, a legitimate access action being an access action that does not violate the security protection policy.
Optionally, legitimate access actions are responded to as follows:
Finding the safe behavior corresponding to the legitimate access action in the safe behavior whitelist;
Mapping the safe behavior corresponding to the legitimate access action to a state change, the state change being one of the following eleven: (1) create or migrate in a virtual machine, (2) delete or migrate out a virtual machine, (3) start or shut down a virtual machine, (4) virtual machine running normally, (5) record the virtual machine log, (6) view the virtual machine log, (7) pause a virtual machine or resume it from pause, (8) suspend a virtual machine or resume it from suspension, (9) soft-reboot a virtual machine, (10) hard-reboot a virtual machine, (11) modify a virtual machine;
Transition rule submodule, for finding, according to Table 1, the transition rules corresponding to the state change,
The meaning of each transition rule in Table 1 is shown in Table 2 below:
Performing the action according to the above transition rules;
Feeding the execution result of the action back to the initiator of the legitimate access action.
In addition, the present invention also provides a host security protection device, comprising:
An acquisition module, for obtaining the virtualization software information of the host, the virtualization software information including the type and version of the virtualization software;
An issuing module, for issuing a corresponding security protection policy to the host according to the virtualization software information;
A monitoring module, for monitoring, through the virtual machine monitor, the access actions initiated by virtual machines on the host;
An interception module, for intercepting access actions that violate the security protection policy.
Optionally, the device further includes:
A security baseline module, for storing the safe behavior whitelist that serves as the security protection policy. The whitelist includes the behavior information corresponding to each safe behavior; the behavior information includes the behavior subject, the behavior object, the process involved in the behavior, the port involved in the behavior, the service involved in the behavior and the driver involved in the behavior.
Optionally, the interception module further includes:
An action information submodule, for determining the action information of the access action, the action information including the subject, object, read-write attribute, execute attribute and control attribute of the access action;
An access information submodule, for obtaining the access information of the access action according to the action information, the access information including the subject, object, involved process, involved port, involved service and involved driver of the access action;
A judging submodule, for judging, according to the access information, the legitimacy of the access action by traversing the safe behavior whitelist;
An interception execution submodule, for intercepting illegal access actions.
Optionally, the device further includes:
A response module, for responding to legitimate access actions, a legitimate access action being an access action that does not violate the security protection policy.
Optionally, the response module further includes:
A safe behavior submodule, for finding the safe behavior corresponding to the legitimate access action in the safe behavior whitelist;
A state change submodule, for mapping the safe behavior corresponding to the legitimate access action to a state change, the state change being one of the following eleven: (1) create or migrate in a virtual machine, (2) delete or migrate out a virtual machine, (3) start or shut down a virtual machine, (4) virtual machine running normally, (5) record the virtual machine log, (6) view the virtual machine log, (7) pause a virtual machine or resume it from pause, (8) suspend a virtual machine or resume it from suspension, (9) soft-reboot a virtual machine, (10) hard-reboot a virtual machine, (11) modify a virtual machine;
Finding, according to Table 1, the transition rules corresponding to the state change,
The meaning of each transition rule in Table 1 is shown in Table 2 below:
An action execution submodule, for performing the action according to the transition rules;
A feedback submodule, for feeding the execution result of the action back to the initiator of the legitimate access action.
As can be seen from the above, the beneficial effects of the present invention are:
The prior art generally improves the security of virtualization software by strengthening either the Hypervisor's own security or its defensive capability. However, approaches that strengthen the Hypervisor's own security, whether by building a lightweight Hypervisor or by using trusted technology to protect the Hypervisor's integrity, are quite difficult to realize technically, and some even require modifying the Hypervisor, which makes them poorly suited to large-scale virtualization deployment and protection. As for approaches that improve the Hypervisor's defensive capability, the prior art cannot yet provide comprehensive security protection for the Hypervisor.
The present invention associates a virtual machine's access actions with the type and version number of the virtualization software, judges the security of each action by monitoring the virtual machine's access actions, and intercepts unsafe behavior in time. It has the advantages of simple logic, easy implementation and reliable results, and can provide full protection to the host and the virtualization software without changing existing Hypervisor code. It takes a different route from the prior art and is a significant improvement over it.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of one embodiment of the method of the present invention;
Fig. 2 is a flow chart of step 104 in Fig. 1;
Fig. 3 is a flow chart of another embodiment of the method of the present invention;
Fig. 4 is a flow chart of step 305 in Fig. 1;
Fig. 5 is a structural block diagram of one embodiment of the device of the present invention;
Fig. 6 is a structural block diagram of the interception module in Fig. 5;
Fig. 7 is a structural block diagram of another embodiment of the device of the present invention;
Fig. 8 is a structural block diagram of the response module in Fig. 7.
Detailed description of the embodiments
To make the object, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to specific embodiments and the accompanying drawings.
Fig. 1 shows a host security protection method, which can be applied to a Hypervisor and includes the following steps:
Step 101, obtain the virtualization software information of the host, the virtualization software information including the type and version of the virtualization software;
Step 102, issue a corresponding security protection policy to the host according to the virtualization software information;
Step 103, monitor, through the virtual machine monitor, the access actions initiated by virtual machines on the host;
Step 104, intercept access actions that violate the security protection policy.
The method of this embodiment associates a virtual machine's access actions with the type and version number of the virtualization software, judges the security of each action by monitoring the virtual machine's access actions, and intercepts unsafe behavior in time. It has the advantages of simple logic, easy implementation and reliable results, and can provide full protection to the host and the virtualization software without changing existing Hypervisor code.
Building on the above example, the security protection policy can be a safe behavior whitelist, which includes the behavior information corresponding to each safe behavior. Specifically, the behavior information includes the behavior subject, the behavior object, the process involved in the behavior, the port involved in the behavior, the service involved in the behavior and the driver involved in the behavior. The steps of this example are still as shown in Fig. 1.
A safe whitelist is easy to maintain, easy to upgrade and simple to implement. Using a whitelist to judge whether the behavior of the virtualization software is safe keeps the judgment process simple and reliable, so that illegal behavior is effectively monitored and stopped in time, fully ensuring the security of the host and the virtualization system.
Fig. 2 is a detailed flow chart of step 104 in Fig. 1, which includes:
Step 1041, determine the action information of the access action. The action information includes the subject, object, read-write attribute, execute attribute and control attribute of the access action, and may also include a to-be-filled item indicating whether the current rule takes effect. The whole action information can be formatted as [SID, OID, R, A, W, E*, C*, FLAG], where SID and OID are the ID numbers of the subject (the number of the virtual machine initiating the access) and the object (the number of the virtual machine being accessed) respectively; R, A, W, E* and C* represent the read-only, write-only, read-write, execute and control attributes respectively, each taking one of the two values 0 and 1, where 1 means allow and 0 means deny; FLAG indicates whether the current rule takes effect, where 1 means it takes effect and 0 means it does not, and at this point FLAG is still to be filled in;
Step 1042, obtain the access information of the access action according to the action information. The access information includes the subject, object, involved process, involved port, involved service and involved driver of the access action. The access information can be formatted as [SID, OID, PR, PO, S, D, FLAG], where SID and OID are the ID numbers of the subject (the number of the virtual machine initiating the access) and the object (the number of the virtual machine being accessed) respectively, and PR, PO, S and D are the numbers of the process (represented with 5 binary digits), port (represented with 5 binary digits), service (represented with 5 binary digits) and driver (represented with 5 binary digits) that the access needs to involve;
Step 1043, according to the access information, judge the legitimacy of the access action by traversing the safe behavior whitelist;
Step 1044, intercept illegal access actions.
In this embodiment, the safe behavior whitelist acts as a security baseline that draws a clear line between safe and unsafe behavior. In addition, the interception approach of this example is based on the rules of the BLP model, which is logically rigorous and can be formalized. It is implemented on the basis of two mechanisms, discretionary access control and mandatory access control, and can handle relationships such as the inheritance and transfer of rights, thereby providing a security guarantee for access control in large-scale systems.
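The whitelist check of steps 101 to 104 and 1042 to 1044 can be sketched as follows. This is an added example, not code from the patent: the policy table, the version strings, all numeric values and the function names are constructed, and using FLAG to carry the verdict (1 = legitimate, 0 = intercepted) and denying everything when no policy exists for a software version are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

FIELD_MAX = 0b11111  # PR, PO, S and D are each described as 5-bit numbers


@dataclass(frozen=True)
class AccessInfo:
    """Access information [SID, OID, PR, PO, S, D, FLAG] from step 1042."""
    sid: int                    # subject: number of the VM initiating the access
    oid: int                    # object: number of the VM being accessed
    pr: int                     # process number
    po: int                     # port number
    s: int                      # service number
    d: int                      # driver number
    flag: Optional[int] = None  # assumption: filled in by judge(), 1 = legitimate

    def __post_init__(self):
        # Reject values that cannot be encoded in the 5-bit fields.
        for name in ("pr", "po", "s", "d"):
            value = getattr(self, name)
            if not 0 <= value <= FIELD_MAX:
                raise ValueError(f"{name}={value} does not fit in 5 bits")

    def key(self):
        """The tuple compared against whitelist entries."""
        return (self.sid, self.oid, self.pr, self.po, self.s, self.d)


# Constructed sample policies, keyed by (virtualization software type, version).
# Each entry is one safe behavior: (subject, object, process, port, service, driver).
POLICIES = {
    ("KVM", "2.6"): [
        (1, 2, 3, 22, 4, 0),
        (2, 1, 3, 22, 4, 0),
    ],
    ("Xen", "4.7"): [
        (1, 2, 7, 9, 1, 5),
    ],
}


def issue_policy(hv_type, hv_version):
    """Steps 101-102: select the whitelist for this virtualization software.

    Assumption: an unknown type/version gets an empty whitelist (deny all).
    """
    return list(POLICIES.get((hv_type, hv_version), []))


def judge(access, whitelist):
    """Step 1043: traverse the whitelist and fill in FLAG."""
    for entry in whitelist:
        if entry == access.key():
            return replace(access, flag=1)
    return replace(access, flag=0)


def monitor(hv_type, hv_version, observed):
    """Steps 103 and 1044: split observed accesses into (allowed, intercepted)."""
    whitelist = issue_policy(hv_type, hv_version)
    allowed, intercepted = [], []
    for access in observed:
        judged = judge(access, whitelist)
        (allowed if judged.flag == 1 else intercepted).append(judged)
    return allowed, intercepted


# Constructed sample of monitored access actions.
SAMPLE = [
    AccessInfo(1, 2, 3, 22, 4, 0),  # matches a KVM 2.6 whitelist entry
    AccessInfo(1, 2, 3, 23, 4, 0),  # same subject/object, different port
    AccessInfo(3, 1, 3, 22, 4, 0),  # subject not present in any entry
]

if __name__ == "__main__":
    for hv in [("KVM", "2.6"), ("Xen", "4.7"), ("KVM", "9.9")]:
        ok, blocked = monitor(*hv, SAMPLE)
        print(hv, "allowed:", [a.key() for a in ok],
              "intercepted:", [b.key() for b in blocked])
```

The same three access actions give different verdicts per virtualization software type and version, which is the association the method relies on.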
Fig. 3 shows another host security protection method, which includes the following steps:
Step 301, obtain the virtualization software information of the host, the virtualization software information including the type and version of the virtualization software;
Step 302, issue a corresponding safe behavior whitelist to the host according to the virtualization software information;
Step 303, monitor, through the virtual machine monitor, the access actions initiated by virtual machines on the host;
Step 304, intercept access actions outside the actions contained in the safe behavior whitelist;
Step 305, respond to legitimate access actions contained in the safe behavior whitelist.
This example further adds a response step, making the security protection method more complete.
Fig. 4 shows the detailed flow of step 305 in Fig. 3, which includes:
Step 3051, find the safe behavior corresponding to the legitimate access action in the safe behavior whitelist.
Step 3052, map the safe behavior corresponding to the legitimate access action to a state change, the state change being one of the following eleven: (1) create or migrate in a virtual machine, (2) delete or migrate out a virtual machine, (3) start or shut down a virtual machine, (4) virtual machine running normally, (5) record the virtual machine log, (6) view the virtual machine log, (7) pause a virtual machine or resume it from pause, (8) suspend a virtual machine or resume it from suspension, (9) soft-reboot a virtual machine, (10) hard-reboot a virtual machine, (11) modify a virtual machine.
These eleven state changes fall into four classes of state transition: 1) a virtual machine coming into or going out of existence, for example creating/deleting a virtual machine or migrating a virtual machine in/out; 2) changes of virtual machine state, for example start, shut down, pause, reboot; 3) adjustment of virtual machine resources, for example adjusting a virtual machine's memory or hard disk size; 4) system calls and resource requests issued from inside a virtual machine, for example the virtual machine creating/deleting files or reading logs.
It is easy to see that the above eleven state changes are all well known to those skilled in the art, so the mapping from safe behavior to state change can also be made by those skilled in the art on the basis of their knowledge.
Step 3053, find, according to Table 1, the transition rules corresponding to the state change,
The meaning of each transition rule in Table 1 is shown in Table 2 below:
It is easy to see that a transition rule is an action more specific than a state change and can be executed directly by the virtualization software as an instruction.
Step 3054, perform the action according to the above transition rules.
Step 3055, feed the execution result of the action back to the initiator of the legitimate access action.
The method of this embodiment, through multiple mapping conversions, ultimately translates a legitimate access action into specific state transition rules, making it easy for the virtualization software to execute the corresponding commands.
Fig. 5 shows a structural block diagram of a host security protection device, which includes:
An acquisition module 501, for obtaining the virtualization software information of the host, the virtualization software information including the type and version of the virtualization software;
An issuing module 502, for issuing a corresponding security protection policy to the host according to the virtualization software information;
A monitoring module 503, for monitoring, through the virtual machine monitor, the access actions initiated by virtual machines on the host;
An interception module 504, for intercepting access actions that violate the security protection policy.
As a new embodiment, still as shown in Fig. 5, the above device further includes:
A security baseline module 505, for storing the safe behavior whitelist that serves as the security protection policy. The whitelist includes the behavior information corresponding to each safe behavior; the behavior information includes the behavior subject, the behavior object, the process involved in the behavior, the port involved in the behavior, the service involved in the behavior and the driver involved in the behavior.
Fig. 6 is a structural block diagram of the interception module in Fig. 5, which includes:
An action information submodule 5041, for determining the action information of the access action, the action information including the subject, object, read-write attribute, execute attribute and control attribute of the access action;
An access information submodule 5042, for obtaining the access information of the access action according to the action information, the access information including the subject, object, involved process, involved port, involved service and involved driver of the access action;
A judging submodule 5043, for judging, according to the access information, the legitimacy of the access action by traversing the safe behavior whitelist;
An interception execution submodule 5044, for intercepting illegal access actions.
Fig. 7 is a structural block diagram of another host security protection device, which includes:
An acquisition module 701, for obtaining the virtualization software information of the host, the virtualization software information including the type and version of the virtualization software;
An issuing module 702, for issuing a corresponding security protection policy to the host according to the virtualization software information;
A monitoring module 703, for monitoring, through the virtual machine monitor, the access actions initiated by virtual machines on the host;
An interception module 704, for intercepting access actions that violate the security protection policy;
A security baseline module 705, for storing the safe behavior whitelist that serves as the security protection policy;
A response module 706, for responding to legitimate access actions, a legitimate access action being an access action that does not violate the security protection policy.
Fig. 8 is a structural block diagram of the response module in Fig. 7, which includes:
A safe behavior submodule 7051, for finding the safe behavior corresponding to the legitimate access action in the safe behavior whitelist;
A state change submodule 7052, for mapping the safe behavior corresponding to the legitimate access action to a state change, the state change being one of the following eleven: (1) create or migrate in a virtual machine, (2) delete or migrate out a virtual machine, (3) start or shut down a virtual machine, (4) virtual machine running normally, (5) record the virtual machine log, (6) view the virtual machine log, (7) pause a virtual machine or resume it from pause, (8) suspend a virtual machine or resume it from suspension, (9) soft-reboot a virtual machine, (10) hard-reboot a virtual machine, (11) modify a virtual machine;
A transition rule submodule 7053, for finding, according to Table 1, the transition rules corresponding to the state change,
The meaning of each transition rule in Table 1 is shown in Table 2 below:
An action execution submodule 7054, for performing the action according to the transition rules;
A feedback submodule 7055, for feeding the execution result of the action back to the initiator of the legitimate access action.
The device of the above embodiment is used to implement the corresponding method of the preceding embodiments and has the beneficial effects of the corresponding method embodiment, which are not repeated here.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the disclosure (including the claims) is limited to these examples. Within the idea of the invention, the technical features of the above embodiments or of different embodiments may also be combined, the steps may be carried out in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
In addition, to simplify the description and discussion, and so as not to obscure the invention, well-known power/ground connections to integrated circuit (IC) chips and other components may or may not be shown in the provided drawings. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the invention, and this also takes into account the fact that details of the implementation of these block diagram arrangements are highly dependent on the platform on which the invention is to be implemented (that is, these details should be well within the understanding of those skilled in the art). Where specific details (for example, circuits) are set forth to describe exemplary embodiments of the invention, it will be apparent to those skilled in the art that the invention can be implemented without these specific details or with variations of them. Accordingly, these descriptions are to be regarded as illustrative rather than restrictive.
The embodiments of the invention are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. A host security protection method, characterized by comprising the following steps:
obtaining virtualization software information on the host, the virtualization software information including the type and version of the virtualization software;
issuing a corresponding security protection policy to the host according to the virtualization software information;
monitoring, through a virtual machine monitor, the access actions initiated by virtual machines on the host;
intercepting access actions that violate the security protection policy.
2. The host security protection method according to claim 1, characterized in that the security protection policy is a safe-behavior whitelist, the safe-behavior whitelist includes the behavior information corresponding to each safe behavior, and the behavior information includes the behavior subject, the behavior object, the process involved in the behavior, the port involved in the behavior, the service involved in the behavior and the driver involved in the behavior.
3. The host security protection method according to claim 2, characterized in that access actions that violate the security protection policy are intercepted as follows:
determining the action information of the access action, the action information including the subject, object, read-write attribute, execute attribute and control attribute of the access action;
obtaining the access information of the access action according to the action information, the access information including the subject, object, involved process, involved port, involved service and involved driver of the access action;
judging, according to the access information, the legality of the access action by traversing the safe-behavior whitelist;
intercepting illegal access actions.
4. The host security protection method according to claim 2, characterized in that, after the step of intercepting access actions that violate the security protection policy, the method further includes:
responding to a legal access action, a legal access action being an access action that does not violate the security protection policy.
5. The host security protection method according to claim 4, characterized in that the legal access action is responded to as follows:
finding, in the safe-behavior whitelist, the safe behavior corresponding to the legal access action;
mapping the safe behavior corresponding to the legal access action to a state change, the state change being one of the following eleven kinds: (1) create or migrate in a virtual machine, (2) delete or migrate out a virtual machine, (3) start or shut down a virtual machine, (4) virtual machine runs normally, (5) record the virtual machine log, (6) view the virtual machine log, (7) pause a virtual machine or resume it from pause, (8) suspend a virtual machine or resume it from suspension, (9) soft-reboot a virtual machine, (10) hard-reboot a virtual machine, (11) modify a virtual machine;
finding, according to Table 1, the several transformation rules corresponding to the state change,
where the meaning of each transformation rule in Table 1 is as shown in Table 2 below:
executing actions according to the several transformation rules;
feeding the execution result of the actions back to the initiator of the legal access action.
6. A host security protection device, characterized by including:
an acquisition module, configured to obtain virtualization software information on the host, the virtualization software information including the type and version of the virtualization software;
an issuing module, configured to issue a corresponding security protection policy to the host according to the virtualization software information;
a monitoring module, configured to monitor, through a virtual machine monitor, the access actions initiated by virtual machines on the host;
an interception module, configured to intercept access actions that violate the security protection policy.
7. The host security protection device according to claim 6, characterized by further including:
a security baseline module, configured to store the safe-behavior whitelist that serves as the security protection policy, the safe-behavior whitelist including the behavior information corresponding to each safe behavior, and the behavior information including the behavior subject, the behavior object, the process involved in the behavior, the port involved in the behavior, the service involved in the behavior and the driver involved in the behavior.
8. The host security protection device according to claim 7, characterized in that the interception module further includes:
an action-information submodule, configured to determine the action information of the access action, the action information including the subject, object, read-write attribute, execute attribute and control attribute of the access action;
an access-information submodule, configured to obtain the access information of the access action according to the action information, the access information including the subject, object, involved process, involved port, involved service and involved driver of the access action;
a judging submodule, configured to judge, according to the access information, the legality of the access action by traversing the safe-behavior whitelist;
an interception-execution submodule, configured to intercept illegal access actions.
9. The host security protection device according to claim 7, characterized by further including:
a response module, configured to respond to a legal access action, a legal access action being an access action that does not violate the security protection policy.
10. The host security protection device according to claim 9, characterized in that the response module further includes:
a safe-behavior submodule, configured to find, in the safe-behavior whitelist, the safe behavior corresponding to the legal access action;
a state-change submodule, configured to map the safe behavior corresponding to the legal access action to a state change, the state change being one of the following eleven kinds: (1) create or migrate in a virtual machine, (2) delete or migrate out a virtual machine, (3) start or shut down a virtual machine, (4) virtual machine runs normally, (5) record the virtual machine log, (6) view the virtual machine log, (7) pause a virtual machine or resume it from pause, (8) suspend a virtual machine or resume it from suspension, (9) soft-reboot a virtual machine, (10) hard-reboot a virtual machine, (11) modify a virtual machine;
a transformation-rule submodule, configured to find, according to Table 1, the several transformation rules corresponding to the state change,
where the meaning of each transformation rule in Table 1 is as shown in Table 2 below:
an action-execution submodule, configured to execute actions according to the several transformation rules;
a feedback submodule, configured to feed the execution result of the actions back to the initiator of the legal access action.
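The interception path of claims 1 to 3, sketched as an added Python example (not code from the patent): a whitelist is selected by virtualization software type and version, each monitored action is reduced to the six whitelist fields, and anything without an exact match is intercepted. All names, the policy store and the sample events are constructed for illustration, and giving an unknown type/version an empty whitelist is this example's assumption.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional

class Behavior(NamedTuple):
    """The six behavior-information fields of one whitelist entry (claim 2)."""
    subject: str
    obj: str
    process: str
    port: Optional[int]   # None: the behavior involves no port
    service: str
    driver: str

@dataclass(frozen=True)
class Action:
    """A monitored access action: action information plus observed context."""
    subject: str
    obj: str
    read_write: str       # "r", "w" or "rw"; not a whitelist field in claim 2
    execute: bool
    control: bool
    process: str
    port: Optional[int]
    service: str
    driver: str

# Constructed policy store: (virtualization software type, version) -> whitelist.
POLICIES = {
    ("kvm", "2.6"): [
        Behavior("vm-01", "disk:vm-01.qcow2", "qemu-kvm", None, "block-io", "virtio_blk"),
        Behavior("vm-01", "net:br0", "qemu-kvm", 443, "https", "virtio_net"),
    ],
}

def issue_policy(sw_type: str, version: str) -> list:
    """Whitelist for this hypervisor build; unknown builds get an empty one."""
    return POLICIES.get((sw_type.lower(), version), [])

def access_info(a: Action) -> Behavior:
    """Reduce the action to the six fields the whitelist is keyed on."""
    return Behavior(a.subject, a.obj, a.process, a.port, a.service, a.driver)

def is_legal(a: Action, whitelist: list) -> bool:
    """Traverse the whitelist; legal only if all six fields of an entry match."""
    info = access_info(a)
    return any(info == entry for entry in whitelist)

def enforce(actions, sw_type: str, version: str):
    """Split monitored actions into (allowed, intercepted) under the policy."""
    whitelist = issue_policy(sw_type, version)
    allowed, intercepted = [], []
    for a in actions:
        (allowed if is_legal(a, whitelist) else intercepted).append(a)
    return allowed, intercepted

# Constructed sample events: own disk, another VM's disk, unlisted port.
SAMPLE = [
    Action("vm-01", "disk:vm-01.qcow2", "rw", False, False, "qemu-kvm", None, "block-io", "virtio_blk"),
    Action("vm-01", "disk:vm-02.qcow2", "r", False, False, "qemu-kvm", None, "block-io", "virtio_blk"),
    Action("vm-01", "net:br0", "w", False, False, "qemu-kvm", 8080, "https", "virtio_net"),
]
```

Because the match is an exact comparison over all six fields, a single differing field (the object in the second event, the port in the third) is enough to intercept the action.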
CN201611119134.0A 2016-12-08 2016-12-08 A kind of host safety protecting method and device Pending CN106778258A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611119134.0A CN106778258A (en) 2016-12-08 2016-12-08 A kind of host safety protecting method and device

Publications (1)

Publication Number Publication Date
CN106778258A true CN106778258A (en) 2017-05-31

Family

ID=58881259

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611119134.0A Pending CN106778258A (en) 2016-12-08 2016-12-08 A kind of host safety protecting method and device

Country Status (1)

Country Link
CN (1) CN106778258A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103645949A (en) * 2013-12-12 2014-03-19 浪潮电子信息产业股份有限公司 Virtual machine dynamic migration security framework
CN103902885A (en) * 2014-03-04 2014-07-02 重庆邮电大学 Virtual machine security isolation system and method oriented to multi-security-level virtual desktop system
CN106156621A (en) * 2016-06-30 2016-11-23 北京奇虎科技有限公司 A kind of method and device detecting virtual machine escape

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109800570A (en) * 2018-12-29 2019-05-24 360企业安全技术(珠海)有限公司 A kind of safety protecting method and device of virtual platform
CN110086824A (en) * 2019-05-08 2019-08-02 苏州浪潮智能科技有限公司 A kind of adaptive configuring method, device and the equipment of virtual machine firewall policy
CN110086824B (en) * 2019-05-08 2021-10-15 苏州浪潮智能科技有限公司 Self-adaptive configuration method, device and equipment for firewall policy of virtual machine
CN112748987A (en) * 2021-01-19 2021-05-04 北京智仁智信安全技术有限公司 Behavior security processing method and device based on virtual host
CN112748987B (en) * 2021-01-19 2021-08-06 北京智仁智信安全技术有限公司 Behavior security processing method and device based on virtual host
CN114462038A (en) * 2021-12-31 2022-05-10 北京亿赛通科技发展有限责任公司 Security protection method, device, equipment and computer readable storage medium
CN114462038B (en) * 2021-12-31 2023-03-24 北京亿赛通科技发展有限责任公司 Security protection method, device, equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100070 the 28 tier of fortune Fortune Plaza, No.1, hang Feng Road, Fengtai District, Beijing.

Applicant after: BEIJING GUODIANTONG NETWORK TECHNOLOGY Co.,Ltd.

Applicant after: STATE GRID LIAONING ELECTRIC POWER Research Institute

Applicant after: STATE GRID CORPORATION OF CHINA

Applicant after: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd.

Address before: 100070 the 28 tier of fortune Fortune Plaza, No.1, hang Feng Road, Fengtai District, Beijing.

Applicant before: BEIJING GUODIANTONG NETWORK TECHNOLOGY Co.,Ltd.

Applicant before: STATE GRID LIAONING ELECTRIC POWER Research Institute

Applicant before: State Grid Corporation of China

Applicant before: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20190611

Address after: 100085 Beijing city Haidian District Qinghe small Camp Road No. 15

Applicant after: BEIJING CHINA POWER INFORMATION TECHNOLOGY Co.,Ltd.

Applicant after: STATE GRID LIAONING ELECTRIC POWER Research Institute

Applicant after: STATE GRID CORPORATION OF CHINA

Applicant after: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd.

Address before: 100070 the 28 tier of fortune Fortune Plaza, No.1, hang Feng Road, Fengtai District, Beijing.

Applicant before: BEIJING GUODIANTONG NETWORK TECHNOLOGY Co.,Ltd.

Applicant before: STATE GRID LIAONING ELECTRIC POWER Research Institute

Applicant before: STATE GRID CORPORATION OF CHINA

Applicant before: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20170531