CN108229191A - File protection method and device for a virtual machine - Google Patents


Info

Publication number: CN108229191A
Application number: CN201810004364.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: virtual machine, controlled, file, user domain, file system
Inventors: 林皓, 李健波, 周子皓, 张泽云, 党艳平
Current assignee: Jiangsu Shenzhouxinyuan System Engineering Co Ltd
Original assignee: Jiangsu Shenzhouxinyuan System Engineering Co Ltd

Classifications

    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention discloses a file protection method and device for a virtual machine. The method comprises: creating a controlled file system for use by a user-domain virtual machine; moving controlled files into the controlled file system; configuring the file system permissions of the user-domain virtual machine on a controlled data channel; and connecting to the user-domain virtual machine through the controlled data channel. The file protection method and device for a virtual machine proposed by the present invention can improve the protection effect, reduce the resource consumption of the user domain, and offer better general applicability.

Description

File protection method and device for a virtual machine
Technical field
The present invention relates to the field of computers, and more specifically to a file protection method and device for a virtual machine.
Background art
In recent years, with the rapid development of software science and technology, more and more individuals, groups and organizations have begun to pay attention to personal privacy information. The theft and tampering of private information has also attracted more and more criminals, and their means have become more diverse, simpler and more widespread. The protection of private information has therefore become an increasingly important branch of the information security field.
Currently popular malware, such as ransomware, usually uses means such as tampering with or deleting files to destroy the file entities stored on a user's computer, so that the user can no longer use these files normally, thereby achieving the purpose of the malicious attack, or extorting the user and profiting from it. In the information security field, the following two methods are currently commonly used to protect user files from malicious attack:
Method one encrypts files with encryption software, so that the encrypted file becomes an unrecognizable file type. The encrypted file can be recognized by matching decryption software, which uses a key to decrypt it and restore it to an ordinary, recognizable file that the user can use. Because the encrypted file is of an unrecognizable type, malware generally cannot recognize it either and therefore abandons attacking it, which achieves the effect of protecting the file. This method has two shortcomings. On the one hand, encryption/decryption software must be installed on the user's computer before files can be protected by this method, and the method cannot be used on a computer without encryption/decryption software installed. On the other hand, this method cannot 100% guarantee that the user file is not tampered with. The encrypted user file can still be edited and modified by malware: although the content of the encrypted file cannot be recognized or read, the malware can still arbitrarily modify the encrypted file content, destroying the structure of the encrypted file so that the decryption software can no longer decrypt it. Alternatively, the malware can simply delete the encrypted file so that the user can no longer use it.
Method two uses cloud storage technology to remotely back up the local files on the user's computer to a public cloud storage server. The file entities are stored on a remote cloud storage server, and a local file on the user's computer can be restored from the cloud after it has been tampered with. However, this method requires the user's computer to have network connectivity and to be able to use the network service of a public cloud storage server. If the user's computer cannot use the network, or the network service has been damaged by a malicious attack, the user cannot restore the local file from the cloud backup.
For the problems in the prior art that virtual machine file protection is ineffective, occupies resources, has low general applicability and relies on cooperation from local software, there is currently no effective solution.
Summary of the invention
In view of this, the purpose of the embodiments of the present invention is to propose a file protection method and device for a virtual machine that can perform virtual machine file protection for different user-domain virtual machines or different types of user-domain virtual machine, improve the protection effect, reduce the resource consumption of the user domain, and have better general applicability.
Based on the above purpose, one aspect of the embodiments of the present invention provides a file protection method for a virtual machine, applied in a management domain, which includes the following steps:
Create a controlled file system for use by the user-domain virtual machine;
Move controlled files into the controlled file system;
Configure the file system permissions of the user-domain virtual machine on the controlled data channel;
Connect to the user-domain virtual machine through the controlled data channel.
In some embodiments, before the controlled file system used by the user-domain virtual machine is created, the management domain deploys an authorization management program and a controlled data channel, where the authorization management program manages and controls the user-domain virtual machine's access to the controlled file system through the controlled data channel.
In some embodiments, creating the controlled file system used by the user-domain virtual machine includes:
Creating a virtual disk image file in the management domain;
Creating a file system in the virtual disk image file;
Defining the file system as the controlled file system.
In some embodiments, moving controlled files into the controlled file system includes:
Verifying, in the management domain, the files that need protection;
Moving the files that need protection into the controlled file system;
Defining the files that need protection as controlled files.
In some embodiments, the permission of the user-domain virtual machine to read controlled files is configured on the controlled data channel, where the permission configuration is sent to the controlled data channel and is enforced by the controlled data channel.
In some embodiments, the controlled file system of the management domain is connected to the user-domain virtual machine through the controlled data channel according to the configured permissions.
Another aspect of the embodiments of the present invention also provides a file protection device for a virtual machine, which uses the above method.
Another aspect of the embodiments of the present invention also provides a computer device, including a memory, at least one processor, and a computer program stored in the memory and runnable on the processor, where the processor performs the above method when executing the program.
Another aspect of the embodiments of the present invention also provides a computer-readable storage medium storing a computer program, which performs the above method when executed by a processor.
Another aspect of the embodiments of the present invention also provides a computer program product, which includes a computer program stored on a computer-readable storage medium, the program including instructions that, when executed by a computer, cause the computer to perform the above method.
The present invention has the following advantageous effects. The file protection method and device for a virtual machine provided by the embodiments of the present invention, through the technical solution of creating a controlled file system used by the user-domain virtual machine, moving controlled files into the controlled file system, configuring the file system permissions of the user-domain virtual machine on the controlled data channel, and connecting to the user-domain virtual machine through the controlled data channel, can perform virtual machine file protection, improve the protection effect, reduce the resource consumption of the user domain, and have better general applicability. The method of the present invention is cross-operating-system: the same method can be used to protect user files in different operating systems, without needing different methods for different operating systems.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required by the embodiments are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a first embodiment of the file protection method for a virtual machine provided by the present invention;
Fig. 2 is a flow diagram of a second embodiment of the file protection method for a virtual machine provided by the present invention;
Fig. 3 is a hardware structure diagram of one embodiment of a computer device for performing the file protection method for a virtual machine provided by the present invention.
Specific embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are further described below in conjunction with specific embodiments and with reference to the drawings.
It should be noted that all uses of "first" and "second" in the embodiments of the present invention serve to distinguish two non-identical entities or non-identical parameters that share a name; "first" and "second" are used only for convenience of expression and should not be understood as limiting the embodiments of the present invention. The subsequent embodiments will not explain this again one by one.
Based on the above purpose, a first aspect of the embodiments of the present invention proposes an embodiment of a method that can perform virtual machine file protection for different user-domain virtual machines or different types of user-domain virtual machine. Fig. 1 shows a flow diagram of a first embodiment of the file protection method for a virtual machine provided by the present invention.
Optionally, the file protection method for a virtual machine is applied in a management domain and includes the following steps:
Step S101: create a controlled file system for use by the user-domain virtual machine;
Step S103: move controlled files into the controlled file system;
Step S105: configure the file system permissions of the user-domain virtual machine on the controlled data channel;
Step S107: connect to the user-domain virtual machine through the controlled data channel.
In some embodiments, before the controlled file system used by the user-domain virtual machine is created, the management domain deploys an authorization management program and a controlled data channel, where the authorization management program manages and controls the user-domain virtual machine's access to the controlled file system through the controlled data channel.
Optionally, the authorization management program manages the controlled data channel, which in turn mediates all interactions between the user domain and the management domain.
In some embodiments, creating the controlled file system used by the user-domain virtual machine includes:
Creating a virtual disk image file in the management domain;
Creating a file system in the virtual disk image file;
Defining the file system as the controlled file system.
Optionally, the controlled file system is built in a virtual disk image file for use by the virtual machine. The entity of the virtual disk image file can only be accessed by the management domain; the user-domain virtual machine has no permission to operate on the virtual disk image file.
In some embodiments, moving controlled files into the controlled file system includes:
Verifying, in the management domain, the files that need protection;
Moving the files that need protection into the controlled file system;
Defining the files that need protection as controlled files.
Optionally, files are divided into files that need protection and files that do not. The present invention defines only the files that need protection as controlled files and isolates them from the user-domain virtual machine; the steps of the present invention need not be performed for files that do not need protection. For the user-domain virtual machine, the file systems it uses are all built on virtual disk image files, and the user file entities are stored in the file systems of the user-domain virtual machine.
In some embodiments, the permission of the user-domain virtual machine to read controlled files is configured on the controlled data channel, where the permission configuration is sent to the controlled data channel and is enforced by the controlled data channel.
Optionally, the authorization management program for the user-domain virtual disk image file runs in the management domain and controls the user-domain virtual machine's access to the virtual disk image file through the interface of the hypervisor.
In some embodiments, the controlled file system of the management domain is connected to the user-domain virtual machine through the controlled data channel according to the configured permissions.
Optionally, when the system formally operates under the file protection method, the controlled data channel is the only connection channel between the user domain and the management domain.
It can be seen from the above embodiment that the file protection method for a virtual machine provided by the embodiments of the present invention, through the technical solution of creating a controlled file system used by the user-domain virtual machine, moving controlled files into the controlled file system, configuring the file system permissions of the user-domain virtual machine on the controlled data channel, and connecting to the user-domain virtual machine through the controlled data channel, can perform virtual machine file protection. The file entities on the user-domain virtual machine are protected from the management domain, and no software or application program needs to be installed or run on the user-domain virtual machine. The permission required on the management domain to protect user-domain files is higher than the permission of programs inside the user-domain virtual machine, so malware in the user-domain virtual machine has no permission to operate on the entities of protected files, and file entities can be 100% protected against malicious tampering. The operation of protecting controlled files is completed in the management domain, with no software or application program installed or run on the user-domain virtual machine, so it is not limited by the operating system of the user-domain virtual machine and does not consume the resources of the user-domain virtual machine. All operations for protecting controlled files are completed in the management domain and require no interaction of any kind with the user domain (including network interaction), so they do not depend on the network connectivity of the user-domain virtual machine.
The embodiments of the present invention also propose a second embodiment of a method that can perform virtual machine file protection for different user-domain virtual machines or different types of user-domain virtual machine. Fig. 2 shows a flow diagram of the second embodiment of the file protection method for a virtual machine provided by the present invention.
As shown in Fig. 2, the virtual machine file protection method involves three parts: the user-domain operating system, the virtual-domain operating system and the virtualization platform. The virtualization platform is logically independent; physically it may be independent or may be deployed within the virtual domain, but wherever the virtualization platform is placed, the existing user domain need not be changed in any way.
In a virtualized environment, the disks/hard disks used by a user-domain virtual machine are all virtual disk image files. The entity of a virtual disk image file can only be accessed by the management domain; the user-domain virtual machine has no permission to operate on the virtual disk image file. The file systems used by the user-domain virtual machine are all built in virtual disk image files, and the entities of the user files on the user-domain virtual machine are stored in the file systems of the user-domain virtual machine. This property, by which the technology separates user file entities from the user-domain virtual machine and keeps them outside it, is referred to as the isolation property of virtualized storage.
The present invention uses the isolation property of virtualized storage together with the virtual disk operation interface provided by the virtualization platform, the hypervisor, and protects user file entities from tampering by controlling, from the management domain, the permission with which the user-domain virtual machine accesses the file system of the virtual disk image file. Further, for user files that need protection (i.e., controlled files), the management domain grants the user-domain virtual machine read permission only, without granting permission to modify or delete, and the permission with which the hypervisor operates is higher than the operating permission of the user-domain virtual machine and of all application programs (including malware) in the user-domain virtual machine; therefore all operations on the user-domain virtual machine that attempt to tamper with user file entities are refused and interrupted by the virtualization platform. In implementation, the method divides the file systems of the user domain into ordinary file systems and controlled file systems. All files that need protection are stored in controlled file systems and are called controlled files. Correspondingly, the other files that do not need protection are stored in ordinary file systems and are called ordinary files. Ordinary file systems and ordinary files exist in the user-domain virtual machine as in the prior art and are not affected by this method.
This method uses the isolation property of virtualized storage to protect the user file entities on the user-domain virtual machine by controlling the access permissions of the controlled file system from the management domain. It does not require any software or application program to be installed or run on the user-domain virtual machine, so it is independent of the operating system type of the user-domain virtual machine and does not consume the resources of the user-domain virtual machine. The permission with which the management domain operates the virtual disk of the user-domain virtual machine is higher than the permission possessed by the user-domain virtual machine, so malware running in the user-domain virtual machine has no permission to tamper with the entities of controlled files, and controlled files can be 100% protected against malicious tampering. The process by which the management domain protects user-domain files requires no interaction with the user-domain virtual machine (including network interaction), and therefore does not depend on the network connectivity of the user-domain virtual machine.
A specific embodiment of the steps performed by this method is as follows:
1. Deploy an authorization management program and a controlled data channel on the management domain. The authorization management program manages and controls the permissions of the user-domain virtual machine to access the controlled file system by operating the controlled data channel.
2. Create a virtual disk image file on the management domain, create a file system in the virtual disk image file, and define this file system as a controlled file system.
3. Verify a file that needs protection; after confirming that the file is correct, move it into the controlled file system created in step 2 and define it as a controlled file.
4. Repeat step 3 until all files that need protection have been moved into the controlled file system.
5. Configure, through the authorization management program, the permission of the user-domain virtual machine to read controlled files. The permission configuration is ultimately transmitted to the controlled data channel and enforced by the controlled data channel.
6. Connect the controlled file system to the user-domain virtual machine through the controlled data channel according to the permissions configured in step 5.
7. Application programs in the user-domain virtual machine use the controlled files according to the permissions configured in step 5. All operations outside the permissions configured in step 5 (such as tampering with a controlled file) are refused and interrupted by the controlled data channel.
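The seven steps above as an added Python reference model (not the patent's own code): the controlled data channel is the only path from a user-domain VM to the controlled file system, read is the only permission the authorization manager grants, and every refused operation is logged for the management domain to review. Class and method names, the SHA-256 check used as the step-3 "verification", and the sample file content are assumptions.

```python
"""Reference model of the controlled-data-channel access control (added example)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Op(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"


@dataclass
class ManagementDomain:
    """Owns the virtual disk image files; only this domain may touch their entities."""
    images: dict = field(default_factory=dict)          # image name -> {path: bytes}
    controlled_fs: set = field(default_factory=set)     # step 2: file systems defined as controlled
    controlled_files: set = field(default_factory=set)  # step 3: (fs, path) pairs defined as controlled

    def create_controlled_fs(self, image: str) -> None:
        """Step 2: create a disk image, a file system inside it, and define it as controlled."""
        self.images[image] = {}
        self.controlled_fs.add(image)

    def verify_and_move(self, fs: str, path: str, data: bytes, expected_sha256: str) -> bool:
        """Step 3: verify the file (assumption: SHA-256 must match), then move it in and
        define it as a controlled file. A file that fails verification is not moved."""
        if fs not in self.controlled_fs:
            raise ValueError(f"{fs} is not a controlled file system")
        if hashlib.sha256(data).hexdigest() != expected_sha256:
            return False
        self.images[fs][path] = data
        self.controlled_files.add((fs, path))
        return True


@dataclass
class ControlledDataChannel:
    """Step 1: the only interface between a user-domain VM and the management domain."""
    mgmt: ManagementDomain
    permissions: dict = field(default_factory=dict)  # (vm, fs) -> frozenset of Op
    connected: set = field(default_factory=set)      # (vm, fs) pairs attached in step 6
    audit: list = field(default_factory=list)        # refused operations, for the defender to review

    def configure(self, vm: str, fs: str, ops: set) -> None:
        """Step 5: permission configuration pushed down by the authorization manager."""
        self.permissions[(vm, fs)] = frozenset(ops)

    def connect(self, vm: str, fs: str) -> bool:
        """Step 6: attach a controlled FS to a VM, but only with a configured permission set."""
        if (vm, fs) not in self.permissions or fs not in self.mgmt.controlled_fs:
            return False
        self.connected.add((vm, fs))
        return True

    def request(self, vm: str, fs: str, path: str, op: Op, data: bytes = None):
        """Step 7: every guest operation on a controlled FS passes through here and is
        refused (None) and recorded unless it lies inside the configured permissions."""
        if (vm, fs) not in self.connected or op not in self.permissions[(vm, fs)]:
            self.audit.append((vm, fs, path, op.value, "refused"))
            return None
        files = self.mgmt.images[fs]
        if op is Op.READ:
            return files.get(path)
        if op is Op.WRITE:
            files[path] = data
        elif op is Op.DELETE:
            files.pop(path, None)
        return True


@dataclass
class AuthorizationManager:
    """Step 1: runs in the management domain and drives the channel; per step 5 the
    user-domain VM is granted read permission only on controlled files."""
    channel: ControlledDataChannel

    def grant_read_only(self, vm: str, fs: str) -> None:
        self.channel.configure(vm, fs, {Op.READ})


def run_scenario() -> dict:
    """Walk the seven steps with constructed sample data and return the outcomes."""
    mgmt = ManagementDomain()
    channel = ControlledDataChannel(mgmt)           # step 1
    authz = AuthorizationManager(channel)           # step 1
    mgmt.create_controlled_fs("ctrl.img")           # step 2
    doc = b"quarterly report (constructed sample)"
    moved = mgmt.verify_and_move("ctrl.img", "/docs/report.txt", doc,
                                 hashlib.sha256(doc).hexdigest())                  # step 3
    bad = mgmt.verify_and_move("ctrl.img", "/docs/other.txt", b"x", "00" * 32)  # fails verification
    # step 4 would repeat step 3 for every remaining file that needs protection
    authz.grant_read_only("vm1", "ctrl.img")        # step 5
    connected = channel.connect("vm1", "ctrl.img")  # step 6
    # step 7: a permitted read, then the two operations the method must refuse and interrupt
    read = channel.request("vm1", "ctrl.img", "/docs/report.txt", Op.READ)
    write = channel.request("vm1", "ctrl.img", "/docs/report.txt", Op.WRITE, b"ENCRYPTED")
    delete = channel.request("vm1", "ctrl.img", "/docs/report.txt", Op.DELETE)
    stranger = channel.connect("vm2", "ctrl.img")  # never configured: cannot even attach
    return {"moved": moved, "rejected_by_verification": not bad, "connected": connected,
            "read": read, "write_refused": write is None, "delete_refused": delete is None,
            "still_intact": mgmt.images["ctrl.img"]["/docs/report.txt"] == doc,
            "stranger_connected": stranger, "refusals_logged": len(channel.audit)}


if __name__ == "__main__":
    print(run_scenario())
```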
It should be particularly noted that the steps in the various embodiments of the above file protection method for a virtual machine can be interleaved, replaced, added or deleted; therefore, these reasonable permutations and combinations of the file protection method for a virtual machine should also fall within the protection scope of the present invention, and the protection scope of the present invention should not be limited to the described embodiments.
Based on the above purpose, a second aspect of the embodiments of the present invention proposes an embodiment of a device that can perform file protection for different user-domain virtual machines or different types of user-domain virtual machine. The file protection device for a virtual machine uses the file protection method for a virtual machine described above.
The file protection device for a virtual machine provided by the embodiments of the present invention, through the technical solution of creating a controlled file system used by the user-domain virtual machine, moving controlled files into the controlled file system, configuring the file system permissions of the user-domain virtual machine on the controlled data channel, and connecting to the user-domain virtual machine through the controlled data channel, can perform virtual machine file protection. The file entities on the user-domain virtual machine are protected from the management domain, and no software or application program needs to be installed or run on the user-domain virtual machine. The permission required on the management domain to protect user-domain files is higher than the permission of programs inside the user-domain virtual machine, so malware in the user-domain virtual machine has no permission to operate on the entities of protected files, and file entities can be 100% protected against malicious tampering. The operation of protecting controlled files is completed in the management domain, with no software or application program installed or run on the user-domain virtual machine, so it is not limited by the operating system of the user-domain virtual machine and does not consume its resources. All operations for protecting controlled files are completed in the management domain and require no interaction of any kind with the user domain (including network interaction), so they do not depend on the network connectivity of the user-domain virtual machine.
It should be particularly noted that the embodiment of the file protection device for a virtual machine uses the embodiment of the file protection method for a virtual machine to explain the working process of each module, and those skilled in the art can readily conceive of applying these modules to other embodiments of the file protection method for a virtual machine. Of course, since the steps in the embodiments of the file protection method for a virtual machine can be interleaved, replaced, added or deleted, the file protection devices for a virtual machine resulting from these reasonable permutations and combinations should also fall within the protection scope of the present invention, and the protection scope of the present invention should not be limited to the described embodiments.
Based on above-mentioned purpose, a kind of third aspect of the embodiment of the present invention, it is proposed that file for performing the virtual machine One embodiment of the computer equipment of guard method.
The computer equipment of the document protection method for performing the virtual machine includes memory, at least one processor And the computer program that can be run on a memory and on a processor is stored, processor performs above-mentioned arbitrary when performing program A kind of method.
Figure 3 shows the hardware architecture of one embodiment of a computer device for performing the file protection method of the virtual machine provided by the invention.
Taking the computer device shown in Figure 3 as an example, the computer device includes a processor 301 and a memory 302, and may also include an input device 303 and an output device 304.
The processor 301, memory 302, input device 303 and output device 304 may be connected by a bus or in other ways; in Figure 3 they are connected by a bus.
The memory 302, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions/modules corresponding to the file protection method of the virtual machine in the embodiments of the present application. By running the non-volatile software programs, instructions and modules stored in the memory 302, the processor 301 executes the various functional applications and data processing of the server, that is, it implements the file protection method of the virtual machine of the above method embodiments.
The memory 302 may include a program storage area and a data storage area. The program storage area may store the operating system and the application programs required by at least one function; the data storage area may store data created by the use of the file protection device of the virtual machine, and so on. In addition, the memory 302 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some embodiments, the memory 302 optionally includes memory located remotely from the processor 301; such remote memory may be connected to the local module through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 303 can receive input numeric or character information and generate key signal inputs related to the user settings and function control of the file protection device of the virtual machine. The output device 304 may include a display device such as a display screen.
The program instructions/modules corresponding to the file protection method of one or more virtual machines are stored in the memory 302 and, when executed by the processor 301, perform the file protection method of the virtual machine of any of the above method embodiments.
Any embodiment of the computer device for performing the file protection method of the virtual machine can achieve the same or similar effects as the corresponding method embodiments described above.
Based on the above purpose, a fourth aspect of the embodiments of the invention proposes a computer-readable storage medium that stores a computer program. When executed by a processor, the computer program performs the file protection method of the virtual machine of any of the above method embodiments and implements the file protection device/system of the virtual machine of any of the above device/system embodiments. The embodiments of the computer-readable storage medium can achieve the same or similar effects as the corresponding method and device/system embodiments described above.
Based on the above purpose, a fifth aspect of the embodiments of the invention proposes a computer program product. The computer program product includes a computer program stored on a computer-readable storage medium, and the computer program includes instructions which, when executed by a computer, cause the computer to perform the file protection method of the virtual machine of any of the above method embodiments and to implement the file protection device/system of the virtual machine of any of the above device/system embodiments. The embodiments of the computer program product can achieve the same or similar effects as the corresponding method and device/system embodiments described above.
Finally, it should be noted that, as one of ordinary skill in the art will understand, all or part of the flow of the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of each of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), and so on. The embodiments of the computer program can achieve the same or similar effects as the corresponding method embodiments described above.
In addition, the devices, equipment and so on disclosed in the embodiments of the invention can typically be various electronic terminal devices, such as mobile phones, personal digital assistants (PDAs), tablet computers (PADs) and smart televisions, or large terminal devices such as servers; therefore the scope of protection disclosed by the embodiments of the invention should not be limited to a particular type of device or equipment. The client disclosed in the embodiments of the invention can be applied to any of the above electronic terminal devices in the form of electronic hardware, computer software or a combination of both.
In addition, the methods disclosed in the embodiments of the invention can also be implemented as a computer program executed by a CPU, and the computer program can be stored in a computer-readable storage medium. When the computer program is executed by the CPU, the functions defined in the methods disclosed in the embodiments of the invention are performed.
In addition, the above method steps and system units can also be implemented using a controller together with a computer-readable storage medium storing a computer program that causes the controller to implement the above steps or unit functions.
In addition, it should be understood that the computer-readable storage medium (for example, the memory) described herein can be volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. By way of example and not limitation, non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM), and the RAM can serve as an external cache. By way of example and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM) and direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to include, but are not limited to, these and other suitable types of memory.
Those skilled in the art will also understand that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software or a combination of both. To clearly illustrate this interchangeability of hardware and software, the functions of the various illustrative components, blocks, modules, circuits and steps have been described above in general terms. Whether such functions are implemented as software or as hardware depends on the specific application and the design constraints imposed on the overall system. Those skilled in the art can implement the described functions in various ways for each specific application, but such implementation decisions should not be interpreted as causing a departure from the scope disclosed by the embodiments of the invention.
The various illustrative logical blocks, modules and circuits described in connection with the disclosure herein can be implemented or performed using the following components designed to perform the functions described here: a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general-purpose processor can be a microprocessor, but alternatively the processor can be any conventional processor, controller, microcontroller or state machine. A processor can also be implemented as a combination of computing devices, for example a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors together with a DSP, or any other such configuration.
The steps of the methods or algorithms described in connection with the disclosure herein can be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art. An illustrative storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium can be integrated with the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a user terminal. Alternatively, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions can be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions can be stored on, or transmitted over, a computer-readable medium as one or more instructions or code. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium can be any available medium that can be accessed by a general-purpose or special-purpose computer. By way of example and not limitation, such computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store the required program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer or a general-purpose or special-purpose processor. In addition, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using coaxial cable, fibre optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fibre optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of medium. As used herein, disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The above are exemplary embodiments disclosed by the invention, but it should be noted that many modifications and changes may be made without departing from the scope of the disclosure of the embodiments of the invention as defined by the claims. The functions, steps and/or actions of the method claims according to the disclosed embodiments described herein need not be performed in any particular order. In addition, although elements disclosed in the embodiments of the invention may be described or claimed in the singular, they should be understood as plural unless explicitly limited to the singular.
It should be understood that, as used herein, unless the context clearly supports an exception, the singular forms "a", "an" and "the" are intended to include the plural forms as well. It should further be understood that "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
The serial numbers of the embodiments disclosed by the invention are for description only and do not represent the merits of the embodiments.
One of ordinary skill in the art will understand that all or part of the steps for implementing the above embodiments can be completed by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, and so on.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the disclosure of the embodiments of the invention (including the claims) is limited to these examples. Within the concept of the embodiments of the invention, the technical features of the above embodiments or of different embodiments may also be combined, and many other variations of the different aspects of the embodiments of the invention exist as described above which, for simplicity, are not provided in detail. Therefore, any omission, modification, equivalent replacement, improvement and so on made within the spirit and principles of the embodiments of the invention shall be included within the scope of protection of the embodiments of the invention.

Claims (10)

1. A file protection method for a virtual machine, characterized in that it is applied to a management domain and includes the following steps:
Creating a controlled file system for use by a user-domain virtual machine;
Moving controlled files into the controlled file system;
Configuring the file system permissions of the user-domain virtual machine on a controlled data channel;
Connecting the user-domain virtual machine through the controlled data channel.
2. The method according to claim 1, characterized in that, before creating the controlled file system used by the user-domain virtual machine, the management domain deploys an authorization management program and the controlled data channel, wherein the authorization management program manages and controls the access of the user-domain virtual machine to the controlled file system through the controlled data channel.
3. The method according to claim 1, characterized in that creating the controlled file system used by the user-domain virtual machine includes:
Creating a virtual disk image file in the management domain;
Creating a file system in the virtual disk image file;
Defining the file system as the controlled file system.
4. The method according to claim 1, characterized in that moving the controlled files into the controlled file system includes:
Verifying, in the management domain, the files that need to be protected;
Moving the files that need to be protected into the controlled file system;
Defining the files that need to be protected as the controlled files.
5. The method according to claim 1, characterized in that the permission of the user-domain virtual machine to read the controlled files is configured on the controlled data channel, wherein the permission configuration is sent to the controlled data channel and executed by the controlled data channel.
6. The method according to claim 5, characterized in that the controlled file system of the management domain is connected to the user-domain virtual machine through the controlled data channel according to the configured permissions.
7. A file protection device for a virtual machine, characterized in that it uses the method according to any one of claims 1 to 6.
8. A computer device, including a memory, at least one processor and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the program, performs the method according to any one of claims 1 to 6.
9. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, performs the method according to any one of claims 1 to 6.
10. A computer program product, characterized in that the computer program product includes a computer program stored on a computer-readable storage medium, the computer program including instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 6.
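The procedure of claims 1 to 6, as seen from the management domain, worked through in Python as an added example that is not part of this application. A plain directory stands in for the mounted virtual-disk image (the image itself would be created with commands such as truncate, mkfs.ext4 and a loop mount, which need root and are therefore not run here); candidate files are verified before being moved, not copied, into the controlled file system; the controlled data channel stores each user-domain VM's permission, answers access requests deny-by-default, and renders the connection as a libvirt <disk> element that carries <readonly/> unless the VM was granted read-write, so the hypervisor rather than the guest enforces the grant. The class names, the 'r'/'rw' permission strings, the VM names and the sample file are assumptions constructed for this example.

```python
"""Controlled file system for a user-domain VM (added illustration, not the
applicant's code). A plain directory stands in for the mounted virtual-disk
image; class names, the 'r'/'rw' permission strings and the libvirt <disk>
rendering of the channel are assumptions of this example."""
import hashlib
import os
import shutil
import stat
import tempfile
from xml.etree import ElementTree as ET


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class ControlledFileSystem:
    """Mounted controlled file system plus the set of controlled files."""

    def __init__(self, mount_point):
        self.mount_point = os.path.abspath(mount_point)
        self.controlled = {}  # file name -> sha256 recorded when it was moved in

    def verify_candidate(self, path):
        """Claim 4, step 1: a regular file (no symlink, device or directory)
        that is not already inside the controlled file system."""
        if not os.path.lexists(path) or not stat.S_ISREG(os.lstat(path).st_mode):
            return False
        return not os.path.abspath(path).startswith(self.mount_point + os.sep)

    def protect(self, path):
        """Claim 4, steps 2-3: move (not copy) the file in, then mark it controlled."""
        if not self.verify_candidate(path):
            raise ValueError(f"refusing to protect {path}")
        dest = os.path.join(self.mount_point, os.path.basename(path))
        if os.path.lexists(dest):
            raise FileExistsError(dest)
        digest = sha256_file(path)
        shutil.move(path, dest)
        self.controlled[os.path.basename(path)] = digest
        return dest


class ControlledDataChannel:
    """Claims 5-6: holds each VM's permission and enforces it both when
    mediating an access request and when connecting the image to the VM."""

    def __init__(self, fs, image_path):
        self.fs = fs
        self.image_path = image_path
        self.perms = {}  # VM name -> 'r' or 'rw'; a VM not listed gets nothing

    def configure(self, vm, perm):
        if perm not in ("r", "rw"):
            raise ValueError(f"unknown permission {perm!r}")
        self.perms[vm] = perm

    def authorize(self, vm, name, op):
        """Deny by default: unknown VM, uncontrolled file or unknown op -> False."""
        perm = self.perms.get(vm)
        if perm is None or name not in self.fs.controlled:
            return False
        return op == "read" or (op == "write" and perm == "rw")

    def attach_xml(self, vm):
        """libvirt <disk> for the VM; <readonly/> unless it holds 'rw'."""
        disk = ET.Element("disk", type="file", device="disk")
        ET.SubElement(disk, "source", file=self.image_path)
        ET.SubElement(disk, "target", dev="vdb", bus="virtio")
        if self.perms[vm] == "r":
            ET.SubElement(disk, "readonly")
        return ET.tostring(disk, encoding="unicode")


def demo():
    """Run the procedure on a constructed sample file in a scratch directory."""
    root = tempfile.mkdtemp(prefix="ctrlfs-")
    mount_point = os.path.join(root, "mnt")
    os.mkdir(mount_point)
    src = os.path.join(root, "design.doc")
    with open(src, "wb") as f:
        f.write(b"constructed sample content\n")
    fs = ControlledFileSystem(mount_point)
    dest = fs.protect(src)
    channel = ControlledDataChannel(fs, os.path.join(root, "controlled.img"))
    channel.configure("userdom-1", "r")
    channel.configure("userdom-2", "rw")
    return {
        "source_gone": not os.path.exists(src),
        "hash_matches": sha256_file(dest) == fs.controlled["design.doc"],
        "ro_read": channel.authorize("userdom-1", "design.doc", "read"),
        "ro_write": channel.authorize("userdom-1", "design.doc", "write"),
        "rw_write": channel.authorize("userdom-2", "design.doc", "write"),
        "unknown_vm": channel.authorize("userdom-9", "design.doc", "read"),
        "uncontrolled": channel.authorize("userdom-1", "notes.txt", "read"),
        "ro_xml": channel.attach_xml("userdom-1"),
        "rw_xml": channel.attach_xml("userdom-2"),
    }
```

Running demo() performs the whole sequence in a temporary directory. Two points worth keeping in mind when turning this into a real deployment: the read-only attach protects the image as a whole, so a per-file decision such as authorize() only holds if the channel in the management domain performs it, never code inside the guest; and the digest recorded at move time is what lets the management domain later check that a controlled file has not been altered through some path other than the channel.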
Application CN201810004364.5A, filed 2018-01-03 (priority date 2018-01-03): A file protection method and device for a virtual machine. Status: pending. Publication CN108229191A (en).

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN201810004364.5A  2018-01-03  2018-01-03  A file protection method and device for a virtual machine

Publications (1)

Publication Number  Publication Date
CN108229191A  2018-06-29

Family

ID=62642665

Family Applications (1)

Application Number  Status  Publication  Priority Date  Filing Date  Title
CN201810004364.5A  Pending  CN108229191A (en)  2018-01-03  2018-01-03  A file protection method and device for a virtual machine

Country Status (1)

Country  Link
CN (1)  CN108229191A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN103365700A *  2013-06-28  2013-10-23  福建师范大学  Cloud computing virtualization environment-oriented resource monitoring and adjustment system
CN105184147A *  2015-09-08  2015-12-23  成都博元科技有限公司  User security management method for cloud computing platform
CN107463427A *  2017-06-29  2017-12-12  北京北信源软件股份有限公司  A method and device for acquiring the operating system type and version of a virtual machine
CN107463369A *  2017-06-30  2017-12-12  北京北信源软件股份有限公司  A method and device for controlling the access devices of a virtual desktop
US20180113999A1 *  2016-10-25  2018-04-26  Flexera Software Llc  Incorporating license management data into a virtual machine

Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
RJ01  Rejection of invention patent application after publication

Application publication date: 20180629