CN108229191A - The document protection method and device of a kind of virtual machine - Google Patents
- Publication number: CN108229191A (application CN201810004364.5A)
- Authority: CN (China)
- Prior art keywords: virtual machine, controlled, file, user domain, file system
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a file protection method and device for a virtual machine. The method comprises: creating a controlled file system for use by a user-domain virtual machine; moving controlled files into the controlled file system; configuring the file system permissions of the user-domain virtual machine on a controlled data channel; and connecting the controlled file system to the user-domain virtual machine through the controlled data channel. The file protection method and device for a virtual machine proposed by the invention improve the protection effect, reduce the resource consumption of the user domain and have better generality.
Description
Technical field
The present invention relates to the field of computing and, more specifically, to a file protection method and device for a virtual machine.
Background technology
With the rapid development of software technology, more and more individuals, groups and organizations have begun to pay attention to personal privacy. The theft and tampering of private information has also attracted more and more criminals, and their methods have become more diverse, simpler and more widespread. The protection of private information has therefore become an increasingly important branch of the information security field.
Currently widespread malware such as ransomware typically tampers with or deletes files in order to destroy the file entities that a user stores on a computer, so that the user can no longer use those files normally; the attacker thereby achieves a malicious goal, or extorts the user and profits from it. In the information security field, the following two methods are commonly used to protect user files from such attacks:
Method one encrypts files with encryption software, so that the encrypted file becomes a file type that cannot be recognized. Only the matching decryption software can identify the encrypted file; it uses a key to decrypt it, after which the file is restored to an ordinary, recognizable file that the user can use. Because the encrypted file is of an unrecognizable type, malware generally cannot identify it either, gives up attacking it, and the file is protected. This method has two shortcomings. First, the encryption/decryption software must be installed on the user's computer for the method to protect user files, so it cannot be used on a computer on which that software is not installed. Second, the method cannot guarantee 100% that a user file is not tampered with: the encrypted file can still be edited and modified by malware. Although the content of the encrypted file cannot be identified or read, malware can still arbitrarily alter the encrypted content and so destroy the structure of the encrypted file, making it impossible for the decryption software to decrypt it; or the malware can simply delete the encrypted file, so that the user can no longer use it.
Method two uses cloud storage to back up the local files of the user's computer to a public cloud storage server. The file entity is stored on the remote cloud storage server, and a local file that has been tampered with can be restored from the cloud. This method, however, requires the user's computer to have network connectivity and to be able to use the network service of the public cloud storage server. If the user's computer cannot use the network, or the network service has been damaged by a malicious attack, the user cannot restore the local files from the cloud backup.
For the problems of the prior art, namely that file protection for virtual machines is weak, consumes resources, has low generality and depends on the cooperation of local software, no effective solution has yet been proposed.
Summary of the invention
In view of this, the purpose of the embodiments of the present invention is to propose a file protection method and device for a virtual machine that can protect virtual machine files for different user-domain virtual machines, or for different types of user-domain virtual machine, improve the protection effect, reduce the resource consumption of the user domain and have better generality.
Based on the above purpose, one aspect of the embodiments of the present invention provides a file protection method for a virtual machine, applied in the management domain, comprising the following steps:
creating a controlled file system for use by a user-domain virtual machine;
moving controlled files into the controlled file system;
configuring the file system permissions of the user-domain virtual machine on a controlled data channel;
connecting to the user-domain virtual machine through the controlled data channel.
In some embodiments, before the controlled file system used by the user-domain virtual machine is created, the management domain deploys an authorization management program and the controlled data channel, where the authorization management program manages and controls, through the controlled data channel, the user-domain virtual machine's access to the controlled file system.
In some embodiments, creating the controlled file system used by the user-domain virtual machine comprises:
creating a virtual disk image file in the management domain;
creating a file system in the virtual disk image file;
defining that file system as the controlled file system.
In some embodiments, moving controlled files into the controlled file system comprises:
verifying, in the management domain, the files that need to be protected;
moving the files that need to be protected into the controlled file system;
defining the files that need to be protected as controlled files.
In some embodiments, the permission of the user-domain virtual machine to read controlled files is configured on the controlled data channel, where the permission configuration is sent to the controlled data channel and enforced by the controlled data channel.
In some embodiments, the controlled file system of the management domain is connected to the user-domain virtual machine through the controlled data channel according to the configured permissions.
Another aspect of the embodiments of the present invention provides a file protection device for a virtual machine that uses the above method.
Another aspect of the embodiments of the present invention provides a computer device comprising a memory, at least one processor, and a computer program stored in the memory and runnable on the processor, where the processor performs the above method when executing the program.
Another aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the above method.
Another aspect of the embodiments of the present invention provides a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising instructions which, when executed by a computer, cause the computer to perform the above method.
The present invention has the following advantageous effects. The file protection method and device for a virtual machine provided by the embodiments of the present invention create a controlled file system for use by the user-domain virtual machine, move controlled files into the controlled file system, configure the file system permissions of the user-domain virtual machine on the controlled data channel, and connect to the user-domain virtual machine through the controlled data channel. This technical solution protects virtual machine files, improves the protection effect, reduces the resource consumption of the user domain and has better generality. The method of the present invention is independent of the operating system type: the same method can protect user files in different operating systems, and no different method is needed for different operating systems.
Description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required for the embodiments are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a first embodiment of the file protection method for a virtual machine provided by the present invention;
Fig. 2 is a flow diagram of a second embodiment of the file protection method for a virtual machine provided by the present invention;
Fig. 3 is a hardware architecture diagram of an embodiment of the computer device for performing the file protection method for a virtual machine provided by the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are further described below with reference to specific embodiments and the accompanying drawings.
It should be noted that all uses of "first" and "second" in the embodiments of the present invention serve to distinguish two non-identical entities or non-identical parameters that have the same name. "First" and "second" are used only for convenience of expression and should not be interpreted as limiting the embodiments of the present invention; the subsequent embodiments do not repeat this point.
Based on the above purpose, a first aspect of the embodiments of the present invention proposes an embodiment of a method for protecting virtual machine files for different user-domain virtual machines or different types of user-domain virtual machine. Fig. 1 shows a flow diagram of a first embodiment of the file protection method for a virtual machine provided by the present invention.
The file protection method for a virtual machine, optionally applied in the management domain, comprises the following steps:
Step S101: create the controlled file system used by the user-domain virtual machine;
Step S103: move controlled files into the controlled file system;
Step S105: configure the file system permissions of the user-domain virtual machine on the controlled data channel;
Step S107: connect to the user-domain virtual machine through the controlled data channel.
In some embodiments, before the controlled file system used by the user-domain virtual machine is created, the management domain deploys an authorization management program and the controlled data channel, where the authorization management program manages and controls, through the controlled data channel, the user-domain virtual machine's access to the controlled file system.
Optionally, the controlled data channel managed by the authorization management program carries all interactions between the user domain and the management domain.
In some embodiments, creating the controlled file system used by the user-domain virtual machine comprises:
creating a virtual disk image file in the management domain;
creating a file system in the virtual disk image file;
defining that file system as the controlled file system.
Optionally, the controlled file system is built in a virtual disk image file for use by the virtual machine. The entity of the virtual disk image file can only be accessed by the management domain; the user-domain virtual machine has no permission to operate on the virtual disk image file.
In some embodiments, moving controlled files into the controlled file system comprises:
verifying, in the management domain, the files that need to be protected;
moving the files that need to be protected into the controlled file system;
defining the files that need to be protected as controlled files.
Optionally, files are divided into files that need to be protected and files that do not. The present invention defines only the files that need protection as controlled files and isolates them from the user-domain virtual machine; for files that do not need protection, the steps of the present invention need not be performed. For the user-domain virtual machine, the file system it uses is built on a virtual disk image file, and the entities of user files are stored in the file system of the user-domain virtual machine.
In some embodiments, the permission of the user-domain virtual machine to read controlled files is configured on the controlled data channel, where the permission configuration is sent to the controlled data channel and enforced by the controlled data channel.
Optionally, the authorization management program for the user-domain virtual disk image file runs in the management domain and controls the user-domain virtual machine's access to the virtual disk image file through the interface of the hypervisor.
In some embodiments, the controlled file system of the management domain is connected to the user-domain virtual machine through the controlled data channel according to the configured permissions.
Optionally, while the system formally runs the file protection method, the controlled data channel is the only connecting channel between the user domain and the management domain.
It can be seen from the above embodiment that the file protection method for a virtual machine provided by the embodiments of the present invention, by creating a controlled file system for use by the user-domain virtual machine, moving controlled files into the controlled file system, configuring the file system permissions of the user-domain virtual machine on the controlled data channel, and connecting to the user-domain virtual machine through the controlled data channel, can protect virtual machine files. The entities of the files on the user-domain virtual machine are protected in the management domain, and no software or application needs to be installed or run on the user-domain virtual machine. The permission required in the management domain to protect user-domain files is higher than the permission of programs inside the user-domain virtual machine, so malware in the user-domain virtual machine has no permission to operate on the entities of protected files, and the file entities can be protected 100% from malicious tampering. The operations that protect controlled files are completed in the management domain; nothing is installed or run on the user-domain virtual machine, so the method is not restricted by the user-domain virtual machine's operating system and consumes none of its resources. All operations that protect controlled files are completed in the management domain and require no interaction of any kind (including network interaction) with the user domain, so the method does not depend on the network connectivity of the user-domain virtual machine.
The embodiments of the present invention also propose a second embodiment of a method for protecting virtual machine files for different user-domain virtual machines or different types of user-domain virtual machine. Fig. 2 shows a flow diagram of the second embodiment of the file protection method for a virtual machine provided by the present invention.
As shown in Fig. 2, the virtual machine file protection method involves three parts: the user-domain operating system, the virtual-domain operating system and the virtualization platform. The virtualization platform is logically independent; physically it may be independent or may be arranged inside the virtual domain, but wherever the virtualization platform is placed, the existing user domain requires no change.
In a virtualized environment, the disks used by the user-domain virtual machine are all virtual disk image files. The entity of a virtual disk image file can only be accessed by the management domain; the user-domain virtual machine has no permission to operate on the virtual disk image file. The file system used by the user-domain virtual machine is built in the virtual disk image file, and the entities of the user files on the user-domain virtual machine are stored in that file system. The technical property by which the user file entities are separated from the user-domain virtual machine and kept outside it is referred to as the isolation property of virtualized storage.
The present invention uses this isolation property of virtualized storage together with the virtual disk operation interface provided by the virtualization platform (the hypervisor) to control, from the management domain, the permission of the user-domain virtual machine to access the file system in the virtual disk image file, so that the entities of user files are protected from tampering. Further, for user files that need protection (the controlled files), the management domain grants the user-domain virtual machine only read permission, not the permission to modify or delete, and the permission to operate the hypervisor is higher than the operating permission of the user-domain virtual machine and of all applications (including malware) inside it. Consequently every operation on the user-domain virtual machine that attempts to tamper with a user file entity is refused and interrupted by the virtualization platform. In implementation, the method divides the file system of the user domain into an ordinary file system and a controlled file system. All files that need protection are stored in the controlled file system and are called controlled files; the other files, which do not need protection, are stored in the ordinary file system and are called ordinary files. The ordinary file system and ordinary files exist in the user-domain virtual machine as in the prior art and are not affected by this method.
This method uses the isolation property of virtualized storage to protect the user file entities on the user-domain virtual machine by controlling, from the management domain, the access permissions to the controlled file system. No software or application needs to be installed or run on the user-domain virtual machine, so the method is independent of the operating system type of the user-domain virtual machine and consumes none of its resources. The permission to operate the user-domain virtual machine's virtual disk from the management domain is higher than the permission the user-domain virtual machine itself possesses, so malware running in the user-domain virtual machine has no permission to tamper with the entities of controlled files, and the controlled files can be protected 100% from malicious tampering. The process by which the management domain protects user-domain files requires no interaction with the user-domain virtual machine (including network interaction), so it does not depend on the network connectivity of the user-domain virtual machine.
A specific embodiment of the execution steps of this method is as follows:
1. Deploy the authorization management program and the controlled data channel in the management domain. The authorization management program operates the controlled data channel to manage and control the permissions with which the user-domain virtual machine accesses the controlled file system.
2. Create a virtual disk image file in the management domain, create a file system in that virtual disk image file, and define this file system as the controlled file system.
3. Verify a file that needs protection; after confirming that it is correct, move it into the controlled file system created in step 2 and define it as a controlled file.
4. Repeat step 3 until all files that need protection have been moved into the controlled file system.
5. Configure, through the authorization management program, the permission of the user-domain virtual machine to read controlled files. The permission configuration is ultimately passed to the controlled data channel and enforced by the controlled data channel.
6. Connect the controlled file system to the user-domain virtual machine through the controlled data channel according to the permissions configured in step 5.
7. Applications in the user-domain virtual machine use the controlled files according to the permissions configured in step 5. Any operation outside the permissions configured in step 5 (for example tampering with a controlled file) is refused and interrupted by the controlled data channel.
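The following is an added worked example, not code from the patent, modelling steps 3 to 7 above (and the same procedure as steps S101 to S107 of the first embodiment). The management domain is the process itself: it hashes each file before staging it into the controlled file system (the "verify" of step 3), the authorization management program pushes a read-only grant into the controlled data channel (step 5), and the channel acts as a reference monitor that refuses every operation outside that grant (step 7) and logs it. The `libvirt_disk_xml` helper shows the concrete form a read-only attachment takes on QEMU/KVM, using libvirt's `<readonly/>` disk element; the image path, target device and VM name are assumptions for the example, and the sample document is constructed.

```python
"""Model of the patent's controlled file system and controlled data channel.

Added example, not the patent's own code. The management domain (this process)
stages files into the controlled file system and records a SHA-256 manifest (the
'verify' of step 3), grants the user-domain VM read-only rights (step 5), and the
channel refuses every other operation (step 7). The libvirt <disk> element built
at the end is the concrete form a read-only attachment takes on QEMU/KVM; the
image path, target device and VM name are assumptions for the example."""
import hashlib
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

READ_ONLY = frozenset({"read"})          # the only right the patent grants the VM


class ControlledFileSystem:
    """Directory standing in for the file system inside the management-domain image."""

    def __init__(self, root):
        self.root = Path(root)
        self.manifest = {}               # file name -> SHA-256 at staging time

    def stage(self, src):
        """Step 3: hash the file in the management domain, then move it in."""
        src = Path(src)
        digest = hashlib.sha256(src.read_bytes()).hexdigest()
        shutil.move(str(src), str(self.root / src.name))
        self.manifest[src.name] = digest
        return digest

    def verify(self):
        """Re-hash every controlled file; returns the names whose content changed."""
        return sorted(
            name for name, digest in self.manifest.items()
            if hashlib.sha256((self.root / name).read_bytes()).hexdigest() != digest
        )


class ControlledDataChannel:
    """Reference monitor between the user-domain VM and the controlled file system.

    Rights are set only from the management domain; nothing the VM sends can
    change them, which is what puts the policy above guest-resident malware."""

    def __init__(self, cfs):
        self.cfs = cfs
        self.grants = {}                 # VM name -> frozenset of allowed operations
        self.audit = []                  # (vm, op, name, outcome)

    def configure(self, vm, ops):
        """Step 5: the authorization management program pushes the policy here."""
        self.grants[vm] = frozenset(ops)

    def request(self, vm, op, name, data=b""):
        """Steps 6 and 7: every guest operation on a controlled file passes through here."""
        if op not in self.grants.get(vm, frozenset()):
            self.audit.append((vm, op, name, "refused"))
            raise PermissionError(f"{vm}: {op} {name} refused by controlled data channel")
        path = self.cfs.root / name
        self.audit.append((vm, op, name, "allowed"))
        if op == "read":
            return path.read_bytes()
        if op == "write":                # reachable only if a write right were granted
            path.write_bytes(data)
        elif op == "delete":
            path.unlink()
        return None


def libvirt_disk_xml(image_path, target_dev):
    """libvirt <disk> element that attaches the controlled image read-only.

    <readonly/> makes QEMU reject guest writes at the virtual device, so the
    guest kernel cannot change the image even as root inside the VM."""
    disk = ET.Element("disk", type="file", device="disk")
    ET.SubElement(disk, "driver", name="qemu", type="raw")
    ET.SubElement(disk, "source", file=image_path)          # assumed path
    ET.SubElement(disk, "target", dev=target_dev, bus="virtio")
    ET.SubElement(disk, "readonly")
    return ET.tostring(disk, encoding="unicode")


def demo():
    """Run steps 3 to 7 against a constructed sample file; returns the outcomes."""
    work = Path(tempfile.mkdtemp())
    (work / "user").mkdir()
    (work / "controlled").mkdir()
    sample = work / "user" / "contract.docx"
    sample.write_bytes(b"constructed sample document")       # constructed input
    cfs = ControlledFileSystem(work / "controlled")
    cfs.stage(sample)
    channel = ControlledDataChannel(cfs)
    channel.configure("user-vm-1", READ_ONLY)                 # assumed VM name
    out = {"read": channel.request("user-vm-1", "read", "contract.docx"), "refused": []}
    for op in ("write", "delete"):        # ransomware-style attempts from the guest
        try:
            channel.request("user-vm-1", op, "contract.docx", b"ENCRYPTED")
        except PermissionError:
            out["refused"].append(op)
    out["tampered"] = cfs.verify()        # management-domain check after the attempts
    out["disk_xml"] = libvirt_disk_xml("/var/lib/libvirt/images/controlled.img", "vdb")
    shutil.rmtree(work)
    return out


if __name__ == "__main__":
    print(demo())
```

Run it with `python3`; the read succeeds, the write and delete are refused before they touch the file, and the manifest re-check finds nothing changed. Two points a practitioner should keep in mind when moving from the model to a real deployment: the guarantee rests on the management domain and hypervisor staying trusted, since that is where the grant lives; and the guest must mount the attached device read-only as well (for a journaled file system such as ext4, with `ro,noload`), because a read-write mount attempt against a read-only virtual disk will fail or be forced read-only rather than silently succeed. Read-only access protects integrity only; it does not stop malware in the guest from reading and exfiltrating controlled files.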
As with the first embodiment, the file protection method for a virtual machine provided by this embodiment creates a controlled file system for use by the user-domain virtual machine, moves controlled files into it, configures the file system permissions of the user-domain virtual machine on the controlled data channel, and connects to the user-domain virtual machine through the controlled data channel. The entities of the files on the user-domain virtual machine are thereby protected in the management domain, with no software or application installed or run on the user-domain virtual machine. The permission required in the management domain to protect user-domain files is higher than that of programs inside the user-domain virtual machine, so malware there has no permission to operate on the entities of protected files and the file entities can be protected 100% from malicious tampering. The protecting operations are completed in the management domain, are not restricted by the operating system of the user-domain virtual machine, consume none of its resources, and require no interaction of any kind (including network interaction) with the user domain, so they do not depend on the network connectivity of the user-domain virtual machine.
It is important to note that the steps of the embodiments of the file protection method for a virtual machine described above may be interchanged, replaced, added or deleted. These reasonable permutations and combinations of the file protection method therefore also fall within the scope of protection of the present invention, and the scope of protection should not be confined to the embodiments.
Based on the above purpose, a second aspect of the embodiments of the present invention proposes an embodiment of a device for protecting files for different user-domain virtual machines or different types of user-domain virtual machine. The file protection device for a virtual machine uses the file protection method for a virtual machine described above.
The file protection device for a virtual machine provided by the embodiments of the present invention creates a controlled file system for use by the user-domain virtual machine, moves controlled files into the controlled file system, configures the file system permissions of the user-domain virtual machine on the controlled data channel, and connects to the user-domain virtual machine through the controlled data channel. With this technical solution the device protects virtual machine files: the entities of the files on the user-domain virtual machine are protected in the management domain, with no software or application installed or run on the user-domain virtual machine; the permission required in the management domain to protect user-domain files is higher than that of programs inside the user-domain virtual machine, so malware there has no permission to operate on the entities of protected files and the file entities can be protected 100% from malicious tampering; the protecting operations are completed in the management domain, are not restricted by the operating system of the user-domain virtual machine and consume none of its resources; and they require no interaction of any kind (including network interaction) with the user domain, so they do not depend on the network connectivity of the user-domain virtual machine.
It is important to note that the embodiment of the file protection device for a virtual machine uses the embodiment of the file protection method to describe the working process of each module, and a person skilled in the art can readily apply these modules to the other embodiments of the file protection method. Since the steps of the embodiments of the file protection method may be interchanged, replaced, added or deleted, a file protection device for a virtual machine formed by these reasonable permutations and combinations also falls within the scope of protection of the present invention, and the scope of protection should not be confined to the embodiment.
Based on the above purpose, a third aspect of the embodiments of the present invention proposes an embodiment of a computer device for performing the file protection method for a virtual machine.
The computer device for performing the file protection method for a virtual machine comprises a memory, at least one processor, and a computer program stored in the memory and runnable on the processor; the processor performs any one of the above methods when executing the program.
Fig. 3 shows a hardware architecture diagram of an embodiment of the computer device for performing the file protection method for a virtual machine provided by the present invention.
Taking the computer device shown in Fig. 3 as an example, the computer device comprises a processor 301 and a memory 302, and may further comprise an input device 303 and an output device 304. The processor 301, memory 302, input device 303 and output device 304 may be connected by a bus or in another way; in Fig. 3 they are connected by a bus.
The memory 302, as a non-volatile computer-readable storage medium, can store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions/modules corresponding to the file protection method for a virtual machine in the embodiments of this application. By running the non-volatile software programs, instructions and modules stored in the memory 302, the processor 301 executes the various functional applications and data processing of the server, that is, implements the file protection method for a virtual machine of the above method embodiments.
The memory 302 may comprise a program storage area and a data storage area, where the program storage area can store the operating system and the application program required by at least one function, and the data storage area can store data created according to the use of the file protection device for a virtual machine, and so on. In addition, the memory 302 may comprise high-speed random access memory and may also comprise non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some embodiments, the memory 302 optionally comprises memory located remotely from the processor 301; such remote memory may be connected to the local module through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The input device 303 can receive input numeric or character information and generate key signal inputs related to the user settings and function control of the file protection device for a virtual machine. The output device 304 may comprise a display device such as a display screen.
The program instructions/modules corresponding to the file protection method for one or more virtual machines are stored in the memory 302 and, when executed by the processor 301, perform the file protection method for a virtual machine of any of the above method embodiments.
Any embodiment of the computer device for performing the file protection method for a virtual machine can achieve the same or similar effect as the corresponding method embodiment above.
Based on the above purpose, a fourth aspect of the embodiment of the present invention proposes a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, performs the file protection method of the virtual machine in any of the above method embodiments and implements the file protection device/system of the virtual machine in any of the above device/system embodiments. The embodiment of the computer-readable storage medium can achieve an effect identical or similar to that of the corresponding aforementioned method and device/system embodiments.
Based on the above purpose, a fifth aspect of the embodiment of the present invention proposes a computer program product. The computer program product includes a computer program stored on a computer-readable storage medium, and the computer program includes instructions which, when executed by a computer, cause the computer to perform the file protection method of the virtual machine in any of the above method embodiments and to implement the file protection device/system of the virtual machine in any of the above device/system embodiments. The embodiment of the computer program product can achieve an effect identical or similar to that of the corresponding aforementioned method and device/system embodiments.
Finally, it should be noted that a person of ordinary skill in the art will appreciate that all or part of the processes of the above embodiment methods can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of each of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM) or a random access memory (Random Access Memory, RAM), etc. The embodiment of the computer program can achieve an effect identical or similar to that of any corresponding aforementioned method embodiment.
In addition, the devices, equipment, etc. disclosed in the embodiments of the present invention can typically be various electronic terminal devices, for example mobile phones, personal digital assistants (PDA), tablet computers (PAD), smart televisions, or large-scale terminal devices such as servers; therefore the scope of protection disclosed by the embodiments of the present invention should not be limited to a certain specific type of device or equipment. The client disclosed in the embodiments of the present invention can be applied to any of the above electronic terminal devices in the form of electronic hardware, computer software or a combination of both.
In addition, the method disclosed according to the embodiments of the present invention can also be implemented as a computer program executed by a CPU, and the computer program can be stored in a computer-readable storage medium. When the computer program is executed by the CPU, the above functions defined in the method disclosed in the embodiments of the present invention are performed.
In addition, the above method steps and system units can also be implemented using a controller and a computer-readable storage medium storing a computer program that causes the controller to implement the above steps or unit functions.
In addition, it should be appreciated that the computer-readable storage medium (for example, memory) described herein can be volatile memory or non-volatile memory, or can include both volatile memory and non-volatile memory. By way of example and not limitation, non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM), which can serve as an external cache. By way of example and not limitation, RAM is available in many forms, such as synchronous RAM (DRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM) and direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to include, but not be limited to, these and other suitable types of memory.
Those skilled in the art will also understand that the various illustrative logical blocks, modules, circuits and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software or a combination of both. To clearly illustrate this interchangeability of hardware and software, the functions of various exemplary components, blocks, modules, circuits and steps have been described in general terms. Whether such functions are implemented as software or as hardware depends on the particular application and the design constraints imposed on the overall system. Those skilled in the art may implement the described functions in various ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope disclosed by the embodiments of the present invention.
The various illustrative logical blocks, modules and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions described here: a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general-purpose processor may be a microprocessor, but alternatively the processor may be any conventional processor, controller, microcontroller or state machine. A processor may also be implemented as a combination of computing devices, for example a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of the method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer. By way of example and not limitation, such computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disc storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer or a general-purpose or special-purpose processor. In addition, any connection may properly be termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of medium. As used herein, disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The above are exemplary embodiments disclosed by the present invention. It should be noted that many modifications and changes may be made without departing from the scope of the disclosure of the embodiments of the present invention as defined by the claims. The functions, steps and/or actions of the method claims according to the disclosed embodiments described herein need not be performed in any particular order. In addition, although the elements disclosed in the embodiments of the present invention may be described or claimed in the singular, they are also to be understood as plural unless explicitly limited to the singular.
It should be understood that, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly supports an exception. It is to be further understood that "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
The sequence numbers of the embodiments disclosed in the embodiments of the present invention are for description only and do not represent the merits of the embodiments.
A person of ordinary skill in the art will appreciate that all or part of the steps for implementing the above embodiments may be completed by hardware, or may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, etc.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope disclosed by the embodiments of the present invention (including the claims) is limited to these examples. Within the spirit of the embodiments of the present invention, the technical features in the above embodiments or in different embodiments may also be combined, and many other variations of the different aspects of the embodiments of the present invention as described above exist, which for simplicity are not provided in detail. Therefore, any omission, modification, equivalent replacement, improvement, etc. made within the spirit and principles of the embodiments of the present invention shall be included within the scope of protection of the embodiments of the present invention.
Claims (10)
1. A file protection method of a virtual machine, characterized in that it is applied to a management domain and includes the following steps:
creating a controlled file system used by a user domain virtual machine;
moving a controlled file into the controlled file system;
configuring the file system permission of the user domain virtual machine on a controlled data channel;
connecting to the user domain virtual machine through the controlled data channel.
2. The method according to claim 1, characterized in that, before creating the controlled file system used by the user domain virtual machine, the management domain deploys an authorization management program and the controlled data channel, wherein the authorization management program manages and controls the access of the user domain virtual machine to the controlled file system through the controlled data channel.
3. The method according to claim 1, characterized in that creating the controlled file system used by the user domain virtual machine includes:
creating a virtual disk image file in the management domain;
creating a file system in the virtual disk image file;
defining the file system as the controlled file system.
4. The method according to claim 1, characterized in that moving the controlled file into the controlled file system includes:
verifying, in the management domain, the file that needs protection;
moving the file that needs protection into the controlled file system;
defining the file that needs protection as the controlled file.
5. The method according to claim 1, characterized in that the permission of the user domain virtual machine to read the controlled file is configured on the controlled data channel, wherein the permission configuration is sent to the controlled data channel and executed by the controlled data channel.
6. The method according to claim 5, characterized in that the controlled file system of the management domain is connected to the user domain virtual machine through the controlled data channel according to the configured permission.
7. A file protection device of a virtual machine, characterized in that it uses the method according to any one of claims 1 to 6.
8. Computer equipment, including a memory, at least one processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the program, performs the method according to any one of claims 1 to 6.
9. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, performs the method according to any one of claims 1 to 6.
10. A computer program product, characterized in that the computer program product includes a computer program stored on a computer-readable storage medium, the computer program including instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810004364.5A CN108229191A (en) | 2018-01-03 | 2018-01-03 | The document protection method and device of a kind of virtual machine |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108229191A true CN108229191A (en) | 2018-06-29 |
Family
ID=62642665
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810004364.5A Pending CN108229191A (en) | 2018-01-03 | 2018-01-03 | The document protection method and device of a kind of virtual machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108229191A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103365700A (en) * | 2013-06-28 | 2013-10-23 | 福建师范大学 | Cloud computing virtualization environment-oriented resource monitoring and adjustment system |
CN105184147A (en) * | 2015-09-08 | 2015-12-23 | 成都博元科技有限公司 | User security management method for cloud computing platform |
CN107463427A (en) * | 2017-06-29 | 2017-12-12 | 北京北信源软件股份有限公司 | The acquisition methods and device of a kind of VME operating system type and version |
CN107463369A (en) * | 2017-06-30 | 2017-12-12 | 北京北信源软件股份有限公司 | The access device control method and device of a kind of virtual desktop |
US20180113999A1 (en) * | 2016-10-25 | 2018-04-26 | Flexera Software Llc | Incorporating license management data into a virtual machine |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20180629