CN110516468B - Method and device for encrypting memory snapshot of virtual machine - Google Patents
Method and device for encrypting memory snapshot of virtual machine Download PDFInfo
- Publication number
- CN110516468B CN110516468B CN201910651596.4A CN201910651596A CN110516468B CN 110516468 B CN110516468 B CN 110516468B CN 201910651596 A CN201910651596 A CN 201910651596A CN 110516468 B CN110516468 B CN 110516468B
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- memory
- information
- processing function
- content
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000015654 memory Effects 0.000 title claims abstract description 158
- 238000000034 method Methods 0.000 title claims abstract description 55
- 230000006870 function Effects 0.000 claims abstract description 72
- 230000005055 memory storage Effects 0.000 claims abstract description 24
- 238000007781 pre-processing Methods 0.000 claims abstract description 19
- 238000012545 processing Methods 0.000 claims description 20
- 238000012805 post-processing Methods 0.000 claims description 13
- 238000004088 simulation Methods 0.000 claims description 6
- 238000011084 recovery Methods 0.000 claims 2
- 238000004590 computer program Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 238000011161 development Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000001360 synchronised effect Effects 0.000 description 3
- 238000013461 design Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 239000000835 fiber Substances 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a method for encrypting memory snapshots of a virtual machine, which comprises the following steps: adding an encryption algorithm to a memory storage pre-processing function in a virtual machine equipment state linked list in the analog processor; reading the virtual machine content stored in the Libvirt, encrypting the content, and storing the encrypted content in a memory snapshot file; reading and traversing a virtual machine equipment state linked list to obtain a memory storage preprocessing function, reading configuration information and memory information of the virtual machine equipment through the memory storage preprocessing function and encrypting the information into encrypted information; and encrypting other information stored in the analog processor into encrypted information, and storing all the encrypted information into the memory snapshot file. The method and the device solve the problem that the memory snapshot file plaintext stores the virtual machine sensitive information, improve the security of the memory snapshot of the virtual machine of the cloud product, and prevent the confidential information of the virtual machine from being leaked.
Description
Technical Field
The present invention relates to the field of computers, and in particular, to a method and an apparatus for encrypting a memory snapshot of a virtual machine.
Background
With the development of cloud computing and virtualization technologies, the concept of cloud computing is accepted by vast enterprises and public institutions and common consumers, and as the basis of IaaS, the development of virtualization technologies is also changing and developing rapidly. In the process of rapid development of cloud computing, the security problem of cloud computing is also highlighted day by day. In a conventional virtualization platform, a memory snapshot of a virtual machine is a relatively common function, but this function has a relatively large potential safety hazard, as shown in fig. 1, there is no security processing function of a memory snapshot file in Libvirt and Qemu, and the memory content of the virtual machine is stored in the snapshot file in a plaintext manner in a specific format. Therefore, as long as the memory snapshot file of the virtual machine is obtained, the related configuration of the virtual machine and the running information of the virtual machine can be easily obtained, and the unsafe memory information storage mode inevitably has great potential safety hazard.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a method for encrypting a snapshot of a virtual machine memory, where snapshot contents related to the virtual machine memory are encrypted and decrypted when the snapshot is recovered, and the entire process ensures that the snapshot information contents are kept confidential without affecting the snapshot function of the existing virtual machine memory.
Based on the above object, an aspect of the embodiments of the present invention provides a method for encrypting a memory snapshot of a virtual machine, including the following steps:
adding an encryption algorithm to a memory storage pre-processing function in a virtual machine equipment state linked list in the analog processor;
reading the virtual machine content stored in the Libvirt, encrypting the content, and storing the encrypted content in a memory snapshot file;
reading and traversing the virtual machine equipment state linked list to acquire the memory storage preprocessing function, reading the configuration information and the memory information of the virtual machine equipment through the memory storage preprocessing function and encrypting the information into encrypted information;
and encrypting other information stored in the analog processor into encrypted information, and storing all the encrypted information into the memory snapshot file.
In some embodiments, the adding an encryption algorithm to a pre-memory-save processing function in a virtual machine device state linked list in the simulation processor further comprises:
and adding a decryption algorithm corresponding to the encryption algorithm to the memory loading post-processing function in the linked list.
In some embodiments, the method encrypts the virtual machine content information using an AES encryption algorithm.
In some embodiments, the method further comprises:
and after the memory snapshot file is obtained, decrypting the file through a corresponding decryption algorithm.
In some embodiments, after the obtaining the memory snapshot file, decrypting the file through a corresponding decryption algorithm further includes:
firstly, decrypting the encrypted Libvirt content stored in the memory snapshot file, and starting a virtual machine through the decrypted Libvirt content.
In some embodiments, after the obtaining the memory snapshot file, decrypting the file through a corresponding decryption algorithm further includes:
decrypting other information stored in the analog processor;
traversing the virtual machine device state linked list of the simulation processor stored in the memory snapshot file to obtain the memory loading post-processing function of each virtual machine device in the linked list, and decrypting the configuration information and the memory information of the virtual machine device through the memory loading post-processing function;
and loading the information into the memory of the virtual machine.
In some embodiments, the method is used for virtual machine memory snapshot encryption under KVM virtualization.
In some embodiments, the analog processor is Qemu.
Another aspect of the embodiments of the present invention provides a device for encrypting a memory snapshot of a virtual machine, including:
at least one processor; and
a memory storing program code executable by the processor, the program code implementing the following steps when executed by the processor:
adding an encryption algorithm to a memory storage pre-processing function in a virtual machine equipment state linked list in the analog processor;
reading the virtual machine content stored in the Libvirt, encrypting the content, and storing the encrypted content in a memory snapshot file;
reading and traversing the virtual machine equipment state linked list to acquire the memory storage preprocessing function, reading the configuration information and the memory information of the virtual machine equipment through the memory storage preprocessing function and encrypting the information into encrypted information;
and encrypting other information stored in the analog processor into encrypted information, and storing all the encrypted information into the memory snapshot file.
In some embodiments, the adding an encryption algorithm to a pre-memory-save processing function in a virtual machine device state linked list in the simulation processor further comprises:
and adding a decryption algorithm corresponding to the encryption algorithm to the memory loading post-processing function in the linked list.
The invention has the following beneficial technical effects: according to the method and the device for encrypting the virtual machine memory snapshot, provided by the embodiment of the invention, the snapshot content related to the virtual machine memory is encrypted, and the content is decrypted when the snapshot is recovered, so that the problem that the virtual machine sensitive information is stored in the memory snapshot file in a plaintext mode is solved, the security of the cloud product virtual machine memory snapshot is improved, and the leakage of the virtual machine sensitive information is prevented; the whole process ensures that the memory snapshot function of the existing virtual machine is not influenced under the condition that the snapshot information content is kept confidential.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by using the drawings without creative efforts.
FIG. 1 is a diagram illustrating a prior art method for storing and retrieving virtual machine information via a virtual machine memory snapshot;
FIG. 2 is a schematic diagram of storing and retrieving virtual machine information via a virtual machine memory snapshot in accordance with the present invention;
FIG. 3 is a flow chart of a method for encrypting a snapshot of virtual machine memory in accordance with the present invention;
FIG. 4 is a cryptographic module processing flow diagram according to an embodiment of the invention;
FIG. 5 is a decryption module processing flow diagram according to an embodiment of the invention;
fig. 6 is a schematic hardware structure diagram of an apparatus for encrypting a snapshot of a virtual machine memory according to the present invention.
Detailed Description
Embodiments of the present invention are described below. However, it is to be understood that the disclosed embodiments are merely examples and that other embodiments may take various and alternative forms. The figures are not necessarily to scale; certain features may be exaggerated or minimized to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present invention. As one of ordinary skill in the art will appreciate, various features illustrated and described with reference to any one of the figures may be combined with features illustrated in one or more other figures to produce embodiments that are not explicitly illustrated or described. The combination of features shown provides a representative embodiment for a typical application. However, various combinations and modifications of the features consistent with the teachings of the present invention may be desired for certain specific applications or implementations.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
In the prior art, the virtual machine memory snapshot is stored in a specific format and a plaintext manner, and this unsafe memory information storage manner inevitably has a great potential safety hazard, so that it is necessary to encrypt the snapshot content related to the virtual machine memory and decrypt the content when the snapshot is recovered, as shown in fig. 2, to ensure the security of the virtual machine memory snapshot file.
Based on the above object, an embodiment of the present invention provides a method for encrypting a memory snapshot of a virtual machine, as shown in fig. 3, including the following steps:
step S301: adding an encryption algorithm to a memory storage pre-processing function in a virtual machine equipment state linked list in the analog processor;
step S302: reading the virtual machine content stored in the Libvirt, encrypting the content, and storing the encrypted content in a memory snapshot file;
step S303: reading and traversing the virtual machine equipment state linked list to obtain the modified memory storage preprocessing function, reading the configuration information and the memory information of the virtual machine equipment through the memory storage preprocessing function and encrypting the information into encrypted information;
step S304: and encrypting other information stored in the analog processor into encrypted information, and storing all the encrypted information into the memory snapshot file.
In some embodiments, adding the encryption algorithm to a pre-memory save processing function (pre _ save function) in a virtual machine device state linked list in an analog processor (e.g., Qemu) further comprises: adding a decryption algorithm to a post-memory-loading processing function (post _ load function) in the linked list, wherein the modified pre-memory-storage processing function can encrypt read information through an encryption algorithm, and the modified post-memory-loading processing function can decrypt the encrypted information through a decryption algorithm corresponding to the encryption algorithm. In some embodiments, the method encrypts the virtual machine content information using an AES encryption algorithm.
In some embodiments, the method further comprises: and after the memory snapshot file is obtained, decrypting the file through a corresponding decryption algorithm.
In some embodiments, after the memory snapshot file is obtained, decrypting the file through a corresponding decryption algorithm includes: firstly, decrypting the encrypted Libvirt content stored in the memory snapshot file, and starting a virtual machine through the decrypted Libvirt content. In other embodiments, other information stored in the analog processor is then decrypted; traversing the virtual machine device state linked list of the analog processor stored in the memory snapshot file to obtain the memory loading post-processing function of each virtual machine device in the linked list, and decrypting the configuration information and the memory information of the virtual machine device through the memory loading post-processing function; and loading the information into the memory of the virtual machine.
In some embodiments, the method is used for virtual machine memory snapshot encryption under KVM virtualization.
In an embodiment according to the present invention, the virtual machine memory snapshot includes two parts, one part is the configuration file and the runtime content of the virtual machine stored by Libvirt, and the other part is the content of Qemu runtime. As shown in fig. 4, it is first required to obtain the virtual machine configuration file and content stored in Libvirt during the encryption process, and the virtual machine configuration file and content are stored in a specific format. And reading the virtual machine content stored in the Libvirt by a specific format, and encrypting the content by using an encryption algorithm such as AES (advanced encryption standard) after the reading is finished.
The method comprises the steps of obtaining runtime information of a virtual machine in Qemu, wherein the runtime information comprises information of Qemu software, configuration information of virtual machine equipment, and memory allocation conditions and contents of the equipment in runtime. Wherein, Qemu provides a virtual machine device state linked list (i.e. vmState linked list), and names and positions of all devices of the virtual machine and a memory storage pre-processing function (pre _ save function) and a memory loading post-processing function (post _ load function) corresponding to the devices are registered in the linked list. And modifying a pre _ save function and a post _ load function in advance, wherein the modified pre _ save function can encrypt the read information through an encryption algorithm, and the modified post _ load function can decrypt the encrypted information through a decryption algorithm corresponding to the encryption algorithm. The method comprises the steps of acquiring a pre _ save function after modification of devices needing encryption by traversing the linked list, acquiring configuration information of virtual machine devices and memory allocation conditions and contents in the memories when the devices run by executing the pre _ save function, encrypting the acquired contents by a proper encryption algorithm (such as an AES algorithm), and storing the encrypted data in a vmState linked list.
And after other information stored in Qemu is encrypted, all data stored in Qemu and the content of Libvirt are stored in the memory snapshot file together.
In one embodiment according to the present invention, Libvirt configuration and runtime information about the virtual machine, and Qemu configuration and runtime information are stored in the memory snapshot file. As shown in fig. 5, in the process of recovering the virtual machine, it is necessary to first designate a corresponding memory snapshot file, and decrypt the content of Libvirt in the memory snapshot file to obtain a plaintext configuration file and runtime information; and starting a virtual machine through the configuration file and the running information of the Libvirt, wherein the virtual machine is in a waiting state and is not really in normal running until new memory information is loaded again.
Traversing a qmeu vmState linked list to obtain information of equipment to be decrypted and a memory, wherein the obtained information is ciphertext content; and executing a post _ load function of each device in the vmState linked list, decrypting the ciphertext information, acquiring plaintext information, and loading the plaintext information into the memory of the virtual machine. And finishing the memory loading of the virtual machine, and enabling the virtual machine to run normally.
Where technically feasible, the technical features listed above for the different embodiments may be combined with each other or changed, added, omitted, etc. to form further embodiments within the scope of the invention.
As can be seen from the foregoing embodiments, the method for encrypting the virtual machine memory snapshot according to the embodiments of the present invention encrypts the snapshot content related to the virtual machine memory, and decrypts the content when the snapshot is recovered, so as to solve the problem that the memory snapshot file stores the virtual machine sensitive information in the plaintext, improve the security of the cloud product virtual machine memory snapshot, and prevent the leakage of the virtual machine sensitive information; the whole process ensures that the memory snapshot function of the existing virtual machine is not influenced under the condition that the snapshot information content is kept confidential.
In view of the foregoing, another aspect of the embodiments of the present invention provides an embodiment of an apparatus for encrypting a memory snapshot of a virtual machine.
The device for encrypting the memory snapshot of the virtual machine comprises a storage and at least one processor, wherein the storage stores a computer program capable of running on the processor, and the processor executes any one of the methods when executing the computer program.
Fig. 6 is a schematic hardware structure diagram of an embodiment of a device for encrypting a memory snapshot of a virtual machine according to the present invention.
Taking the computer device shown in fig. 6 as an example, the computer device includes a processor 601 and a memory 602, and may further include: an input device 603 and an output device 604.
The processor 601, the memory 602, the input device 603 and the output device 604 may be connected by a bus or other means, and fig. 6 illustrates the connection by a bus as an example.
The memory 602, serving as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the method for encrypting the snapshot of the virtual machine memory in the embodiment of the present application. The processor 601 executes various functional applications and data processing of the server by running the nonvolatile software program, instructions and modules stored in the storage 602, that is, the method for encrypting the memory snapshot of the virtual machine according to the above-described method embodiment is implemented.
The memory 602 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area can store data and the like created according to the virtual machine memory snapshot encryption method. Further, the memory 602 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 602 optionally includes memory located remotely from processor 601, which may be connected to local modules via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 603 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer apparatus of the method for encrypting the memory snapshot of the virtual machine. The output device 604 may include a display device such as a display screen.
Program instructions/modules corresponding to the one or more methods for encrypting the memory snapshot of the virtual machine are stored in the storage 602, and when executed by the processor 601, the method for encrypting the memory snapshot of the virtual machine in any of the above-described method embodiments is executed.
Any embodiment of the computer device executing the method for encrypting the memory snapshot of the virtual machine may achieve the same or similar effects as any corresponding embodiment of the foregoing method.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes in the methods of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like.
In addition, the apparatuses, devices and the like disclosed in the embodiments of the present invention may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television and the like, or may be a large terminal device, such as a server and the like, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of apparatus, device. The client disclosed in the embodiment of the present invention may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Further, it should be appreciated that the computer-readable storage media (e.g., memory) described herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as synchronous RAM (DRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions described herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk, blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
It should be understood that, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like.
The above-described embodiments are possible examples of implementations and are presented merely for a clear understanding of the principles of the invention. Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, also technical features in the above embodiment or in different embodiments may be combined and there are many other variations of the different aspects of an embodiment of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.
Claims (10)
1. A method for encrypting a memory snapshot of a virtual machine is characterized by comprising the following steps:
adding an encryption algorithm to a memory storage pre-processing function in a virtual machine equipment state linked list in the analog processor;
pre-modifying a pre-memory storage processing function and a post-memory loading processing function, wherein the modified pre-memory storage processing function can encrypt read information through an encryption algorithm, and the modified post-memory loading processing function can decrypt the encrypted information through a decryption algorithm corresponding to the encryption algorithm;
reading the virtual machine content stored in the Libvirt, encrypting the virtual machine content, and storing the encrypted virtual machine content in a memory snapshot file;
reading and traversing the virtual machine equipment state linked list to acquire the memory storage preprocessing function, reading the configuration information and the memory information of the virtual machine equipment through the memory storage preprocessing function, and encrypting the configuration information and the memory information into encrypted information;
encrypting the analog processor software information stored in the analog processor into encrypted information, and storing all the encrypted information into the memory snapshot file;
the virtual machine memory snapshot file comprises two parts of contents, wherein one part of the contents is a configuration file and a running content of the virtual machine stored by Libvirt, the other part of the contents is a content of a simulation processor running, in the recovery process of the virtual machine, the corresponding memory snapshot file needs to be appointed first, and the Libvirt contents in the memory snapshot file are decrypted to obtain a plaintext configuration file and a running information; starting a virtual machine through a configuration file and running information of Libvirt, wherein the virtual machine is in a waiting state and is not really running normally until new memory information is loaded again;
traversing a virtual machine equipment state linked list of the analog processor to acquire equipment and memory information to be decrypted, wherein the acquired information is ciphertext content; executing the memory loading post-processing function of each device in the virtual machine device state linked list, decrypting the ciphertext information, acquiring plaintext information, and loading the plaintext information into the virtual machine memory; and finishing the memory loading of the virtual machine, and enabling the virtual machine to run normally.
2. The method of claim 1, wherein adding an encryption algorithm to a pre-memory-save processing function in a virtual machine device state linked list in an analog processor further comprises:
and adding a decryption algorithm corresponding to the encryption algorithm to the memory loading post-processing function in the linked list.
3. The method of claim 2, wherein the method encrypts the virtual machine content information using an AES encryption algorithm.
4. The method of claim 2, further comprising:
and after the memory snapshot file is obtained, decrypting the file through the corresponding decryption algorithm.
5. The method according to claim 4, wherein after the obtaining of the memory snapshot file, decrypting the file through the corresponding decryption algorithm further comprises:
firstly, the encrypted virtual machine content stored in the memory snapshot file is decrypted, and the virtual machine is started through the decrypted virtual machine content.
6. The method according to claim 5, wherein after the obtaining of the memory snapshot file, decrypting the file through the corresponding decryption algorithm further comprises:
decrypting the analog processor software information stored in the analog processor;
traversing the virtual machine device state linked list of the simulation processor stored in the memory snapshot file to obtain the memory loading post-processing function of each virtual machine device in the linked list, and decrypting the configuration information and the memory information of the virtual machine device through the memory loading post-processing function;
and loading the decrypted configuration information and the decrypted memory information into the memory of the virtual machine.
7. The method of claim 1, wherein the method is used for virtual machine memory snapshot encryption under KVM virtualization.
8. The method of claim 1, wherein the analog processor is Qemu.
9. An apparatus for encrypting a memory snapshot of a virtual machine, comprising:
at least one processor; and
a memory storing program code executable by the processor, the program code implementing the following steps when executed by the processor:
adding an encryption algorithm to a memory storage pre-processing function in a virtual machine equipment state linked list in the analog processor;
pre-modifying a pre-memory storage processing function and a post-memory loading processing function, wherein the modified pre-memory storage processing function can encrypt read information through an encryption algorithm, and the modified post-memory loading processing function can decrypt the encrypted information through a decryption algorithm corresponding to the encryption algorithm;
reading the virtual machine content stored in the Libvirt, encrypting the virtual machine content, and storing the encrypted virtual machine content in a memory snapshot file;
reading and traversing the virtual machine equipment state linked list to acquire the memory storage preprocessing function, reading the configuration information and the memory information of the virtual machine equipment through the memory storage preprocessing function, and encrypting the configuration information and the memory information into encrypted information;
encrypting the analog processor software information stored in the analog processor into encrypted information, and storing all the encrypted information into the memory snapshot file;
the virtual machine memory snapshot file comprises two parts of contents, wherein one part of the contents is a configuration file and a running content of the virtual machine stored by Libvirt, the other part of the contents is a content of a simulation processor running, in the recovery process of the virtual machine, the corresponding memory snapshot file needs to be appointed first, and the Libvirt contents in the memory snapshot file are decrypted to obtain a plaintext configuration file and a running information; starting a virtual machine through a configuration file and running information of Libvirt, wherein the virtual machine is in a waiting state and is not really running normally until new memory information is loaded again;
traversing a virtual machine equipment state linked list of the analog processor to acquire equipment and memory information to be decrypted, wherein the acquired information is ciphertext content; executing the memory loading post-processing function of each device in the virtual machine device state linked list, decrypting the ciphertext information, acquiring plaintext information, and loading the plaintext information into the virtual machine memory; and finishing the memory loading of the virtual machine, and enabling the virtual machine to run normally.
10. The apparatus of claim 9, wherein adding an encryption algorithm to a pre-memory-save processing function in a virtual machine device state linked list in an analog processor further comprises:
and adding a decryption algorithm corresponding to the encryption algorithm to the memory loading post-processing function in the linked list.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910651596.4A CN110516468B (en) | 2019-07-18 | 2019-07-18 | Method and device for encrypting memory snapshot of virtual machine |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910651596.4A CN110516468B (en) | 2019-07-18 | 2019-07-18 | Method and device for encrypting memory snapshot of virtual machine |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110516468A CN110516468A (en) | 2019-11-29 |
| CN110516468B true CN110516468B (en) | 2021-07-06 |
Family
ID=68622770
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910651596.4A Active CN110516468B (en) | 2019-07-18 | 2019-07-18 | Method and device for encrypting memory snapshot of virtual machine |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110516468B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111158954A (en) * | 2019-12-29 | 2020-05-15 | 北京浪潮数据技术有限公司 | Cloud host snapshot method, system, equipment and computer readable storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8166477B1 (en) * | 2007-03-23 | 2012-04-24 | Parallels IP Holdings GmbH | System and method for restoration of an execution environment from hibernation into a virtual or physical machine |
| CN104199909A (en) * | 2014-08-28 | 2014-12-10 | 上海爱数软件有限公司 | Method for recovering NTFS advanced encryption file in VMware scene |
| CN106681858A (en) * | 2015-11-10 | 2017-05-17 | 中国电信股份有限公司 | Virtual machine data disaster tolerance method and management device |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102521071B (en) * | 2011-11-24 | 2013-12-11 | 广州杰赛科技股份有限公司 | Private cloud-based virtual machine maintaining method |
| CN106648827A (en) * | 2016-09-20 | 2017-05-10 | 国云科技股份有限公司 | Method for online adding virtual machine resources |
| EP3516573A1 (en) * | 2016-09-22 | 2019-07-31 | Telefonaktiebolaget LM Ericsson (PUBL) | Version control for trusted computing |
| CN109376119B (en) * | 2018-10-30 | 2021-10-26 | 郑州云海信息技术有限公司 | Method for creating disk image file encrypted snapshot, method for using disk image file encrypted snapshot and storage medium |
| CN109582443A (en) * | 2018-12-06 | 2019-04-05 | 国网江西省电力有限公司信息通信分公司 | Virtual machine standby system based on distributed storage technology |
-
2019
- 2019-07-18 CN CN201910651596.4A patent/CN110516468B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8166477B1 (en) * | 2007-03-23 | 2012-04-24 | Parallels IP Holdings GmbH | System and method for restoration of an execution environment from hibernation into a virtual or physical machine |
| CN104199909A (en) * | 2014-08-28 | 2014-12-10 | 上海爱数软件有限公司 | Method for recovering NTFS advanced encryption file in VMware scene |
| CN106681858A (en) * | 2015-11-10 | 2017-05-17 | 中国电信股份有限公司 | Virtual machine data disaster tolerance method and management device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110516468A (en) | 2019-11-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108932297B (en) | Data query method, data sharing method, device and equipment | |
| US20170295013A1 (en) | Method for fulfilling a cryptographic request requiring a value of a private key | |
| US10917394B2 (en) | Data operations using a proxy encryption key | |
| CN109564553B (en) | Multi-stage memory integrity method and apparatus | |
| US20220006617A1 (en) | Method and apparatus for data storage and verification | |
| EP2803009B1 (en) | Virtual machine device having key driven obfuscation and method | |
| US8175268B2 (en) | Generating and securing archive keys | |
| CN106599629B (en) | Android application program reinforcing method and device | |
| US10452564B2 (en) | Format preserving encryption of object code | |
| JP2014528602A (en) | Method, computer program, device and apparatus for provisioning an operating system image to an untrusted user terminal | |
| CN107579962A (en) | A kind of method and device of source code encryption and decryption | |
| CN108229144B (en) | Verification method of application program, terminal equipment and storage medium | |
| CN105678192A (en) | Smart card based secret key application method and application apparatus | |
| US20150071442A1 (en) | Data-encrypting method and decrypting method for a mobile phone | |
| US11934539B2 (en) | Method and apparatus for storing and processing application program information | |
| US11809603B2 (en) | Systems and methods for real-time encryption of sensitive data | |
| US10043015B2 (en) | Method and apparatus for applying a customer owned encryption | |
| WO2016112799A1 (en) | File processing method and apparatus | |
| Park et al. | A methodology for the decryption of encrypted smartphone backup data on android platform: A case study on the latest samsung smartphone backup system | |
| CN110516468B (en) | Method and device for encrypting memory snapshot of virtual machine | |
| WO2015154469A1 (en) | Database operation method and device | |
| US20180101485A1 (en) | Method and apparatus for accessing private data in physical memory of electronic device | |
| CN111104693A (en) | Android platform software data cracking method, terminal device and storage medium | |
| CN111143879A (en) | Android platform SD card file protection method, terminal device and storage medium | |
| KR20140089703A (en) | Method and apparatus for security of mobile data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |