CN113067809A - Environment safety detection system and method of cloud platform - Google Patents

Environment safety detection system and method of cloud platform

Info

Publication number: CN113067809A
Application number: CN202110277784.2A
Authority: CN (China)
Prior art keywords: detection, detection result, virtual machines, security, cloud platform
Prior art date:
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN113067809B
Inventors: 陈妍, 章倩, 韦湘, 邓雨, 陆臻
Current assignee: Third Research Institute of the Ministry of Public Security (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Third Research Institute of the Ministry of Public Security
Priority date:
Filing date:
Publication date:
Events: application filed by Third Research Institute of the Ministry of Public Security; priority to CN202110277784.2A; publication of CN113067809A; application granted; publication of CN113067809B; current legal status Active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Alarm Systems (AREA)

Abstract

The invention provides an environmental security detection system and method for a cloud platform, in the field of network security. A plurality of virtual machines are deployed on the cloud platform and run on the same host machine. The environmental security detection system comprises: a selection module, with which the user selects the cloud platform to be detected; a security detection module, which performs virtualization vulnerability detection and CPU security isolation detection on the selected cloud platform, and performs memory isolation and memory residual information detection, network security isolation detection, disk security isolation and disk residual information detection, and data transmission security detection on the plurality of virtual machines on the selected cloud platform; and a result output module, connected with the security detection module, which forms and outputs an overall detection result. With this technical scheme the security state of the selected cloud platform can be displayed accurately and comprehensively, and the security of the selected cloud platform is effectively guaranteed.

Description

Environment safety detection system and method of cloud platform
Technical Field
The invention relates to the field of network security, in particular to an environment security detection system and method of a cloud platform.
Background
A cloud computing platform, also called a cloud platform, is a service built on hardware and software resources that provides computing, network and storage capabilities. Cloud computing platforms can be divided into three classes: storage-oriented platforms in which data storage is the main function, compute-oriented platforms in which data processing is the main function, and comprehensive platforms that combine computing with data storage and processing.
Cloud computing has developed rapidly as a new service model. Because of the advantages of cloud services, more and more users choose to migrate their information systems to the cloud, and cloud service providers offering all kinds of cloud services have emerged. The cloud computing platform offered by an infrastructure service provider is the most basic form of cloud service, and the security of that platform is the foundation on which the information systems running on it operate securely.
At present, environmental security detection for cloud platforms is still lacking: existing technical schemes do not effectively address how to guarantee the security of the cloud platform's hosts, the security isolation between tenants, the security isolation between the cloud platform and its tenants, the protection of residual information, and the security of data during migration within the cloud platform environment. A technical scheme that implements environmental security detection for a cloud platform is therefore needed.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an environmental security detection system for a cloud platform on which a plurality of virtual machines are deployed and run on the same host machine. The environmental security detection system comprises:
a selection module, used by the user to select the cloud platform to be detected;
a security detection module, connected with the selection module, which comprises:
a first detection unit, which performs virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
a second detection unit, which performs CPU security isolation detection on the selected cloud platform to obtain a second detection result;
a third detection unit, which performs memory isolation and memory residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a third detection result;
a fourth detection unit, which performs network security isolation detection on the plurality of virtual machines on the selected cloud platform to obtain a fourth detection result;
a fifth detection unit, which performs disk security isolation and disk residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a fifth detection result;
a sixth detection unit, which performs data transmission security detection on the plurality of virtual machines on the selected cloud platform to obtain a sixth detection result;
and a result output module, connected with the security detection module, which selects one or more of the first, second, third, fourth, fifth and sixth detection results to form an overall detection result and outputs that overall detection result.
Preferably, the cloud platform includes:
KVM, and/or VMware, and/or Xen.
Preferably, the second detection unit comprises:
an affinity detection subunit, which monitors the CPU affinity of the plurality of virtual machines on the same host machine to obtain an affinity detection result;
a mapping relation detection subunit, which detects the CPU mapping relation between the plurality of virtual machines and the host machine to obtain a mapping relation detection result;
a CPU security vulnerability detection subunit, which detects CPU security vulnerabilities of the plurality of virtual machines to obtain a CPU security vulnerability detection result;
and the affinity detection result, the mapping relation detection result and the CPU security vulnerability detection result form the second detection result.
Preferably, the third detection unit comprises:
a memory security isolation detection subunit, which detects whether the memories of the plurality of virtual machines on the same host are isolated and whether memory data is leaked, to obtain a memory security isolation detection result;
a memory residual information detection subunit, which detects, when the plurality of virtual machines return memory to the host and the host reallocates that memory, whether the host clears the memory data left by each virtual machine, to obtain a memory residual information detection result;
and the memory security isolation detection result and the memory residual information detection result form the third detection result.
Preferably, the fifth detection unit comprises:
a disk security isolation detection subunit, which detects whether the disks of the plurality of virtual machines on the same host machine are isolated and whether disk data is leaked, to obtain a disk security isolation detection result;
a disk residual information detection subunit, which detects, when the plurality of virtual machines return disks to the host and the host reallocates those disks, whether the host clears the disk data left by each virtual machine, to obtain a disk residual information detection result;
and the disk security isolation detection result and the disk residual information detection result form the fifth detection result.
Preferably, the sixth detection unit comprises:
a security policy detection subunit, which detects whether the security policies of the plurality of virtual machines change when the plurality of virtual machines undergo live migration, to obtain a security policy detection result;
a data integrity detection subunit, which detects the integrity of the memory data and disk data of the plurality of virtual machines when they undergo live migration, to obtain a data integrity detection result;
a data confidentiality detection subunit, which detects whether the data transferred by the plurality of virtual machines during live migration is encrypted, to obtain a data confidentiality detection result;
and the security policy detection result, the data integrity detection result and the data confidentiality detection result form the sixth detection result.
An environmental security detection method for a cloud platform, applied in the above environmental security detection system, comprises the following steps:
step S1, the environmental security detection system lets the user select the cloud platform to be detected;
step S2, the environmental security detection system performs virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
step S3, the environmental security detection system performs CPU security isolation detection on the selected cloud platform to obtain a second detection result;
step S4, the environmental security detection system performs memory isolation and memory residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a third detection result;
step S5, the environmental security detection system performs network security isolation detection on the plurality of virtual machines on the selected cloud platform to obtain a fourth detection result;
step S6, the environmental security detection system performs disk security isolation and disk residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a fifth detection result;
step S7, the environmental security detection system performs data transmission security detection on the plurality of virtual machines on the selected cloud platform to obtain a sixth detection result;
step S8, the environmental security detection system selects one or more of the first, second, third, fourth, fifth and sixth detection results to form an overall detection result and outputs that overall detection result.
Preferably, step S3 comprises:
step S31, the environmental security detection system monitors the CPU affinity of the plurality of virtual machines on the same host machine to obtain an affinity detection result;
step S32, the environmental security detection system detects the CPU mapping relation between the virtual machines and the host machine to obtain a mapping relation detection result;
and step S33, the environmental security detection system detects CPU security vulnerabilities of the virtual machines to obtain a CPU security vulnerability detection result.
Preferably, step S4 comprises:
step S41, the environmental security detection system detects whether the memories of the plurality of virtual machines on the same host are isolated and whether memory data is leaked, to obtain a memory security isolation detection result;
step S42, when the plurality of virtual machines return memory to the host and the host reallocates that memory, the environmental security detection system detects whether the host clears the memory data left by each virtual machine, to obtain a memory residual information detection result.
The technical scheme has the following advantages or beneficial effects:
with this technical scheme a user can select among different cloud platforms; the environmental security of the selected platform is detected from the angles of virtualization vulnerabilities, CPU, memory, network, disk and data transmission, and an overall detection result for the platform is obtained. The security state of the selected cloud platform can thus be displayed accurately and comprehensively, the security of the selected cloud platform is effectively guaranteed, and the scheme is easy to popularize.
Drawings
FIG. 1 is a schematic diagram of the general structure of an environmental security detection system according to a preferred embodiment of the present invention;
FIG. 2 is a flow chart of a method for detecting environmental security in accordance with a preferred embodiment of the present invention;
FIG. 3 is a sub-flowchart of a method for detecting environmental security in accordance with a preferred embodiment of the present invention;
FIG. 4 is a sub-flowchart of the environmental security detection method according to the preferred embodiment of the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. The present invention is not limited to the embodiment, and other embodiments may be included in the scope of the present invention as long as the gist of the present invention is satisfied.
In a preferred embodiment of the present invention, addressing the above problems in the prior art, an environmental security detection system is provided, as shown in fig. 1. A plurality of virtual machines are deployed on a cloud platform and run on the same host, and the environmental security detection system comprises:
a selection module 1, used by the user to select the cloud platform to be detected;
a security detection module 2, connected with the selection module 1, which comprises:
a first detection unit 21, configured to perform virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
a second detection unit 22, configured to perform CPU security isolation detection on the selected cloud platform to obtain a second detection result;
a third detection unit 23, configured to perform memory isolation and memory residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a third detection result;
a fourth detection unit 24, configured to perform network security isolation detection on the plurality of virtual machines on the selected cloud platform to obtain a fourth detection result;
a fifth detection unit 25, configured to perform disk security isolation and disk residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a fifth detection result;
a sixth detection unit 26, configured to perform data transmission security detection on the plurality of virtual machines on the selected cloud platform to obtain a sixth detection result;
and a result output module 3, connected with the security detection module 2, which selects one or more of the first, second, third, fourth, fifth and sixth detection results to form an overall detection result and outputs that overall detection result.
Specifically, in this embodiment, the selection module 1 selects the cloud platform to be detected from the platforms deployed by the cloud service provider, where the cloud platform comprises KVM, and/or VMware, and/or Xen. The technical scheme takes into account both the characteristics of the cloud platform itself and the characteristics of the services running on it. Characteristics of the platform itself: the bottom layer of a cloud platform is the hypervisor, which sits at the lowest level of the virtualization software stack and interacts directly with the hardware. Once the hypervisor is compromised, every virtual machine running on top of it is compromised as well. Characteristics of the services on the platform: the underlying equipment of the cloud platform is a set of hosts that supply all the resources the platform needs, such as CPUs, memory and disks. Many tenants coexist in the cloud platform environment; different tenants own different virtual machines and run different services, and those virtual machines share the CPU, memory, disk and network resources provided by the platform. Live migration of virtual machines is another important feature of cloud platforms.
In view of these characteristics of the cloud platform environment and of the services on it, the security detection module 2 in this technical scheme provides virtualization vulnerability detection, CPU security isolation detection, memory security isolation and memory residual information detection, network security isolation detection, disk security isolation and disk residual information detection, and data transmission security detection, which can be combined as required in an actual detection run.
In this technical scheme, the result output module 3 selects one or more of the first, second, third, fourth, fifth and sixth detection results produced by the security detection module 2, forms an overall detection result from them, and outputs it for display to the user.
This technical scheme starts from the CPU, memory and disk shared by the cloud platform and performs security detection in several dimensions (virtualization vulnerabilities, CPU security isolation, memory security isolation and memory residual information protection, network security isolation, disk security isolation and disk residual information protection, and data transmission security), so that the security problems of the cloud platform can be analysed comprehensively and in depth, the security of the cloud platform is effectively improved, and the scheme is easy to popularize.
Further, in this embodiment, the security detection module 2 performs virtualization vulnerability detection, CPU security isolation detection, memory security isolation and memory residual information detection, network security isolation detection, disk security isolation and disk residual information detection, and data transmission security detection through the first detection unit 21, the second detection unit 22, the third detection unit 23, the fourth detection unit 24, the fifth detection unit 25 and the sixth detection unit 26 respectively.
Further, the first detection unit 21 detects virtualization vulnerabilities of the cloud platform and obtains a first detection result, which analyses each virtualization vulnerability in detail and gives a remediation suggestion.
Further, virtualization vulnerabilities include security vulnerabilities of the hypervisor and of the individual host or platform.
Further, the fourth detection unit 24 detects network connectivity between the virtual machines on the cloud platform, and obtains a fourth detection result representing the network security isolation between those virtual machines.
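The fourth detection unit 24 compares observed connectivity between virtual machines with what the platform's isolation policy allows. The following script is an added example of that comparison and is not code from the patent: the VM inventory, tenant names, addresses, security-group style rules and probe results are all constructed, and in a real run the probes would come from a port scan executed inside each VM while the rules would be exported from the platform's security-group API.

```python
"""Added example: network isolation check between VMs on one host.

Not the patent's own code. VM inventory, tenant rules and probe results are
constructed; a real tool would collect the probes with a port scanner run from
inside each VM and pull the rules from the platform's security-group API.
"""
import ipaddress

# vm -> (tenant, address); constructed.
VMS = {
    "vmA": ("tenant-1", "10.0.1.10"),
    "vmC": ("tenant-1", "10.0.1.11"),
    "vmB": ("tenant-2", "10.0.2.10"),
    "vmD": ("tenant-2", "10.0.2.11"),
}

# Ingress rules per tenant: (protocol, port, allowed source CIDR); constructed.
RULES = {
    "tenant-1": [("tcp", 22, "10.0.1.0/24"), ("tcp", 443, "0.0.0.0/0")],
    "tenant-2": [("tcp", 22, "10.0.2.0/24")],
}

# Observed probe results: (src_vm, dst_vm, protocol, port) -> port reachable?
PROBES = {
    ("vmA", "vmC", "tcp", 22): True,
    ("vmA", "vmB", "tcp", 22): True,     # cross-tenant SSH should be blocked
    ("vmB", "vmA", "tcp", 443): True,
    ("vmB", "vmA", "tcp", 22): False,
    ("vmD", "vmB", "tcp", 22): False,    # same tenant, allowed, yet blocked
    ("vmC", "vmB", "tcp", 3306): True,   # no rule permits this at all
}


def expected_open(vms, rules, src, dst, proto, port):
    """True if some ingress rule of dst's tenant admits src's address on proto/port."""
    src_ip = ipaddress.ip_address(vms[src][1])
    dst_tenant = vms[dst][0]
    return any(
        r_proto == proto and r_port == port and src_ip in ipaddress.ip_network(cidr)
        for r_proto, r_port, cidr in rules.get(dst_tenant, [])
    )


def isolation_report(vms, rules, probes):
    """Split probes into isolation violations (reachable but not allowed) and
    policy drift (allowed but unreachable); everything else matches the policy."""
    violations, drift = [], []
    for (src, dst, proto, port), reachable in probes.items():
        allowed = expected_open(vms, rules, src, dst, proto, port)
        if reachable and not allowed:
            violations.append((src, dst, proto, port))
        elif allowed and not reachable:
            drift.append((src, dst, proto, port))
    return {"violations": sorted(violations), "drift": sorted(drift),
            "isolated": not violations}


if __name__ == "__main__":
    for key, value in isolation_report(VMS, RULES, PROBES).items():
        print(f"{key}: {value}")
```

Only the "violations" list is an isolation failure; "drift" entries are reported separately because a blocked-but-allowed path is an availability or configuration problem rather than a leak, and the fourth detection result should keep the two apart.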
In a preferred embodiment of the present invention, the second detection unit 22 comprises:
an affinity detection subunit 223, which monitors the CPU affinity of the multiple virtual machines on the same host to obtain an affinity detection result;
a mapping relation detection subunit 221, which detects the mapping between the CPUs of the multiple virtual machines and the CPUs of the host to obtain a mapping relation detection result;
a CPU security vulnerability detection subunit 222, which detects CPU security vulnerabilities of the multiple virtual machines to obtain a CPU security vulnerability detection result;
and the affinity detection result, the mapping relation detection result and the CPU security vulnerability detection result together form the second detection result.
Specifically, in this embodiment, the CPUs of all virtual machines share the host's CPU resources, and vCPU scheduling is performed by the hypervisor. The hypervisor treats each host core as a physical CPU (pCPU), and each pCPU maintains a queue of virtual CPUs (vCPUs): the compute capacity of the pCPU is time-shared among all vCPU instances in its queue, and those vCPUs belong to different virtual machines. When the hypervisor switches from one vCPU in the queue to the next, the state of the outgoing vCPU is saved and removed from the pCPU and the state of the incoming vCPU is loaded onto it, so vCPU isolation is implemented in software. However, the disclosed Spectre and Meltdown vulnerabilities can defeat CPU isolation between virtual machines and leak information across them; and because vCPUs time-share the pCPU, excessive CPU usage by one virtual machine can disturb the scheduling of the others, which is likewise a failure of CPU isolation. In this technical scheme, the affinity detection subunit 223 analyses how the vCPUs of a virtual machine share the host's pCPUs, i.e. whether a virtual machine's vCPUs are spread over several pCPUs or confined to a single one; it also records the relation between the multiple virtual machines on the same host and the host's CPUs, from which the virtual machines whose CPU isolation may have failed are identified.
In this technical scheme, the mapping relation detection subunit 221 analyses the concrete mapping between each virtual machine's vCPUs and the host's pCPUs at different time slices, so as to detect whether a vCPU is bound to a pCPU, i.e. whether the virtual machine's vCPU has that host pCPU to itself, and so identify the virtual machines whose CPU isolation may fail.
In this technical scheme, the CPU security vulnerability detection subunit 222 detects and analyses the CPU security vulnerabilities of the multiple virtual machines to judge whether they are affected, so that CPU security isolation on the cloud platform is also assessed from the perspective of CPU vulnerabilities. The affinity detection result, the mapping relation detection result and the CPU security vulnerability detection result form the second detection result, which represents the CPU security isolation of the platform.
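The three checks of the second detection unit 22 (affinity, vCPU-to-pCPU mapping over time, and CPU vulnerability status) can be run over a series of scheduling samples. The script below is an added example, not the patent's code: the host topology (four cores with two SMT threads each), the tenant ownership of vmA, vmB and vmC, the per-time-slice mapping samples and the guest sysfs vulnerability strings are all constructed; a real tool would sample `virsh vcpuinfo` (or the vCPU threads' `/proc/<pid>/task/<tid>/stat`) repeatedly on the host and read `/sys/devices/system/cpu/vulnerabilities/*` inside each guest.

```python
"""Added example: CPU isolation checks over constructed vCPU->pCPU samples.

Not the patent's own code. Host topology, sample data and file contents are
constructed; a real tool would sample `virsh vcpuinfo` (or the vCPU threads'
/proc/<pid>/task/<tid>/stat) repeatedly and read the guests' sysfs files.
"""
from collections import defaultdict
from itertools import combinations

# Assumed host: 4 physical cores with 2 SMT threads each (0/1, 2/3, 4/5, 6/7).
HOST_SMT_SIBLINGS = {0: 1, 1: 0, 2: 3, 3: 2, 4: 5, 5: 4, 6: 7, 7: 6}

# Which tenant owns each VM (constructed).
TENANT = {"vmA": "tenant-1", "vmB": "tenant-2", "vmC": "tenant-1"}

# One dict per sampled time slice: (vm, vcpu) -> pCPU it was running on.
SAMPLES = [
    {("vmA", 0): 0, ("vmA", 1): 2, ("vmB", 0): 1, ("vmC", 0): 4},
    {("vmA", 0): 0, ("vmA", 1): 3, ("vmB", 0): 1, ("vmC", 0): 1},
    {("vmA", 0): 0, ("vmA", 1): 2, ("vmB", 0): 1, ("vmC", 0): 4},
]

# Constructed contents of /sys/devices/system/cpu/vulnerabilities/<name>
# as read inside each guest.
GUEST_VULN_FILES = {
    "vmA": {"meltdown": "Mitigation: PTI", "spectre_v2": "Mitigation: Retpolines"},
    "vmB": {"meltdown": "Vulnerable", "spectre_v2": "Mitigation: Retpolines"},
    "vmC": {"meltdown": "Mitigation: PTI", "spectre_v2": "Vulnerable"},
}


def mapping_report(samples):
    """Mapping-relation check: pCPUs each vCPU was seen on; one entry = pinned."""
    seen = defaultdict(set)
    for sample in samples:
        for key, pcpu in sample.items():
            seen[key].add(pcpu)
    return {key: sorted(pcpus) for key, pcpus in seen.items()}


def exclusive_pcpus(samples):
    """pCPUs that only ever ran vCPUs of a single VM (dedicated, not time-shared)."""
    owners = defaultdict(set)
    for sample in samples:
        for (vm, _vcpu), pcpu in sample.items():
            owners[pcpu].add(vm)
    return {pcpu: next(iter(vms)) for pcpu, vms in sorted(owners.items()) if len(vms) == 1}


def affinity_conflicts(samples, siblings, tenant):
    """Affinity check: VMs of different tenants on the same core (same thread or
    its SMT sibling) in one time slice, i.e. sharing caches, ports and predictors."""
    conflicts = set()
    for sample in samples:
        by_pcpu = defaultdict(set)
        for (vm, _vcpu), pcpu in sample.items():
            by_pcpu[pcpu].add(vm)
        for pcpu, vms in by_pcpu.items():
            sibling = siblings.get(pcpu, pcpu)
            core_vms = vms | by_pcpu.get(sibling, set())  # .get() does not insert
            for a, b in combinations(sorted(core_vms), 2):
                if tenant[a] != tenant[b]:
                    conflicts.add((a, b, min(pcpu, sibling)))  # report the core
    return sorted(conflicts)


def vulnerable_guests(vuln_files):
    """CPU-vulnerability check: guests whose sysfs status starts with 'Vulnerable'."""
    report = {}
    for vm, files in vuln_files.items():
        bad = sorted(name for name, status in files.items() if status.startswith("Vulnerable"))
        if bad:
            report[vm] = bad
    return report


if __name__ == "__main__":
    print("mapping:", mapping_report(SAMPLES))
    print("dedicated pCPUs:", exclusive_pcpus(SAMPLES))
    print("cross-tenant core sharing:", affinity_conflicts(SAMPLES, HOST_SMT_SIBLINGS, TENANT))
    print("unmitigated CPU flaws:", vulnerable_guests(GUEST_VULN_FILES))
```

In the constructed samples vmA's second vCPU floats between pCPUs 2 and 3 (not pinned), pCPU 1 is time-shared by vmB and vmC, and vmA and vmB sit on SMT siblings of core 0 although they belong to different tenants; the sibling check matters because the Spectre and Meltdown class of flaws named above crosses exactly that shared-core boundary.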
In a preferred embodiment of the present invention, the third detection unit 23 comprises:
a memory security isolation detection subunit 231, which detects whether the memories of the multiple virtual machines on the same host are isolated and whether memory data is leaked, to obtain a memory security isolation detection result;
a memory residual information detection subunit 232, which detects, when the multiple virtual machines return memory to the host and the host reallocates it, whether the host clears the memory data left by each virtual machine, to obtain a memory residual information detection result;
and the memory security isolation detection result and the memory residual information detection result form the third detection result.
Specifically, in this embodiment, from the virtual-memory perspective each virtual machine appears to own the whole of its address space and the virtual machines are completely isolated from one another; from the physical-memory perspective, the virtual machines access their own virtual address spaces, but these may ultimately be backed by the same physical memory on the host. In addition, when a virtual machine is destroyed, the memory it occupied is released; the data in that memory may not be cleared before it is returned to the host, and the host may hand the same memory to the next virtual machine that requests it. All of these situations can leak memory data. Therefore, in this technical scheme, the memory security isolation detection subunit 231 detects whether the memories of the virtual machines on the same host are completely isolated and whether any memory data leaks, so that the data security risks caused by incomplete memory isolation are avoided. When a virtual machine is deleted, restarted or shut down, the virtualization platform returns its memory to the host. The memory residual information detection subunit 232 detects, at the moment a virtual machine returns memory to the host or the host reallocates memory released by a virtual machine, whether the host has cleared the memory data of each virtual machine, and so determines whether the virtualization platform discloses residual memory data. The memory security isolation detection result and the memory residual information detection result are combined into the third detection result.
In a preferred embodiment of the present invention, the fifth detection unit 25 comprises:
a disk security isolation detection subunit 251, which detects whether the disks of the multiple virtual machines on the same host are isolated and whether disk data is leaked, to obtain a disk security isolation detection result;
a disk residual information detection subunit 252, which detects, when the multiple virtual machines return disks to the host and the host reallocates them, whether the host clears the disk data left by each virtual machine, to obtain a disk residual information detection result;
and the disk security isolation detection result and the disk residual information detection result form the fifth detection result.
Specifically, in this embodiment, from the perspective of the virtual machines each virtual machine appears to own an entire disk and the virtual machines are completely isolated from one another; from the perspective of the host, all virtual machines share the host's disk space, and the disks of several virtual machines may refer to the same disk space on the host. In addition, when a virtual machine is destroyed, the disk resources it occupied are released; the data on that disk may not be cleared before it is returned to the host, and the host may hand the same disk space to the next virtual machine that requests it. These situations can leak disk data. Therefore, in this technical scheme, the disk security isolation detection subunit 251 detects whether the disks of the multiple virtual machines on the same host are isolated and whether any disk data leaks, so that the data security risks caused by incomplete disk isolation are avoided. When a virtual machine on the virtualization platform is deleted, restarted or shut down, its disk is returned to the host. The disk residual information detection subunit 252 detects, when the multiple virtual machines return disks to the host and the host reallocates them, whether the host has cleared the disk data of each virtual machine, and so determines whether the virtualization platform discloses residual disk data. The disk security isolation detection result and the disk residual information detection result are combined into the fifth detection result.
In a preferred embodiment of the present invention, the sixth detecting unit 26 includes:
a security policy detection subunit 261, configured to detect whether the security policies of the multiple virtual machines are changed when the multiple virtual machines perform live migration, so as to obtain a security policy detection result;
the data integrity detection subunit 262 is configured to, when the plurality of virtual machines perform live migration, detect integrity of memory data and disk data in the plurality of virtual machines to obtain a data integrity detection result;
the data confidentiality detecting subunit 263 is configured to detect whether data transmission is performed in an encryption manner during live migration of multiple virtual machines, so as to obtain a data confidentiality detecting result;
and the security policy detection result, the data integrity detection result and the data confidentiality detection result form a sixth detection result.
Specifically, in this embodiment, when a virtual machine is migrated on a cloud platform, the user services carried by the virtual machine may be interrupted and important configuration may be lost, causing loss of user services and unavailability of the virtual machine. In addition, if the transmission protocol used during the migration of the virtual machine is insecure, important information about the virtual machine may also be leaked. Therefore, in the present technical solution, the security policy detection subunit 261 is set to detect whether the security policies of the multiple virtual machines change while the virtual machines perform live migration, so that interruption of user services caused by a change of security policy is avoided and the stability of the present technical solution is effectively improved. The data integrity detection subunit 262 is set to detect, while the multiple virtual machines are in live migration, the integrity of the memory data and disk data in those virtual machines, so that loss of user services caused by incomplete memory data or disk data in the virtual machines is avoided. The data confidentiality detection subunit 263 is set to detect whether the multiple virtual machines transmit data in encrypted form during live migration, so that important configuration is prevented from being stolen because data was transmitted unencrypted, and the security of the virtual machines' data transmission during live migration is effectively improved. The security policy detection result, the data integrity detection result and the data confidentiality detection result are combined to form a sixth detection result.
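The sixth detection unit, as an added example that is not the patent's own code: it compares a snapshot of a virtual machine taken before live migration with one taken after it and derives the three sub-results. It assumes the security policy is modelled as a dict of rule name to rule text, that memory integrity is checked on a known-pattern probe region kept untouched by an in-guest agent (a whole-memory digest of a running guest would never match across a migration), and that the set of transports counted as encrypted is a placeholder to adapt to the platform's migration URI schemes.

```python
"""Sixth detection unit: security policy, data integrity and data
confidentiality sub-results derived from a before/after snapshot pair.
Added example, not the patent's code; all sample values are constructed."""
import hashlib
from dataclasses import dataclass

# Placeholder (assumption): adapt to the migration transport names the platform uses.
ENCRYPTED_TRANSPORTS = {"tls", "ssh"}


@dataclass(frozen=True)
class VmSnapshot:
    security_policy: dict      # rule name -> rule text (assumed model)
    memory_probe_digest: str   # SHA-256 of the in-guest agent's known-pattern region
    disk_digest: str           # SHA-256 of the disk image


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def capture(policy: dict, memory_probe: bytes, disk_image: bytes) -> VmSnapshot:
    """Take one snapshot; called once before and once after migration."""
    return VmSnapshot(dict(policy), digest(memory_probe), digest(disk_image))


def sixth_detection(before: VmSnapshot, after: VmSnapshot, transport: str) -> dict:
    """Each sub-result is 'pass' or a 'fail: <reason>' string."""
    keys = set(before.security_policy) | set(after.security_policy)
    changed = sorted(k for k in keys
                     if before.security_policy.get(k) != after.security_policy.get(k))
    altered = []
    if before.memory_probe_digest != after.memory_probe_digest:
        altered.append("memory")
    if before.disk_digest != after.disk_digest:
        altered.append("disk")
    return {
        "security_policy": "pass" if not changed else f"fail: rules changed {changed}",
        "data_integrity": "pass" if not altered
                          else f"fail: {'/'.join(altered)} data altered",
        "data_confidentiality": "pass" if transport in ENCRYPTED_TRANSPORTS
                                else f"fail: transport '{transport}' is not encrypted",
    }


# Constructed sample data so the example runs stand-alone.
POLICY = {"ingress-ssh": "allow 10.0.0.0/8 tcp/22", "egress-default": "deny"}
PROBE = bytes(range(256)) * 16                   # 4 KiB pattern held by the in-guest agent
DISK = b"\x00" * 1024 + b"fs-data" * 100


def demo() -> tuple:
    """Returns (result for a clean migration, result for a drifted one)."""
    good = sixth_detection(capture(POLICY, PROBE, DISK), capture(POLICY, PROBE, DISK), "tls")
    drifted = capture({**POLICY, "ingress-ssh": "allow 0.0.0.0/0 tcp/22"},
                      PROBE[:-1] + b"\x00", DISK)   # policy loosened, probe corrupted
    bad = sixth_detection(capture(POLICY, PROBE, DISK), drifted, "tcp")
    return good, bad


if __name__ == "__main__":
    for result in demo():
        print(result)
```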
An environmental security detection method of a cloud platform is applied to the environmental security detection system, as shown in fig. 2, and includes:
step S1, the environmental safety detection system is used for the user to select the cloud platform to be detected;
step S2, the environment safety detection system carries out virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
step S3, the environmental security detection system carries out CPU security isolation detection on the selected cloud platform to obtain a second detection result;
step S4, the environmental security detection system performs memory isolation and memory residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a third detection result;
step S5, the environmental security detection system performs network security isolation detection on the plurality of virtual machines on the selected cloud platform to obtain a fourth detection result;
step S6, the environment safety detection system carries out disk safety isolation and disk residual information detection on the multiple virtual machines on the selected cloud platform to obtain a fifth detection result;
step S7, the environmental security detection system performs data transmission security detection on the plurality of virtual machines on the selected cloud platform to obtain a sixth detection result;
step S8, the environmental safety detection system selects one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result to form an integrated detection result and output the integrated detection result.
In a preferred embodiment of the present invention, as shown in fig. 3, step S3 includes:
step S31, the environmental safety detection system monitors the CPU affinity relationships of the multiple virtual machines on the same host machine to obtain an affinity relationship detection result;
step S32, the environmental safety detection system detects the CPU mapping relationship between the virtual machines and the host machine to obtain a mapping relationship detection result;
and step S33, the environment security detection system detects the CPU security vulnerabilities of the virtual machines to obtain a CPU security vulnerability detection result.
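Steps S31 and S32 above, as an added example that is not the patent's own code: it parses per-vCPU pinning data laid out in the shape of `virsh vcpuinfo` output (the sample text is constructed), flags vCPUs currently scheduled on a physical CPU outside their own affinity mask (mapping relationship), and lists physical CPUs reachable by two different virtual machines (affinity relationship). The VM names, 8-CPU mask layout and field names are assumptions.

```python
"""Second detection unit, steps S31/S32: CPU affinity and mapping checks over
vcpuinfo-style text. Added example, not the patent's code; input is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VcpuInfo:
    vcpu: int
    cpu: int             # physical CPU the vCPU is currently scheduled on
    affinity: frozenset  # physical CPUs the vCPU is allowed to run on


# One 'key: value' field per line; 'CPU Affinity' is the last field of each vCPU entry.
_FIELD = re.compile(r"^(VCPU|CPU|CPU Affinity):\s*(\S+)", re.M)


def parse_vcpuinfo(text: str) -> list:
    """Affinity is a string with one 'y' (allowed) or '-' per physical CPU, in CPU order."""
    records, current = [], {}
    for key, value in _FIELD.findall(text):
        current[key] = value
        if key == "CPU Affinity":
            mask = frozenset(i for i, c in enumerate(value) if c == "y")
            records.append(VcpuInfo(int(current["VCPU"]), int(current["CPU"]), mask))
            current = {}
    return records


def mapping_check(vms: dict) -> dict:
    """S32: vm name -> vCPUs scheduled outside their own affinity mask, i.e. the
    platform is not honouring the vCPU-to-host-CPU mapping it reports."""
    return {name: [v.vcpu for v in vcpus if v.cpu not in v.affinity]
            for name, vcpus in vms.items()}


def shared_cpus(vms: dict) -> dict:
    """S31: (vm_a, vm_b) -> physical CPUs both can run on; only overlapping pairs."""
    names = sorted(vms)
    reach = {n: frozenset().union(*(v.affinity for v in vms[n])) for n in names}
    out = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            common = reach[a] & reach[b]
            if common:
                out[(a, b)] = sorted(common)
    return out


def _entry(vcpu: int, cpu: int, mask: str) -> str:
    """Build one constructed vcpuinfo-style entry."""
    return (f"VCPU:           {vcpu}\nCPU:            {cpu}\nState:          running\n"
            f"CPU time:       1.0s\nCPU Affinity:   {mask}\n\n")


# Constructed sample: one host with 8 physical CPUs and three tenant VMs.
SAMPLE_VCPUINFO = {
    "tenant-a": _entry(0, 0, "yy------") + _entry(1, 1, "yy------"),
    "tenant-b": _entry(0, 3, "--yy----") + _entry(1, 5, "---yy---"),  # vCPU 1 runs off-mask
    "tenant-c": _entry(0, 2, "-yy-----"),                              # overlaps a and b
}


def second_detection(raw: dict) -> dict:
    vms = {name: parse_vcpuinfo(text) for name, text in raw.items()}
    return {"mapping_violations": mapping_check(vms), "shared_cpus": shared_cpus(vms)}


if __name__ == "__main__":
    print(second_detection(SAMPLE_VCPUINFO))
```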
In a preferred embodiment of the present invention, as shown in fig. 4, step S4 includes:
step S41, the environmental security detection system detects whether memories of multiple virtual machines on the same host machine are isolated and whether memory data are leaked, and a memory security isolation detection result is obtained;
step S42, when the plurality of virtual machines return the memory to the host and the host reallocates the memory, the environmental security detection system detects whether the host clears the memory data in each virtual machine, and obtains a memory remaining information detection result.
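Steps S41/S42 and the disk remaining information detection subunit 252 described earlier share one check, shown here as an added example that is not the patent's own code: write a unique marker into a virtual machine's disk or memory before the resource is released, then scan the region the host hands to the next virtual machine for non-zero blocks, well-known on-disk signatures and that marker. The marker format, signature list and sample regions are constructed.

```python
"""Remaining-information detection for a freshly (re)allocated disk image or
memory region. Added example, not the patent's code; samples are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

BLOCK = 4096

# Standard offsets of a few signatures on an unpartitioned volume / boot sector.
MAGIC_SIGNATURES = [
    (0x1FE, b"\x55\xAA", "boot-sector signature"),
    (0x438, b"\x53\xEF", "ext2/3/4 superblock magic"),
    (0x003, b"NTFS    ", "NTFS OEM identifier"),
]


@dataclass
class ResidueReport:
    total_blocks: int
    nonzero_blocks: int
    signatures: list = field(default_factory=list)
    marker_found: bool = False

    @property
    def clean(self) -> bool:
        return self.nonzero_blocks == 0 and not self.signatures and not self.marker_found


def make_marker(tenant: str, nonce: str) -> bytes:
    """Unique, unguessable marker (constructed format) so a hit cannot be coincidence."""
    return b"RESIDUE-MARKER:" + hashlib.sha256(f"{tenant}:{nonce}".encode()).hexdigest().encode()


def scan_region(data: bytes, marker: Optional[bytes] = None) -> ResidueReport:
    """Scan a disk image or memory dump in BLOCK-sized chunks."""
    total = nonzero = 0
    for off in range(0, len(data), BLOCK):
        total += 1
        chunk = data[off:off + BLOCK]
        if chunk.count(0) != len(chunk):       # at least one non-zero byte
            nonzero += 1
    sigs = [label for off, magic, label in MAGIC_SIGNATURES
            if data[off:off + len(magic)] == magic]
    return ResidueReport(total, nonzero, sigs, marker is not None and marker in data)


# Constructed samples: what a sanitising host hands out versus a leaky one.
MARKER = make_marker("tenant-a", "nonce-0001")


def sample_region(leaky: bool) -> bytes:
    region = bytearray(64 * 1024)                         # 16 zeroed blocks
    if leaky:
        region[0x438:0x43A] = b"\x53\xEF"                 # stale ext4 superblock magic
        region[2 * BLOCK:2 * BLOCK + len(MARKER)] = MARKER  # previous tenant's marker
    return bytes(region)


def remaining_information_result(region: bytes, marker: bytes) -> str:
    """The S42 / subunit 252 verdict for one reallocated region."""
    report = scan_region(region, marker)
    return "pass" if report.clean else (
        f"fail: {report.nonzero_blocks}/{report.total_blocks} non-zero blocks, "
        f"signatures={report.signatures}, marker_found={report.marker_found}")


if __name__ == "__main__":
    print(remaining_information_result(sample_region(False), MARKER))
    print(remaining_information_result(sample_region(True), MARKER))
```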
While the invention has been described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

Claims (9)

1. The environmental safety detection system of the cloud platform is characterized in that a plurality of virtual machines are deployed on the cloud platform, the virtual machines run on the same host machine, and the environmental safety detection system comprises:
the selection module is used for the user to select the cloud platform to be detected;
the safety detection module is connected with the selection module and comprises:
the first detection unit is used for performing virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
the second detection unit is used for carrying out CPU safety isolation detection on the selected cloud platform to obtain a second detection result;
the third detection unit is used for carrying out memory isolation and memory residual information detection on the selected multiple virtual machines on the cloud platform to obtain a third detection result;
the fourth detection unit is used for carrying out network security isolation detection on the selected multiple virtual machines on the cloud platform to obtain a fourth detection result;
the fifth detection unit is used for carrying out disk security isolation and disk residual information detection on the selected multiple virtual machines on the cloud platform to obtain a fifth detection result;
the sixth detection unit is used for carrying out data transmission safety detection on the selected multiple virtual machines on the cloud platform to obtain a sixth detection result;
and the result output module is connected with the safety detection module and is used for selecting one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result to form an integral detection result and output the integral detection result.
2. The environmental security detection system of claim 1, wherein the cloud platform comprises:
KVM, and/or VMware, and/or Xen.
3. The environmental security detection system of claim 1, wherein the second detection unit comprises:
the affinity relationship detection subunit is used for monitoring the CPU affinity relationships of the plurality of virtual machines on the same host machine to obtain an affinity relationship detection result;
the mapping relationship detection subunit is used for detecting the CPU mapping relationship between the plurality of virtual machines and the host machine to obtain a mapping relationship detection result;
the CPU security vulnerability detection subunit is used for detecting the CPU security vulnerabilities of the plurality of virtual machines to obtain a CPU security vulnerability detection result;
and the affinity relationship detection result, the mapping relationship detection result and the CPU security vulnerability detection result form the second detection result.
4. The environmental security detection system of claim 1, wherein the third detection unit comprises:
the memory security isolation detection subunit is configured to detect whether memories of the multiple virtual machines on the same host are isolated and whether memory data is leaked, so as to obtain a memory security isolation detection result;
a memory remaining information detection subunit, configured to detect, when the plurality of virtual machines return the memory to the host and the host reallocates the memory, whether the host clears the memory data in each of the virtual machines, so as to obtain a memory remaining information detection result;
and the memory security isolation detection result and the memory residual information detection result form the third detection result.
5. The environmental security detection system of claim 4, wherein the fifth detection unit comprises:
the disk security isolation detection subunit is used for detecting whether the disks of the multiple virtual machines on the same host machine are isolated and whether the disk data are leaked, so as to obtain a disk security isolation detection result;
a disk remaining information detection subunit, configured to detect, when the multiple virtual machines return the disks to the host and the host reallocates the disks, whether the host clears the disk data in each virtual machine, so as to obtain a disk remaining information detection result;
and the disk security isolation detection result and the disk residual information detection result form the fifth detection result.
6. The environmental security detection system according to claim 5, wherein the sixth detection unit comprises:
the security policy detection subunit is configured to detect whether the security policies of the plurality of virtual machines are changed when the plurality of virtual machines perform live migration, so as to obtain a security policy detection result;
the data integrity detection subunit is configured to detect the integrity of the memory data and the disk data in the multiple virtual machines when the multiple virtual machines perform live migration, so as to obtain a data integrity detection result;
the data confidentiality detection subunit is used for detecting whether data transmission is performed by the plurality of virtual machines in an encryption mode during live migration to obtain a data confidentiality detection result;
and the security policy detection result, the data integrity detection result and the data confidentiality detection result form the sixth detection result.
7. An environmental security detection method of a cloud platform, applied to the environmental security detection system of any one of claims 1 to 6, comprising:
step S1, the environmental safety detection system is used for a user to select the cloud platform to be detected;
step S2, the environment security detection system performs virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
step S3, the environment safety detection system carries out CPU safety isolation detection on the selected cloud platform to obtain a second detection result;
step S4, the environmental security detection system performs memory isolation and memory remaining information detection on the selected multiple virtual machines on the cloud platform to obtain a third detection result;
step S5, the environment security detection system performs network security isolation detection on the plurality of selected virtual machines on the cloud platform to obtain a fourth detection result;
step S6, the environment safety detection system carries out disk safety isolation and disk residual information detection on the plurality of selected virtual machines on the cloud platform to obtain a fifth detection result;
step S7, the environment safety detection system performs data transmission safety detection on the plurality of selected virtual machines on the cloud platform to obtain a sixth detection result;
step S8, the environmental safety detection system selects one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result to form an integrated detection result and output the integrated detection result.
8. The environmental security detection method according to claim 7, wherein the step S3 includes:
step S31, the environmental safety detection system monitors the CPU affinity relationships of the multiple virtual machines on the same host machine to obtain an affinity relationship detection result;
step S32, the environmental safety detection system detects the CPU mapping relationship between the virtual machines and the host machine to obtain a mapping relationship detection result;
and step S33, the environment security detection system detects the CPU security vulnerabilities of the virtual machines to obtain a CPU security vulnerability detection result.
9. The environmental security detection method according to claim 7, wherein the step S4 includes:
step S41, the environmental security detection system detects whether memories of the multiple virtual machines on the same host are isolated and whether memory data is leaked, so as to obtain a memory security isolation detection result;
step S42, when the plurality of virtual machines return the memory to the host and the host redistributes the memory, the environmental security detection system detects whether the host clears the memory data in each virtual machine, and obtains a memory remaining information detection result.
CN202110277784.2A 2021-03-15 2021-03-15 Environment safety detection system and method for cloud platform Active CN113067809B (en)

Publications (2)

Publication Number Publication Date
CN113067809A true CN113067809A (en) 2021-07-02
CN113067809B CN113067809B (en) 2023-05-16

Family

ID=76561306

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant