CN113067809B - Environment safety detection system and method for cloud platform - Google Patents

Info

Publication number: CN113067809B
Authority: CN (China)
Application number: CN202110277784.2A
Other languages: Chinese (zh)
Other versions: CN113067809A
Prior art keywords: detection, detection result, virtual machines, security, cloud platform
Inventors: 陈妍, 章倩, 韦湘, 邓雨, 陆臻
Assignee (original and current): Third Research Institute of the Ministry of Public Security
Legal status: Active

Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/14 and H04L 63/1408: network security architectures or protocols for detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention provides an environment security detection system and method for a cloud platform, relating to the field of network security. Multiple virtual machines are deployed on the cloud platform and run on the same host machine. The environment security detection system comprises: a selection module, used by a user to select the cloud platform to be detected; a security detection module, which performs virtualization vulnerability detection and CPU security isolation detection on the selected cloud platform, and memory isolation and memory residual information detection, network security isolation detection, disk security isolation and disk residual information detection, and data transmission security detection on the multiple virtual machines on the selected cloud platform; and a result output module, connected with the security detection module, which forms an overall detection result and outputs it. The technical scheme can accurately and comprehensively display the security state of the selected cloud platform and effectively ensure its security.

Description

Environment safety detection system and method for cloud platform
Technical Field
The invention relates to the field of network security, in particular to an environment security detection system and method of a cloud platform.
Background
Cloud computing platforms, also referred to as cloud platforms, are services that provide computing, networking and storage capabilities on top of hardware and software resources. Cloud computing platforms can be divided into three classes: storage-type cloud platforms mainly used for data storage, computing-type cloud platforms mainly used for data processing, and comprehensive cloud computing platforms that cover both computing and data storage and processing.
Cloud computing technology has developed rapidly as a new service model. Because of the many advantages of cloud services, more and more users choose to migrate their information systems to the cloud, and cloud service providers offering all kinds of cloud services have emerged. The cloud computing platform provided by an infrastructure service provider is the most basic service mode, and the security of the cloud computing platform is the basis for the secure operation of the information systems on it.
At present, environmental security detection of cloud platforms is still lacking: existing technical schemes cannot effectively address the security of the host machines of a cloud platform, security isolation between tenants, security isolation between the cloud platform and its tenants, residual information protection, or data security during migration within the cloud platform environment. A technical solution that realizes environmental security detection of cloud platforms is therefore needed.
Disclosure of Invention
In view of the problems in the prior art, the invention provides an environment security detection system for a cloud platform, where multiple virtual machines are deployed on the cloud platform and run on the same host machine, and the environment security detection system comprises:
a selection module, used by a user to select the cloud platform to be detected;
a security detection module, connected with the selection module, which comprises:
a first detection unit, used to perform virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
a second detection unit, used to perform CPU security isolation detection on the selected cloud platform to obtain a second detection result;
a third detection unit, used to perform memory isolation and memory residual information detection on the multiple virtual machines on the selected cloud platform to obtain a third detection result;
a fourth detection unit, used to perform network security isolation detection on the multiple virtual machines on the selected cloud platform to obtain a fourth detection result;
a fifth detection unit, used to perform disk security isolation and disk residual information detection on the multiple virtual machines on the selected cloud platform to obtain a fifth detection result;
a sixth detection unit, used to perform data transmission security detection on the multiple virtual machines on the selected cloud platform to obtain a sixth detection result;
and a result output module, connected with the security detection module, used to select one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result, form an overall detection result from them, and output the overall detection result.
Preferably, the cloud platform includes:
KVM, and/or VMware, and/or Xen.
Preferably, the second detection unit includes:
an affinity detection subunit, used to monitor the CPU affinity of the multiple virtual machines on the same host machine to obtain an affinity detection result;
a mapping relation detection subunit, used to detect the CPU mapping relation between the multiple virtual machines and the host machine to obtain a mapping relation detection result;
a CPU security vulnerability detection subunit, used to detect CPU security vulnerabilities of the multiple virtual machines to obtain a CPU security vulnerability detection result;
and the affinity detection result, the mapping relation detection result and the CPU security vulnerability detection result form the second detection result.
Preferably, the third detection unit includes:
the memory safety isolation detection subunit is used for detecting whether the memories of the plurality of virtual machines on the same host are isolated and whether the memory data are leaked or not, so as to obtain a memory safety isolation detection result;
the memory residual information detection subunit is used for detecting whether the host machine clears the memory data in each virtual machine or not when the plurality of virtual machines return the memory to the host machine and the host machine reallocates the memory, so as to obtain a memory residual information detection result;
and the memory safety isolation detection result and the memory residual information detection result form the third detection result.
Preferably, the fifth detection unit includes:
a disk security isolation detection subunit, used to detect whether the disks of the multiple virtual machines on the same host machine are isolated and whether disk data leaks, so as to obtain a disk security isolation detection result;
a disk residual information detection subunit, used to detect whether the host machine clears the disk data of each virtual machine when the multiple virtual machines return their disks to the host machine and the host machine redistributes the disk space, so as to obtain a disk residual information detection result;
and the disk security isolation detection result and the disk residual information detection result form the fifth detection result.
Preferably, the sixth detection unit includes:
the security policy detection subunit is used for detecting whether the security policies of the plurality of virtual machines are changed when the plurality of virtual machines are subjected to hot migration, so as to obtain a security policy detection result;
the data integrity detection subunit is used for detecting the integrity of the memory data and the disk data in the plurality of virtual machines when the plurality of virtual machines are subjected to hot migration, so as to obtain a data integrity detection result;
the data confidentiality detection subunit is used for detecting whether the plurality of virtual machines perform data transmission in an encryption mode when performing hot migration, so as to obtain a data confidentiality detection result;
and the security policy detection result, the data integrity detection result and the data confidentiality detection result form the sixth detection result.
The environment safety detection method of the cloud platform is applied to the environment safety detection system and comprises the following steps:
step S1, the environment safety detection system is used for a user to select the cloud platform to be detected;
step S2, the environment security detection system carries out virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
step S3, the environment safety detection system carries out CPU safety isolation detection on the selected cloud platform to obtain a second detection result;
step S4, the environment security detection system performs memory isolation and memory residual information detection on the multiple virtual machines on the selected cloud platform to obtain a third detection result;
step S5, the environment security detection system performs network security isolation detection on the multiple virtual machines on the selected cloud platform to obtain a fourth detection result;
step S6, the environment security detection system performs disk security isolation and disk residual information detection on the multiple virtual machines on the selected cloud platform to obtain a fifth detection result;
step S7, the environment security detection system performs data transmission security detection on the multiple virtual machines on the selected cloud platform to obtain a sixth detection result;
step S8, the environment security detection system selects one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result to form an overall detection result and outputs the overall detection result.
Preferably, the step S3 includes:
step S31, the environmental security detection system monitors the CPU affinity of the plurality of virtual machines on the same host machine to obtain an affinity detection result;
step S32, the environmental security detection system detects the CPU mapping relation between the plurality of virtual machines and the host machine to obtain a mapping relation detection result;
and step S33, the environmental security detection system detects the CPU security vulnerabilities of the plurality of virtual machines to obtain a CPU security vulnerabilities detection result.
Preferably, the step S4 includes:
step S41, the environmental safety detection system detects whether the memories of the plurality of virtual machines on the same host are isolated and whether the memory data are leaked or not, and a memory safety isolation detection result is obtained;
step S42, the environmental security detection system detects whether the host machine clears the memory data in each virtual machine when the plurality of virtual machines return the memory to the host machine and the host machine reallocates the memory, so as to obtain a memory residual information detection result.
The technical scheme has the following advantages or beneficial effects:
According to the technical scheme, the user can select among different cloud platforms, and the environment security of the selected platform is detected from the angles of virtualization vulnerabilities, CPU, memory, network, disk, data transmission and so on, giving an overall detection result for the cloud platform. The technical scheme can accurately and comprehensively display the security state of the selected cloud platform, effectively ensures its security, and lends itself to wide adoption.
Drawings
FIG. 1 is a schematic diagram of the general structure of an environmental safety detection system in accordance with a preferred embodiment of the present invention;
FIG. 2 is a flow chart of an environmental security detection method in a preferred embodiment of the present invention;
FIG. 3 is a sub-flowchart of the environmental security detection method in a preferred embodiment of the present invention;
FIG. 4 is a sub-flowchart of the environmental security detection method in a preferred embodiment of the present invention.
Detailed Description
The invention will now be described in detail with reference to the drawings and specific examples. The present invention is not limited to the embodiment, and other embodiments may fall within the scope of the present invention as long as they conform to the gist of the present invention.
In a preferred embodiment of the present invention, based on the above-mentioned problems existing in the prior art, an environmental security detection system is provided, as shown in fig. 1, in which a plurality of virtual machines are deployed on a cloud platform, the plurality of virtual machines are operated on the same host machine, and the environmental security detection system includes:
the selection module 1 is used for a user to select a cloud platform to be detected;
the security detection module 2, connected with the selection module 1, comprises:
the first detection unit 21 is configured to perform virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
the second detection unit 22 is configured to perform CPU security isolation detection on the selected cloud platform, to obtain a second detection result;
the third detection unit 23 is configured to perform memory isolation and memory remaining information detection on the multiple virtual machines on the selected cloud platform, so as to obtain a third detection result;
the fourth detection unit 24 is configured to perform network security isolation detection on the multiple virtual machines on the selected cloud platform, so as to obtain a fourth detection result;
the fifth detection unit 25 is configured to perform disk security isolation and disk remaining information detection on the multiple virtual machines on the selected cloud platform, so as to obtain a fifth detection result;
the sixth detection unit 26 is configured to perform data transmission security detection on the multiple virtual machines on the selected cloud platform, so as to obtain a sixth detection result;
and the result output module 3 is connected with the security detection module 2 and is used for selecting one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result so as to form an overall detection result and output it.
Specifically, in this embodiment, the selection module 1 may be configured so that the user selects the cloud platform to be detected from the different cloud platforms deployed by the cloud service provider, where the cloud platform includes KVM, and/or VMware, and/or Xen. The technical scheme comprehensively considers both the cloud platform's own characteristics and the characteristics of the services running on it. As to the platform's own characteristics: the bottom layer of the cloud platform is the hypervisor (virtual machine management program), which sits at the lowest layer of the whole virtualization software stack and interacts directly with the hardware. Once the hypervisor is hijacked, every virtual machine running on top of it is compromised as well. As to the service characteristics: the bottom-layer equipment of the cloud platform is a set of hosts that provide all the resources the platform needs, such as CPU, memory and disk. The cloud platform environment has multiple tenants; different tenants own different virtual machines and run different services, and those virtual machines share the CPU, memory, disk, network and other resources provided by the cloud platform environment. Virtual machine hot migration is also an important feature of cloud platforms.
In view of these characteristics of the cloud platform environment and of the services on it, the security detection module 2 in the technical scheme provides virtualization vulnerability detection, CPU security isolation detection, memory security isolation and memory residual information detection, network security isolation detection, disk security isolation and disk residual information detection, and data transmission security detection, which can be combined according to the actual requirements of a given detection.
In the technical scheme, the result output module 3 selects one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result produced by the security detection module 2, forms an overall detection result from them, and outputs it for display to the user.
Starting from the CPU, memory and disk shared on the cloud platform, the technical scheme analyses the security of the cloud platform comprehensively and in depth through security detection in several aspects, namely virtualization vulnerabilities, CPU security isolation, memory residual information protection, network security isolation, disk residual information protection and data transmission security; this effectively improves the security of the cloud platform and lends itself to wide adoption.
Further, in this embodiment, the security detection module 2 performs virtualization vulnerability detection, CPU security isolation detection, memory security isolation and memory residual information detection, network security isolation detection, disk security isolation and disk residual information detection, and data transmission security detection through the first detection unit 21, the second detection unit 22, the third detection unit 23, the fourth detection unit 24, the fifth detection unit 25 and the sixth detection unit 26 respectively.
Further, the first detection unit 21 detects virtualization vulnerabilities of the cloud platform and obtains a first detection result, which analyses the virtualization vulnerabilities in detail and gives remediation suggestions.
Further, virtualization vulnerabilities include security vulnerabilities of the hypervisor and of individual hosts or platforms.
Further, the fourth detection unit 24 detects network connectivity between the virtual machines on the cloud platform, so as to obtain a fourth detection result representing the network security isolation status between those virtual machines.
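As an added illustration of what a network security isolation check of the kind the fourth detection unit performs can look like (example code written for this page, not code from the patent or its assignee): each VM is labelled with its tenant, reachability between VMs is probed, and every cross-tenant pair that turns out reachable is reported, together with the cross-tenant pairs that were never probed and therefore say nothing about isolation. The inventory and the probe results are constructed; `probe_tcp` is the hypothetical collector that would be run from inside each source VM to fill the probe table on a real platform.

```python
"""Cross-tenant network isolation check: VM -> tenant labels plus the results of
reachability probes between VMs give the reachable cross-tenant pairs (isolation
failures) and the cross-tenant pairs that were never probed (coverage gaps)."""
import socket
from itertools import permutations

# Constructed inventory (VM name -> tenant); not taken from a real platform.
TENANTS = {
    "web-1": "tenant-a",
    "db-1": "tenant-a",
    "app-9": "tenant-b",
    "jump-9": "tenant-b",
}

# Constructed probe results keyed by (source VM, destination VM, TCP port);
# True means the TCP connection was accepted. A real run would fill this table
# by calling probe_tcp() from inside each source VM against each destination VM.
PROBES = {
    ("web-1", "db-1", 3306): True,     # same tenant: allowed
    ("web-1", "app-9", 22): False,     # cross tenant, blocked: as expected
    ("app-9", "db-1", 3306): True,     # cross tenant, reachable: isolation gap
    ("jump-9", "web-1", 22): False,
}

def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """True when a TCP handshake to host:port completes (run from a source VM)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def isolation_violations(tenants, probes, allowed=frozenset()):
    """Reachable cross-tenant (src, dst, port) triples not on the allow-list."""
    violations = []
    for (src, dst, port), reachable in probes.items():
        if not reachable or (src, dst, port) in allowed:
            continue
        if tenants[src] != tenants[dst]:
            violations.append({"src": src, "dst": dst, "port": port,
                               "src_tenant": tenants[src], "dst_tenant": tenants[dst]})
    return violations

def unprobed_cross_tenant_pairs(tenants, probes):
    """Ordered cross-tenant VM pairs with no probe at all: these are coverage
    gaps, not evidence that the pair is isolated."""
    probed = {(src, dst) for (src, dst, _port) in probes}
    return sorted((a, b) for a, b in permutations(tenants, 2)
                  if tenants[a] != tenants[b] and (a, b) not in probed)

def fourth_detection_result(tenants, probes, allowed=frozenset()):
    """Overall verdict: isolated only when nothing cross-tenant was reachable
    and every cross-tenant pair was actually probed."""
    violations = isolation_violations(tenants, probes, allowed)
    gaps = unprobed_cross_tenant_pairs(tenants, probes)
    return {"isolated": not violations and not gaps,
            "violations": violations, "unprobed": gaps}

if __name__ == "__main__":
    import json
    print(json.dumps(fourth_detection_result(TENANTS, PROBES), indent=2))
```

The allow-list parameter exists because some cross-tenant paths (a shared bastion, a provider-managed service) are intentional; those should be documented as exceptions rather than silently accepted, which is why the default is empty.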
In a preferred embodiment of the present invention, the second detecting unit 22 includes:
an affinity detection subunit 223, configured to monitor the CPU affinity of the multiple virtual machines on the same host machine, so as to obtain an affinity detection result;
a mapping relation detection subunit 221, configured to detect the mapping relation between the CPUs of the multiple virtual machines and the CPUs of the host machine, so as to obtain a mapping relation detection result;
a CPU security vulnerability detection subunit 222, configured to detect CPU security vulnerabilities of the multiple virtual machines, so as to obtain a CPU security vulnerability detection result;
and the affinity detection result, the mapping relation detection result and the CPU security vulnerability detection result form the second detection result.
Specifically, in this embodiment, the CPUs of all virtual machines share the CPU resources of the host machine, and CPU scheduling of the virtual machines is implemented by the hypervisor. The hypervisor represents each core of the host machine as a physical CPU, and each physical CPU manages a queue of virtual CPUs: the computing resources of the physical CPU are shared by all virtual CPU instances in its queue, and the virtual machines share those virtual CPU instances. When the hypervisor schedules the virtual CPU queue it switches the running virtual CPU: the state of the previous virtual CPU instance is cleared from the physical CPU and the state of the next virtual CPU instance is loaded onto it, so that virtual CPU isolation is realized at the software level. However, the publicly disclosed Spectre and Meltdown vulnerabilities may cause CPU isolation between virtual machines to fail and thereby leak information; at the same time, because the virtual machines share virtual CPU instances, excessively high CPU utilization in one virtual machine may disturb the CPU scheduling of the others, which is also a failure of CPU isolation. In this technical solution, the affinity detection subunit 223 analyses how the virtual CPUs of the virtual machines share the physical CPUs of the host, and can detect whether a virtual machine's virtual CPU is spread over multiple physical CPUs of the host or confined to a single one. At the same time, the CPU affinity relationship between the multiple virtual machines on the same host and the host itself can be detected, and virtual machines whose CPU isolation may fail can be further identified.
In this technical solution, the mapping relation detection subunit 221 analyses the specific mapping between a virtual machine's virtual CPU and the host's physical CPUs on different time slices, and can thereby further detect whether the virtual CPU is bound to a physical CPU, that is, whether the virtual CPU occupies a physical CPU of the host exclusively, so as to further identify virtual machines whose CPU isolation may fail.
In the technical scheme, the CPU security vulnerability detection subunit 222 is configured to detect and analyse the CPU security vulnerabilities of the multiple virtual machines, so as to determine whether the virtual machines are affected by CPU security vulnerabilities and to assess CPU security isolation on the cloud platform from that perspective. The affinity detection result, the mapping relation detection result and the CPU security vulnerability detection result form the second detection result, which represents the CPU security isolation status.
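The affinity detection subunit 223 and the mapping relation detection subunit 221 described above both come down to comparing what a vCPU is allowed to run on with what it was actually observed running on. The following is an added example of that analysis written for this page, not code from the patent or its assignee. It assumes a Linux/KVM host: configured affinity is given in the kernel's cpulist notation (the form printed by tools such as `virsh vcpupin` or `taskset`), and observed placement is a series of samples of which pCPU each vCPU thread was on (on Linux the "processor" field of `/proc/<pid>/task/<tid>/stat` is one source). Both data sets here are constructed.

```python
"""CPU isolation analysis for VMs on one host: configured vCPU affinity (which
pCPUs each vCPU may run on) and observed placement over several samples (which
pCPU each vCPU was actually on). Flags VMs whose vCPUs float across pCPUs, share
pCPUs with other VMs, or were observed co-resident with another VM's vCPU."""
from collections import defaultdict
from itertools import combinations

def parse_cpulist(spec: str) -> frozenset:
    """Parse Linux cpulist notation such as '0-3,8,10-11' into a set of pCPU ids."""
    cpus = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return frozenset(cpus)

# Constructed sample of configured affinity: VM -> {vCPU index: cpulist}.
AFFINITY = {
    "vm-a": {0: "0-3", 1: "0-3"},
    "vm-b": {0: "2-5"},
    "vm-c": {0: "6", 1: "7"},      # exactly one pCPU per vCPU: bound
}

# Constructed sample of observed placement: (sample_no, VM, vCPU, pCPU).
# Values are made up; on a real host they would come from periodic sampling
# of each vCPU thread's current processor.
PLACEMENT = [
    (0, "vm-a", 0, 1), (0, "vm-a", 1, 2), (0, "vm-b", 0, 2), (0, "vm-c", 0, 6),
    (1, "vm-a", 0, 3), (1, "vm-a", 1, 0), (1, "vm-b", 0, 3), (1, "vm-c", 0, 6),
    (2, "vm-a", 0, 1), (2, "vm-a", 1, 3), (2, "vm-b", 0, 4), (2, "vm-c", 0, 6),
]

def affinity_report(affinity):
    """Per VM: union of allowed pCPUs, whether every vCPU is bound to exactly
    one pCPU, and which other VMs it may be scheduled alongside."""
    allowed = {vm: frozenset().union(*(parse_cpulist(s) for s in vcpus.values()))
               for vm, vcpus in affinity.items()}
    report = {}
    for vm, vcpus in affinity.items():
        report[vm] = {
            "pcpus": sorted(allowed[vm]),
            "bound": all(len(parse_cpulist(s)) == 1 for s in vcpus.values()),
            "shares_with": sorted(o for o in affinity if o != vm and allowed[vm] & allowed[o]),
        }
    return report

def placement_report(samples):
    """vCPUs seen on more than one pCPU, and VM pairs seen on the same pCPU
    within the same sample."""
    seen = defaultdict(set)                                # (vm, vcpu) -> pCPUs
    per_sample = defaultdict(lambda: defaultdict(set))     # sample -> pCPU -> VMs
    for sample_no, vm, vcpu, pcpu in samples:
        seen[(vm, vcpu)].add(pcpu)
        per_sample[sample_no][pcpu].add(vm)
    floating = sorted(k for k, pcpus in seen.items() if len(pcpus) > 1)
    coresident = set()
    for by_pcpu in per_sample.values():
        for pcpu, vms in by_pcpu.items():
            for a, b in combinations(sorted(vms), 2):
                coresident.add((a, b, pcpu))
    return {"floating": floating, "coresident": sorted(coresident)}

def cpu_isolation_findings(affinity, samples):
    """VM -> list of findings; an empty list means no weakness was observed."""
    aff, plc = affinity_report(affinity), placement_report(samples)
    findings = {vm: [] for vm in affinity}
    for vm, info in aff.items():
        if not info["bound"]:
            findings[vm].append("vCPUs not pinned to a single pCPU")
        for other in info["shares_with"]:
            shared = sorted(set(info["pcpus"]) & set(aff[other]["pcpus"]))
            findings[vm].append(f"may share pCPUs {shared} with {other}")
    for vm, vcpu in plc["floating"]:
        findings[vm].append(f"vCPU {vcpu} observed on several pCPUs")
    for a, b, pcpu in plc["coresident"]:
        findings[a].append(f"observed on pCPU {pcpu} together with {b}")
        findings[b].append(f"observed on pCPU {pcpu} together with {a}")
    return findings

if __name__ == "__main__":
    for vm, items in cpu_isolation_findings(AFFINITY, PLACEMENT).items():
        print(vm, "->", items or ["no CPU isolation weakness observed"])
```

The configured view alone is not enough: an affinity mask of `0-3` permits sharing but does not prove it happened, which is why the observed placement is analysed separately and co-residency is only reported for vCPUs seen on the same pCPU in the same sample.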
In a preferred embodiment of the present invention, the third detecting unit 23 includes:
a memory security isolation detection subunit 231, configured to detect whether the memories of multiple virtual machines on the same host are isolated and whether the memory data are leaked, so as to obtain a memory security isolation detection result;
the memory remaining information detection subunit 232 is configured to detect whether the host machine clears memory data in each virtual machine when the multiple virtual machines return the memory to the host machine and the host machine reallocates the memory, so as to obtain a memory remaining information detection result;
and forming a third detection result by the memory safety isolation detection result and the memory residual information detection result.
Specifically, in this embodiment, from the viewpoint of virtual memory each virtual machine has the whole memory address space to itself, and multiple virtual machines are completely isolated from each other; from the viewpoint of physical memory, multiple virtual machines access their own virtual address spaces, but these may ultimately map to the same physical memory addresses on the host. In addition, when a virtual machine is destroyed, the memory it occupied is released; at that moment the data in the destroyed virtual machine's memory may not be cleared but returned directly to the host, which may then allocate that memory to the next virtual machine that requests it. All of these situations can lead to memory data leakage. Therefore, in this technical solution, the memory security isolation detection subunit 231 detects whether the memory of the virtual machines on the same host is completely isolated and whether memory data leaks, so as to avoid the data security risk that arises when memory is not completely isolated. When a virtual machine is deleted, restarted or powered off, the virtualization platform returns the virtual machine's memory to the host. The memory residual information detection subunit 232 detects, when a virtual machine's memory is returned to the host or the host redistributes memory released by a virtual machine, whether the host clears the memory data of each virtual machine, and thereby judges whether the virtualization platform has a memory residual information leakage problem. The memory security isolation detection result and the memory residual information detection result are combined to form the third detection result.
In a preferred embodiment of the present invention, the fifth detecting unit 25 includes:
the disk security isolation detection subunit 251 is configured to detect whether disks of multiple virtual machines on the same host are isolated and whether disk data are leaked, so as to obtain a disk security isolation detection result;
the disk remaining information detecting subunit 252 is configured to detect whether the host machine clears the disk data in each virtual machine when the plurality of virtual machines return the disk to the host machine and the host machine redistributes the disk, so as to obtain a disk remaining information detecting result;
and the disk security isolation detection result and the disk residual information detection result form the fifth detection result.
Specifically, in this embodiment, from the perspective of a virtual machine each virtual machine has the entire disk to itself, and multiple virtual machines are completely isolated from each other; from the perspective of the host, all virtual machines share the host's disk space, and the disks of multiple virtual machines may ultimately refer to the same disk space on the host. In addition, when a virtual machine is destroyed, the disk resources it occupied are released; at that moment the data on the destroyed virtual machine's disk may not be cleared but returned directly to the host, which may then allocate that disk space to the next virtual machine that requests it. These situations lead to leakage of disk data. Therefore, in the technical scheme, the disk security isolation detection subunit 251 detects whether the disks of the multiple virtual machines on the same host are isolated and whether disk data leaks, so as to avoid the data security risk that arises when disks are not completely isolated. When a virtual machine on the virtualization platform is deleted, restarted or shut down, the virtual machine's disk is returned to the host. The disk residual information detection subunit 252 detects, when the virtual machines return their disks to the host and the host redistributes the disk space, whether the host clears the disk data of each virtual machine, and thereby judges whether the virtualization platform has a disk information leakage problem. The disk security isolation detection result and the disk residual information detection result are combined to form the fifth detection result.
In a preferred embodiment of the present invention, the sixth detection unit 26 includes:
the security policy detection subunit 261 is configured to detect, when the plurality of virtual machines are performing hot migration, whether the security policies of the plurality of virtual machines are changed, so as to obtain a security policy detection result;
the data integrity detection subunit 262 is configured to detect, when the plurality of virtual machines perform hot migration, the integrity of the memory data and disk data in the plurality of virtual machines, so as to obtain a data integrity detection result;
the data confidentiality detection subunit 263 is configured to detect whether the multiple virtual machines perform data transmission in an encryption manner when performing hot migration, so as to obtain a data confidentiality detection result;
the security policy detection result, the data integrity detection result, and the data confidentiality detection result form a sixth detection result.
Specifically, in this embodiment, when virtual machine migration occurs on the cloud platform, the user services carried by the virtual machine may be interrupted and important configuration may be lost, causing loss of user services and unavailability of the virtual machine. In addition, if the transmission protocol used during virtual machine migration is insecure, important information of the virtual machine can also be leaked. Therefore, in the technical scheme, the security policy detection subunit 261 is provided to detect, when the plurality of virtual machines are undergoing hot migration, whether their security policies are changed, so that user service interruption caused by a security policy change is avoided and the stability of the technical scheme is effectively improved. The data integrity detection subunit 262 is provided to detect, during hot migration, the integrity of the memory data and disk data in the plurality of virtual machines, so that loss of user services caused by incomplete memory or disk data is avoided. The data confidentiality detection subunit 263 is provided to detect whether the plurality of virtual machines transmit data in encrypted form during hot migration, so that important configuration cannot be stolen from unencrypted transfers and the security of the virtual machines during hot migration is effectively improved. The security policy detection result, the data integrity detection result and the data confidentiality detection result are combined to form a sixth detection result.
The environment security detection method for a cloud platform is applied to the environment security detection system described above and, as shown in fig. 2, comprises the following steps:
step S1, the environment security detection system is used by a user to select the cloud platform to be detected;
step S2, the environment security detection system performs virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
step S3, the environment security detection system performs CPU security isolation detection on the selected cloud platform to obtain a second detection result;
step S4, the environment security detection system performs memory isolation and memory residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a third detection result;
step S5, the environment security detection system performs network security isolation detection on the plurality of virtual machines on the selected cloud platform to obtain a fourth detection result;
step S6, the environment security detection system performs disk security isolation and disk residual information detection on the plurality of virtual machines on the selected cloud platform to obtain a fifth detection result;
step S7, the environment security detection system performs data transmission security detection on the plurality of virtual machines on the selected cloud platform to obtain a sixth detection result;
step S8, the environment security detection system selects one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result to form an integrated detection result and outputs the integrated detection result.
In a preferred embodiment of the present invention, as shown in fig. 3, step S3 includes:
step S31, the environmental security detection system monitors the CPU affinity of the plurality of virtual machines on the same host machine to obtain an affinity detection result;
step S32, the environmental security detection system detects the CPU mapping relation between the plurality of virtual machines and the host machine to obtain a mapping relation detection result;
and step S33, the environmental security detection system detects the CPU security vulnerabilities of the plurality of virtual machines to obtain a CPU security vulnerabilities detection result.
In a preferred embodiment of the present invention, as shown in fig. 4, step S4 includes:
step S41, the environment safety detection system detects whether the memories of a plurality of virtual machines on the same host are isolated and whether the memory data are leaked or not, and a memory safety isolation detection result is obtained;
step S42, the environment security detection system detects, when the plurality of virtual machines return the memory to the host machine and the host machine reallocates the memory, whether the host machine clears the memory data of each virtual machine, so as to obtain a memory residual information detection result.
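The disk residual information check (subunit 252) and the memory residual information check (step S42) both reduce to the same question: after the host reclaims a region from one virtual machine and hands it to the next, does that region still carry the previous tenant's data? The following is an added example, not code from the patent: a tester seeds the first tenant with a known canary, releases it, and scans the region allocated to the next tenant for uncleared blocks, canary hits, and blocks whose entropy suggests real file-system data rather than a fill pattern. The image, canary and block size are constructed here; in practice `data` would be read from the newly attached block device or the guest's memory pages.

```python
from __future__ import annotations

import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

BLOCK_SIZE = 512  # constructed scan granularity; use the device's real block size in practice


@dataclass
class ResidualReport:
    total_blocks: int
    nonzero_blocks: list[int] = field(default_factory=list)            # not cleared by the host
    marker_blocks: dict[str, list[int]] = field(default_factory=dict)  # previous tenant's canary found
    high_entropy_blocks: list[int] = field(default_factory=list)       # looks like real data, not a fill

    @property
    def cleared(self) -> bool:
        """True only if every block the host handed over is zeroed."""
        return not self.nonzero_blocks


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant fill, close to 8.0 for random or encrypted data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def scan_for_residual(data: bytes, markers: dict[str, bytes],
                      block_size: int = BLOCK_SIZE,
                      entropy_threshold: float = 6.0) -> ResidualReport:
    """Scan a region handed to a new VM for data left behind by the previous one.

    `markers` are canary byte strings the tester wrote into the earlier tenant's
    disk or memory before it was released; a hit proves residual data even when
    the host partially overwrote the region. Canaries are searched over the whole
    buffer so one straddling a block boundary is still found.
    """
    total = math.ceil(len(data) / block_size)
    report = ResidualReport(total_blocks=total)
    for i in range(total):
        block = data[i * block_size:(i + 1) * block_size]
        if not any(block):  # all zeros: the host cleared this block
            continue
        report.nonzero_blocks.append(i)
        if shannon_entropy(block) >= entropy_threshold:
            report.high_entropy_blocks.append(i)
    for name, canary in markers.items():
        pos = data.find(canary)
        while pos != -1:
            hits = report.marker_blocks.setdefault(name, [])
            if pos // block_size not in hits:
                hits.append(pos // block_size)
            pos = data.find(canary, pos + 1)
    return report


def _pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for a prior tenant's file-system data."""
    out, cur = b"", seed
    while len(out) < length:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return out[:length]


TENANT_A_CANARY = b"TENANT-A-CANARY-9f3c"  # constructed marker written by VM A before release


def build_sample_image() -> bytes:
    """Constructed 8-block region as a host might hand to VM B after VM A was destroyed:
    blocks 0-5 were zeroed, block 6 still holds VM A's canary, block 7 holds VM A's data."""
    cleared = bytes(6 * BLOCK_SIZE)
    canary_block = TENANT_A_CANARY.ljust(BLOCK_SIZE, b"\x00")
    leftover = _pseudo_random(b"vm-a-fs", BLOCK_SIZE)
    return cleared + canary_block + leftover


if __name__ == "__main__":
    rep = scan_for_residual(build_sample_image(), {"tenant_a_canary": TENANT_A_CANARY})
    print("cleared" if rep.cleared else
          f"residual data in blocks {rep.nonzero_blocks}; canary hits {rep.marker_blocks}")
```

A region that passes only the zero check but fails the entropy check still deserves follow-up, since a host that overwrites with a constant pattern other than zero would show up as nonzero, low-entropy blocks.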
The foregoing is merely illustrative of the preferred embodiments of the present invention and is not intended to limit the embodiments and scope of the present invention, and it should be appreciated by those skilled in the art that equivalent substitutions and obvious variations may be made using the description and illustrations herein, which should be included in the scope of the present invention.

Claims (8)

1. An environmental security detection system of a cloud platform, wherein a plurality of virtual machines are deployed on the cloud platform, the plurality of virtual machines operate on a same host machine, the environmental security detection system comprising:
the selection module is used for a user to select the cloud platform to be detected;
the safety detection module is connected with the selection module and comprises:
the first detection unit is used for detecting virtualization vulnerabilities of the selected cloud platform to obtain a first detection result, wherein the virtualization vulnerabilities comprise security vulnerabilities of the virtual machine management program and of a single host or platform;
the second detection unit is used for carrying out CPU security isolation detection on the selected cloud platform to obtain a second detection result;
the third detection unit is used for performing memory isolation and memory residual information detection on the selected multiple virtual machines on the cloud platform to obtain a third detection result;
the fourth detection unit is used for carrying out network security isolation detection on the plurality of virtual machines on the selected cloud platform to obtain a fourth detection result;
the fifth detection unit is used for carrying out disk security isolation and disk residual information detection on the selected multiple virtual machines on the cloud platform to obtain a fifth detection result;
the sixth detection unit is used for carrying out data transmission security detection on the plurality of virtual machines on the selected cloud platform to obtain a sixth detection result;
the result output module is connected with the safety detection module and is used for selecting one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result to form an integral detection result and outputting the integral detection result;
the second detection unit includes:
the affinity detection subunit is used for monitoring the CPU affinity of the plurality of virtual machines on the same host machine to obtain an affinity detection result, and the affinity detection subunit analyzes the sharing mode between the virtual CPUs of the virtual machines and the physical CPUs of the host machine;
the mapping relation detection subunit is used for detecting the mapping relation between the plurality of virtual machines and the CPUs of the host machine to obtain a mapping relation detection result, and the mapping relation detection subunit analyzes the specific mapping between the virtual CPUs of a virtual machine and the physical CPUs of the host machine on different time slices and detects whether a virtual CPU of a virtual machine exclusively occupies a physical CPU of the host machine;
the CPU security vulnerability detection subunit is used for detecting the CPU security vulnerabilities of the plurality of virtual machines to obtain a CPU security vulnerability detection result;
and the affinity detection result, the mapping relation detection result and the CPU security vulnerability detection result form the second detection result.
2. The environmental security detection system of claim 1 wherein the cloud platform comprises:
KVM, and/or VMware, and/or Xen.
3. The environmental security inspection system of claim 1 wherein the third inspection unit comprises:
the memory safety isolation detection subunit is used for detecting whether the memories of the plurality of virtual machines on the same host are isolated and whether the memory data are leaked or not, so as to obtain a memory safety isolation detection result;
the memory residual information detection subunit is used for detecting whether the host machine clears the memory data in each virtual machine or not when the plurality of virtual machines return the memory to the host machine and the host machine reallocates the memory, so as to obtain a memory residual information detection result;
and the memory safety isolation detection result and the memory residual information detection result form the third detection result.
4. The environmental safety detection system of claim 3 wherein the fifth detection unit comprises:
the disk safety isolation detection subunit is used for detecting whether the disks of the plurality of virtual machines on the same host machine are isolated and whether the disk data are leaked or not, so as to obtain a disk safety isolation detection result;
the disk residual information detection subunit is used for detecting whether the host machine clears the disk data in each virtual machine or not when the plurality of virtual machines return the disk to the host machine and the host machine redistributes the disk, so as to obtain a disk residual information detection result;
and the disk security isolation detection result and the disk residual information detection result form the fifth detection result.
5. The environmental security inspection system of claim 4 wherein the sixth inspection unit comprises:
the security policy detection subunit is used for detecting whether the security policies of the plurality of virtual machines are changed when the plurality of virtual machines are subjected to hot migration, so as to obtain a security policy detection result;
the data integrity detection subunit is used for detecting the integrity of the memory data and the disk data in the plurality of virtual machines when the plurality of virtual machines are subjected to hot migration, so as to obtain a data integrity detection result;
the data confidentiality detection subunit is used for detecting whether the plurality of virtual machines perform data transmission in an encryption mode when performing hot migration, so as to obtain a data confidentiality detection result;
and the security policy detection result, the data integrity detection result and the data confidentiality detection result form the sixth detection result.
6. An environmental security detection method of a cloud platform, applied to the environmental security detection system according to any one of claims 1 to 5, comprising:
step S1, the environment safety detection system is used for a user to select the cloud platform to be detected;
step S2, the environment security detection system carries out virtualization vulnerability detection on the selected cloud platform to obtain a first detection result;
step S3, the environment safety detection system carries out CPU safety isolation detection on the selected cloud platform to obtain a second detection result;
step S4, the environment safety detection system performs memory isolation and memory residual information detection on the selected virtual machines on the cloud platform to obtain a third detection result;
step S5, the environment security detection system performs network security isolation detection on the selected virtual machines on the cloud platform to obtain a fourth detection result;
step S6, the environment security detection system performs disk security isolation and disk residual information detection on the selected multiple virtual machines on the cloud platform to obtain a fifth detection result;
step S7, the environmental security detection system performs data transmission security detection on the plurality of virtual machines on the selected cloud platform to obtain a sixth detection result;
step S8, the environmental safety detection system selects one or more of the first detection result, the second detection result, the third detection result, the fourth detection result, the fifth detection result and the sixth detection result to form an integral detection result and outputs the integral detection result.
7. The environmental security inspection method of claim 6 wherein step S3 comprises:
step S31, the environmental security detection system monitors the CPU affinity of the plurality of virtual machines on the same host machine to obtain an affinity detection result;
step S32, the environmental security detection system detects the CPU mapping relation between the plurality of virtual machines and the host machine to obtain a mapping relation detection result;
and step S33, the environmental security detection system detects the CPU security vulnerabilities of the plurality of virtual machines to obtain a CPU security vulnerabilities detection result.
8. The environmental security inspection method of claim 6 wherein step S4 comprises:
step S41, the environmental safety detection system detects whether the memories of the plurality of virtual machines on the same host are isolated and whether the memory data are leaked or not, and a memory safety isolation detection result is obtained;
step S42, the environmental security detection system detects whether the host machine clears the memory data in each virtual machine when the plurality of virtual machines return the memory to the host machine and the host machine reallocates the memory, so as to obtain a memory residual information detection result.
CN202110277784.2A 2021-03-15 2021-03-15 Environment safety detection system and method for cloud platform Active CN113067809B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110277784.2A CN113067809B (en) 2021-03-15 2021-03-15 Environment safety detection system and method for cloud platform

Publications (2)

Publication Number Publication Date
CN113067809A CN113067809A (en) 2021-07-02
CN113067809B true CN113067809B (en) 2023-05-16

Family

ID=76561306

Country Status (1)

Country Link
CN (1) CN113067809B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant