CN113824683A - Trusted domain establishing method and device and data system - Google Patents


Publication number: CN113824683A
Authority: CN (China)
Prior art keywords: domain, user, trusted, measuring, user domain
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110932716.5A
Other languages: Chinese (zh)
Inventors: 解培, 周晓晓, 阮安邦, 魏明, 陈凯
Current Assignee: Beijing Octa Innovations Information Technology Co Ltd; China Everbright Bank Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Octa Innovations Information Technology Co Ltd; China Everbright Bank Co Ltd
Application filed by: Beijing Octa Innovations Information Technology Co Ltd; China Everbright Bank Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Abstract

The embodiments of the application provide a method, a device and a data system for establishing a trusted domain. The method for establishing the trusted domain comprises the following steps: determining a management domain and a user domain which run on a virtual management module; measuring the trustworthiness of the management domain based on an integrity measurement mechanism to determine a trusted management domain; measuring the trustworthiness of the user domain based on a system operation behavior mechanism to determine a trusted user domain; and transferring the trust relationship between the trusted management domain and the trusted user domain so as to establish the trusted domain in the cloud platform. According to the embodiments of the application, the trustworthiness of the cloud platform is evaluated more accurately.

Description

Trusted domain establishing method and device and data system
Technical Field
The application relates to the field of cloud technology, and in particular to a method, a device and a data system for establishing a trusted domain.
Background
According to a research report by Accenture, users' lack of trust in cloud services is an important reason for refusing to use them. The cloud platform is an important carrier of cloud services. How to analyze and evaluate the security of the cloud platform, so that users can trust the cloud service provider and the cloud platform it provides, is one of the key factors for the adoption and popularization of cloud computing.
Service failures in cloud services in recent years have included both security incidents and reliability incidents caused by service design defects, so how to evaluate the trustworthiness of a cloud platform more accurately has become a problem in urgent need of a solution.
Disclosure of Invention
Based on the above problems, embodiments of the present application provide a method, an apparatus, and a data system for establishing a trusted domain.
The embodiment of the application discloses the following technical scheme:
A method of establishing a trusted domain, comprising:
determining a management domain and a user domain which run on a virtual management module;
measuring the trustworthiness of the management domain based on an integrity measurement mechanism to determine a trusted management domain;
measuring the trustworthiness of the user domain based on a system operation behavior mechanism to determine a trusted user domain;
and transferring the trust relationship between the trusted management domain and the trusted user domain so as to establish the trusted domain in the cloud platform.
Optionally, in an embodiment of the present application, measuring the trustworthiness of the management domain based on the integrity measurement mechanism to determine the trusted management domain includes: measuring, based on the integrity measurement mechanism, the trustworthiness of the management domain so as to form a trust chain and thereby determine the trusted management domain.
Optionally, in an embodiment of the present application, measuring the trustworthiness of the user domain based on the system operation behavior mechanism to determine the trusted user domain includes: monitoring, based on the system operation behavior mechanism, the behaviors of the user kernel component and the user application component in the user domain, and measuring the trustworthiness of the user domain to determine the trusted user domain.
Optionally, in an embodiment of the present application, the method further includes: parsing the component tree in the user domain, and determining a user kernel component and a user application component in the user domain, wherein the user kernel component is a root node of the component tree, and the user application component is a child node of the component tree.
An apparatus for establishing a trusted domain, comprising:
a domain determining unit for determining a management domain and a user domain running on the virtual management module;
a first measurement unit, configured to measure, based on an integrity measurement mechanism, the trustworthiness of the management domain to determine a trusted management domain;
a second measurement unit, configured to measure, based on a system operation behavior mechanism, the trustworthiness of the user domain to determine a trusted user domain;
and a domain establishing unit, configured to transfer the trust relationship between the trusted management domain and the trusted user domain so as to establish the trusted domain in the cloud platform.
Optionally, in an embodiment of the present application, the first measurement unit is further configured to measure, based on the integrity measurement mechanism, the trustworthiness of the management domain so as to form a trust chain and thereby determine the trusted management domain.
Optionally, in an embodiment of the present application, the second measurement unit is further configured to monitor, based on the system operation behavior mechanism, the behaviors of a user kernel component and a user application component in the user domain, and to measure the trustworthiness of the user domain to determine the trusted user domain.
An electronic device comprising a memory having stored thereon a computer-executable program and a processor for executing the computer-executable program to perform a method as in any embodiment of the application.
A computer-readable storage medium storing a computer-executable program which, when executed, performs a method as described in any of the embodiments of the present application.
A data system comprising a plurality of electronic devices as described in any of the embodiments herein, each electronic device acting as a trusted data node in the data system.
In the technical scheme of the embodiments of the application, a management domain and a user domain running on a virtual management module are determined; the trustworthiness of the management domain is measured based on an integrity measurement mechanism to determine a trusted management domain; the trustworthiness of the user domain is measured based on a system operation behavior mechanism to determine a trusted user domain; and the trust relationship is transferred between the trusted management domain and the trusted user domain to establish the trusted domain in the cloud platform, so that the trustworthiness of the cloud platform is evaluated more accurately.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a method for establishing a trusted domain according to a first embodiment of the present application;
Fig. 2 is a schematic flowchart of a method for establishing a trusted domain in a second embodiment of the present application;
Fig. 3 is a schematic flowchart of a method for establishing a trusted domain in a third embodiment of the present application;
Fig. 4 is a schematic structural diagram of a device for establishing a trusted domain in a fourth embodiment of the present application;
Fig. 5 is a schematic structural diagram of a device for establishing a trusted domain in a fifth embodiment of the present application;
Fig. 6 is a schematic structural diagram of an apparatus for establishing a trusted domain according to a sixth embodiment of the present application;
Fig. 7 is a schematic structural diagram of an apparatus for establishing a trusted domain according to a seventh embodiment of the present application;
Fig. 8 is a schematic structural diagram of an apparatus for establishing a trusted domain in an eighth embodiment of the present application;
Fig. 9 is a schematic structural diagram of an electronic device according to a ninth embodiment of the present application;
Fig. 10 is a schematic hardware structure diagram of an electronic device in a tenth embodiment of the present application;
Fig. 11 is a schematic structural diagram of a computer storage medium in an eleventh embodiment of the present application.
Detailed Description
It is not necessary for any particular embodiment of the invention to achieve all of the above advantages at the same time.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the technical scheme of the embodiments of the application, a management domain and a user domain running on a virtual management module are determined; the trustworthiness of the management domain is measured based on an integrity measurement mechanism to determine a trusted management domain; the trustworthiness of the user domain is measured based on a system operation behavior mechanism to determine a trusted user domain; and the trust relationship is transferred between the trusted management domain and the trusted user domain to establish the trusted domain in the cloud platform, so that the trustworthiness of the cloud platform is evaluated more accurately.
Fig. 1 is a schematic flowchart of a method for establishing a trusted domain according to a first embodiment of the present application; as shown in fig. 1, it includes:
S101, determining a management domain and a user domain running on a virtual management module;
Optionally, the cloud platform includes, but is not limited to, a homogeneous or heterogeneous cloud platform, and may include servers, various smart terminals, PCs, and the like.
Optionally, in an application scenario, the management domain refers to the privileged virtual machine in Type 1 virtualization, or to the operating system on which the virtualization engine depends in Type 2 virtualization.
Optionally, in an application scenario, the user domain refers to a memory or the like associated with a user identifier without assistance from an operating system.
S102, measuring the trustworthiness of the management domain based on an integrity measurement mechanism to determine the trusted management domain;
Optionally, in an application scenario, when performing the integrity measurement, the trustworthiness of the management domain is measured by means of a trust chain. In particular, the trust chain can pass trust relationships accurately and in real time within the management domain, so that whether the virtual management module is trusted can be measured at any time, and any virtual behavior that does not comply with the expected policy is considered unsafe.
S103, measuring the trustworthiness of the user domain based on a system operation behavior mechanism to determine the trusted user domain;
Optionally, in an application scenario, measuring the trustworthiness of the user domain based on the system operation behavior mechanism to determine the trusted user domain includes: according to the data structure of the system kernel symbols in the user domain, obtaining a process list and a component list, mapping them to the memory of the executable files, and performing a hash calculation on the process list and the component list, so that the trustworthiness of the user domain is measured. This guarantees that the trustworthiness measurement of the management domain and that of the user domain can run concurrently, and at the same time improves the scalability of the measurement.
S104, transferring the trust relationship between the trusted management domain and the trusted user domain so as to establish the trusted domain in the cloud platform.
Optionally, in an application scenario, a security component policy may be formulated according to the requirements of the application scenario, so that the trust relationship is transferred between the trusted management domain and the trusted user domain based on the security component policy, so as to establish a trusted domain in the cloud platform.
Optionally, when the trust relationship is transferred between the trusted management domain and the trusted user domain, the transfer may be performed based on a single chain or a star chain.
Optionally, when the trust relationship is transferred based on a single chain, a single trusted user domain is taken as the basis, and the trust relationship is transferred again each time a new user domain is created. When the trust relationship is transferred in a star chain, a central user domain is set, and the trust relationship is transferred radially outward from the central user domain.
Fig. 2 is a schematic flowchart of a method for establishing a trusted domain in a second embodiment of the present application; as shown in fig. 2, it includes:
S201, determining a management domain and a user domain running on a virtual management module;
In the present embodiment, step S201 is similar to step S101 described above.
S202, measuring the trustworthiness of the management domain based on an integrity measurement mechanism to determine the trusted management domain;
Optionally, in a specific application scenario, measuring the trustworthiness of the management domain based on the integrity measurement mechanism to determine the trusted management domain includes: measuring, based on the integrity measurement mechanism, the trustworthiness of the management domain so as to form a trust chain and thereby determine the trusted management domain, which improves the accuracy of the trustworthiness measurement.
Optionally, in a specific application scenario, measuring the trustworthiness of the management domain to form a trust chain based on the integrity measurement mechanism, so as to determine the trusted management domain, includes: first, the integrity of the BIOS is measured; if the BIOS is intact, the BIOS is trusted and the trusted measurement of the BOOT is triggered; if the BOOT is intact, the BOOT is trusted and the management domain is trusted, which improves the speed of the trusted measurement.
S203, measuring the trustworthiness of the user domain based on a system operation behavior mechanism to determine the trusted user domain;
S204, transferring the trust relationship between the trusted management domain and the trusted user domain so as to establish the trusted domain in the cloud platform.
In this embodiment, steps S203 and S204 are similar to steps S103 and S104, respectively, described above.
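The BIOS-then-BOOT trust chain of the second embodiment, as an added Python example that is not code from the patent. The TPM-style extend register, the reference-digest table and the sample images are assumptions constructed for illustration; the chain fails closed at the first stage whose measurement does not match, so later stages are never triggered.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Stage:
    name: str      # e.g. "BIOS" or "BOOT"
    image: bytes   # bytes of the stage being measured (constructed samples here)


@dataclass
class ChainResult:
    management_domain_trusted: bool
    failed_stage: Optional[str]   # first stage whose measurement did not match
    measured: List[str]           # stages that were actually measured
    register: bytes               # accumulated measurement log digest


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """Assumed TPM-style extend: new = H(old || measurement), order-sensitive."""
    return sha256(register + measurement)


def measure_chain(stages: List[Stage], reference: Dict[str, bytes]) -> ChainResult:
    """Measure each stage in order; a stage is measured only if every
    earlier stage was found intact."""
    register = bytes(32)
    measured: List[str] = []
    if not stages:
        # Nothing measured means nothing is trusted (fail closed).
        return ChainResult(False, None, measured, register)
    for stage in stages:
        measurement = sha256(stage.image)
        register = extend(register, measurement)
        measured.append(stage.name)
        expected = reference.get(stage.name)
        if expected is None or not hmac.compare_digest(expected, measurement):
            # Stop here: the next stage is never triggered.
            return ChainResult(False, stage.name, measured, register)
    # Every stage intact: the management domain is trusted.
    return ChainResult(True, None, measured, register)


# Constructed sample images and the reference digests derived from them.
GOOD_STAGES = [
    Stage("BIOS", b"constructed BIOS image"),
    Stage("BOOT", b"constructed bootloader image"),
]
REFERENCE = {s.name: sha256(s.image) for s in GOOD_STAGES}
```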
Fig. 3 is a schematic flowchart of a method for establishing a trusted domain in a third embodiment of the present application; as shown in fig. 3, it includes:
S301, determining a management domain and a user domain running on a virtual management module;
S302, measuring the trustworthiness of the management domain based on an integrity measurement mechanism to determine the trusted management domain;
S303, measuring the trustworthiness of the user domain based on a system operation behavior mechanism to determine the trusted user domain;
Optionally, in a specific application scenario, measuring the trustworthiness of the user domain based on the system operation behavior mechanism to determine the trusted user domain includes: monitoring, based on the system operation behavior mechanism, the behaviors of the user kernel component and the user application component in the user domain, and measuring the trustworthiness of the user domain to determine the trusted user domain. Because the measurement is based on the behaviors of the user kernel component and the user application component, measurement at the finest granularity is achieved and the measurement accuracy is ensured.
Optionally, in a specific application scenario, monitoring, based on the system operation behavior mechanism, the behaviors of the user kernel component and the user application component in the user domain, and measuring the trustworthiness of the user domain to determine the trusted user domain, includes: based on the system operation behavior mechanism, monitoring the user kernel component in the user domain in a measurement starting stage and monitoring the behavior of the user application component in a measurement running stage, and thereby measuring the trustworthiness of the user domain to determine the trusted user domain. Because the user kernel component is monitored in the measurement starting stage and the behavior of the user application component is monitored in the measurement running stage, the trustworthiness of the user domain is checked both at measurement start and after measurement start, and malicious attacks can be detected in time.
S304, parsing the component tree in the user domain, and determining a user kernel component and a user application component in the user domain, wherein the user kernel component is a root node of the component tree, and the user application component is a child node of the component tree.
S305, transferring the trust relationship between the trusted management domain and the trusted user domain so as to establish the trusted domain in the cloud platform.
In this embodiment, please refer to the first embodiment and the second embodiment for the steps S304 and S305.
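The user-domain measurement of steps S103, S303 and S304, as an added Python example that is not code from the patent: the component tree is parsed into the kernel component (root) and application components (descendants), the kernel is checked in the starting stage, and the applications are checked in the running stage by hashing their images against a baseline. The component names, images and baseline table are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Component:
    name: str
    image: bytes   # bytes of the executable as mapped in memory (constructed)
    children: List["Component"] = field(default_factory=list)


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def parse_component_tree(root: Component) -> Tuple[Component, List[Component]]:
    """Root node is the user kernel component; every descendant is a
    user application component (breadth-first order)."""
    apps: List[Component] = []
    queue = list(root.children)
    while queue:
        node = queue.pop(0)
        apps.append(node)
        queue.extend(node.children)
    return root, apps


def measure_startup(kernel: Component, baseline: Dict[str, str]) -> bool:
    """Starting stage: only the kernel component is measured."""
    return baseline.get(kernel.name) == digest(kernel.image)


def measure_runtime(apps: List[Component], baseline: Dict[str, str]) -> List[str]:
    """Running stage: report modified components and components that are
    absent from the baseline (unknown code is treated as untrusted)."""
    violations: List[str] = []
    for app in apps:
        expected = baseline.get(app.name)
        if expected is None:
            violations.append(f"{app.name}: not in baseline")
        elif expected != digest(app.image):
            violations.append(f"{app.name}: digest mismatch")
    return violations


def measure_user_domain(root: Component, baseline: Dict[str, str]) -> Tuple[bool, List[str]]:
    kernel, apps = parse_component_tree(root)
    if not measure_startup(kernel, baseline):
        # An untrusted kernel makes runtime results meaningless; stop here.
        return False, [f"{kernel.name}: kernel component failed startup measurement"]
    violations = measure_runtime(apps, baseline)
    return (not violations), violations


def build_sample_tree() -> Component:
    """Constructed user domain: one kernel component, three applications."""
    plugin = Component("report-plugin", b"plugin v1")
    return Component("guest-kernel", b"constructed kernel image", [
        Component("sshd", b"constructed sshd binary"),
        Component("app-server", b"constructed app-server binary", [plugin]),
    ])


def make_baseline(root: Component) -> Dict[str, str]:
    kernel, apps = parse_component_tree(root)
    return {c.name: digest(c.image) for c in [kernel] + apps}
```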
Fig. 4 is a schematic structural diagram of a device for establishing a trusted domain in a fourth embodiment of the present application; as shown in fig. 4, it includes:
a domain determining unit 401, configured to determine a management domain and a user domain running on the virtual management module;
a first measurement unit 402, configured to measure the trustworthiness of the management domain based on an integrity measurement mechanism to determine a trusted management domain;
a second measurement unit 403, configured to measure, based on a system operation behavior mechanism, the trustworthiness of the user domain to determine a trusted user domain;
a domain establishing unit 404, configured to perform transfer of a trust relationship between the trusted management domain and the trusted user domain to establish a trusted domain in the cloud platform.
Optionally, in an application scenario, the management domain refers to the privileged virtual machine in Type 1 virtualization, or to the operating system on which the virtualization engine depends in Type 2 virtualization.
Optionally, in an application scenario, the user domain refers to a memory or the like associated with a user identifier without assistance from an operating system.
Optionally, in an application scenario, when performing integrity measurement, the first measurement unit measures the trustworthiness of the management domain by means of a trust chain. In particular, the trust chain can pass trust relationships accurately and in real time within the management domain, so that whether the virtual management module is trusted can be measured at any time, and any virtual behavior that does not comply with the expected policy is considered unsafe.
Optionally, in an application scenario, the domain establishing unit may formulate a security component policy according to the requirements of the application scenario, so as to transfer the trust relationship between the trusted management domain and the trusted user domain based on the security component policy and thereby establish the trusted domain in the cloud platform.
Optionally, when the domain establishing unit transfers the trust relationship between the trusted management domain and the trusted user domain, the transfer may be performed based on a single chain or a star chain.
Optionally, when the trust relationship is transferred based on a single chain, the domain establishing unit takes a single trusted user domain as the basis, and the trust relationship is transferred again each time a new user domain is created. When the trust relationship is transferred in a star chain, a central user domain is set, and the trust relationship is transferred radially outward from the central user domain.
Fig. 5 is a schematic structural diagram of a device for establishing a trusted domain in a fifth embodiment of the present application; as shown in fig. 5, it includes:
a domain determining unit 501, configured to determine a management domain and a user domain running on a virtual management module;
a first measurement unit 502, configured to measure the trustworthiness of the management domain based on an integrity measurement mechanism to determine a trusted management domain;
a second measurement unit 503, configured to measure, based on a system operation behavior mechanism, the trustworthiness of the user domain to determine a trusted user domain;
a domain establishing unit 505, configured to perform transfer of a trust relationship between the trusted management domain and the trusted user domain, so as to establish a trusted domain in the cloud platform.
Optionally, in a specific application scenario, the first measurement unit is further configured to measure, based on the integrity measurement mechanism, the trustworthiness of the management domain so as to form a trust chain and thereby determine the trusted management domain.
Optionally, in a specific application scenario, the measuring, by the first measurement unit, of the trustworthiness of the management domain to form a trust chain based on the integrity measurement mechanism, so as to determine the trusted management domain, includes: first, the integrity of the BIOS is measured; if the BIOS is intact, the BIOS is trusted and the trusted measurement of the BOOT is triggered; if the BOOT is intact, the BOOT is trusted and the management domain is trusted, which improves the speed of the trusted measurement.
Fig. 6 is a schematic structural diagram of an apparatus for establishing a trusted domain according to a sixth embodiment of the present application; as shown in fig. 6, it includes:
a domain determining unit 601, configured to determine a management domain and a user domain running on a virtual management module;
a first measurement unit 602, configured to measure, based on an integrity measurement mechanism, the trustworthiness of the management domain to determine a trusted management domain;
a second measurement unit 603, configured to measure, based on a system operation behavior mechanism, the trustworthiness of the user domain to determine a trusted user domain;
a domain establishing unit 606, configured to perform transfer of a trust relationship between the trusted management domain and the trusted user domain, so as to establish a trusted domain in the cloud platform.
Optionally, in a specific application scenario, the second measurement unit is further configured to monitor, based on the system operation behavior mechanism, the behaviors of a user kernel component and a user application component in the user domain, and to measure the trustworthiness of the user domain to determine the trusted user domain. Because the measurement is based on the behaviors of the user kernel component and the user application component, measurement at the finest granularity is achieved and the measurement accuracy is ensured.
Optionally, in a specific application scenario, the second measurement unit is further configured to measure the trustworthiness of the user domain, and thereby determine the trusted user domain, by monitoring the user kernel component in the user domain in a measurement starting stage and monitoring the behavior of the user application component in a measurement running stage, based on the system operation behavior mechanism. Because the user kernel component is monitored in the measurement starting stage and the behavior of the user application component is monitored in the measurement running stage, the trustworthiness of the user domain is checked both at measurement start and after measurement start, and malicious attacks can be detected in time.
Fig. 7 is a schematic structural diagram of an apparatus for establishing a trusted domain according to a seventh embodiment of the present application; as shown in fig. 7, it includes:
a domain determining unit 701, configured to determine a management domain and a user domain running on a virtual management module;
a first measurement unit 702, configured to measure the trustworthiness of the management domain based on an integrity measurement mechanism to determine a trusted management domain;
a second measurement unit 703, configured to measure, based on a system operation behavior mechanism, the trustworthiness of the user domain to determine a trusted user domain;
a domain establishing unit 704, configured to perform transfer of a trust relationship between the trusted management domain and the trusted user domain to establish a trusted domain in the cloud platform;
a parsing unit 705, configured to parse the component tree in the user domain, and determine a user kernel component and a user application component in the user domain, where the user kernel component is a root node of the component tree, and the user application component is a child node of the component tree.
By parsing the component tree in the user domain, the user kernel components and the user application components in the user domain can be obtained quickly and accurately, and no user kernel component or user application component is missed.
Fig. 8 is a schematic structural diagram of an apparatus for establishing a trusted domain in an eighth embodiment of the present application; as shown in fig. 8, it includes:
a domain determining unit 801, configured to determine a management domain and a user domain running on the virtual management module;
a first measurement unit 802, configured to measure the trustworthiness of the management domain based on an integrity measurement mechanism to determine a trusted management domain;
a second measurement unit 803, configured to measure, based on a system operation behavior mechanism, the trustworthiness of the user domain to determine a trusted user domain;
a domain establishing unit 804, configured to perform transfer of a trust relationship between the trusted management domain and the trusted user domain, so as to establish a trusted domain in the cloud platform;
a detecting unit 805, configured to detect in real time whether an attribute of the user domain changes and, if the attribute of the user domain changes, to monitor again, based on the system operation behavior mechanism, the behaviors of the user kernel component and the user application component in the user domain, and to measure the trustworthiness of the user domain to determine the trusted user domain.
It may further include: a maintenance unit, configured to dynamically maintain a user domain list and to update the user domain list when a change in an attribute of the user domain is detected.
Because the detecting unit detects attribute changes of the user domain in real time, the measurement can be carried out again as soon as an attribute of the user domain changes, which realizes dynamic measurement and ensures the trustworthiness of the user domain in real time.
In addition, the white list establishment of the credible user domain is realized through the maintenance unit, and the transfer of the trust relationship between the user domain and the management domain based on the white list can be further realized.
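The whitelist maintenance and the single-chain and star-chain trust transfer described above, as an added Python example that is not code from the patent. How trust flows along each topology (each domain trusted only while every domain between it and the management domain is still on the whitelist) is one interpretation and an assumption, as are the class, the `measure` hook and the sample attributes.

```python
from typing import Callable, Dict, List, Set

MGMT = "mgmt"  # assumed name for the already-trusted management domain


class TrustedDomainRegistry:
    def __init__(self, topology: str, measure: Callable[[str, dict], bool]):
        if topology not in ("chain", "star"):
            raise ValueError("topology must be 'chain' or 'star'")
        self.topology = topology
        self.measure = measure            # stand-in for the behavior measurement
        self.giver: Dict[str, str] = {}   # domain -> domain that passed trust to it
        self.whitelist: Set[str] = set()  # user domains that passed measurement
        self.order: List[str] = []        # creation order of user domains

    def _pick_giver(self) -> str:
        if self.topology == "star":
            # Star: the first user domain is the center; all others hang off it.
            return self.order[0] if self.order else MGMT
        # Single chain: trust is passed on from the newest trusted user domain.
        for name in reversed(self.order):
            if self.is_trusted(name):
                return name
        return MGMT

    def add_user_domain(self, name: str, attrs: dict) -> bool:
        if name in self.giver:
            raise ValueError(f"{name} already registered")
        self.giver[name] = self._pick_giver()
        self.order.append(name)
        return self.on_attribute_change(name, attrs)

    def on_attribute_change(self, name: str, attrs: dict) -> bool:
        """Re-measure a domain whenever its attributes change and update
        the whitelist accordingly."""
        if name not in self.giver:
            raise KeyError(name)
        if self.measure(name, attrs):
            self.whitelist.add(name)
        else:
            self.whitelist.discard(name)
        return self.is_trusted(name)

    def is_trusted(self, name: str) -> bool:
        # Walk back toward the management domain; any gap breaks the transfer.
        while name != MGMT:
            if name not in self.whitelist:
                return False
            name = self.giver[name]
        return True

    def trusted_domains(self) -> List[str]:
        return [d for d in self.order if self.is_trusted(d)]


# Constructed attributes and a constructed measurement policy.
GOOD = {"kernel_digest": "aa11"}
BAD = {"kernel_digest": "ff00"}


def sample_measure(name: str, attrs: dict) -> bool:
    return attrs.get("kernel_digest") == "aa11"
```

With these assumptions, a failed re-measurement in a single chain cuts off every domain created after the failing one, while in a star chain only a failure of the central user domain affects the others.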
FIG. 9 is a schematic structural diagram of an electronic device according to a ninth embodiment of the present application; as shown in fig. 9, it includes: a memory 901 having stored thereon a computer executable program and a processor 902 for executing the computer executable program to implement the method of any of the embodiments of the present application.
Fig. 10 is a schematic hardware structure diagram of an electronic device in a tenth embodiment of the present application; as shown in fig. 10, the hardware structure of the electronic device may include: a processor task parsing unit 1001, a communication interface overhead determining unit 1002, a computer readable medium task characterizing unit 1003 and a communication bus 1004;
the system comprises a processor task analysis unit 1001, a communication interface overhead determination unit 1002 and a computer readable medium task depicting unit 1003, wherein the processor task analysis unit 1001, the communication interface overhead determination unit 1002 and the computer readable medium task depicting unit 1003 complete mutual communication through a communication bus 1004;
optionally, the communication interface overhead determining unit 1002 may be an interface of a communication module, such as an interface of a GSM module;
the processor task parsing unit 1001 may be specifically configured to run an executable program stored in a memory, so as to execute all or part of the processing steps of any one of the method embodiments described above.
The processor task parsing unit 1001 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as the iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content. They include audio and video players (e.g., iPod), handheld game consoles, e-book readers, as well as smart toys and portable car navigation devices.
(4) Servers: a server is similar in architecture to a general-purpose computer, but has higher requirements on processing capability, stability, reliability, security, scalability, manageability and the like because it needs to provide highly reliable services.
(5) Other electronic devices with data interaction functions.
FIG. 11 is a schematic structural diagram of a computer storage medium according to an eleventh embodiment of the present application; as shown in fig. 11, the computer storage medium stores thereon a computer executable program, and the computer executable program is executed to implement the method according to any embodiment of the present application.
An embodiment of the present application further provides a data system, which includes the electronic device according to any embodiment of the present application.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section, and/or installed from a removable medium. The computer program, when executed by a processing unit (CPU), performs the above-described functions defined in the method of the present application. It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer storage medium or any combination of the two. A computer storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of computer storage media may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. 
In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in one or more programming languages or any combination thereof, including object-oriented programming languages such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
Fig. 6 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application; as shown in fig. 6, the hardware structure of the electronic device may include: a processor 601, a communication interface 602, a computer-readable medium 603, and a communication bus 604;
the processor 601, the communication interface 602, and the computer-readable medium 603 complete communication with each other through the communication bus 604;
optionally, the communication interface 602 may be an interface of a communication module, such as an interface of a GSM module;
the processor 601 may be specifically configured to run a computer software program stored on the memory, so as to perform all or part of the processing steps of any of the above method embodiments.
The processor 601 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It should be noted that the same and similar parts of the various embodiments in this specification may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the apparatus and system embodiments are substantially similar to the method embodiments, they are described relatively briefly, and the relevant parts of the method embodiments may be consulted for details. The above-described embodiments of the apparatus and system are merely illustrative: the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for establishing a trusted domain, comprising:
determining a management domain and a user domain which run on a virtual management module;
measuring the credibility of the management domain based on an integrity measurement mechanism to determine the trusted management domain;
measuring the credibility of the user domain based on a system operation behavior mechanism to determine the trusted user domain;
and transferring the trust relationship between the trusted management domain and the trusted user domain so as to establish the trusted domain in the cloud platform.
2. The method of claim 1, wherein said measuring the credibility of the management domain based on an integrity measurement mechanism to determine the trusted management domain comprises: measuring the credibility of the management domain based on the integrity measurement mechanism to form a trust chain, so as to determine the trusted management domain.
3. The method of claim 1, wherein said measuring the credibility of the user domain based on a system operation behavior mechanism to determine the trusted user domain comprises: monitoring the behaviors of the user kernel component and the user application component in the user domain based on the system operation behavior mechanism, and measuring the credibility of the user domain to determine the trusted user domain.
4. The method of claim 3, further comprising: analyzing the component tree in the user domain, and determining a user kernel component and a user application component in the user domain, wherein the user kernel component is a root node of the component tree, and the user application component is a child node of the component tree.
5. An apparatus for establishing a trusted domain, comprising:
a domain determining unit for determining a management domain and a user domain running on the virtual management module;
a first measurement unit, configured to measure the credibility of the management domain based on an integrity measurement mechanism to determine the trusted management domain;
a second measurement unit, configured to measure the credibility of the user domain based on a system operation behavior mechanism to determine the trusted user domain;
and a domain establishing unit, configured to transfer the trust relationship between the trusted management domain and the trusted user domain so as to establish the trusted domain in the cloud platform.
6. The apparatus of claim 5, wherein the first measurement unit is further configured to measure the credibility of the management domain based on the integrity measurement mechanism to form a trust chain, so as to determine the trusted management domain.
7. The apparatus of claim 5, wherein the second measurement unit is further configured to monitor the behaviors of a user kernel component and a user application component in the user domain based on the system operation behavior mechanism, and to measure the credibility of the user domain to determine the trusted user domain.
8. An electronic device comprising a memory having a computer-executable program stored thereon and a processor for executing the computer-executable program to perform the method of any of claims 1-4.
9. A computer-readable storage medium, characterized in that it stores a computer-executable program which, when executed, performs the method of any of claims 1-4.
10. A data system comprising a plurality of electronic devices according to claim 8, each electronic device acting as a trusted data node in the data system.
CN202110932716.5A 2021-08-13 2021-08-13 Trusted domain establishing method and device and data system Pending CN113824683A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110932716.5A CN113824683A (en) 2021-08-13 2021-08-13 Trusted domain establishing method and device and data system

Publications (1)

Publication Number Publication Date
CN113824683A true CN113824683A (en) 2021-12-21

Family

ID=78922898

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110932716.5A Pending CN113824683A (en) 2021-08-13 2021-08-13 Trusted domain establishing method and device and data system

Country Status (1)

Country Link
CN (1) CN113824683A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination