CN115934245A - Method and system for enhancing credible security of virtual machine - Google Patents

Publication number
CN115934245A
Authority
CN
China
Prior art keywords
file
trusted
credible
verification
virtual machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211355325.2A
Other languages
Chinese (zh)
Inventor
杨祎巍
洪超
许爱东
匡晓云
杨航
梁兆楷
吕华辉
李攀登
王辉鹏
张宇南
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CSG Electric Power Research Institute
Original Assignee
CSG Electric Power Research Institute

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a method and a system for enhancing the trusted security of a virtual machine. The method comprises: obtaining a file and protecting the integrity of the file; performing static trusted verification on the file; performing dynamic trusted verification on the file; and, after the process is loaded, protecting the process. The method implements static trusted verification, dynamic trusted verification, file integrity protection, file trusted verification and process protection for application programs, so that the virtual machine has a complete trusted computing function and active immunity, a safe and trusted virtual machine operating environment is constructed, and attacks and intrusions by unknown vulnerabilities, trojans and viruses are effectively prevented.

Description

Method and system for enhancing credible security of virtual machine
Technical Field
The invention relates to the technical field of network security, in particular to a method and a system for enhancing the credible security of a virtual machine.
Background
Products in the power system include servers, PCs, Internet of Things terminals, network boundary protection equipment and cloud platform systems. For existing servers and PCs, software can be deployed to provide a trusted root installation, enhanced boot program trust, system program trust and application program trust.
Internet of Things terminal equipment and network boundary equipment can be retrofitted: a trusted root is added, and the boot program, the system programs and the trusted verification of dedicated applications are protected. For a management system such as a cloud platform, besides retrofitting the servers, terminal devices, PCs and other devices that make it up, a trusted security management center is also required; all of the constituent devices are managed by the trusted security management center, and an integral trusted system is formed according to the device states.
In summary, it is imperative to construct an overall trusted security protection architecture for electric power, and to construct a trusted security management center that performs unified, centralized trusted management of trusted servers, trusted terminal devices and trusted virtual machines.
Disclosure of Invention
In view of the above, the present invention is proposed to provide a virtual machine trusted security enhancement method and system that overcomes or at least partially solves the above mentioned problems.
According to one aspect of the invention, a method for enhancing the trusted security of a virtual machine is provided, which comprises the following steps:
acquiring a file and protecting the integrity of the file;
performing static trusted verification on the file;
performing dynamic trusted verification on the file;
and after the process is loaded, protecting the process.
Optionally, the integrity protection of the file specifically includes:
performing a cryptographic digest operation on the file and storing the result as a reference value;
and adding an interception program to the operating system kernel, and prohibiting the operation when a write or delete operation is attempted on the file.
Optionally, performing static trusted verification on the file specifically includes:
measuring the file periodically to obtain a measurement value;
comparing the measurement value with the reference value and judging whether they are consistent; if so, recording the measurement value as trusted and verifying it as trusted; otherwise, it is deemed untrusted.
Optionally, performing dynamic trusted verification on the file specifically includes:
when a program is loaded, computing a cryptographic digest of the code segment in the process and storing it as a reference value;
measuring the process periodically to obtain a measurement value;
judging whether the measurement value is consistent with the reference value; if so, recording the measurement value as trusted and verifying it as trusted; otherwise, it is deemed untrusted.
Optionally, protecting the process after it is loaded specifically includes:
after the process is loaded, adding an interception program to the operating system kernel, and when a close signal is sent to the process, blocking the close signal and directly returning failure.
The invention also provides a virtual machine trusted security enhancement system, which comprises:
the system comprises a trusted VM, a system application, an operating system and a trusted verification module;
the trusted VM comprises a plurality of service applications, a trusted management interface and application layer trusted protection;
the operating system is connected with the system application;
the trusted verification module is connected to the system application and to the operating system respectively, and is used for performing static trusted verification on the file and performing dynamic trusted verification on the file.
The invention provides a method and a system for enhancing the trusted security of a virtual machine. The method comprises: obtaining a file and protecting the integrity of the file; performing static trusted verification on the file; performing dynamic trusted verification on the file; and, after the process is loaded, protecting the process. The method implements static trusted verification, dynamic trusted verification, file integrity protection, file trusted verification and process protection for application programs, so that the virtual machine has a complete trusted computing function and active immunity, a safe and trusted virtual machine running environment is constructed, and attacks and intrusions by unknown vulnerabilities, trojans and viruses are effectively prevented.
The above description is only an overview of the technical solutions of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the content of the description, and so that the above and other objects, features and advantages of the present invention are more readily apparent, specific embodiments are set out below.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings based on them without creative effort.
Fig. 1 is a block diagram of a virtual machine trusted security enhancement system provided in the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The terms "comprises" and "comprising," and any variations thereof, in the present description and claims and drawings are intended to cover a non-exclusive inclusion, such as a list of steps or elements.
The technical solution of the present invention is further described in detail with reference to the accompanying drawings and embodiments.
This embodiment provides a virtual machine trusted security enhancement method, which comprises the following steps:
File integrity protection: a cryptographic digest operation is performed on each file and the result is stored as a reference value; an interception program is added to the operating system kernel, and write, delete and similar operations on the file are prohibited;
Static trusted verification: the file is measured periodically and the measurement value is compared with the reference value; when the measurement value is consistent with the reference value, it is recorded as trusted and verified as trusted; otherwise, it is regarded as untrusted;
Dynamic trusted verification: when a program is loaded, a cryptographic digest of the code segment in the process is computed and stored as a reference value; the process is then measured periodically and the measurement value is compared with the reference value; when the measurement value is consistent with the reference value, it is recorded as trusted and verified as trusted; otherwise, it is regarded as untrusted;
Process protection: after the process is loaded, an interception program is added to the operating system kernel, and when a close signal is sent to the process, the close signal is blocked and failure is returned directly.
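An added example, not code from the patent: a user-space sketch of the reference-value and periodic-measurement logic behind the static and dynamic verification steps above. SHA-256, the `TrustedVerifier` class and the sample file and code-segment bytes are assumptions constructed for illustration; the kernel interception of writes, deletes and close signals is not modelled.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

TRUSTED, UNTRUSTED = "trusted", "untrusted"

def measure(data: bytes) -> bytes:
    # SHA-256 is an assumption; the patent only says "cryptographic digest".
    return hashlib.sha256(data).digest()

def measure_file(path):
    """Digest of the current file content; None if unreadable (e.g. deleted)."""
    try:
        return measure(Path(path).read_bytes())
    except OSError:
        return None

class TrustedVerifier:
    def __init__(self):
        self.file_refs = {}  # path -> reference value (static verification)
        self.code_refs = {}  # pid -> reference value of the code segment (dynamic)

    def protect_file(self, path):
        self.file_refs[str(path)] = measure_file(path)

    def on_program_load(self, pid, code_segment: bytes):
        self.code_refs[pid] = measure(code_segment)

    @staticmethod
    def _verdict(measured, reference):
        # Fail closed: a missing measurement or reference value is untrusted.
        if measured is None or reference is None:
            return UNTRUSTED
        return TRUSTED if hmac.compare_digest(measured, reference) else UNTRUSTED

    def verify_file(self, path):
        return self._verdict(measure_file(path), self.file_refs.get(str(path)))

    def verify_process(self, pid, code_segment: bytes):
        return self._verdict(measure(code_segment), self.code_refs.get(pid))

def demo():  # one measurement round over constructed inputs
    v, out = TrustedVerifier(), {}
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "app.conf"
        p.write_bytes(b"mode=production\n")        # constructed sample file
        v.protect_file(p)
        out["file_clean"] = v.verify_file(p)
        p.write_bytes(b"mode=debug\n")             # simulated modification
        out["file_modified"] = v.verify_file(p)
        p.unlink()                                 # simulated deletion
        out["file_deleted"] = v.verify_file(p)
    code = bytes.fromhex("554889e5b8000000005dc3")  # constructed code-segment bytes
    v.on_program_load(1234, code)
    out["proc_clean"] = v.verify_process(1234, code)
    out["proc_patched"] = v.verify_process(1234, code[:5] + b"\x01" + code[6:])
    out["proc_unknown"] = v.verify_process(9999, code)  # no reference value stored
    return out
```

In a deployment the reference values must themselves be stored where the measured software cannot rewrite them; otherwise a modified file and a matching reference value pass the comparison together.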
As shown in fig. 1, a virtual machine trusted security enhancement system includes:
the system comprises a trusted VM, a system application, an operating system and a trusted verification module;
the trusted VM comprises a plurality of service applications, a trusted management interface and application layer trusted protection;
the operating system is connected with the system application;
the trusted verification module is connected to the system application and to the operating system respectively, and is used for performing static trusted verification on the file and performing dynamic trusted verification on the file.
Trust enhancement of the virtual machine operating system: the trusted verification module in the operating system provides static trusted verification, dynamic trusted verification, file integrity protection, file trusted verification and process protection as trust enhancements for the operating system of the virtual machine, thereby ensuring the security of the virtual machine operating system.
Application trust enhancement: through a security enhancement function interface provided by the virtual machine operating system, static trusted verification is performed on the application start-up process, dynamic trusted verification is performed on the execution process, and integrity protection is applied to key files and data, so that trusted security protection of the application programs on the virtual machine is achieved.
Beneficial effects: the method implements static trusted verification, dynamic trusted verification, file integrity protection, file trusted verification and process protection for application programs, so that the virtual machine has a complete trusted computing function and active immunity, a safe and trusted virtual machine operating environment is constructed, and attacks and intrusions by unknown vulnerabilities, trojans and viruses are effectively prevented.
The above embodiments describe the objects, technical solutions and advantages of the present invention in further detail. It should be understood that they are only examples of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (6)

1. A virtual machine trusted security enhancement method, characterized in that the enhancement method comprises the following steps:
acquiring a file and protecting the integrity of the file;
performing static trusted verification on the file;
performing dynamic trusted verification on the file;
and after the process is loaded, protecting the process.
2. The method for enhancing the trusted security of a virtual machine according to claim 1, wherein the integrity protection of the file specifically includes:
performing a cryptographic digest operation on the file and storing the result as a reference value;
and adding an interception program to the operating system kernel, and prohibiting the operation when a write or delete operation is attempted on the file.
3. The method for enhancing the trusted security of a virtual machine according to claim 2, wherein performing the static trusted verification on the file specifically includes:
measuring the file periodically to obtain a measurement value;
comparing the measurement value with the reference value and judging whether they are consistent; if so, recording the measurement value as trusted and verifying it as trusted; otherwise, it is deemed untrusted.
4. The method for enhancing the trusted security of a virtual machine according to claim 1, wherein performing the dynamic trusted verification on the file specifically includes:
when a program is loaded, computing a cryptographic digest of the code segment in the process and storing it as a reference value;
measuring the process periodically to obtain a measurement value;
judging whether the measurement value is consistent with the reference value; if so, recording the measurement value as trusted and verifying it as trusted; otherwise, it is deemed untrusted.
5. The method for enhancing the trusted security of a virtual machine according to claim 1, wherein protecting the process after it is loaded specifically includes:
after the process is loaded, adding an interception program to the operating system kernel, and when a close signal is sent to the process, blocking the close signal and directly returning failure.
6. A virtual machine trusted security enhancement system, the enhancement system comprising: a trusted VM, a system application, an operating system and a trusted verification module;
the trusted VM comprises a plurality of service applications, a trusted management interface and application layer trusted protection;
the operating system is connected with the system application;
the trusted verification module is connected to the system application and to the operating system respectively, and is used for performing static trusted verification on the file and performing dynamic trusted verification on the file.
CN202211355325.2A 2022-11-01 2022-11-01 Method and system for enhancing credible security of virtual machine Pending CN115934245A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211355325.2A CN115934245A (en) 2022-11-01 2022-11-01 Method and system for enhancing credible security of virtual machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211355325.2A CN115934245A (en) 2022-11-01 2022-11-01 Method and system for enhancing credible security of virtual machine

Publications (1)

Publication Number Publication Date
CN115934245A true CN115934245A (en) 2023-04-07

Family

ID=86699735

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211355325.2A Pending CN115934245A (en) 2022-11-01 2022-11-01 Method and system for enhancing credible security of virtual machine

Country Status (1)

Country Link
CN (1) CN115934245A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination