WO2009081530A1 - Virtual Machine System, Policy Enforcement System, Policy Enforcement Method, and Virtual Machine Control Program - Google Patents
- Publication number: WO2009081530A1
- Application number: PCT/JP2008/003691
- Authority: WO (WIPO (PCT))
- Prior art keywords: setting, guest, application, setting item, virtual machine
- Prior art date
Classifications
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines (under G06F9/00—Arrangements for program control, e.g. control units; G06F9/06—using stored programs, i.e. using an internal store of processing equipment to receive or retain programs; G06F9/44—Arrangements for executing specific programs)
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine (under G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/52—during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow)
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme G06F2221/00, G06F2221/21 relating to G06F21/00 and subgroups)
- G06F2221/2149—Restricted operating environment (indexing scheme G06F2221/00, G06F2221/21 relating to G06F21/00 and subgroups)
- H04L63/102—Entity profiles (under H04L63/00—Network architectures or network communication protocols for network security; H04L63/10—for controlling access to devices or network resources)
- The G06F entries belong to section G—PHYSICS, class G06—COMPUTING; CALCULATING OR COUNTING, subclass G06F—ELECTRIC DIGITAL DATA PROCESSING; the H04L entry belongs to section H—ELECTRICITY, class H04—ELECTRIC COMMUNICATION TECHNIQUE, subclass H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.
Definitions
- the present invention relates to a virtual machine system, a policy enforcement system, a policy enforcement method, and a virtual machine control program.
- A virtual machine system is a system that makes it possible to create one or more virtual machines on a host computer, which is a real machine, and to run an OS independently on each virtual machine.
- the virtual machine is operated using the resources of the host computer.
- a virtual OS that runs on a virtual machine is called a guest OS.
- Conventionally, the settings of the OS and of application software have been enforced by a function prepared in the OS or by installing a dedicated agent. Note that the expression "policy enforcement" includes not only forcibly setting a setting value in accordance with the security policy but also the act of applying that setting value.
- Patent Document 1 describes a computer system in which a control screen is displayed by a host OS (specifically, a hypervisor), a command and execution conditions for a guest OS are input on that control screen, and the guest OS is executed by inputting the command and the like from the host OS side.
- Patent Document 2 describes a program activation method in which, by changing the parameters of the automatic startup file and the operating environment file under the guest OS through an operation on the host OS side, an application program running on the guest OS is started and the operating environment (the operating environment of the guest OS) necessary for that application program to operate can be changed.
- Patent Document 3 describes a process monitoring system that changes devices in a plant by converting the configuration data edited on screen by the user into the data format of each device in the plant and transmitting that data.
- Patent Document 4 describes a method for automatically acquiring network setting information in an information processing apparatus.
- Patent Document 5 discloses a method of forcibly setting a density setting parameter in a print processing apparatus.
- Cited patent documents, in the order cited: JP 2005-135137 A; JP 05-053833 A (Japanese Patent Laid-Open No. 05-053833); JP 2004-334360 A; JP 2003-110564 A; JP 2004-306555 A.
- An intranet is composed of an arbitrary number of computer systems such as servers and clients.
- In such an intranet, a security policy (hereinafter sometimes simply referred to as a policy) is forcibly applied to an OS or to an application (application program) operating on the OS.
- To do so, a function prepared by the OS is used, or a dedicated agent is installed.
- With such an agent, acquiring the setting contents recognized by the guest OS and by the applications running on the guest OS, changing them to the setting contents in accordance with the policy, and notifying the results can easily be realized.
- However, this implementation method has the problem that the guest OS must be modified for policy enforcement. It is therefore preferable that the policy can be enforced for the guest OS or for an application running on the guest OS without installing a special agent on the guest OS.
- Patent Document 1 is intended to automatically execute commands in each guest OS so as to link the guest OSs. It therefore does not consider what is needed to enforce a policy: how to manage and detect settings according to the type of guest OS and the applications running on it, and how to apply a setting when it has been changed. For example, if a policy is to be enforced for an application running on the guest OS, the application needs to be restarted in order for the changed contents to be applied.
- Patent Documents 3 to 5 are intended for real computers, and a special agent must be installed on the guest OS when they are applied to a system targeting virtual machines.
- Accordingly, an object of the present invention is to provide a virtual machine system, a policy enforcement system, a policy enforcement method, and a virtual machine control program that can enforce a policy for a guest OS or for an application running on the guest OS without installing a special agent on the guest OS.
- The virtual machine system according to the present invention is a virtual machine system that constructs one or more virtual machines on a real machine and includes a hypervisor that realizes access to virtualized hardware by a guest OS, which is an operating system operating on the virtual machine, or by an application operating on the guest OS, using a physical device included in the real machine.
- The hypervisor includes: setting item information holding means that holds setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items according to the type of the guest OS or the type of the application; setting detection means that, based on the setting item information, monitors the commands executed by the guest OS and the output of the physical device and detects the setting value set in a setting item of the setting item information, or the setting value about to be changed; and setting application means that, when the setting value detected by the setting detection means differs from the setting value indicated by the setting item information, applies the setting value indicated by the setting item information to the guest OS or the application that is the setting target of that setting item.
- The policy enforcement system according to the present invention is a policy enforcement system that enforces a security policy for a virtual machine system that constructs one or more virtual machines on a real machine, and includes the virtual machine system and a management system that manages the security policy to be applied to the virtual machine system.
- The virtual machine system includes a hypervisor that realizes access to virtualized hardware by a guest OS, which is an operating system operating on the virtual machine, or by an application operating on the guest OS, using a physical device included in the real machine.
- The hypervisor includes: setting item information holding means that holds setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items according to the type of the guest OS or the type of the application; setting detection means that, based on the setting item information, monitors the commands executed by the guest OS and the output of the physical device and detects the setting value set in a setting item of the setting item information holding means, or the setting value about to be changed; and setting application means that, when the setting value detected by the setting detection means differs from the setting value indicated by the setting item information, applies the setting value indicated by the setting item information to the guest OS or the application that is the setting target of that setting item.
- The policy enforcement method according to the present invention is a policy enforcement method for enforcing a security policy for a virtual machine system that constructs one or more virtual machines on a real machine, the virtual machine system including a hypervisor that realizes access to virtualized hardware by a guest OS, which is an operating system operating on the virtual machine, or by an application operating on the guest OS, using a physical device included in the real machine.
- The method includes: a setting item information holding step in which the hypervisor holds setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items according to the type of the guest OS or the type of the application; a setting detection step in which the hypervisor, based on the setting item information, monitors the instructions executed by the guest OS and the output of the physical device and detects the setting value set in a setting item of the setting item information held in the setting item information holding step, or the setting value about to be changed; and a setting application step in which, when the setting value detected by the hypervisor in the setting detection step differs from the setting value indicated by the setting item information, the hypervisor applies the setting value indicated by the setting item information to the guest OS or the application that is the setting target of that setting item.
- The virtual machine control program according to the present invention is a virtual machine control program in a virtual machine system that constructs one or more virtual machines on a real machine and includes a hypervisor that realizes access to virtualized hardware by a guest OS, which is an operating system operating on the virtual machine, or by an application operating on the guest OS, using a physical device included in the real machine.
- The program causes the hypervisor to execute: a setting item information holding procedure for holding setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items according to the type of the guest OS or the type of the application; a setting detection procedure for monitoring, based on the setting item information, the commands executed by the guest OS and the output of the physical device and detecting the setting value set in a setting item of the setting item information held by the setting item information holding procedure, or the setting value about to be changed; and a setting application procedure for applying, when the detected setting value differs from the setting value indicated by the setting item information, the setting value indicated by the setting item information to the guest OS or the application that is the setting target of that setting item.
- According to the present invention, it is possible to enforce a security policy for a guest OS and for an application running on the guest OS without installing a special agent on the guest OS.
- FIG. 1 is a block diagram showing a configuration example of a virtual machine system 600 according to the present invention.
- The virtual machine system 600 shown in FIG. 1 includes a hypervisor 50 that realizes access to virtualized hardware by a guest OS 341, which is an operating system running on each virtual machine, or by an application 351 running on the guest OS 341, using a physical device 60 that the real machine has.
- the hypervisor 50 includes setting detection means 11, setting application means 12, and setting item information holding means 21.
- The setting detection unit 11 monitors the commands executed by the guest OS 341 and the output from the physical device 60 based on the setting item information held by the setting item information holding unit 21, and detects, for each setting item indicated by the setting item information, the setting value that is actually set or that is about to be changed.
- The setting item information is information in which the security policy applied to the virtual machine system 600 having the hypervisor 50 is indicated as setting values of setting items corresponding to the type of the guest OS 341 or the type of the application 351 running on the guest OS 341, and it is held by the setting item information holding unit 21.
- The setting item information holding unit 21 holds the setting item information so that it is accessible by the other means of the hypervisor 50, for example by securing a storage area for the setting item information within the storage area allocated to the hypervisor 50 and holding the values in that reserved area.
- For example, suppose the setting item information stores, as a setting item for the guest OS 341 in accordance with a certain security policy, information indicating that the value of a predetermined registry entry is 1. The setting detection unit 11 refers to the setting item information to detect whether a hardware access instruction is associated with that registry entry, and detects the currently set value from the read of the physical device 60 performed according to that hardware access instruction. Alternatively, it may detect the setting value about to be changed by monitoring the hardware access accompanying an update of that registry entry and referring to the update value included in the hardware access request.
- the setting item is not limited to the one associated with the registry, and it is sufficient that the setting item information indicates how the setting is performed. For example, it may be an item held in a certain setting file.
- The setting application unit 12 applies the setting value indicated by the setting item information to the guest OS 341 or the application 351 that is the target of the setting item by performing any one of the following, or a combination of them: rewriting the response to the hardware access command associated with the reference to or update of the setting item in which the difference was detected; writing to the physical device 60 that holds the setting value of that setting item; or notifying the guest OS 341 or the application 351 that is the target of the setting item using a function it holds.
- For example, the setting application unit 12 may apply the setting value to the guest OS 341 or the application 351 that is the target of the setting item by rewriting the response to the hardware access command related to the reference to or update of the setting item in which the difference was detected.
- The setting application unit 12 may also apply the setting value to the guest OS 341 or the application 351 that is the target of the setting item by, for example, performing a notification using a function held by the guest OS 341 or the application 351 that is the target of the setting item in which the difference was detected.
- The setting value may also be applied to the guest OS 341 or the application 351 that is the target of the setting item by writing to the physical device 60 that holds the setting value of the setting item in which the difference was detected.
- As the notification using a function held by the guest OS 341 or the application 351 that is the target of the setting item in which the difference was detected, the setting application unit 12 may generate an interrupt that is received by the guest OS 341 or the application 351.
- An interrupt accepted by the application 351 may be generated via the guest OS 341 on which the application 351 is running.
- When the hardware access command is a reference to the setting value, the setting value may be applied to the guest OS 341 or the application 351 that is the target of the setting item by rewriting the value read from the physical device 60 in the response to that hardware access command to the setting value indicated by the setting item information.
- When the hardware access command is an update, the setting value may be applied to the guest OS 341 or the application 351 that is the target of the setting item by not letting the physical device 60 be rewritten by that hardware access command.
- The setting value may also be applied to the guest OS 341 or the application 351 that is the target of the setting item by generating an interrupt that is accepted by the guest OS 341 or the application 351 that is the target of the setting item.
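The following is an added example, not code from the patent, that models the hypervisor 50 of FIG. 1 in Python: the setting item information holding means (21) is a table keyed by target type and setting location, the setting detection means (11) sits on the guest's hardware-access path and compares the value read or about to be written with the policy value, and the setting application means (12) applies the policy value by one of the three methods the description names (rewriting the response, writing the physical device, or generating an interrupt after writing). The guest OS and application type names, the registry-style keys, the values and the per-item application method are all constructed for the example.

```python
# Added example (not the patent's code): a minimal model of hypervisor 50 of FIG. 1.
# All target type names, keys, values and the per-item "method" field are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SettingItem:
    """One entry of the setting item information (constructed schema)."""
    target: str    # type of guest OS or application the item applies to
    key: str       # where the setting lives, e.g. a registry value path
    required: int  # setting value demanded by the security policy
    method: str    # "rewrite_response", "write_device" or "interrupt"


class PhysicalDevice:
    """Stand-in for physical device 60: the backing store of the guest's settings."""

    def __init__(self, contents: Dict[str, int]) -> None:
        self.contents = dict(contents)

    def read(self, key: str) -> Optional[int]:
        return self.contents.get(key)

    def write(self, key: str, value: int) -> None:
        self.contents[key] = value


@dataclass(frozen=True)
class AccessResult:
    value: Optional[int]   # value carried back to the guest in the response
    device_written: bool   # whether the physical device was written


class Hypervisor:
    def __init__(self, device: PhysicalDevice, items: List[SettingItem]) -> None:
        self.device = device
        # setting item information holding means 21, keyed by (target type, key)
        self.items = {(i.target, i.key): i for i in items}
        self.interrupts: List[Tuple[str, str, int]] = []            # notifications raised
        self.audit: List[Tuple[str, str, Optional[int], int]] = []  # (method, key, seen, required)

    def handle_access(self, target: str, op: str, key: str,
                      value: Optional[int] = None) -> AccessResult:
        """Monitored hardware-access command: detection (11), then application (12)."""
        item = self.items.get((target, key))
        if op == "read":
            seen = self.device.read(key)           # value currently set
            if item is None or seen == item.required:
                return AccessResult(seen, False)   # compliant or not policed: pass through
            return self._apply(item, seen)
        if op == "write":
            if item is None or value == item.required:
                self.device.write(key, value)      # value about to be changed is acceptable
                return AccessResult(value, True)
            return self._apply(item, value)        # non-compliant update detected
        raise ValueError(f"unknown op {op!r}")

    def _apply(self, item: SettingItem, seen: Optional[int]) -> AccessResult:
        """Apply the policy value by the method recorded for this item."""
        self.audit.append((item.method, item.key, seen, item.required))
        if item.method == "rewrite_response":
            # answer a reference with the policy value; an update leaves the device untouched
            return AccessResult(item.required, False)
        if item.method == "write_device":
            self.device.write(item.key, item.required)
            return AccessResult(item.required, True)
        if item.method == "interrupt":
            # write the correct value, then notify the guest so that it re-reads the setting
            self.device.write(item.key, item.required)
            self.interrupts.append((item.target, item.key, item.required))
            return AccessResult(item.required, True)
        raise ValueError(f"unknown method {item.method!r}")


def demo() -> Tuple[Hypervisor, List[AccessResult]]:
    """Constructed scenario: one guest OS type, one application type, three items."""
    device = PhysicalDevice({
        "HKLM/Firewall/Enabled": 0,       # drifted from policy
        "HKLM/AutoUpdate/Enabled": 1,     # compliant; the guest will try to turn it off
        "HKCU/AppB/MacroSecurity": 1,     # drifted from policy
    })
    hv = Hypervisor(device, [
        SettingItem("guest-os-A", "HKLM/Firewall/Enabled", 1, "rewrite_response"),
        SettingItem("guest-os-A", "HKLM/AutoUpdate/Enabled", 1, "interrupt"),
        SettingItem("app-B", "HKCU/AppB/MacroSecurity", 3, "write_device"),
    ])
    results = [
        hv.handle_access("guest-os-A", "read", "HKLM/Firewall/Enabled"),
        hv.handle_access("guest-os-A", "write", "HKLM/AutoUpdate/Enabled", 0),
        hv.handle_access("app-B", "read", "HKCU/AppB/MacroSecurity"),
        hv.handle_access("guest-os-A", "read", "HKLM/Unpoliced/Value"),
    ]
    return hv, results


if __name__ == "__main__":
    hv, results = demo()
    print(results, hv.device.contents, hv.interrupts, sep="\n")
```

In the scenario, the firewall read is answered with the policy value while the device itself is left drifted (the guest sees a compliant value, and the audit records the discrepancy for the operator), the attempted auto-update change never reaches the device and triggers an interrupt toward the guest, and the macro-security read is corrected on the device itself. Which of the three is appropriate for a given item depends on whether the guest caches the value, which is why the method is stored per item.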
- the virtual computer system 600 may further include setting item information generation means 13 and correspondence information holding means 22.
- The virtual machine system 610 shown in FIG. 2 is connected to the management system 100 via the network 200.
- The setting item information generation unit 13 receives information on the security policy applied to the virtual machine system 610 from the management system 100, which manages the security policy, and generates the setting item information by expanding each item of the received security policy into the setting values of one or more setting items according to the type of the guest OS 341 and the type of the application 351 running on the guest OS 341, based on the correspondence information held by the correspondence information holding unit 22.
- The correspondence information is information indicating the correspondence between each item of the security policy and the setting items for each type of guest OS 341 and each type of application 351 running on the guest OS 341 to which that item applies, and it is held by the correspondence information holding unit 22.
- The correspondence information holding unit 22 may store, for example, the information on each item of the security policy (its identifier and possible values) in association with the setting item information (setting method, corresponding setting value, and the like) for each type of guest OS 341 and each type of application 351 running on the guest OS 341 that corresponds to that item.
- The correspondence information holding unit 22 holds the correspondence information so that it is accessible by the other means of the hypervisor 70, for example by securing a storage area for the correspondence information in the allocated storage area and holding the values in that reserved area.
- The setting application unit 12 may hold the information on each setting item detected by the setting detection unit 11 and apply the setting value to the guest OS 341 or the application 351 that is the target of the setting item. In that case, the actual application is executed by the hardware access that accompanies the reference to the setting item.
- When the setting application unit 12 detects a difference in the setting value of a setting item because the setting item information has been updated by the setting item information generation unit 13, it may apply the setting value to the guest OS 341 or the application 351 that is the target of the setting item by generating an interrupt accepted by that guest OS 341 or application 351. In that case, the actual application is executed by the hardware access accompanying the reference to the setting item that is triggered by the generated interrupt.
- Alternatively, the updated setting value may first be written to the physical device 60, and the interrupt accepted by the guest OS 341 or the application 351 that is the target of the setting item may then be generated.
- The setting application unit 12 may, for example, hold information indicating which application method is used for each setting item for each OS type or each application type, and perform the predetermined processing based on that information.
- The setting value may also be applied to the guest OS 341 or the application 351 that is the target of the setting item simply by writing the updated setting value to the physical device 60.
- The setting application unit 12 may generate an interrupt (software interrupt) received by the application 351 by using, for example, a function possessed by the guest OS 341 on which the application 351 that is the target of the corresponding setting item is running.
- When the setting application unit 12 writes to the physical device 60, it may also write to the corresponding hardware area allocated as a hardware resource to the guest OS 341 or the application 351 that is the target of the corresponding setting item.
- For example, when the registry information is stored in the page pool, not only the registry information stored in the page pool but also the registry information in physical memory may be rewritten.
- the setting detection unit 11, the setting application unit 12, and the setting item information generation unit 13 are specifically realized by a processor such as a CPU that operates according to a control program that realizes a hypervisor function.
- the setting item information holding unit 21 and the correspondence information holding unit 22 are specifically realized by a storage device such as a memory allocated for the hypervisor 70.
- Here, "hypervisor" refers to the control program that realizes the hypervisor function, and a statement that the hypervisor performs some processing means that a processor such as a CPU executes that predetermined processing according to the control program that realizes the hypervisor function.
- FIG. 3 is a block diagram illustrating a configuration example of a policy enforcement system 500 according to the present invention.
- the policy enforcement system 500 shown in FIG. 3 is a policy enforcement system that enforces a security policy for the virtual machine system 300, and includes a management system 100 and a virtual machine system 300.
- the management system 100 and the virtual machine system 300 are connected via the network 200.
- FIG. 3 shows one virtual machine system 300, but there may be a plurality of virtual machine systems 300 to be subjected to security policies. Further, a computer system other than the virtual machine system may be included.
- The management system 100 is managed by an administrator such as a company, and includes policy setting information management means 110 that manages the security policy information (hereinafter referred to as policy setting information) applied to the virtual machine system 300, and policy setting information transmitting means 120 that transmits the policy setting information to the virtual machine system 300.
- The policy setting information management unit 110 receives security policy settings from the administrator and stores them as policy setting information, and requests the policy setting information transmitting unit 120 to transmit the policy setting information when the security policy is changed.
- The policy setting information may be information including, for example, an identifier that identifies the security policy item to be applied and information (such as permission or denial) on how that item is to be set.
- Conditions for setting the item, such as conditions on the user or conditions on the OS in use, may also be included.
- the virtual machine system 300 includes hardware 310, a virtual machine monitor unit 320 (hereinafter referred to as VMM unit 320), a host OS unit 330, a guest OS unit 340, and an application unit 350.
- the hardware 310 corresponds to the physical device 60 shown in FIG. 1, and has each physical device.
- the VMM unit 320, the host OS unit 330, the guest OS unit 340, and the application unit 350 represent abstract processing blocks that are realized by executing a program in which the functions are implemented.
- the VMM unit 320 represents a processing block realized by a control program (VMM program) that implements the virtual machine monitor function.
- the VMM unit 320 is often simply referred to as a VMM, but specifically, the VMM unit 320 is realized by a processor such as a CPU that operates according to the VMM program.
- the VMM program is driven by control from the host OS unit 330.
- the VMM unit 320 refers to the physical disk, or captures the processing of the guest OS unit 340 or the application unit 350 that operates on the guest OS unit 340, thereby operating the guest operating on the virtual computer system 300. It has a function of discriminating the type of the OS unit 340 and the type of the application unit 350 operating on the guest OS unit 340.
- The host OS unit 330 indicates a processing block realized by an OS (host OS) program that operates on the real machine of the virtual machine system 300. Although generally called simply a host OS, the host OS unit 330 is specifically realized by a processor such as a CPU that operates according to the host OS program.
- the VMM unit 320 and the host OS unit 330 can be implemented as a hypervisor unit that is a processing block realized by a hypervisor program that operates on a real computer of the virtual computer system 300 without distinguishing between the VMM unit 320 and the host OS unit 330.
- the hypervisor unit mounted without distinguishing between the VMM unit 320 and the host OS unit 330 corresponds to the hypervisor 50 shown in FIG.
- the guest OS unit 340 indicates a processing block realized by an OS (guest OS) program (ie, guest OS 341) operating on the virtual machine of the virtual machine system 300.
- the guest OS program is an operating system program used by a user such as Windows (registered trademark), for example.
- the guest OS unit 340 is specifically realized by a processor such as a CPU that operates according to the host OS program.
- the guest OS program is driven on a virtualized hardware resource under the control of the VMM unit 320.
- the application unit 350 indicates a processing block realized by an application program (that is, the application 351) operating on the virtual computer of the virtual computer system 300.
- the application program is an application program that runs on the guest OS and is used by the user, and has application-specific setting items.
- the application unit 350 is often simply called an application, but specifically, the application unit 350 is realized by a processor such as a CPU that operates according to the application program. Note that the application program is driven on a virtualized hardware resource under the control of the guest OS unit 340.
- the hardware 310 includes a CPU 311, a bus 312, a memory 313, a disk 314, and the like.
- the VMM unit 320 includes a setting detection unit 321 and a setting notification unit 322 in order to enforce a security policy.
- The setting detection unit 321 monitors the behavior of the guest OS 341 (here identifiable with the guest OS unit 340) and the application 351 (here identifiable with the application unit 350), and detects, for each setting item corresponding to the security policy applied to the guest OS 341 operating on the virtual machine system 300 and to the application 351 operating on the guest OS 341, the setting value that is currently set or the setting value that is about to be changed. Note that if it is assumed that an appropriate setting value has already been set, only the setting value that is about to be changed need be detected.
- the setting detection unit 321 realizes the function of the setting detection unit 11 shown in FIG.
- The setting detection unit 321 obtains the information on each setting item according to the security policy applied to the guest OS 341 operating on the virtual machine system 300 and to the application 351 operating on the guest OS 341 from the setting item information management means 333 of the host OS unit 330, described later.
- the setting detection unit 321 notifies the setting item information management unit 333 of the detected setting value.
- The setting notification unit 322 performs notification processing in accordance with instructions from the setting item information management unit 333 of the host OS unit 330, so that the correct value of the setting item (the value according to the security policy) is set.
- Specifically, the setting notification unit 322 issues an interrupt to the guest OS 341 or the application 351 that is the setting target of the setting item, performs write processing to each physical device of the hardware 310, or rewrites the response of the hardware access command detected by the setting detection unit 321.
- the setting notification unit 322 and the setting item information management unit 333 realize the functions of the setting item information holding unit 21 and the setting application unit 12 shown in FIG.
- The host OS unit 330 includes a policy setting reception unit 331, a setting item information generation unit 332 and a setting item information management unit 333 for enforcing the security policy.
- The policy setting reception unit 331 receives the policy setting information to be applied to the virtual machine system 300 from the management system 100.
- The setting item information generation unit 332 converts the received policy setting information into setting item information that the guest OS 341 and the application 351 running on it can interpret. Specifically, it holds correspondence information that associates each item of the security policy with the setting items, for each type of guest OS 341 and each type of application 351, that realize that item; based on this correspondence information it expands the setting content of each item in the received policy setting information into the values of one or more setting items matching the type of guest OS 341 and the type of application 351 in use, and the result is the setting item information.
- The setting item information generation unit 332 realizes the function of the setting item information generation unit 13 shown in FIG. 2.
- For example, the setting item information generation unit 332 converts a policy item into a registry format that the guest OS 341 understands. The conversion presupposes that information such as the type of the guest OS 341, the type of the application 351 and its installation location has been received in advance from the setting item information management unit 333; the generation unit 332 may choose the conversion method from the correspondence information and that information. A setting of an application that keeps its settings in the registry is converted to registry format; a setting of an application that keeps its settings in a file is converted to the in-memory format of that file.
- The setting item information management unit 333 manages the setting item information generated by the setting item information generation unit 332 and the setting item read and write information reported for the guest OS unit 340 and the application unit 350. It also manages the type of each guest OS 341 and the type of each application 351 running on it. Specifically, it reserves a storage area for the setting item information, holds there the values notified by the setting item information generation unit 332, and updates them when new setting item information arrives.
- It further reserves a storage area holding, for each setting item indicated by the setting item information, the value currently in effect in the guest OS 341 or the application 351, and stores there the values notified by the setting detection unit 321.
- When the value in effect in the guest OS 341 or the application 351 is compared with the value required by the security policy, as indicated by the setting item information, and a difference is detected, the setting item information management unit 333 issues a control instruction to the setting notification unit 322 to change the setting to the value required by the security policy.
- FIG. 4 is a flowchart showing an operation example of the management system 100 of this embodiment.
- The policy setting information management unit 110 (FIG. 3) saves the entered setting contents as the policy setting information to be applied to the virtual machine system 300 (step S102).
- The policy setting information transmission unit 120 transmits the policy setting information to the virtual machine system 300 (step S103).
- FIG. 5 is an explanatory diagram showing an example of policy setting information. The policy setting information management unit 110 may hold the security policy setting contents in a format such as that of FIG. 5, in which a user, a setting target and a policy are associated and listed. In the example, when User A uses a specific guest OS (OS(1)), the policy prohibits the use of USB memory; when a specific guest OS (OS(2)) is used, the policy prohibits the use of any external recording medium; and an entry for a specific application (AP(1)) is also listed. FIG. 5 is only an example; other items may be present.
- As shown in FIG. 6, the policy setting information may also be integrated with the correspondence information. In FIG. 6 a user, a setting target, a policy and a setting method are associated and listed. For the guest OS entries the setting method is a change of a particular registry entry (three such rows are shown); for AP(1) it is a change of AP1's dedicated setting file; and a further row shows a change of an OS setting file.
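The expansion that the setting item information generation unit 332 performs from the correspondence information of FIG. 6, as an added example that is not code from the patent or from any product it describes: policy rows in the layout of FIG. 5 are expanded, per guest-OS type or application type, into concrete setting items and rendered in the form each guest reads. The correspondence table, the type names OS(1), OS(2) and AP(1), the registry paths, file paths, keys and values are all assumptions made for the illustration.

```python
"""Expansion of security-policy items into guest-specific setting items.

Added example, not code from the patent or any product it describes. It
models the correspondence information of FIG. 6: a policy item from a row
of FIG. 5 is mapped, per guest-OS type or application type, to one or more
concrete setting items, which are then rendered in the form each guest reads
(registry entries or configuration-file lines). Every type name, path, key
and value below is an assumption chosen for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SettingItem:
    target: str     # guest OS or application instance the item applies to
    store: str      # "registry" or "file": how that guest keeps its settings
    location: str   # registry key path or configuration-file path (assumed)
    name: str       # value name or file key
    value: str      # value the policy requires


# Correspondence information (assumed): policy item -> guest/app type -> setting items.
CORRESPONDENCE = {
    "prohibit_usb_memory": {
        "OS(1)": [("registry", "SYSTEM/Services/USBSTOR", "Start", "4")],
        "OS(2)": [("file", "/etc/policy/media.conf", "usb_storage", "disabled")],
    },
    "allow_usb_memory": {
        "OS(1)": [("registry", "SYSTEM/Services/USBSTOR", "Start", "3")],
    },
    "prohibit_external_media": {
        "OS(1)": [("registry", "SYSTEM/Services/USBSTOR", "Start", "4"),
                  ("registry", "SYSTEM/Services/cdrom", "Start", "4")],
        "OS(2)": [("file", "/etc/policy/media.conf", "usb_storage", "disabled"),
                  ("file", "/etc/policy/media.conf", "cdrom", "disabled")],
    },
    "disable_macros": {
        "AP(1)": [("file", "/opt/ap1/ap1.conf", "allow_macros", "false")],
    },
}

# Constructed policy setting information in the layout of FIG. 5 (user, target, policy)
# and the guest/application inventory the management unit is assumed to hold.
POLICY_ROWS = [
    ("UserA", "guest1", "prohibit_usb_memory"),
    ("UserA", "guest2", "prohibit_external_media"),
    ("UserA", "ap1@guest1", "disable_macros"),
]
INVENTORY = {"guest1": "OS(1)", "guest2": "OS(2)", "ap1@guest1": "AP(1)"}


def expand_policy(policy_rows, inventory):
    """Expand FIG. 5 rows into SettingItems using CORRESPONDENCE.

    A policy with no mapping for the target's type raises KeyError instead of
    being dropped (a dropped row is an unenforced policy), and two rows that
    expand to the same item with different values raise ValueError, because
    the device can hold only one value per setting item."""
    items, seen = [], {}
    for _user, target, policy_item in policy_rows:
        kind = inventory[target]
        entries = CORRESPONDENCE.get(policy_item, {}).get(kind)
        if entries is None:
            raise KeyError(f"no setting items for policy {policy_item!r} on type {kind!r}")
        for store, location, name, value in entries:
            key = (target, store, location, name)
            if key in seen:
                if seen[key] != value:
                    raise ValueError(f"conflicting values for {key}: {seen[key]!r} vs {value!r}")
                continue                      # same item required twice: keep one copy
            seen[key] = value
            items.append(SettingItem(target, store, location, name, value))
    return items


def render(items):
    """Group items by (target, store, location) and render them in the guest's
    own format: .reg-style lines for the registry, key=value lines for files."""
    out = {}
    for it in items:
        line = (f'[{it.location}] "{it.name}"={it.value}' if it.store == "registry"
                else f"{it.name}={it.value}")
        out.setdefault((it.target, it.store, it.location), []).append(line)
    return out


if __name__ == "__main__":
    for group, lines in render(expand_policy(POLICY_ROWS, INVENTORY)).items():
        print(group, lines)
```

The conflict check is the part worth keeping in a real implementation: FIG. 5 keys policies by user, but the device holds one value per setting item, so two users' policies for the same guest can only both be enforced if the user is part of the target identity (a separate guest or a user-specific setting location); otherwise the expansion must refuse rather than let the last row win.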
- FIG. 7 is a flowchart illustrating an example of the operations of the VMM unit 320 and the host OS unit 330 in the virtual machine system 300.
- Steps S200 to S203 of FIG. 7 concern a change of a setting item originating from the guest OS unit 340 or the application unit 350. When a hardware access is issued (step S200), for example because the user changes a setting of the application 351 running on the guest OS 341 and the application unit 350 tries to save the updated setting item through the guest OS unit 340, the VMM unit 320 captures the hardware access (step S201). The setting detection unit 321 then determines whether the access is related to a setting item (step S202). If it is (Yes in step S202), the setting detection unit 321 detects the setting content and notifies the host OS unit 330, specifically the setting item information management unit 333, that the setting has been changed and of the changed value (step S203). If it is not (No in step S202), the VMM unit 320 waits for either the next hardware access or an update of the policy setting information.
- When policy setting information is received from the management system 100, the setting item information generation unit 332 generates setting item information by converting each item of the security policy indicated by the policy setting information into information that the guest OS 341 or the application 351 running on the virtual machine system 300 can interpret (step S211), and notifies the generated setting item information to the setting item information management unit 333, which holds and updates it (step S212).
- The setting item information management unit 333 of the host OS unit 330 receives the setting contents notified in step S203 from the guest OS unit 340 (or from the application unit 350 via the guest OS unit 340) and the setting item information updated in step S212, and checks whether the detected value matches the value of the corresponding setting item indicated by the setting item information, that is, the value according to the security policy (step S220). When new setting item information is received, the unit first updates its stored setting item information with it and then checks whether the value of each setting item indicated there matches the value set so far.
- When the setting item information management unit 333 finds a difference in the value of a setting item, it causes the setting notification unit 322 to perform the setting process for that item (steps S221 to S223) according to the configured setting method (step S230).
- When writing to the physical device is selected, the value of the setting item, converted so that the guest OS 341 or the application 351 can interpret it, is written to the hardware 310 (the physical device) via the setting notification unit 322 (step S221). Write destinations include data flowing on the bus 312, data written to the memory 313 and files written to the disk 314.
- When notification by interrupt is selected in step S230, instead of writing to the hardware 310 in step S221, the setting notification unit 322 generates a software interrupt for the guest OS 341 or the application 351 that is the target of the setting item (step S222). For example, a predetermined software interrupt may be generated for the guest OS 341 on which the application 351 runs so that an event is delivered to the application 351 via the guest OS 341. In either case the notification uses a function that the target guest OS 341 or application 351 already has. The setting notification unit 322 may generate the interrupt by writing a CPU interrupt instruction to the CPU 311 used by the guest OS 341, in accordance with the instruction from the setting item information management unit 333.
- Instead of generating an interrupt in step S222, when a hardware access instruction has been detected, the response to that hardware access may be rewritten (step S223). The operations of steps S221 to S223 may also be executed in combination.
- The difference detection may be omitted and the setting process performed unconditionally. Setting processing may be applied to a plurality of guest OSs 341 at once, and it may be applied uniformly (for example response rewriting, writing to the physical device and notification of the setting) regardless of the detection process.
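The detection and enforcement loop of FIG. 7, steps S200 to S223, together with the guest re-read of FIG. 8, as an added example that is not the patent's or any product's code. The hypervisor trap is simulated: the physical device is an in-memory dictionary, each hardware access is a small record, and the three enforcement methods (S221 write to the device, S222 notify by interrupt, S223 rewrite the response) can be combined as the text allows. The address strings, setting values and device contents are constructed for the example.

```python
"""Simulation of the VMM-side enforcement loop of FIG. 7 (steps S200 to S223)
and the guest re-read of FIG. 8.

Added example, not code from the patent or any product it describes. The
physical device is an in-memory dict keyed by a constructed address string
such as "disk:/opt/ap1/ap1.conf:allow_macros"; a real hypervisor would trap
the guest's I/O or page access instead. All addresses and values are made up."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Method(Enum):
    """The setting method selected in step S230; members may be combined."""
    WRITE_DEVICE = "write_device"          # S221: write the correct value to the device
    NOTIFY = "notify"                      # S222: interrupt the guest OS / application
    REWRITE_RESPONSE = "rewrite_response"  # S223: rewrite the response the guest sees


@dataclass
class HwAccess:
    op: str                       # "read" (reference) or "write" (update)
    addr: str                     # where the setting lives on the device
    value: Optional[str] = None   # value the guest tries to write


@dataclass
class Vmm:
    setting_info: dict            # setting item information: addr -> required value
    device: dict                  # physical device contents: addr -> stored value
    methods: set
    events: list = field(default_factory=list)   # interrupts delivered to the guest
    log: list = field(default_factory=list)      # what the setting detection unit saw

    def __post_init__(self):
        # Notification alone never corrects the stored value: after the interrupt the
        # guest would re-read the same non-conformant setting (FIG. 8 relies on S221/S223).
        if not self.methods & {Method.WRITE_DEVICE, Method.REWRITE_RESPONSE}:
            raise ValueError("NOTIFY must be combined with WRITE_DEVICE or REWRITE_RESPONSE")

    def handle(self, access: HwAccess) -> Optional[str]:
        """Capture one hardware access (S201) and return the response the guest sees:
        the value read for a read, the value acknowledged for a write."""
        if access.addr not in self.setting_info:      # S202: unrelated to any setting item
            return self._passthrough(access)
        required = self.setting_info[access.addr]
        # S203: the value about to be changed (write) or the value currently set (read)
        observed = access.value if access.op == "write" else self.device.get(access.addr)
        self.log.append((access.op, access.addr, observed))
        if observed == required:                       # S220: no difference
            return self._passthrough(access)
        # S230: apply the configured method(s)
        if Method.WRITE_DEVICE in self.methods:        # S221: device now holds the policy value
            self.device[access.addr] = required
        # otherwise a non-conformant write is simply not forwarded to the device
        if Method.NOTIFY in self.methods:              # S222: tell the guest to re-read
            self.events.append(("setting_changed", access.addr, required))
        if Method.REWRITE_RESPONSE in self.methods:    # S223: guest sees the policy value
            return required
        return self.device[access.addr]

    def _passthrough(self, access: HwAccess) -> Optional[str]:
        if access.op == "write":
            self.device[access.addr] = access.value
            return access.value
        return self.device.get(access.addr)


def guest_reads_after_events(vmm: Vmm) -> dict:
    """Guest side of FIG. 8: for each interrupt event (S300) re-read the setting
    item through the VMM (S301) and return the values the guest now operates with (S302)."""
    return {addr: vmm.handle(HwAccess("read", addr)) for _, addr, _ in list(vmm.events)}


USB_ADDR = "disk:SYSTEM/Services/USBSTOR:Start"      # constructed
MACRO_ADDR = "disk:/opt/ap1/ap1.conf:allow_macros"   # constructed


def sample_vmm(methods) -> Vmm:
    """Constructed setting item information and device contents for the demo:
    the USB setting on the device already violates the policy (3 instead of 4)."""
    return Vmm(setting_info={USB_ADDR: "4", MACRO_ADDR: "false"},
               device={USB_ADDR: "3", MACRO_ADDR: "false", "disk:/tmp/notes:color": "blue"},
               methods=set(methods))


if __name__ == "__main__":
    vmm = sample_vmm({Method.WRITE_DEVICE, Method.NOTIFY})
    print(vmm.handle(HwAccess("write", MACRO_ADDR, "true")), vmm.events)
    print(guest_reads_after_events(vmm))
```

Two points the flowchart leaves open are made explicit here. Notification alone is rejected at construction, because after the interrupt the guest would re-read the same non-conformant value; FIG. 8 only works because S221 or S223 has corrected what the guest reads. With response rewriting alone the device keeps the guest's value, so anything that reads the storage without going through the VMM (a backup, a forensic image, the guest after a migration to a hypervisor without this unit) sees the unenforced setting; combining S221 with S223 avoids that.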
- FIG. 8 shows an example of the operation of the guest OS unit 340 in the virtual machine system 300 related to the setting process performed by the VMM unit 320; specifically, it is a flowchart of the operation of the guest OS unit 340 when a software interrupt is issued.
- The guest OS unit 340 receives the event caused by the software interrupt (step S300), reads the setting item (step S301), and reflects the read value in its subsequent operation (step S302).
- The value read here is, for example, the value read from the physical device to which the correct value was written in step S221 of FIG. 7, or, when the hardware access accompanying this read is detected, the response content rewritten to the correct value in step S223 of FIG. 7.
- As a result, the guest OS unit 340 operates with the value of the setting item as it was before the attempted change, and the security policy is maintained.
- As a second embodiment, the user of the guest OS 341 or the application 351 may be notified of the contents of the security policy enforced on the guest OS 341 or the application 351. The configuration of this embodiment may be basically the same as that of the first embodiment.
- For example, the graphics subsystem may be virtualized so that the user can easily recognize what has happened when the operations of steps S221 to S223 in FIG. 7 are performed: the VMM technology applied to the host processor may be extended to the graphics processing unit (GPU) so that hardware access to the graphics accelerator is mediated, and the setting change information may be displayed there.
- As a third embodiment, the management system 100 may include the setting item information generation unit 332. The guest OS 341 and the application 351 running on the virtual machine system 300 are then managed on the management system 100 side, and the management system 100 generates the setting item information according to the type of the guest OS 341 and the type of the application 351.
- A virtual machine system according to the present invention constructs one or more virtual machines on a real machine and has a hypervisor that realizes, by means of the physical devices of the real machine, the access to virtualized hardware made by a guest OS (the operating system running on each virtual machine) or by an application running on the guest OS. The hypervisor comprises: setting item information holding means that holds setting item information in which the security policy applied to the virtual machine system is expressed as values of setting items corresponding to the type of guest OS or the type of application running on it; setting detection means that, based on the setting item information, monitors the instructions executed by the guest OS and the output of the physical devices and detects the value currently set in a setting item or the value about to be set; and setting application means that, when the detected value differs from the value indicated by the setting item information, causes the guest OS or application that is the target of the setting item to apply the value indicated by the setting item information. The setting application means does so by rewriting the response to the hardware access command related to the reference or update of the setting item in which the difference was detected, by writing to the physical device holding the value of that setting item, by a notification using a function held by the target guest OS or application, or by a combination of two or more of these.
- The hypervisor may further hold correspondence information associating each item of the security policy with the setting items, per type of guest OS and per type of application, that realize the item; accept the security policy to be applied from the management system that manages it; and, based on the correspondence information, expand the content of each accepted policy item into the values of one or more setting items matching the guest OS type and the application type, thereby generating the setting item information.
- The notification using a function held by the target guest OS or application may be an interrupt that the guest OS or application accepts, and an interrupt for an application may be generated via the guest OS on which the application runs. When writing to the physical device, the setting application means may write to the hardware area allocated as a hardware resource to the target guest OS or application.
- A policy enforcement system according to the present invention comprises the virtual machine system described above and a management system that manages the security policy applied to it. Its hypervisor has the same setting item information holding means, setting detection means and setting application means, and may likewise hold correspondence information and generate setting item information from the policy received from the management system.
- A policy enforcement method according to the present invention comprises the hypervisor holding the setting item information; monitoring, based on it, the instructions executed by the guest OS and the output of the physical devices to detect the value currently set or about to be set in a setting item; and, when the detected value differs from the value indicated by the setting item information, causing the target guest OS or application to apply the indicated value. The hypervisor may also hold correspondence information, accept the security policy from the management system, and expand each item of it into setting values as above to generate the setting item information.
- A virtual machine control program according to the present invention realizes the hypervisor in such a virtual machine system and causes a computer to execute a process of monitoring, based on the setting item information, the instructions executed by the guest OS and the output of the physical devices to detect the value currently set or about to be set in a setting item, and, when the detected value differs from the value indicated by the setting item information, a process of causing the target guest OS or application to apply the indicated value by rewriting the response to the hardware access command related to the reference or update of that setting item, by writing to the physical device holding its value, by a notification using a function of the target guest OS or application, or by a combination of two or more of these. The program may further generate the setting item information by expanding each item of the security policy received from the management system into setting values according to the correspondence information and the types of guest OS and application.
- The present invention is suitable where settings are to be enforced on a guest OS running on a virtual machine system and on the applications running on that guest OS without installing a special agent in the guest.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Stored Programmes (AREA)
- Storage Device Security (AREA)
Abstract
Description
has a hypervisor that realizes, by means of physical devices provided in the real machine, access to virtualized hardware by a guest OS, which is the operating system running on the virtual machine, or by an application running on the guest OS,
and the hypervisor comprises:
setting item information holding means for holding setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items corresponding to the type of the guest OS or the type of the application;
setting detection means for monitoring, on the basis of the setting item information, the instructions executed by the guest OS and the output of the physical devices, and detecting the setting value set in the setting item of the setting item information holding means or the setting value about to be changed; and
setting application means for causing, when the setting value detected by the setting detection means differs from the setting value indicated by the setting item information, the guest OS or the application that is the setting target of the setting item to apply the setting value indicated by the setting item information.
comprises the virtual machine system and a management system that manages the security policy applied to the virtual machine system,
wherein the virtual machine system has a hypervisor that realizes, by means of physical devices provided in the real machine, access to virtualized hardware by a guest OS, which is the operating system running on the virtual machine, or by an application running on the guest OS,
and the hypervisor comprises:
setting item information holding means for holding setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items corresponding to the type of the guest OS or the type of the application;
setting detection means for monitoring, on the basis of the setting item information, the instructions executed by the guest OS and the output of the physical devices, and detecting the setting value set in the setting item of the setting item information holding means or the setting value about to be changed; and
setting application means for causing, when the setting value detected by the setting detection means differs from the setting value indicated by the setting item information, the guest OS or the application that is the setting target of the setting item to apply the setting value indicated by the setting item information.
has a hypervisor that realizes, by means of physical devices provided in the real machine, access to virtualized hardware by a guest OS, which is the operating system running on the virtual machine, or by an application running on the guest OS, and includes:
a setting item information holding step in which the hypervisor holds setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items corresponding to the type of the guest OS or the type of the application;
a setting detection step in which the hypervisor monitors, on the basis of the setting item information, the instructions executed by the guest OS and the output of the physical devices, and detects the setting value set in the setting item in the setting item information holding step or the setting value about to be changed; and
a setting application step in which the hypervisor causes, when the setting value detected in the setting detection step differs from the setting value indicated by the setting item information, the guest OS or the application that is the setting target of the setting item to apply the setting value indicated by the setting item information.
has a hypervisor that realizes, by means of physical devices provided in the real machine, access to virtualized hardware by a guest OS, which is the operating system running on the virtual machine, or by an application running on the guest OS,
and the hypervisor causes a computer to execute:
a setting item information holding procedure for holding setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items corresponding to the type of the guest OS or the type of the application;
a setting detection procedure for monitoring, on the basis of the setting item information, the instructions executed by the guest OS and the output of the physical devices, and detecting the setting value set in the setting item of the setting item information holding procedure or the setting value about to be changed; and
a setting application procedure for causing, when the setting value detected by the setting detection procedure differs from the setting value indicated by the setting item information, the guest OS or the application that is the setting target of the setting item to apply the setting value indicated by the setting item information.
Embodiments of the present invention are described below with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of a virtual machine system 600 according to the present invention.
As a second embodiment of the present invention, the user of the guest OS 341 or the application 351 may be notified of the contents of the security policy enforced on the guest OS 341 or the application 351. The configuration of this embodiment may be basically the same as that of the first embodiment.
As a third embodiment of the present invention, the management system 100 may include the setting item information generation means 332. For example, the management system 100 may manage the guest OS 341 and the application 351 running on the virtual machine system 300 and, on the basis of that information, generate on the management system 100 side the setting item information corresponding to the type of the guest OS 341 and the type of the application 351.
Claims (14)
- 1. A virtual machine system that constructs one or more virtual machines on a real machine, comprising a hypervisor that realizes, by means of physical devices provided in the real machine, access to virtualized hardware by a guest OS, which is the operating system running on the virtual machine, or by an application running on the guest OS, wherein the hypervisor comprises: setting item information holding means for holding setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items corresponding to the type of the guest OS or the type of the application; setting detection means for monitoring, on the basis of the setting item information, the instructions executed by the guest OS and the output of the physical devices, and detecting the setting value set in the setting item of the setting item information holding means or the setting value about to be changed; and setting application means for causing, when the setting value detected by the setting detection means differs from the setting value indicated by the setting item information, the guest OS or the application that is the setting target of the setting item to apply the setting value indicated by the setting item information.
- 2. The virtual machine system according to claim 1, wherein the hypervisor comprises: correspondence information holding means for holding correspondence information indicating the correspondence between the items defined in the security policy and the setting items, for each type of the guest OS and each type of the application, according to those items; and setting item information generation means for accepting, from a management system that manages the security policy, information on the security policy applied to the virtual machine system, and expanding the setting content of each item of the accepted security policy, on the basis of the held correspondence information, into setting values of one or more setting items according to the type of the guest OS and the type of the application, to generate the setting item information.
- 3. The virtual machine system according to claim 1 or 2, wherein the setting application means applies the setting value to the guest OS or the application that is the target of the setting item by rewriting the response to a hardware access command related to a reference to or an update of the setting item in which the difference was detected.
- 4. The virtual machine system according to any one of claims 1 to 3, wherein the setting application means applies the setting value to the guest OS or the application that is the target of the setting item by performing a notification that uses a function held by the guest OS or the application that is the target of the setting item in which the difference was detected.
- 5. The virtual machine system according to any one of claims 1 to 4, wherein the setting application means applies the setting value to the guest OS or the application that is the target of the setting item by writing to the physical device that holds the setting value of the setting item in which the difference was detected.
- 6. The virtual machine system according to any one of claims 1 to 5, wherein the setting application means generates, as the notification using a function held by the guest OS or the application that is the target of the setting item in which the difference was detected, an interrupt that the guest OS or the application accepts.
- 7. The virtual machine system according to claim 6, wherein the setting application means generates the interrupt via the guest OS on which the application is running.
- 8. The virtual machine system according to any one of claims 1 to 7, wherein, when writing to the physical device, the setting application means writes to the corresponding hardware area allocated as a hardware resource for the guest OS or the application that is the target of the setting item concerned.
- 9. A policy enforcement system that enforces a security policy on a virtual machine system that constructs one or more virtual machines on a real machine, comprising the virtual machine system and a management system that manages the security policy applied to the virtual machine system, wherein the virtual machine system has a hypervisor that realizes, by means of physical devices provided in the real machine, access to virtualized hardware by a guest OS, which is the operating system running on the virtual machine, or by an application running on the guest OS, and the hypervisor comprises: setting item information holding means for holding setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items corresponding to the type of the guest OS or the type of the application; setting detection means for monitoring, on the basis of the setting item information, the instructions executed by the guest OS and the output of the physical devices, and detecting the setting value set in the setting item of the setting item information holding means or the setting value about to be changed; and setting application means for causing, when the setting value detected by the setting detection means differs from the setting value indicated by the setting item information, the guest OS or the application that is the setting target of the setting item to apply the setting value indicated by the setting item information.
- 10. The policy enforcement system according to claim 9, wherein the hypervisor comprises: correspondence information holding means for holding correspondence information indicating the correspondence between the items defined in the security policy and the setting items, for each type of the guest OS and each type of the application, according to those items; and setting item information generation means for accepting, from the management system that manages the security policy, information on the security policy applied to the virtual machine system, and expanding the setting content of each item of the accepted security policy, on the basis of the held correspondence information, into setting values of one or more setting items according to the type of the guest OS and the type of the application, to generate the setting item information.
- 11. A policy enforcement method for enforcing a security policy on a virtual machine system that constructs one or more virtual machines on a real machine, the virtual machine system having a hypervisor that realizes, by means of physical devices provided in the real machine, access to virtualized hardware by a guest OS, which is the operating system running on the virtual machine, or by an application running on the guest OS, the method comprising: a setting item information holding step in which the hypervisor holds setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items corresponding to the type of the guest OS or the type of the application; a setting detection step in which the hypervisor monitors, on the basis of the setting item information, the instructions executed by the guest OS and the output of the physical devices, and detects the setting value set in the setting item in the setting item information holding step or the setting value about to be changed; and a setting application step in which the hypervisor causes, when the setting value detected in the setting detection step differs from the setting value indicated by the setting item information, the guest OS or the application that is the setting target of the setting item to apply the setting value indicated by the setting item information.
- 12. The policy enforcement method according to claim 11, comprising: a correspondence information holding step in which the hypervisor holds correspondence information indicating the correspondence between the items defined in the security policy and the setting items, for each type of the guest OS and each type of the application, according to those items; and a setting item information generation step in which the hypervisor accepts, from a management system that manages the security policy, information on the security policy applied to the virtual machine system, and expands the setting content of each item of the accepted security policy, on the basis of the held correspondence information, into setting values of one or more setting items according to the type of the guest OS and the type of the application, to generate the setting item information.
- 13. A virtual machine control program for a virtual machine system that constructs one or more virtual machines on a real machine, the virtual machine system having a hypervisor that realizes, by means of physical devices provided in the real machine, access to virtualized hardware by a guest OS, which is the operating system running on the virtual machine, or by an application running on the guest OS, wherein the hypervisor causes a computer to execute: a setting item information holding procedure for holding setting item information in which the security policy applied to the virtual machine system is indicated by setting values of setting items corresponding to the type of the guest OS or the type of the application; a setting detection procedure for monitoring, on the basis of the setting item information, the instructions executed by the guest OS and the output of the physical devices, and detecting the setting value set in the setting item of the setting item information holding procedure or the setting value about to be changed; and a setting application procedure for causing, when the setting value detected by the setting detection procedure differs from the setting value indicated by the setting item information, the guest OS or the application that is the setting target of the setting item to apply the setting value indicated by the setting item information.
- 14. The virtual machine control program according to claim 13, wherein the hypervisor causes the computer to execute: a correspondence information holding procedure for holding correspondence information indicating the correspondence between the items defined in the security policy and the setting items, for each type of the guest OS and each type of the application, according to those items; and a setting item information generation procedure for accepting, from a management system that manages the security policy, information on the security policy applied to the virtual machine system, and expanding the setting content of each item of the accepted security policy, on the basis of the held correspondence information, into setting values of one or more setting items according to the type of the guest OS and the type of the application, to generate the setting item information.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/809,285 US8468522B2 (en) | 2007-12-26 | 2008-12-10 | Virtual machine system, system for forcing policy, method for forcing policy, and virtual machine control program |
JP2009546929A JP5387415B2 (ja) | 2007-12-26 | 2008-12-10 | 仮想計算機システム、ポリシ強制システム、ポリシ強制方法及び仮想計算機制御用プログラム |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2007-333472 | 2007-12-26 | ||
JP2007333472 | 2007-12-26 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009081530A1 true WO2009081530A1 (ja) | 2009-07-02 |
Family
ID=40800848
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2008/003691 WO2009081530A1 (ja) | 2007-12-26 | 2008-12-10 | 仮想計算機システム、ポリシ強制システム、ポリシ強制方法及び仮想計算機制御用プログラム |
Country Status (3)
Country | Link |
---|---|
US (1) | US8468522B2 (ja) |
JP (1) | JP5387415B2 (ja) |
WO (1) | WO2009081530A1 (ja) |
Families Citing this family (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8046550B2 (en) | 2008-07-14 | 2011-10-25 | Quest Software, Inc. | Systems and methods for performing backup operations of virtual machine files |
US8060476B1 (en) | 2008-07-14 | 2011-11-15 | Quest Software, Inc. | Backup systems and methods for a virtual computing environment |
US8429649B1 (en) * | 2008-09-25 | 2013-04-23 | Quest Software, Inc. | Systems and methods for data management in a virtual computing environment |
JP5166318B2 (ja) * | 2009-02-24 | 2013-03-21 | 株式会社東芝 | 情報を処理する装置、方法およびプログラム |
US8996468B1 (en) | 2009-04-17 | 2015-03-31 | Dell Software Inc. | Block status mapping system for reducing virtual machine backup storage |
US9778946B2 (en) | 2009-08-07 | 2017-10-03 | Dell Software Inc. | Optimized copy of virtual machine storage files |
US9569446B1 (en) | 2010-06-08 | 2017-02-14 | Dell Software Inc. | Cataloging system for image-based backup |
US8898114B1 (en) | 2010-08-27 | 2014-11-25 | Dell Software Inc. | Multitier deduplication systems and methods |
WO2012057942A1 (en) * | 2010-10-27 | 2012-05-03 | High Cloud Security, Inc. | System and method for secure storage of virtual machines |
US8910155B1 (en) | 2010-11-02 | 2014-12-09 | Symantec Corporation | Methods and systems for injecting endpoint management agents into virtual machines |
KR20130050156A (ko) * | 2011-11-07 | 2013-05-15 | 한국전자통신연구원 | 가상 주소 공간 전환 장치 |
US9311375B1 (en) | 2012-02-07 | 2016-04-12 | Dell Software Inc. | Systems and methods for compacting a virtual machine file |
US9569192B2 (en) * | 2014-03-31 | 2017-02-14 | Red Hat Israel, Ltd. | Configuring dependent services associated with a software package on a host system |
RU2568282C2 (ru) * | 2014-04-18 | 2015-11-20 | Закрытое акционерное общество "Лаборатория Касперского" | Система и способ обеспечения отказоустойчивости антивирусной защиты, реализуемой в виртуальной среде |
US10318765B2 (en) * | 2014-05-02 | 2019-06-11 | Avago Technologies International Sales Pte. Limited | Protecting critical data structures in an embedded hypervisor system |
JP6579735B2 (ja) * | 2014-08-05 | 2019-09-25 | キヤノン株式会社 | 情報処理システム、情報処理装置、情報処理システムの制御方法、情報処理装置の制御方法、及びプログラム |
US9516033B2 (en) * | 2014-10-13 | 2016-12-06 | International Business Machines Corporation | Providing restricted access to given devices by constructing abstract devices |
KR102387157B1 (ko) * | 2015-07-27 | 2022-04-18 | 삼성전자주식회사 | 장치 관리 방법 및 이를 지원하는 전자 장치 |
US9841986B2 (en) * | 2015-10-27 | 2017-12-12 | Vmware, Inc. | Policy based application monitoring in virtualized environment |
US11748140B2 (en) * | 2020-08-31 | 2023-09-05 | Red Hat, Inc. | Virtual machine security policy implementation |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2001337864A (ja) * | 2000-03-22 | 2001-12-07 | Hitachi Ltd | アクセス制御システム |
JP2004287810A (ja) * | 2003-03-20 | 2004-10-14 | Nec Corp | 不正アクセス防止システム、不正アクセス防止方法、および不正アクセス防止プログラム |
JP2006155583A (ja) * | 2004-11-08 | 2006-06-15 | Ntt Docomo Inc | デバイス管理装置、デバイス及びデバイス管理方法 |
JP2007109016A (ja) * | 2005-10-13 | 2007-04-26 | Nec Corp | アクセスポリシ生成システム、アクセスポリシ生成方法及びアクセスポリシ生成用プログラム |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH0553833A (ja) | 1991-08-26 | 1993-03-05 | Fujitsu Ltd | Program activation method |
JP2003110564A (ja) | 2001-09-28 | 2003-04-11 | Toshiba Corp | Information processing apparatus and network setting method |
JP2004306555A (ja) | 2003-04-10 | 2004-11-04 | Seiko Epson Corp | Print processing apparatus and print processing method |
JP2004334360A (ja) | 2003-05-01 | 2004-11-25 | Toshiba Corp | Process monitoring system |
JP2005135137A (ja) | 2003-10-30 | 2005-05-26 | Hitachi Ltd | Virtual machine system |
US20070174429A1 (en) * | 2006-01-24 | 2007-07-26 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment |
2008
- 2008-12-10 JP JP2009546929A patent/JP5387415B2/ja active Active
- 2008-12-10 WO PCT/JP2008/003691 patent/WO2009081530A1/ja active Application Filing
- 2008-12-10 US US12/809,285 patent/US8468522B2/en active Active
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2013522761A (ja) * | 2010-03-15 | 2013-06-13 | Symantec Corporation | Systems and methods for performing network access control in a virtual environment |
JP2016006670A (ja) * | 2010-03-15 | 2016-01-14 | Symantec Corporation | Systems and methods for performing network access control in a virtual environment |
Also Published As
Publication number | Publication date |
---|---|
JP5387415B2 (ja) | 2014-01-15 |
US20110154325A1 (en) | 2011-06-23 |
US8468522B2 (en) | 2013-06-18 |
JPWO2009081530A1 (ja) | 2011-05-06 |
Similar Documents
Publication | Title |
---|---|
JP5387415B2 (ja) | Virtual machine system, policy enforcement system, policy enforcement method, and virtual machine control program |
US10140115B2 (en) | Applying update to snapshots of virtual machine |
US11778057B2 (en) | System and method for intent-based service deployment |
US8924703B2 (en) | Secure virtualization environment bootable from an external media device |
US8997172B2 (en) | Controlling information disclosure during application streaming and publishing |
JP6077562B2 (ja) | Providing update notifications for distributed application objects |
KR101574366B1 (ko) | Synchronization of virtual machine and application lifetimes |
JP5198584B2 (ja) | Extended server-based desktop virtual machine configuration for clients |
US7823023B2 (en) | Test framework for testing an application |
EP2378711B1 (en) | Network policy implementation for a multi-virtual machine appliance |
US8412797B2 (en) | Platform for development and deployment of system administration solutions |
US20120144391A1 (en) | Provisioning a virtual machine |
KR20080067633A (ko) | Display driver upgrade without reboot |
EP3516841B1 (en) | Remote computing system providing malicious file detection and mitigation features for virtual machines |
US20140089557A1 (en) | Image storage optimization in virtual environments |
US9195518B1 (en) | System and method for communicating production virtual machine access events to a service appliance in a virtualized environment |
JP5951002B2 (ja) | Enabling component propagation between a host and multiple guests via selective policy |
US10394619B2 (en) | Signature-based service manager with dependency checking |
JP2004094782A (ja) | Resource management system, program, and recording medium |
JP2009217709A (ja) | Virtual machine management system, computer, and program |
Patrão | VMware Hot Add and Hot Plug |
JP5564466B2 (ja) | Virtualization device, virtualization device control method, and virtualization device control program |
JP2012252492A (ja) | Virtualization device, virtualization device control method, and virtualization device control program |
Legal Events
Code | Title | Description |
---|---|---|
DPE2 | Request for preliminary examination filed before expiration of 19th month from priority date (PCT application filed from 20040101) | |
121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 08864044; Country of ref document: EP; Kind code of ref document: A1 |
WWE | WIPO information: entry into national phase | Ref document number: 12809285; Country of ref document: US |
ENP | Entry into the national phase | Ref document number: 2009546929; Country of ref document: JP; Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | EP: PCT application non-entry in European phase | Ref document number: 08864044; Country of ref document: EP; Kind code of ref document: A1 |