WO2011079996A1

WO2011079996A1 - Method and device for accessing protected data using a virtual machine

Info

Publication number: WO2011079996A1
Application number: PCT/EP2010/066973
Authority: WO
Inventors: Rainer Falk; Steffen Fries; Stefan Seltzsam
Original assignee: Siemens Aktiengesellschaft
Priority date: 2009-12-30
Filing date: 2010-11-08
Publication date: 2011-07-07
Also published as: DE102009060744A1

Abstract

Virtual machines are used in the utilization of distributed computer infrastructures to be able to distribute the workload to individual computers in as flexible a manner as possible. For this purpose, it is necessary to be able to access protected data also within a virtual machine. The invention allows the flexible restriction of the execution of/the access to protected data within a virtual machine at the level of an infrastructure provider, rights which can be defined by the rightholder being reliably and efficiently enforced.

Description

description

PROCESS AND DEVICE FOR ACCESSING PROTECTED DATA THROUGH A VIRTUAL MACHINE

The present invention relates to a method and apparatus for accessing protected data by a virtual machine. During the operation of distributed computing infrastructures, the available processing capacity is to ge ^¬ can handle flexible as possible so that you can expand computing power very quickly and dynamically adjust the distribution of services on the computer. One way of doing bending tet the art of virtualization, by means of which on a computer so-called virtual machines ^¬ Ma may be performed by a so-called hypervisor completely independent. Modern virtualization solutions can virtualize any operating system, runtime environment and application with the appropriate hardware support. A running virtual machine can always be stored in a sogenann ^¬ th image and recorded on any ande ren ^¬ computer with a hypervisor again and execution will continue there. This is called "migrating" a virtual machine. One advantage of this technological approach is that the servers are better utilized by multiple virtual machines run on a server ^¬. Another advantage is that a flexible response to increased or decreased requirements of individual virtual machines is possible. As a virtual machine, for example, be based ^¬ transferred with increased resource requirements vorüberge a stronger server and continue to run there. Through the global distribution of computing infrastructure, a virtual machine can be migrated worldwide. However, the influence of regulatory requirements must be taken into account, for example, the transfer of certain technologies in is prohibited in some countries. A further problem is that a user of such a computer infrastructure is located in a country that is under an embargo of other countries. In such a case, the virtual machine ei ^¬ nes such customers may only be performed in a few countries or only with certain restrictions.

As a result, the trend towards virtualization is also fueling the need for an effective control mechanism for virtual machines. Also on the virtual machine itself, applications or documents to be used in need of wirksa ^¬ men access or use protection.

Applications and documents are usually protected by ei ^¬ ner digital rights management against unauthorized access.

An example of a digital rights management is the En ^¬ terprise Rights Management (ERM). This realizes one

Access protection on documents, regardless of a location of documents. A protected document can be opened by a car ^¬ linearized users only in accordance with its applicable thereto permissions and processed independently because of ^¬ on which storage device the document was saved and WUR to which processing unit sent the document ^¬ de. An unauthorized outsider who has no

Access rights have been granted, can receive no information with a copy of the document ^¬ ment, which was sent for example electronically.

In conventional methods, documents are encrypted according to at least one encryption algorithm. The publisher of a document encrypts a docu ^¬ ment before releasing it and have also defined the rights of specific users or groups on the contents of the document in a rights information. The encrypted file can be sent together with the rights information to an ERM server. In addition, the rights information can be a key which is used to encrypt the document. Since this very key represents a secret information ^¬ , the rights information with the public

Keys of the ERM server are encrypted and the originator can digitally sign the rights information.

In addition to the ERM server, which is a central part of rights management, there is an ERM client installed on each accessing machine that wants to retrieve access-protected documents. The ERM

Client can continue to take the communication with the ERM server to identify the key and the rights of present ^¬ the document. The ERM client can pass on the read rights to another read-out unit, which is provided for compliance with the rights. A decision ^¬ ment of the document can take over the ERM client, which also performs any necessary re-encryption at a later date. The key can be kept secret from the ERM client by means of an encryption technique before further read-out units. For this purpose, encryption techniques or obfuscation techniques such as code obfuscation are used in conventional methods. Consequently, the virtual machine must be beyond its own

ERM client to connect to the associated ERM server. However, because a host is typically running multiple virtual machines as shown above, multiple independent ERM clients are also active on one host.

However, using multiple independent ERM client instances is disadvantageous in some respects. Since each client ERM In ^¬ punched knows only their own ERM rights objects and these storage chert and the same rights objects may of different virtual machines are needed, it can therefore lead to a multiple request for the same rights objects. After quitting a virtual machine are In addition, the rights objects of an ERM client of the virtual machine may be lost and must be re-requested the next time the virtual machine is used. Another disadvantage is that granting of rights for an ERM client within a virtual machine by ERM Server is independent of which hypervisor the virtual machine is running and in which host the virtual machine is running. For the reasons mentioned above, this can lead to conflicts with regulatory or administrative requirements.

The object of the present invention is therefore to specify a method for accessing protected data by a virtual machine, with which rights that can be predetermined by the rights holder are enforced reliably and efficiently.

According to the invention, in a method for accessing data by a virtual machine in which a virtual execution environment for the virtual machine is provided by a hypervisor and in which the data is protected by digital rights management,

the following steps are performed by a controller, the supervisory instance being provided by the hypervisor:

Requesting at least one rights information associated with the protected data,

Determining a usage authorization for the data from the at least one requested rights information, and

- determining a key from the at least one ^¬ been demanded rights information at a determined usage authorization for the protected data,

Decrypting the protected data with the determined key and providing the decrypted data in the scope of the determined usage authorization. The inventive device for accessing data by a virtual machine, wherein the data are protected by a di ^¬ legal rights management,

has a hypervisor that provides a virtual execution environment for the virtual machine and a control instance provided by the hypervisor that performs the following steps:

Requesting at least one rights information associated with the protected data,

- Decrypt the protected data with the determined

Key and providing the decrypted data within the scope of the determined usage right.

Further advantageous embodiments of the invention are the subject matter of the dependent claims and the below beschrie ^¬ surrounded embodiments. In the following, the invention will be explained in more detail by means of exemplary implementations with reference to the enclosed figures. 1 shows a block diagram of a first system architecture for a method according to the invention with an ERM client in the hypervisor and a subordinate ERM client in a virtual machine, FIG. 2 shows a block diagram of a second system architecture for a method according to the invention with an ERM client in the hypervisor.

Virtualization runs a guest operating system in a virtual machine. A virtual machine is a virtual machine that runs as software. However, the virtual machine runs on a host, which is a physically existing computer. On a physical see computer multiple virtual Maschi ^¬ nen can be operated simultaneously.

A hypervisor or virtual machine monitor (VMM) is a virtualization software that creates an environment for virtual machines Ma ^¬. The virtualization software can be divided into a type 1 and a type 2. Type 1 runs directly on the hardware without any additional software. Type 2 is based on a full operating system.

In type 1, the platform virtualization solution as a separate layer or as a host operating system Availability checked ^¬ supply. Guest systems run in their own containers. A Type 1 hypervisor typically consumes less resources but must have drivers for all hardware itself.

In Type 2 virtualization software runs on a Stan ^¬ dardbetriebssystem can run guest operating systems in turn. At the same time, native applications can run on the host. A Type 2 hypervisor uses the device drivers of the operating system under which it is running.

Virtual Machine migration allows moving a virtu ^¬ economic machine from one physical host to another. In this case, a memory map (image) is sent to a virtual machine from one host to another substantially. This migration can also take place during operation. One aspect of the present invention is to provide an ERM

Client on the hypervisor with a proxy functionality from ^¬ stead and thereby make the ERM clients within the virtuel ^¬ len machines superfluous. The virtual machines then either directly use the Hypervisor's ERM client through a defined interface, or the ERM client running within the virtual machine forwards requests to the ERM client in the hypervisor and works only as an ERM client stub. A proxy works as a "mediator", accepting client requests, and then connecting to other servers through its own address. A typical proxy is for example used multiple client systems to give an in ^¬ ternal network access to an external server. At the same time the address of the client is hidden from the server. The ^¬ like proxies are often used in corporate networks. In addition, there is the concept of a reverse proxy, in which case the address conversion is carried out in the opposite direction and thus the client remains the true address of the target system ver ^¬ borrowed. Such systems are used for example as a load balancer. The functionality of the ERM client as a proxy allows the Hy ^¬ pervisor ERM-related compounds, which are synthesized from the virtual machines out to control and transmit to the corresponding ERM server. This functionality can not only be used for ERM requests from a virtual machine, but also allows the hypervisor to perform the ERM queries on any number of virtual machines that are ^executed in the context of the hypervisor. The hypervisor can also save the received rights objects and maintain them according to the validity of the rights object. Thus the rights object to the ERM client can be the same route in the virtual machine in the event of it ^¬ ninth query the hypervisor.

In another variant, the ERM proxy can implement ERM actions within the virtual machine, taking into account both the running virtual machine and the executing host. Thus, for example, certain rights within a virtual machine can then zusätz ^¬ Lich depending on the physical execution environment, so al the host, are defined.

The rights objects can be stored in the respective virtual machine or together with rights objects the virtual machine in the hypervisor. In the latter case the access to the rights objects is then carried out either via a dedicated interface or a Netzwerkverbin ^¬ dung, which is terminated in the local hypervisor.

In a further variant, the user of the virtual machine can authenticate itself. At the request of the actual rights object from the virtual machine out ge ^¬ genüber the server of the ERM proxy adds information about the hypervisor one, or authenticated it. Since ^¬ evaluated by, the ERM server which user and which hypervisor requesting a permission. It can be implemented, for example, that a particular application in ^¬ nerhalb a virtual machine as it travels in Europe, will have the right to run, but not when it is running in a virtual machine that migrated outside the europae ^¬ pean Union has been. In parallel, Applikatio ^¬ nen can for other documents that are also protected by ERM, continue to have execution rights, even if they are in egg ner virtual machine on a hypervisor outside the European Union.

1 shows schematically a first computer system R, which can be used in an embodiment of a method according to the invention for accessing protected data by a virtu ^¬ elle machine as a host system for a virtualization. The host system has a plurality of hardware components HW, for example, the network adapter NIC and the hard disk HD. On the host computer R, a host operating system H-OS is used, which is designed as a type 1 hypervisor. The hypervisor includes an ERM client / proxy and manages two rights objects ROI and R02 each defining the rights of use for the execution of a vir tual ^¬ machine. These rights objects are directly linked to the respective virtual machine.

On the host operating system H-OS run two ERM protected virtual machines VM1 and VM2. It gets through the hypervisor in each case a virtual hardware V-HW1, V-HW2 provided with a virtual ^¬ network adapter VNIC1, VNIC2 and virtual hard disk VHD1, VHD2. In the virtual machine in each case a guest runs operating system G-OS1 and G-OS2. Furthermore run in user mode Gl-UL, G2-UL of the respective virtual machine application programs AP.

Via the network adapter NIC, the computer is connected to a network via which, for example, an ERM server can be contacted.

In addition, the ERM client works as an ERM proxy for applications AP in the virtual machine. For this VM2 rights objects for the respective applications / data (ROAPI, ROAP2) are managed in a EIGE ^¬ nen ERM client in the virtual machines VM1.

2 shows schematically a second computer system R, which can be used in an embodiment of a method according to the invention for accessing protected data by a virtu ^¬ elle machine as a host system for a virtualization. The same or functionally identical elements are provided in Figure 2 with the same reference numerals as in Figure 1. In contrast to FIG. 1, in addition to the ERM client / proxy and the two rights objects ROI and R02, the hypervisor additionally includes the rights objects RO ^ pi _unc [ROAP2.

In this variant, the communication of the virtual machine with the supervisory done (here ERM Client / Proxy) then either via a dedicated interface or a spe ^¬ cial network connection that is terminated in the hypervisor. In this case, no separate ERM client is required in the virtual machine. In client mode, the ERM client of the hypervisor checks the conditions of use of the virtual machine image before starting a virtual machine on a computer / host. Dependent The result of the execution of the virtual machine ge ^¬ granted or denied.

The following steps are performed by the hypervisor, which includes the functionality of an ERM client:

- Receive a signal to start a specific VM

- Loading the ERM protected VM image of the VM to be started

- Authentication to a rights server (ERM server)

Requesting the rights information associated with the VM to be started from the rights server (ERM server)

- Receive a rights object of the VM to be started from the rights server (ERM server)

- Determine the authorization to start the VM

- In the negative case: abort (execution of VM is denied)

- In the positive case: determining a key from the

Rights information; Override the ERM protection of the ERM protected VM image (that is, decrypting the VM image using the discovered key); Run the decrypted VM image

In proxy mode, the ERM client hypervisor processed, ie the ERM proxy requests that come from the virtual Ma ^¬ machine, for example, to access certain data. The following steps are carried out:

Receiving a signal for accessing dedicated data from an application running within the VM. This purpose, for example, a dedicated network connection can use the ^¬ that guides converted to the local ERM client on the Hypervisor.

- Determining the requested access rights

Authentication of the user of the application and optionally of the hypervisor itself to a rights server (ERM server)

- Requesting the rights object assigned to the data from the rights server (ERM server)

- Receipt of a rights object for the data to be processed by the rights server (ERM server) - Determine the authorization to access the data

- In the negative case: abort

- In the positive case (that is, the given user can use the rights provided by the ERM server for the given document in the given application on the current hypervisor): determining a key from the rights object; Removing the ERM protection of the ERM-protected data (that is, decrypting the data using the particular key);

Processing the unprotected data

In addition, the requested rights can be compared with the rights objects of the virtual machine, for example, with regard to a specific execution environment, in order to be able to further restrict the rights to operate on the data depending on it.

The method steps described can be carried out iteratively and / or in a different order. The proposed solution, the execution / the

Access to ERM protected documents within a Virtuel ^¬ len machine flexibly limited in an infrastructure provider. As a decision criterion can be evaluated on an ERM server in addition to the VM image user on which hypervisor runs a virtual machine image. In addition, this access can be coupled with the ERM rights objects of the virtual machine image and thus made even more flexible. As a result, regulatory or administrative restrictions can be implemented robustly (even within a virtual machine). Through the applied ERM measures, both the operator and the user have the possibility to control or influence the access conditions to the virtual machine and data in the virtual machine.

It is also possible to cache rights objects in the ERM proxy (cachen) and thus within the scope of the validity of the Rights object faster to respond to requests. This then saves the necessary Kommunikati ^¬ on between the ERM and the actual proxy server ERM.

Claims

claims

1. A method for accessing data by a virtual machine in which a hypervisor provides a virtual execution environment for the virtual machine and in which the data is protected by digital rights management,

wherein a control instance performs the following steps:

Requesting at least one rights information associated with the protected data,

Determination of a key from the at least one requested rights information in the case of a determined use authorization for the protected data,

Decrypting the protected data with the determined key and providing the decrypted data within the scope of the determined usage right,

where the control instance is provided by the hypervisor.

2. The method of claim 1, wherein the at least one provided rights information has a usage restriction, an indication of an access authorization, in particular ei ^¬ nes computer system, and / or a time stamp.

3. The method according to any one of claims 1 or 2, wherein the rights information is provided by means of a server.

4. The method according to claim 1, wherein the data are configured, operated and / or executed depending on the determined usage authorization.

5. The method of claim 1, wherein the requested rights information is stored for a predeterminable period.

6. The method according to claim 1, wherein a communication of the virtual machine with the control entity takes place via a subordinate control entity in the virtual machine, and the rights information is stored by the virtual machine.

7. The method of claim 1, wherein a communication of the virtual machine with the control instance via a communication interface,

and the rights information is stored by the hypervisor.

8. The method according to any one of the preceding claims, wherein the control entity includes functions of an Enterprise Rights Management Client.

9. An apparatus for accessing data by a virtual machine, wherein the data is protected by a digital Rechteverwal ^¬ tung,

comprising a hypervisor, by the virtual execution environment of the virtual machine is deployed, and a supervisory authority, which performs the following steps ^¬:

Requesting at least one rights information associated with the protected data,

- determining a key from the at least one ^¬ been demanded rights information in a determined use-emption for the protected data,

where the control instance is provided by the hypervisor.