WO2015070376A1 - Method and system for realizing virtualization security - Google Patents

Publication number
WO2015070376A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual machine
command
security
type
user
Application number
PCT/CN2013/086956
Other languages
French (fr)
Chinese (zh)
Inventor
施迅
叶思海
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN201380004236.6A (patent CN104169939B)
Priority to PCT/CN2013/086956 (patent WO2015070376A1)
Publication of WO2015070376A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)

Abstract

In the method and system provided in the embodiments of the present invention, a user virtual machine receives a command from a virtual machine user and classifies the command according to the executing entity corresponding to the command, obtaining at least one of the following: a first type of command and a second type of command. The first type of command is executed by the user virtual machine and the second type of command is executed by a security virtual machine; the user virtual machine then presents the execution results of the command to the virtual machine user, which improves the user experience while still implementing virtualization security.

Description

Method and system for realizing virtualization security
Technical Field
The embodiments of the present invention relate to the field of cloud computing technologies, and in particular to a method and system for implementing virtualization security.
Background
Cloud computing is an important innovation in computing models. By effectively integrating various interconnected computing resources and implementing multi-level virtualization and abstraction, it provides large-scale computing resources to users in the form of reliable services. Virtualization technology brings much convenience to the sharing and management of computing resources and has become an important part of cloud computing. The virtual machine monitor (VMM, Virtual Machine Monitor) is the core of virtualization technology. By abstracting the physical resources of the server that provides computing resources, it converts server physical resources such as the central processing unit (CPU), memory, and input/output (I/O) into a set of logical resources that can be uniformly managed, flexibly scheduled, and dynamically allocated, and, based on these logical resources, builds on a single physical server multiple virtual machine execution environments that run simultaneously and are isolated from one another.
As cloud computing applications become increasingly complex, their security requirements are also rising. A traditional IT system is closed and resides inside the enterprise; only a few interfaces such as web servers and mail servers are exposed externally, so setting up security measures such as firewalls and access control at the egress solves most security problems. In a cloud computing environment, however, the cloud is exposed on a public network, any node and its network may be attacked, and there are many security risks. Currently, virtualization-layer security service technology is used, in which an independent security virtual machine centrally executes the security applications, avoiding the problems caused by running traditional security software in a virtualized environment. However, the user experience is relatively poor.
Summary of the Invention
The embodiments of the present invention provide a method and a system for implementing virtualization security, so as to improve the user experience when virtualization security is implemented.
In a first aspect, an embodiment of the present invention provides a method for implementing virtualization security. The method is applied to a system that includes a user virtual machine and a security virtual machine, and specifically includes:
The user virtual machine receives a command from a virtual machine user;
The user virtual machine classifies the command according to the executing entity corresponding to the command, obtaining at least one of the following: a first-type command and a second-type command;
If a first-type command is obtained, the user virtual machine executes the first-type command and presents the execution result of the first-type command to the virtual machine user;
If a second-type command is obtained, the user virtual machine sends the second-type command to the security virtual machine through the virtual machine monitor; the security virtual machine executes the second-type command and sends the execution result of the second-type command to the user virtual machine through the virtual machine monitor; the user virtual machine presents the execution result of the second-type command to the virtual machine user;
If a first-type command and a second-type command are obtained, the user virtual machine executes the first-type command and sends the second-type command to the security virtual machine through the virtual machine monitor; the security virtual machine executes the second-type command and sends the execution result of the second-type command to the user virtual machine through the virtual machine monitor; the user virtual machine presents the execution result of the first-type command and the execution result of the second-type command to the virtual machine user.
With reference to the first aspect, in a first possible implementation, a correspondence between operation codes and executing entities is configured on the user virtual machine, and before the command is classified according to the executing entity corresponding to the command, the method further includes:
The user virtual machine queries the correspondence between operation codes and executing entities according to the operation code carried in the command, to obtain the executing entity corresponding to the command.
With reference to the first aspect or the first possible implementation, in a second possible implementation, if the command is a security configuration command, the method further includes:
The security light agent of the user virtual machine classifies the first-type command according to the executing entity corresponding to the first-type command, obtaining at least one of the following: an agent-class command and a driver-class command;
If an agent-class command is obtained, the security light agent executes the agent-class command and presents the execution result of the agent-class command to the virtual machine user;
If a driver-class command is obtained, the security light agent sends the driver-class command to the security driver of the user virtual machine; the security driver of the user virtual machine executes the driver-class command and sends the execution result of the driver-class command to the security light agent; the security light agent presents the execution result of the driver-class command to the virtual machine user;
If an agent-class command and a driver-class command are obtained, the security light agent executes the agent-class command and sends the driver-class command to the security driver of the user virtual machine; the security driver of the user virtual machine executes the driver-class command and sends the execution result of the driver-class command to the security light agent; the security light agent presents the execution result of the agent-class command and the execution result of the driver-class command to the virtual machine user.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation, if the command is a security configuration command, before the security virtual machine executes the second-type command, the method further includes:
The user configuration audit module of the security virtual machine audits the second-type command and determines that the second-type command satisfies a pre-configured security policy.
With reference to the first aspect or any one of the first to third possible implementations of the first aspect, in a fourth possible implementation, the method further includes:
Before the execution result of the second-type command is sent to the user virtual machine through the virtual machine monitor, the security function processing module of the security virtual machine determines that the execution result of the second-type command satisfies a pre-configured notification policy.
With reference to the first aspect or any one of the first to fourth possible implementations of the first aspect, in a fifth possible implementation, the method further includes: the light agent verification module of the security virtual machine compares the integrity measurement value of the security light agent of the user virtual machine with a first correct value, and then handles the comparison result for the security light agent according to a pre-configured first verification policy. The integrity measurement value of the security light agent is obtained by performing an integrity calculation on the measured content of the security light agent, and the measured content of the security light agent includes at least one of the following: the security light agent's code in memory, data, program files on disk, and configuration data.
With reference to the first aspect or any one of the first to fifth possible implementations of the first aspect, in a sixth possible implementation, the method further includes: the light agent verification module of the security virtual machine compares the integrity measurement value of the security driver of the user virtual machine with a second correct value, and then handles the comparison result for the security driver of the user virtual machine according to a pre-configured second verification policy. The integrity measurement value of the security driver is obtained by performing an integrity calculation on the measured content of the security driver of the user virtual machine, and the measured content of the security driver includes at least one of the following: the security driver's code in memory, data, driver files saved on disk, and configuration data.
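The fifth and sixth implementations leave the integrity calculation and the verification policy open. The following added example (not code from the patent) shows one way a light agent verification module could compare a measurement with its correct value and choose an action; SHA-256, the component names, the actions `log`/`alert`/`isolate` and the sample contents are assumptions.

```python
import hashlib
import hmac

# Measured content listed in the text: code in memory, data, program file on
# disk, configuration data. The key names are chosen for this example.
COMPONENTS = ("memory_code", "memory_data", "program_file", "config_data")

# Hypothetical policy actions, ordered by severity.
SEVERITY = {"pass": 0, "log": 1, "alert": 2, "isolate": 3}


def measure(content):
    """Return per-component digests and one combined integrity value.

    'At least one of' the components may be present, so absent ones are skipped.
    """
    per_component = {}
    combined = hashlib.sha256()
    for name in COMPONENTS:
        if name in content:
            digest = hashlib.sha256(content[name]).digest()
            per_component[name] = digest
            # Bind each digest to its component name so digests cannot be swapped.
            combined.update(len(name).to_bytes(2, "big") + name.encode() + digest)
    return {"components": per_component, "combined": combined.digest()}


def verify(measured, reference, policy):
    """Compare a measurement with the correct value and apply the policy."""
    if hmac.compare_digest(measured["combined"], reference["combined"]):
        return {"match": True, "changed": [], "action": "pass"}
    changed = []
    for name in COMPONENTS:
        got = measured["components"].get(name)
        want = reference["components"].get(name)
        if got is None and want is None:
            continue
        # A component that appeared or disappeared counts as a mismatch.
        if got is None or want is None or not hmac.compare_digest(got, want):
            changed.append(name)
    # Components the policy does not mention default to "alert" (fail safe).
    action = max((policy.get(n, "alert") for n in changed), key=SEVERITY.__getitem__)
    return {"match": False, "changed": changed, "action": action}


def demo():
    # Constructed sample content for a security light agent.
    good = {
        "memory_code": b"agent-code-v1",
        "memory_data": b"state=idle",
        "program_file": b"agent-binary-v1",
        "config_data": b"ui_lang=en",
    }
    reference = measure(good)  # the "first correct value"
    policy = {"memory_code": "isolate", "program_file": "isolate", "config_data": "log"}
    config_changed = dict(good, config_data=b"ui_lang=fr")
    code_changed = dict(config_changed, memory_code=b"agent-code-modified")
    data_missing = {k: v for k, v in good.items() if k != "memory_data"}
    return {
        "clean": verify(measure(good), reference, policy),
        "config": verify(measure(config_changed), reference, policy),
        "code": verify(measure(code_changed), reference, policy),
        "missing": verify(measure(data_missing), reference, policy),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Keeping per-component digests next to the combined value lets the policy react differently to a changed configuration file and to changed code in memory.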
In a second aspect, an embodiment of the present invention provides a system for implementing virtualization security. The system includes a user virtual machine and a security virtual machine. The user virtual machine is configured to receive a command from a virtual machine user and classify the command according to the executing entity corresponding to the command, obtaining at least one of the following: a first-type command and a second-type command;
If a first-type command is obtained, the user virtual machine is configured to execute the first-type command and present the execution result of the first-type command to the virtual machine user;
If a second-type command is obtained, the user virtual machine is configured to send the second-type command to the security virtual machine through the virtual machine monitor; the security virtual machine is configured to execute the second-type command and send the execution result of the second-type command to the user virtual machine through the virtual machine monitor; the user virtual machine is further configured to present the execution result of the second-type command to the virtual machine user;
If a first-type command and a second-type command are obtained, the user virtual machine is configured to execute the first-type command and send the second-type command to the security virtual machine through the virtual machine monitor; the security virtual machine is configured to execute the second-type command and send the execution result of the second-type command to the user virtual machine through the virtual machine monitor; the user virtual machine is further configured to present the execution result of the first-type command and the execution result of the second-type command to the virtual machine user.
With reference to the second aspect, in a first possible implementation, a correspondence between operation codes and executing entities is configured on the user virtual machine, and before the command is classified according to the executing entity corresponding to the command, the user virtual machine is further configured to query the correspondence between operation codes and executing entities according to the operation code carried in the command, to obtain the executing entity corresponding to the command.
With reference to the second aspect or the first possible implementation, in a second possible implementation, the user virtual machine includes a security light agent and a security driver, and if the command is a security configuration command:
The security light agent of the user virtual machine is configured to classify the first-type command according to the executing entity corresponding to the first-type command, obtaining at least one of the following: an agent-class command and a driver-class command;
If an agent-class command is obtained, the security light agent is configured to execute the agent-class command and present the execution result of the agent-class command to the virtual machine user;
If a driver-class command is obtained, the security light agent is configured to send the driver-class command to the security driver of the user virtual machine; the security driver of the user virtual machine is configured to execute the driver-class command and send the execution result of the driver-class command to the security light agent; the security light agent is further configured to present the execution result of the driver-class command to the virtual machine user;
If an agent-class command and a driver-class command are obtained, the security light agent is configured to execute the agent-class command and send the driver-class command to the security driver of the user virtual machine; the security driver of the user virtual machine is configured to execute the driver-class command and send the execution result of the driver-class command to the security light agent; the security light agent is further configured to present the execution result of the agent-class command and the execution result of the driver-class command to the virtual machine user.
With reference to the second aspect, or the first or second possible implementation of the second aspect, in a third possible implementation, the security virtual machine includes a user configuration audit module. If the command is a security configuration command, before the security virtual machine executes the second-type command, the user configuration audit module is configured to audit the second-type command and determine that the second-type command satisfies a pre-configured security policy.
With reference to the second aspect or any one of the first to third possible implementations of the second aspect, in a fourth possible implementation, the security virtual machine includes a security function processing module. Before the execution result of the second-type command is sent to the user virtual machine through the virtual machine monitor, the security function processing module is configured to determine that the execution result of the second-type command satisfies a pre-configured notification policy.
With reference to the second aspect or any one of the first to fourth possible implementations of the second aspect, in a fifth possible implementation, the security virtual machine includes a light agent verification module:
The light agent verification module is configured to compare the integrity measurement value of the security light agent of the user virtual machine with a first correct value, and then handle the comparison result for the security light agent according to a pre-configured first verification policy. The integrity measurement value of the security light agent is obtained by performing an integrity calculation on the measured content of the security light agent, and the measured content of the security light agent includes at least one of the following: the security light agent's code in memory, data, program files on disk, and configuration data.
With reference to the second aspect or any one of the first to fifth possible implementations of the second aspect, in a sixth possible implementation, the light agent verification module of the security virtual machine is configured to compare the integrity measurement value of the security driver of the user virtual machine with a second correct value, and then handle the comparison result for the security driver of the user virtual machine according to a pre-configured second verification policy. The integrity measurement value of the security driver is obtained by performing an integrity calculation on the measured content of the security driver of the user virtual machine, and the measured content of the security driver includes at least one of the following: the security driver's code in memory, data, driver files saved on disk, and configuration data.
In a third aspect, an embodiment of the present invention provides a system for implementing virtualization security, including:
A processor, a memory, and a system bus, where the processor and the memory are connected through the system bus and communicate with each other over it;
The memory is configured to store computer-executable instructions;
The processor is configured to run the computer-executable instructions to perform the first aspect or any one of the first to sixth possible implementations of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer program product, including a computer-readable storage medium storing program code, where the instructions included in the program code are used to perform the first aspect or any one of the first to sixth possible implementations of the first aspect.
In the embodiments of the present invention, the user virtual machine receives a command from a virtual machine user and classifies the command according to the executing entity corresponding to the command, obtaining at least one of the following: a first-type command and a second-type command, where the first-type command is executed by the user virtual machine and the second-type command is executed by the security virtual machine. The user virtual machine then presents the execution result of the command to the virtual machine user, so the user experience is improved while virtualization security is implemented.
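An added sketch (not code from the patent) of the flow summarized above: opcode lookup, local execution of first-type commands, forwarding of second-type commands over a hypervisor channel, and the security virtual machine's audit of configuration commands. The opcode values, the policy, the JSON message format and the rejection of commands that fail the audit are assumptions, and the agent/driver sub-classification is flattened into the same table.

```python
import json
from dataclasses import dataclass, field
from enum import Enum


class Executor(Enum):
    AGENT = "agent"              # first type, agent class: security light agent
    DRIVER = "driver"            # first type, driver class: user-VM security driver
    SECURITY_VM = "security_vm"  # second type: security virtual machine


# Constructed opcode -> executing-entity table (the text only says one exists).
OPCODE_TABLE = {
    0x01: Executor.AGENT,
    0x02: Executor.DRIVER,
    0x10: Executor.SECURITY_VM,
    0x11: Executor.SECURITY_VM,
}


@dataclass
class Command:
    opcode: int
    args: dict = field(default_factory=dict)
    is_config: bool = False  # security configuration commands are audited


class SecurityVM:
    """Executes second-type commands; audits configuration commands first."""

    def __init__(self, policy):
        self.policy = policy  # callable(opcode, args) -> bool
        self.audit_log = []

    def handle(self, raw):
        msg = json.loads(raw)
        reply = {"opcode": msg["opcode"], "by": "security_vm", "status": "ok"}
        if msg["is_config"]:
            allowed = bool(self.policy(msg["opcode"], msg["args"]))
            self.audit_log.append((msg["opcode"], allowed))
            if not allowed:  # assumption: a failed audit rejects the command
                reply["status"] = "rejected"
        return json.dumps(reply).encode()


class VMMChannel:
    """Stand-in for the hypervisor path: only serialized bytes cross VMs."""

    def __init__(self, security_vm):
        self._security_vm = security_vm
        self.forwarded = 0

    def send(self, raw):
        self.forwarded += 1
        return self._security_vm.handle(raw)


class UserVM:
    def __init__(self, channel, table=OPCODE_TABLE):
        self.channel = channel
        self.table = table

    def classify(self, cmd):
        # Unknown opcodes yield None so that submit() can fail closed.
        return self.table.get(cmd.opcode)

    def submit(self, commands):
        """Run a batch and return the results in submission order for display."""
        results = []
        for cmd in commands:
            target = self.classify(cmd)
            if target is None:
                results.append({"opcode": cmd.opcode, "by": None,
                                "status": "unknown_opcode"})
            elif target is Executor.SECURITY_VM:
                raw = json.dumps({"opcode": cmd.opcode, "args": cmd.args,
                                  "is_config": cmd.is_config}).encode()
                results.append(json.loads(self.channel.send(raw)))
            else:
                # First-type command: executed inside the user VM.
                results.append({"opcode": cmd.opcode, "by": target.value,
                                "status": "ok"})
        return results


def demo():
    # Constructed policy: real-time protection may not be switched off.
    def policy(opcode, args):
        return not (opcode == 0x10 and args.get("realtime_protection") is False)

    security_vm = SecurityVM(policy)
    user_vm = UserVM(VMMChannel(security_vm))
    batch = [
        Command(0x01, {"lang": "en"}, is_config=True),
        Command(0x02, {"monitor": "file_io"}, is_config=True),
        Command(0x10, {"realtime_protection": False}, is_config=True),
        Command(0x11, {"path": "/home"}),
        Command(0x7F),
    ]
    return user_vm.submit(batch), security_vm.audit_log, user_vm.channel.forwarded


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The audit runs on the security virtual machine side of the channel, so a modified classifier in the user virtual machine cannot skip it for commands that reach the security virtual machine.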
Brief Description of the Drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the following briefly introduces the drawings needed in the prior art or the embodiments. Apparently, the drawings in the following description show merely some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
FIG. 1 is a system architecture diagram for implementing virtualization security according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a method for implementing virtualization security according to an embodiment of the present invention;
FIG. 3 is a flowchart of security function configuration according to an embodiment of the present invention;
FIG. 4 is a flowchart of security function operation according to an embodiment of the present invention;
FIG. 5 is a flowchart of security function notification according to an embodiment of the present invention;
FIG. 7 is a structural diagram of another system for implementing virtualization security.
Detailed Description
To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the following clearly and completely describes the technical solutions in the embodiments of the present invention with reference to the drawings in the embodiments of the present invention.
The embodiments of the present invention provide a method and a system for implementing virtualization security, which can ensure virtualization security while improving the experience of virtual machine users (users for short).
The system architecture of the embodiments of the present invention ... implemented in the architecture. FIG. 1 is merely an example and does not limit the specific networking mode.
The system includes a host 10, a virtualization management server 20, a security management server 30, and an application management server 40.
The host 10 is a physical server that provides computing resources in cloud computing. The host 10 specifically includes a Hypervisor 101, a security virtual machine 102, and a user virtual machine 103.
Of course, the Hypervisor 101, the security virtual machine 102, and the user virtual machine 103 may also be located on different hosts 10. For example, the security virtual machine 102 and the Hypervisor 101 are located on host 1 and the user virtual machine 103 is located on host 2; or the Hypervisor 101 is located on host 1 and the security virtual machine 102 and the user virtual machine 103 are located on host 2; or the Hypervisor 101 is located on host 1, the security virtual machine 102 on host 2, and the user virtual machine 103 on host 3. FIG. 1 uses the case where the Hypervisor 101, the security virtual machine 102, and the user virtual machine 103 are located in the same entity as the example.
The Hypervisor 101, also called the virtual machine monitor (VMM, Virtual Machine Monitor), is the core component that provides the virtualization capability. It is responsible for managing the physical resources of the host, allocating those physical resources to multiple virtual machines, and maintaining the isolation of logical resources between virtual machines.
The secure virtual machine 102 provides security protection for the user virtual machine 103 and specifically includes a security driver 1021 and a security application 1022. The security driver 1021 collects context information related to security events by calling the Hypervisor, and communicates with the security driver 1031 in the user virtual machine 103 by calling the Hypervisor. The security driver 1021 can also provide an application programming interface (API, Application Programming Interface) to the security application 1022 to help the security application 1022 access the Hypervisor 101. The security application 1022 is provided by the security application software vendor; it is the execution engine and database of the security application, and it provides verification and audit functions for the secure light agent 1032 in the user virtual machine 103.
The user virtual machine 103 is a virtual machine that provides computing capability to the user and can run desktop office work, data execution, server maintenance, and so on. The functions provided by the user virtual machine 103 are similar to those of an ordinary computer; it specifically includes a security driver 1031 and a secure light agent 1032. The security driver 1031 monitors security events in the user virtual machine 103, such as file reads and writes and process creation, and then calls the Hypervisor 101 to notify the secure virtual machine 102 of the monitored security event information. The security driver 1031 can also provide an API to the secure light agent 1032 to help the secure light agent 1032 access the Hypervisor 101. The security driver 1031 may be provided by the security application software vendor, or by the platform vendor.
The secure light agent 1032, also called a "thin agent", is located in the user virtual machine 103 and provides the functions related to user interaction, so that the virtual machine user's experience of using the security application stays unchanged. The other security functions are provided by the secure virtual machine 102, with the Hypervisor 101 providing the information transmission channel. The secure light agent 1032 is provided by the security application software vendor.
The virtualization management server 20 manages, maintains and allocates virtualized resources. Virtualized resources include computing resources, storage resources or network resources. The virtualization management server 20 can be deployed on a server or in a virtual machine.
The security management server 30 provides deployment of the secure virtual machine 102 and installation of the security driver 1031 in the user virtual machine 103. It also monitors the running status of the security driver 1021 and the security driver 1031 and receives events and alarm information, to ensure that the security driver 1021 and the security driver 1031 run reliably. The security management server 30 can be deployed on a separate server or in a separate virtual machine, can be deployed together with the virtualization management server 20, or can be integrated directly into the software of the virtualization management server 20.
The application management server 40 provides management functions for the security application 1022 and is provided by the security application software vendor. The application management server 40 can be deployed on a separate server or in a separate virtual machine, can be deployed together with the virtualization management server 20, or can be deployed together with the security management server 30. It includes the following modules (not shown in the figure):
Security application deployment 401: performs the initial installation and upgrade of the security application 1022 and the secure light agent 1032 in the virtualization system, by centralized push or by client request.
Centralized configuration 402: the administrator configures the running and execution policies of the security application 1022 and the secure light agent 1032, such as resource occupancy policies and periodic task settings.
Security function operation 403: the administrator specifies the target objects and executes functions of the security application 1022 and the secure light agent 1032, such as a full-disk antivirus scan or sensitive data discovery.
The administrator is a maintainer of the cloud computing system. Administrators can be divided by scope of responsibility into system administrators, security administrators, audit administrators, and so on. A cloud administrator with the specific permissions can deploy and manage the security application 1022 and the secure light agent 1032 in the virtualization system.
The virtual machine user can connect over the network to a virtual machine provided by the cloud and carry out desktop office work, data execution, server maintenance, and so on.
For the specific interaction between the user virtual machine and the secure virtual machine, see the description of the embodiments below.
Method for implementing virtualization security
The method for implementing virtualization security provided by the embodiments of the present invention is described below. The method can be implemented on the system architecture of the foregoing embodiment.
The embodiment of the method for implementing virtualization security shown in FIG. 2 includes the following steps:
1) The user virtual machine receives a command from the virtual machine user and classifies the command according to the executing entity corresponding to the command, obtaining at least one of the following: a first-type command and a second-type command. The first-type command is executed by the user virtual machine, and the second-type command is executed by the secure virtual machine.
A correspondence between operation codes and executing entities is configured on the user virtual machine. Before the command is classified according to its executing entity, the method further includes:
The user virtual machine looks up the operation code carried in the command in the correspondence between operation codes and executing entities, and obtains the executing entity corresponding to the command.
If classifying the command yields a second-type command, the following steps 2) to 6) are performed. If it yields a first-type command, the user virtual machine executes the first-type command and presents the execution result of the first-type command to the virtual machine user.
The command includes at least one of the following: security function configuration, security function operation, and security function notification. The specific flows are described in detail with reference to FIGS. 3 to 5.
2) If a second-type command is obtained, the user virtual machine sends the second-type command to the Hypervisor. The Hypervisor may also be called the virtual machine monitor (VMM, Virtual Machine Monitor).
3) The Hypervisor sends the second-type command to the secure virtual machine, and the secure virtual machine executes the second-type command.
4) The secure virtual machine sends the execution result of the second-type command to the Hypervisor. The security function processing module of the secure virtual machine may send the execution result of the second-type command to the Hypervisor only after determining that the execution result satisfies a pre-configured notification policy.
5) The Hypervisor sends the execution result of the second-type command to the user virtual machine.
6) The user virtual machine presents the execution result of the second-type command to the virtual machine user.
In the method provided by this embodiment, the user virtual machine receives a command from the virtual machine user and classifies it according to the executing entity corresponding to the command, obtaining at least one of a first-type command and a second-type command. The first-type command is executed by the user virtual machine, the second-type command is executed by the secure virtual machine, and the execution result is presented to the virtual machine user. Virtualization security can therefore be implemented through the secure virtual machine while the user virtual machine improves the virtual machine user's experience. The cooperation of the secure virtual machine and the user virtual machine thus achieves virtualization security and at the same time improves the application experience of the virtual machine user.
Depending on the command received from the virtual machine user, the user virtual machine works with the other modules to complete operations such as security function configuration, security function operation, and security function notification. These are described in detail below.
FIG. 3 shows the flow of security function configuration provided by an embodiment of the present invention.
The virtual machine user configures the user virtual machine and the secure virtual machine through the software interface provided by the secure light agent, according to the user's own habits, and the experience is the same as with traditional security software. As described in the system embodiment, the user virtual machine includes a secure light agent and a security driver; the secure virtual machine includes a security application and a security driver. The virtual machine monitor includes a virtualized security service platform.
1) After receiving a security function configuration from the virtual machine user, the secure light agent classifies the security function configuration and obtains a first-type command or a second-type command. The first-type command is executed by the user virtual machine, and the second-type command is executed by the secure virtual machine. First-type commands are further divided into agent-class commands and driver-class commands, where agent-class commands are saved locally by the secure light agent of the user virtual machine. Specifically, the user configuration module in the secure light agent can implement the above function.
The agent-class commands among the first-type commands may specifically include at least one of the following: log settings of the secure light agent, upgrade settings of the secure light agent, and upgrade settings of the security driver of the user virtual machine.
Log settings of the secure light agent: include but are not limited to configuring the log file size and retention time of the secure light agent;
Upgrade settings of the secure light agent: include but are not limited to configuring the upgrade period of the secure light agent;
Upgrade settings of the security driver of the user virtual machine: include but are not limited to configuring the upgrade period of the security driver of the user virtual machine.
The driver-class commands among the first-type commands may specifically include at least one of the following: log settings of the security driver of the user virtual machine, cache settings, Email protection settings, self-protection settings of the security driver of the user virtual machine, and self-protection settings of the secure light agent.
Log settings of the security driver of the user virtual machine: include but are not limited to configuring the log file size or retention time of the security driver of the user virtual machine;
Cache settings: include but are not limited to whether the scan result cache is enabled, the cache size, or the number of cached files;
Email protection settings: include but are not limited to whether Email protection is enabled, attachment types, and whether detection of mass outbound sending behavior is enabled;
Self-protection settings of the security driver of the user virtual machine: include but are not limited to prohibiting modification or stopping of the security monitoring function, logging tampering behavior, and the time interval after which protection is automatically re-enabled once it has been temporarily turned off;
Self-protection settings of the secure light agent: include but are not limited to prohibiting deletion or stopping of the secure light agent, logging tampering behavior, and the time interval after which the secure light agent is automatically restarted once it has been temporarily stopped.
Second-type commands are sent through the security driver of the user virtual machine and the virtualized security service platform to the secure virtual machine, which saves and executes them. They may specifically include at least one of the following: periodic scan settings, filter settings, trusted file settings, handling settings, notification settings, proactive defense settings, sample settings, upgrade settings of the security application of the secure virtual machine, and upgrade settings of the security driver of the secure virtual machine.
Periodic scan settings: include but are not limited to the periodic scan configuration at system startup, the periodic scan configuration at a specific point in time, or the scan type, where the scan type is a quick scan, a full scan, or a specified scan;
Filter settings: include but are not limited to the file types covered by file system protection, excluded paths, real-time scan options, and whether compressed files are scanned and to what depth;
Trusted file settings: include but are not limited to whitelisted files, paths, and file size exclusions;
Handling settings: include but are not limited to the actions performed automatically after a security risk is found, such as clean, delete, quarantine, log, whether to back up, and whether to stop the corresponding process or service;
Notification settings: include but are not limited to whether security event notifications are sent, or whether execution result notifications are sent;
Proactive defense settings: include but are not limited to whether "heuristic" proactive defense is enabled, and the defense level;
Sample settings: include but are not limited to whether samples are submitted to the security software vendor's cloud security server;
Upgrade settings of the security application of the secure virtual machine: include but are not limited to configuring the upgrade period of the security application. Because the security application can be understood as consisting of a scan engine and signatures, configuring the upgrade period of the security application can also be understood as configuring the scan engine upgrade period or the signature upgrade period.
Upgrade settings of the security driver of the secure virtual machine: include but are not limited to configuring the upgrade period of the security driver of the secure virtual machine.
Specifically, a correspondence between operation codes and executing entities is configured on the user virtual machine, as shown in Table 1; Table 1 is only an example. After the secure light agent receives a command from the virtual machine user, the user virtual machine looks up the operation code carried in the command in the correspondence between operation codes and executing entities, and obtains the executing entity corresponding to the command.
Table 1
Figure imgf000015_0001
As shown in Table 1, if the command from the virtual machine user carries only 0004, then according to Table 1 the executing entity of the command is the security driver of the user virtual machine. Classification by executing entity therefore yields only a driver-class command of the first type, and that driver-class command contains only 0004. If the command from the virtual machine user carries 0004, 0008 and 000C, then according to Table 1 the executing entity of 0004 and 0008 is the security driver of the user virtual machine and the executing entity of 000C is the secure virtual machine, so classification by executing entity yields a driver-class command of the first type and a second-type command.
If an agent-class command is obtained, the secure light agent executes the agent-class command and presents its execution result to the virtual machine user.
If a driver-class command or a second-type command is obtained, the subsequent steps are performed.
2) The secure light agent sends the driver-class command or the second-type command to the security driver of the user virtual machine.
Because the secure light agent has already distinguished driver-class commands from second-type commands by operation code, it calls the security driver's processing interface for driver-class commands and the security driver's forwarding interface for second-type commands.
If a driver-class command is included, the security driver of the user virtual machine executes the driver-class command and sends its execution result to the secure light agent; the secure light agent presents the execution result of the driver-class command to the virtual machine user.
If a second-type command is also included, the subsequent steps continue.
3) The security driver of the user virtual machine sends the second-type command to the virtualized security service platform in the Hypervisor.
4) The virtualized security service platform sends the second-type command to the secure virtual machine.
The virtualized security service platform establishes the information transmission channel between virtual machines in the Hypervisor (for example an event I/O ring mechanism, memory sharing, and an authorization mechanism). It carries the security events monitored by the security driver in the user virtual machine (such as file reads and writes and process creation) to the secure virtual machine, which performs the corresponding analysis and handling.
5) The security driver in the secure virtual machine sends the second-type command to the security application. Specifically, the user configuration audit module of the security application can audit the received second-type command, and the second-type command is executed only when it is determined to satisfy the pre-configured security policy.
Taking Table 2 as an example: if the operation description carried in the command is "disable all file types" and the pre-configured security policy does not allow all file types to be disabled, the secure virtual machine will not act on the second-type command. If the operation description carried in the command is an upgrade setting of the security application, which Table 2 does not cover, the command is understood to satisfy the pre-configured security policy, and the secure virtual machine performs the upgrade setting of the security application.
Table 2
Figure imgf000017_0001
An example follows. The command with operation code 000A is executed by the secure virtual machine according to Table 1. The command also carries the operation description "disable all file types". According to Table 2, the user configuration audit module of the secure virtual machine looks up the pre-configured security policy corresponding to "disable all file types", and performs the filter setting only when "disable all file types" is determined to satisfy the pre-configured security policy. The command with operation code 000B is executed by the secure virtual machine according to Table 1. The command also carries the operation description "skip system critical path". According to Table 2, the user configuration audit module of the secure virtual machine looks up the pre-configured security policy corresponding to "skip system critical path", and performs the trusted file setting only when "skip system critical path" is determined to satisfy the pre-configured security policy.
For configurations that carry a significant security risk (for example disabling all file types, or skipping system critical paths), or whose practical effect is to turn security protection off, the secure virtual machine provides "default protection" (the protection policy configured by the administrator). The secure virtual machine then prompts the virtual machine user to confirm or modify the configuration, to guard against user misconfiguration or malicious modification of the configuration by a virus.
Before the secure virtual machine sends the execution result (success or failure) of the second-type command to the virtualized security service platform, it may first determine whether the execution result satisfies the pre-configured notification policy. If the pre-configured notification policy is satisfied, the secure virtual machine sends the execution result (success or failure) of the second-type command to the virtualized security service platform. Taking Table 3 as an example: when a configuration fails and the pre-configured notification policy is "Yes", the execution result of the second-type command must be notified to the user virtual machine; if the pre-configured notification policy is "No", the execution result of the second-type command does not need to be notified to the user virtual machine. Of course, a notification policy configured as "Yes" may also be configured directly as "notify the user", and one configured as "No" may be configured directly as "do not notify the user".
Table 3
Figure imgf000018_0001
If, according to the pre-configured notification policy, the user needs to be notified, the security application sends the execution result of the second-type command to the security driver of the secure virtual machine.
6) The security driver of the secure virtual machine sends the execution result of the second-type command to the virtual machine monitor.
7) The virtualized security service platform of the virtual machine monitor sends the execution result of the second-type command to the user virtual machine.
8) The security driver of the user virtual machine passes the execution result of the second-type command to the secure light agent. The security driver may send the execution result of a driver-class command to the secure light agent as soon as it has executed that command, and then send the execution result of the second-type command once it has been received; alternatively, it may wait until the execution result of the second-type command has been received and send it to the secure light agent together with the execution result of the driver-class command.
9) The secure light agent of the user virtual machine presents the execution result of the second-type command to the virtual machine user.
The user virtual machine may present the execution result of the first-type command to the virtual machine user first, and present the execution result of the second-type command once it has been received; alternatively, it may wait until the execution result of the second-type command has been received and present it to the virtual machine user together with the execution result of the driver-class command.
With the method provided by this embodiment, virtualization security function configuration is implemented through the secure virtual machine while the virtual machine user's experience during configuration is improved. The cooperation of the secure virtual machine and the user virtual machine thus achieves virtualization security and at the same time improves the virtual machine user's application experience when configuring virtualization security functions.
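The opcode-based routing in the user virtual machine and the audit and notification checks in the secure virtual machine, as an added Python example that is not part of the patent. Opcodes 0004, 0008, 000A, 000B and 000C follow the text's walk-through of Table 1; opcode 0001, the "success" notification entry, the denial of "skip system critical path", the rejection of unknown opcodes and the secure-VM re-check of routing are assumptions of this example.

```python
"""Added example: opcode routing in the user VM and audit in the secure VM."""
from dataclasses import dataclass

AGENT, DRIVER, SECURE_VM = "light_agent", "guest_driver", "secure_vm"

# Opcode -> executing entity (stand-in for Table 1, which is an image on the page).
# 0004/0008 -> user-VM security driver and 000A/000B/000C -> secure VM come from
# the text; 0001 is a constructed agent-class entry.
OPCODE_EXECUTOR = {
    "0001": AGENT,
    "0004": DRIVER,
    "0008": DRIVER,
    "000A": SECURE_VM,
    "000B": SECURE_VM,
    "000C": SECURE_VM,
}

# Stand-in for Table 2: operation descriptions the secure VM refuses to apply.
# "disable all file types" is denied per the text; denying "skip system critical
# path" is an assumption (the text names it as a significant-risk setting).
# Operations not listed are treated as satisfying the policy, as the text states.
DENIED_OPERATIONS = frozenset({"disable all file types", "skip system critical path"})

# Stand-in for Table 3: which results go back to the user VM.
# failure -> notify is from the text; success -> no notification is constructed.
NOTIFY_POLICY = {"failure": True, "success": False}


@dataclass(frozen=True)
class Item:
    opcode: str
    operation: str = ""  # operation description carried with the command


@dataclass(frozen=True)
class Result:
    opcode: str
    status: str  # "success" or "failure"
    detail: str


def classify(items):
    """User-VM side: partition command items by executing entity."""
    buckets = {AGENT: [], DRIVER: [], SECURE_VM: []}
    for item in items:
        executor = OPCODE_EXECUTOR.get(item.opcode.upper())
        if executor is None:
            # Assumption: fail closed instead of guessing a route.
            raise ValueError(f"unknown opcode {item.opcode!r}")
        buckets[executor].append(item)
    return buckets


def secure_vm_execute(item):
    """Secure-VM side: audit one second-type item before applying it."""
    # Assumption: the secure VM does not trust the guest's routing and re-checks it.
    if OPCODE_EXECUTOR.get(item.opcode.upper()) != SECURE_VM:
        return Result(item.opcode, "failure", "opcode is not handled by the secure VM")
    if item.operation.strip().lower() in DENIED_OPERATIONS:
        return Result(item.opcode, "failure",
                      "denied by policy; default protection kept, user asked to confirm")
    return Result(item.opcode, "success", "setting applied")


def results_for_user(results):
    """Apply the notification policy before anything is sent back via the hypervisor."""
    return [r for r in results if NOTIFY_POLICY.get(r.status, False)]


def handle(items):
    """Round trip: returns (opcodes executed in the user VM, results shown to user)."""
    buckets = classify(items)
    local = [i.opcode for i in buckets[AGENT] + buckets[DRIVER]]
    remote = [secure_vm_execute(i) for i in buckets[SECURE_VM]]
    return local, results_for_user(remote)


if __name__ == "__main__":
    # Constructed command: one driver setting plus two secure-VM settings.
    command = [
        Item("0004", "log file size"),
        Item("000A", "disable all file types"),
        Item("000C", "upgrade settings"),
    ]
    local, shown = handle(command)
    print("executed in user VM:", local)
    for r in shown:
        print("reported to user:", r)
```

The audit runs in the secure virtual machine, not in the guest, so a compromised user virtual machine cannot switch protection off by relabelling or misrouting a command.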
FIG. 4 shows the flow of a security function operation provided by the method embodiment of the present invention.
The virtual machine user operates the user virtual machine and the secure virtual machine through the software interface provided by the secure light agent, according to the user's own habits, and the experience is the same as with traditional security software. As described in the system embodiment, the user virtual machine includes a secure light agent and a security driver; the secure virtual machine includes a security application and a security driver. The virtual machine monitor includes a virtualized security service platform.
1) After receiving a security function operation from the virtual machine user, the secure light agent classifies the security function operation and obtains a first-type command or a second-type command. The first-type command is executed by the user virtual machine, and the second-type command is executed by the secure virtual machine.
Specifically, the security function operation module in the secure light agent can implement the above function.
Taking antivirus software as an example, common first-type commands include at least one of the following: an upgrade operation of the secure light agent of the user virtual machine, an upgrade operation of the security driver of the user virtual machine, viewing the protection status, viewing logs, viewing statistics, viewing reports, and viewing quarantined files.
Upgrade operation of the secure light agent: includes but is not limited to upgrading the secure light agent;
Upgrade operation of the security driver of the user virtual machine: includes but is not limited to upgrading the security driver of the user virtual machine;
Viewing: includes but is not limited to viewing the protection status, viewing logs, viewing statistics, viewing reports, or viewing quarantined files.
Common second-type commands include at least one of the following: initiating a quick scan, initiating a full scan, initiating a custom scan, an upgrade operation of the scan engine, and an upgrade operation of the signatures.
Initiating a quick scan: includes but is not limited to quickly scanning memory, scanning specific paths, scanning files that are easily infected, or scanning common virus infection locations;
Initiating a full scan: includes but is not limited to scanning memory or all files;
Initiating a custom scan: includes but is not limited to a custom scan of memory, of specified files, or of specified paths;
Upgrade operation of the security application: includes but is not limited to upgrading the security application. Because the security application can be understood as consisting of a scan engine and signatures, upgrading the security application can also be understood as upgrading the scan engine or upgrading the signatures.
具体的, 在所述用户虚拟机上配置有操作码与执行主体的对应关系, 如表 4所示, 当然表 4仅是示例性说明。 安全轻代理接收到虚拟机用户的 命令后, 所述用户虚拟机根据所述命令携带的操作码查询所述操作码与执 行主体的对应关系, 获得所述命令对应的执行主体。  Specifically, the corresponding relationship between the operation code and the execution body is configured on the user virtual machine, as shown in Table 4. Of course, Table 4 is merely an exemplary description. After receiving the command from the virtual machine user, the user virtual machine queries the corresponding relationship between the operation code and the execution entity according to the operation code carried by the command, and obtains the execution entity corresponding to the command.
Table 4
(Table 4 is an image in the original publication: imgf000020_0001.)
As shown in Table 4, if the command from the virtual machine user carries only 1004, then according to Table 4 the execution subject of the command is the security virtual machine, so classification by execution subject yields only a second-type command. If the command from the virtual machine user carries 1004, 1008 and 100A, then according to Table 4 the execution subject of 1004 is the security virtual machine and the execution subject of 1008 and 100A is the user virtual machine. The first-type commands are 1008 and 100A, and the second-type command is 1004.
If a first-type command is obtained, the security light agent executes the first-type command and presents its execution result to the virtual machine user.
If a second-type command is obtained, the subsequent steps are performed.
2) The security function operation module of the security light agent sends the second-type command to the security driver of the user virtual machine.
3) The security driver of the user virtual machine sends the second-type command to the virtualization security service platform in the Hypervisor.
4) The virtualization security service platform sends the second-type command to the security virtual machine.
The virtualization security service platform is used to establish, in the Hypervisor, information transmission channels between virtual machines (such as the event I/O ring mechanism, memory sharing, and an authorization mechanism), and to transmit security events monitored by the security driver in the user virtual machine (such as file reads and writes, and process creation) to the security virtual machine, which performs the corresponding analysis and execution.
The virtualization security service platform further includes a virtual machine monitoring module. The virtual machine monitoring module uses the Hypervisor's ability to manage and control real physical resources and virtual machine logical resources to directly access a virtual machine's disks, memory pages and CPU registers, providing supporting information for the security virtual machine's analysis and handling of security events.
5) The security driver in the security virtual machine sends the second-type command to the security application; specifically, it may send it to the security function processing module of the security application, which executes the corresponding security function according to the second-type command.
The security function processing module receives security events monitored by the security driver in the user virtual machine, or security operations initiated by the user; invokes the virtual machine monitoring module of the virtualization security service platform to obtain more context information (such as file contents and the binary image information of a process); analyzes the security events and context information; identifies malicious security events; and then acts according to a preset policy, such as automatically blocking (quarantining or deleting the file), or prompting the user and receiving the user's choice of action. Taking an antivirus application as an example, the antivirus scan engine and virus signature database that traditionally reside in the user virtual machine are moved into the security virtual machine. Here the antivirus scan engine and the virus signature database make up the security application of the security virtual machine.
Specifically, it can be determined whether the execution result of the second-type command satisfies a preconfigured notification policy. If it does, the security virtual machine sends the execution result (success or failure) of the second-type command to the virtualization security service platform. Taking Table 5 as an example: for a signature upgrade, if the preconfigured notification policy is "notify the user" (for simplicity, the notification policy can be configured directly as "yes"), the progress of the signature upgrade needs to be notified to the user virtual machine. If the preconfigured notification policy is "do not notify the user" (for simplicity, the notification policy can be configured directly as "no"), the progress of the signature upgrade does not need to be notified to the user virtual machine. As shown in Table 5, the progress of the signature upgrade does not need to be notified to the user virtual machine.
Table 5
(Table 5 is an image in the original publication: imgf000022_0001.)
The "virus found prompt" may be the execution result of the "quick scan" with operation code 1001, of the "full scan" with operation code 1002, or of the "custom scan" with operation code 1003.
The "security risk prompt" may be a prompt generated during execution of the "quick scan" with operation code 1001, of the "full scan" with operation code 1002, or of the "custom scan" with operation code 1003.
The "interactive option" may be an option generated during execution of the "quick scan" with operation code 1001, of the "full scan" with operation code 1002, or of the "custom scan" with operation code 1003.
If, according to the preconfigured notification policy, the virtual machine user needs to be notified, the security application sends the execution result of the second-type command to the security driver of the security virtual machine. Here the execution result of the second-type command includes the result of the operation or the progress of the operation.
6) The security virtual machine sends the execution result of the second-type command to the virtualization security service platform.
7) The virtualization security service platform sends the execution result of the second-type command to the user virtual machine.
8) The security driver of the user virtual machine sends the execution result of the second-type command to the security light agent.
9) The security light agent of the user virtual machine presents the execution result of the second-type command to the virtual machine user.
The user virtual machine may present the execution result of the first-type command to the virtual machine user first and, once the execution result of the second-type command is received, present that result to the virtual machine user; alternatively, it may wait until the execution result of the second-type command is received and then present it to the virtual machine user together with the execution result of the first-type command.
The method provided in this embodiment enables virtualized security function operations to be performed through the security virtual machine. Virtualization security is thus achieved through cooperation between the security virtual machine and the user virtual machine, while the virtual machine user's experience when operating virtualized security functions is improved.
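The command split and the policy-gated return path of this flow, as an added Python sketch that is not code from the patent. The opcode assignments are the ones the text states; the function names, the result-kind labels, and the choices to reject unmapped opcodes and to surface unknown result kinds are assumptions.

```python
"""Sketch of the light agent's command split and the policy-gated return path."""

USER_VM = "user_vm"          # executes first-type commands
SECURITY_VM = "security_vm"  # executes second-type commands

# Operation code -> execution subject, using only assignments the text gives.
OPCODE_SUBJECT = {
    "1001": SECURITY_VM,  # quick scan
    "1002": SECURITY_VM,  # full scan
    "1003": SECURITY_VM,  # custom scan
    "1004": SECURITY_VM,
    "1008": USER_VM,
    "100A": USER_VM,
}

# Hops a second-type command crosses (steps 2 to 5); results return in reverse.
FORWARD_PATH = (
    "security_light_agent",
    "user_vm_security_driver",
    "virtualization_security_service_platform",
    "security_vm_security_driver",
    "security_application",
)

# Notification policy; the key names are hypothetical labels for this sketch.
NOTIFY_POLICY = {
    "virus_found": True,
    "security_risk": True,
    "interactive_option": True,
    "signature_upgrade_progress": False,
}


class UnknownOpcode(ValueError):
    """Raised when a command carries an opcode with no configured subject."""


def classify(opcodes):
    """Split opcodes into (first_type, second_type) by execution subject."""
    first, second = [], []
    for op in opcodes:
        subject = OPCODE_SUBJECT.get(op)
        if subject is None:
            # Assumption: fail closed so an unmapped opcode is never forwarded.
            raise UnknownOpcode(op)
        (first if subject == USER_VM else second).append(op)
    return first, second


def should_notify(result_kind):
    """Unknown result kinds are surfaced (assumption) rather than dropped."""
    return NOTIFY_POLICY.get(result_kind, True)


def dispatch(opcodes, run_on_user_vm, run_on_security_vm):
    """Run a command; return (results presented to the user, hop trace)."""
    first, second = classify(opcodes)  # validate every opcode before executing
    presented = [(op, run_on_user_vm(op)) for op in first]
    trace = []
    for op in second:
        trace.append((op, "forward", FORWARD_PATH))
        kind, detail = run_on_security_vm(op)
        if should_notify(kind):
            trace.append((op, "return", FORWARD_PATH[::-1]))
            presented.append((op, detail))
    return presented, trace


if __name__ == "__main__":
    # Constructed handlers standing in for the real executors.
    local = lambda op: f"{op}: done on user VM"
    remote = lambda op: ("virus_found", f"{op}: 1 item quarantined")
    shown, hops = dispatch(["1004", "1008", "100A"], local, remote)
    for line in shown:
        print(line)
    for hop in hops:
        print(hop)
```

Because classification runs before any handler is called, a command that mixes a valid opcode with an unmapped one is rejected as a whole and nothing is executed on either virtual machine.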
FIG. 5 shows the flow of security function notification provided by an embodiment of the present invention.
In addition to notifying the user virtual machine of the execution result of a second-type command as described for FIG. 3 and FIG. 4, the user virtual machine can also forward monitored security event information to the security virtual machine, which analyzes and handles it. If the preconfigured policy requires notifying the user of the result or requires the user to take part in an interactive choice, the relevant information is sent to the security light agent, which presents it to the user. The specific flow is as follows:
1) The security driver in the user virtual machine monitors security events in the user virtual machine (such as file reads and writes, and process creation) and sends the security event information to the virtualization security service platform in the Hypervisor.
2) The virtualization security service platform sends the security event information to the security virtual machine.
3) The security driver in the security virtual machine sends the security event information to the security function processing module of the security application, which executes the security function corresponding to the event type. After receiving a security event or a user-initiated security operation, the security virtual machine invokes the virtual machine monitoring module of the virtualization security service platform to obtain more context information (such as file contents and the binary image information of a process), analyzes the security event and context information, identifies malicious security events, and then acts according to a preset policy, such as automatically blocking (quarantining or deleting the file), or prompting the user and receiving the user's choice of action. If the preconfigured notification policy requires notifying the user of the result or requires the user to take part in an interactive choice, the result or the interactive choice is sent to the user virtual machine.
Taking an antivirus application as an example, with reference to Table 6, information that commonly needs to be presented to the user includes:
Virus found prompt: virus information, and automatic measures already taken (deletion, quarantine).
Security risk prompt: suspicious process behavior (found through heuristic proactive defense), suspicious files (found through sandboxing or reputation evaluation).
Interactive choice of measures: present the user with information about the virus, suspicious behavior or suspicious file; receive the user's choice of action (delete, quarantine, ignore).
Table 6
Notification content      Notification policy (configurable)
Virus found prompt        Yes
Security risk prompt      Yes
Interactive option        Yes
If a virus is found and the preconfigured notification policy is "yes", the user virtual machine needs to be notified that a virus was found; if the preconfigured notification policy is "no", the user virtual machine does not need to be notified. Of course, a notification policy of "yes" can also be configured directly as "notify the user", and a notification policy of "no" can also be configured directly as "do not notify the user".
If, according to the preconfigured notification policy, the virtual machine user needs to be notified, the subsequent steps are performed.
4) The security virtual machine sends the notification information generated by the security function processing module to the virtualization security service platform.
5)-7) The virtualization security service platform sends the notification information generated during execution of the security function to the security driver of the user virtual machine, which sends it to the security light agent; it is finally presented to the virtual machine user, and the user's confirmation or choice is received. If the user needs to make a choice, the subsequent steps are similar to those of the embodiment of FIG. 4.
Specifically, the security function notification module of the security light agent presents it to the virtual machine user.
The method provided in this embodiment achieves virtualized security function notification through cooperation between the modules of the security virtual machine and the user virtual machine, while improving the virtual machine user's experience of security function notifications.
Detailed description.
1) The security protection module of the virtualization security service platform periodically scans the virtual machine's disk and memory and performs an integrity measurement on the security driver of the user virtual machine. The measured content of the security driver includes at least one of the following: the code and data of the user virtual machine's security driver in memory, and the driver file and configuration data stored on disk. The integrity calculation method includes: using a one-way cryptographic algorithm (such as a hash algorithm: SHA-1, SHA-256; the SM3 algorithm) to compute a digital digest (digital fingerprint) of the measured content. Performing the integrity calculation on the measured content of the user virtual machine's security driver yields the integrity measurement value of the user virtual machine's security driver.
... an integrity measurement is performed on the security light agent. The measured content of the security light agent includes at least one of the following: the code and data of the security light agent in memory, and the program file and configuration data on disk. The integrity calculation method includes: using a one-way cryptographic algorithm (such as a hash algorithm: SHA-1, SHA-256; the SM3 algorithm) to compute a digital digest (digital fingerprint) of the measured content. Performing the integrity calculation on the measured content of the security light agent yields the integrity measurement value of the security light agent.
If it is the security driver of the user virtual machine that performs the integrity measurement on the security light agent, the security driver of the user virtual machine needs to send the integrity measurement value of the security light agent to the virtualization security service platform.
3) The virtualization security service platform sends the integrity measurement value of the security light agent, or the integrity measurement value of the user virtual machine's security driver, to the security virtual machine.
4) The security driver in the security virtual machine sends the integrity measurement value of the security light agent, or the integrity measurement value of the user virtual machine's security driver, to the security application; specifically, it may be sent to the light agent verification module of the security application.
If the light agent verification module receives the integrity measurement value of the security light agent, it compares the integrity measurement value of the user virtual machine's security light agent with a first correct value, and then processes the comparison result for the security light agent according to a preconfigured first verification policy. The first correct value is a measurement value that is preset, obtained from a previous correct execution, or centrally distributed.
The preconfigured first verification policy is shown in Table 7.
Table 7
Verification description    Verification policy
Verification succeeded      Take no action; continue to wait for the next cycle's verification
Verification failed         Automatically reinstall the security light agent
Verification failed         Automatically restore the default configuration of the security light agent
Verification failed         Prompt the user about the security risk through the security light agent
If verification succeeds, no action is taken and the next verification cycle is awaited; if verification fails, remedial measures are taken according to the preconfigured policy to avoid the security risk. Remedial measures include reinstalling the security light agent, restoring the default configuration of the security light agent, or prompting the user about the security risk.
If the light agent verification module receives the integrity measurement value of the user virtual machine's security driver, it compares the integrity measurement value of the user virtual machine's security driver with a second correct value, and then processes the comparison result for the user virtual machine's security driver according to a preconfigured second verification policy. The specifics are similar to the verification of the security light agent and are not repeated here.
5) If the user needs to be prompted, the security virtual machine sends prompt information such as the verification result to the virtualization security service platform.
6)-8) Prompt information such as the verification result passes through the virtualization security service platform and the security driver of the user virtual machine, and is finally presented to the user by the security light agent. If the user needs to make a choice, the subsequent steps are similar to those of the embodiment described for FIG. 4.
Through the light agent verification module, this embodiment of the present invention ensures the security of the security light agent or of the user virtual machine's security driver, and addresses the security risk that arises because the user virtual machine is located in an untrusted domain.
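The measure-and-compare check performed by the light agent verification module, as an added Python example that is not part of the patent. The class and function names, the length-prefixed encoding of the measured parts, the constructed sample content, and the handling of a component with no correct value on record are assumptions.

```python
import hashlib

# Actions from the verification-policy table; the names are hypothetical labels.
WAIT_NEXT_CYCLE = "wait_for_next_cycle"
FAILURE_ACTIONS = {"reinstall", "restore_default_config", "prompt_user"}


def measure(content, algorithm="sha256"):
    """Return the digest of measured content given as {part_name: bytes}.

    Parts are hashed in sorted order with length prefixes, so the same bytes
    split differently across parts cannot produce the same measurement.
    SHA-1 is listed in the text but is collision-weak; SHA-256 is the default.
    SM3 works only if this Python build's OpenSSL provides it.
    """
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"digest {algorithm!r} not available in this build")
    h = hashlib.new(algorithm)
    for name in sorted(content):
        for field in (name.encode("utf-8"), content[name]):
            h.update(len(field).to_bytes(8, "big"))
            h.update(field)
    return h.hexdigest()


class LightAgentVerifier:
    """Stand-in for the light agent verification module in the security VM."""

    def __init__(self):
        self.correct = {}  # component -> correct value (first/second correct value)
        self.policy = {}   # component -> action on failure (verification policy)

    def configure(self, component, correct_value, on_failure):
        if on_failure not in FAILURE_ACTIONS:
            raise ValueError(f"unknown failure action {on_failure!r}")
        self.correct[component] = correct_value
        self.policy[component] = on_failure

    def check(self, component, measured_value):
        """Compare one reported measurement; return the action to take."""
        expected = self.correct.get(component)
        if expected is None:
            # Assumption: with no correct value on record, treat the check as
            # failed and tell the user instead of silently passing.
            return "prompt_user"
        if measured_value == expected:
            return WAIT_NEXT_CYCLE
        return self.policy[component]


def run_cycles():
    """Constructed scenario: three verification results, returned as actions."""
    agent = {  # constructed sample content, not real binaries
        "memory_code": b"\x55\x48\x89\xe5\x90\xc3",
        "memory_data": b"state=running",
        "program_file": b"constructed-agent-image",
        "config": b"log_level=info\nself_protect=on\n",
    }
    verifier = LightAgentVerifier()
    verifier.configure("security_light_agent", measure(agent),
                       "restore_default_config")
    actions = [verifier.check("security_light_agent", measure(agent))]
    tampered = dict(agent, config=b"log_level=info\nself_protect=off\n")
    actions.append(verifier.check("security_light_agent", measure(tampered)))
    # No correct value was configured for the driver in this scenario.
    driver = {"driver_file": b"constructed-driver-image"}
    actions.append(verifier.check("user_vm_security_driver", measure(driver)))
    return actions


if __name__ == "__main__":
    print(run_cycles())
```

The comparison is only as trustworthy as the place the correct values are stored, which is why the flow keeps them in the security virtual machine and not in the user virtual machine being measured.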
The above flows describe the application of embodiments of the present invention in various scenarios, and are of course not limited to these scenarios.
FIG. 7 shows another system for implementing virtualization security provided by an embodiment of the present invention, including: a processor 101, a memory 102, and a system bus (bus for short) 105. The processor 101 and the memory 102 are connected through the system bus 105 and communicate with each other over it.
The processor 101 may be a single-core or multi-core central processing unit, an application-specific integrated circuit, or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 102 may be high-speed RAM or non-volatile memory, for example at least one hard disk storage. The memory 102 is used to store computer-executable instructions 1021. Specifically, the computer-executable instructions 1021 may include program code.
When the computer runs, the processor 101 executes the computer-executable instructions 1021 and can perform the flow of any one of FIG. 2 to FIG. 6.
An embodiment of the present invention further provides a computer program product for virtualization security, including a computer-readable storage medium storing program code, where the program code includes instructions for performing the flow of any one of FIG. 2 to FIG. 6.
Those of ordinary skill in the art will understand that aspects of the present invention, or possible implementations of those aspects, may be embodied as a system, a method, or a computer program product. Accordingly, aspects of the present invention, or possible implementations of those aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, and so on), or an embodiment combining software and hardware aspects, all of which are referred to here collectively as a "circuit", "module" or "system". In addition, aspects of the present invention, or possible implementations of those aspects, may take the form of a computer program product, meaning computer-readable program code stored in a computer-readable medium.
The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, device or apparatus, or any suitable combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, or portable read-only memory (CD-ROM).
A processor in a computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can perform the functional actions specified in each step, or combination of steps, of the flowcharts, and produce means for implementing the functional actions specified in each block, or combination of blocks, of the block diagrams.
The computer-readable program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. It should also be noted that, in some alternative implementations, the functions noted in the steps of the flowcharts or the blocks of the block diagrams may occur out of the order noted in the figures. For example, depending on the functions involved, two steps or two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present invention.

Claims

1、 一种实现虚拟化安全的方法, 所述方法应用于包括用户虚拟机和安 全虚拟机的系统, 其特征在于: 1. A method for realizing virtualization security. The method is applied to a system including a user virtual machine and a security virtual machine, and is characterized by:
所述用户虚拟机接收来自于虚拟机用户的命令; The user virtual machine receives commands from the virtual machine user;
所述用户虚拟机根据所述命令对应的执行主体对所述命令进行分类, 得到如下至少之一: 第一类命令和第二类命令; The user virtual machine classifies the command according to the execution subject corresponding to the command, and obtains at least one of the following: a first type of command and a second type of command;
若得到第一类命令, 则所述用户虚拟机执行所述第一类命令, 并将所 述第一类命令的执行结果向所述虚拟机用户呈现; If the first type of command is obtained, the user virtual machine executes the first type of command and presents the execution result of the first type of command to the virtual machine user;
若得到第二类命令, 则所述用户虚拟机将所述第二类命令通过虚拟机 监控器发送给所述安全虚拟机; 所述安全虚拟机执行所述第二类命令, 并 将对所述第二类命令的执行结果通过所述虚拟机监控器发送给所述用户虚 拟机; 所述用户虚拟机将所述第二类命令的执行结果向所述虚拟机用户呈 现; If the second type of command is obtained, the user virtual machine sends the second type of command to the security virtual machine through the virtual machine monitor; the security virtual machine executes the second type of command and processes all the commands. The execution result of the second type of command is sent to the user virtual machine through the virtual machine monitor; the user virtual machine presents the execution result of the second type of command to the virtual machine user;
若得到第一类命令和第二类命令, 则所述用户虚拟机执行所述第一类 命令, 并将所述第二类命令通过虚拟机监控器发送给所述安全虚拟机; 所 述安全虚拟机执行所述第二类命令, 并将对所述第二类命令的执行结果通 过所述虚拟机监控器发送给所述用户虚拟机; 所述用户虚拟机将所述第一 类命令的执行结果和所述第二类命令的执行结果向所述虚拟机用户呈现。 If the first type of command and the second type of command are obtained, the user virtual machine executes the first type of command, and sends the second type of command to the security virtual machine through the virtual machine monitor; the security virtual machine The virtual machine executes the second type of command and sends the execution result of the second type of command to the user virtual machine through the virtual machine monitor; the user virtual machine sends the execution result of the first type of command to the user virtual machine. The execution result and the execution result of the second type of command are presented to the virtual machine user.
2、 根据权利要求 1所述的方法, 其特征在于, 在所述用户虚拟机上配 置有操作码与执行主体的对应关系, 根据所述命令对应的执行主体对所述 命令进行分类之前还包括: 2. The method according to claim 1, characterized in that: a corresponding relationship between an operation code and an execution subject is configured on the user virtual machine, and before classifying the command according to the execution subject corresponding to the command, the method further includes: :
所述用户虚拟机根据所述命令携带的操作码查询所述操作码与执行主 体的对应关系, 获得所述命令对应的执行主体。 The user virtual machine queries the corresponding relationship between the operation code and the execution subject according to the operation code carried by the command, and obtains the execution subject corresponding to the command.
3、 根据权利要求 1或 2所述的方法, 其特征在于, 若所述命令为安全 配置命令, 还包括: 3. The method according to claim 1 or 2, characterized in that, if the command is a security configuration command, it also includes:
所述用户虚拟机的安全轻代理根据所述第一类命令对应的执行主体对 所述第一类命令进行分类, 得到如下至少之一: 代理类命令和驱动类命令; 若得到代理类命令, 则所述安全轻代理执行所述代理类命令, 并将所 述代理类命令的执行结果向所述虚拟机用户呈现; The security light agent of the user virtual machine executes the command according to the execution subject corresponding to the first type of command. The first type of commands is classified to obtain at least one of the following: agent type commands and driver type commands; if an agent type command is obtained, the secure light agent executes the agent type command and replaces the agent type command with The execution results are presented to the virtual machine user;
若得到驱动类命令, 则所述安全轻代理将所述驱动类命令发送给所述 用户虚拟机的安全驱动; 所述用户虚拟机的安全驱动执行所述驱动类命令, 并将所述驱动类命令的执行结果发送给所述安全轻代理; 所述安全轻代理 将所述驱动类命令的执行结果向所述虚拟机用户呈现; If the driver class command is obtained, the security light agent sends the driver class command to the security driver of the user virtual machine; the security driver of the user virtual machine executes the driver class command and sends the driver class command to the security driver of the user virtual machine. The execution result of the command is sent to the security light agent; the security light agent presents the execution result of the driver command to the virtual machine user;
若得到代理类命令和驱动类命令, 则所述安全轻代理执行所述代理类 命令, 并将所述驱动类命令发送给所述用户虚拟机的安全驱动; 所述用户 虚拟机的安全驱动执行所述驱动类命令, 并将所述驱动类命令的执行结果 发送给所述安全轻代理; 所述安全轻代理将所述代理类命令的执行结果和 所述驱动类命令的执行结果向所述虚拟机用户呈现。 If the agent type command and the driver type command are obtained, the security light agent executes the agent type command and sends the driver type command to the security driver of the user virtual machine; the security driver of the user virtual machine executes The driver class command, and sends the execution result of the driver class command to the security light agent; The security light agent sends the execution result of the agent class command and the execution result of the driver class command to the Virtual machine user presentation.
4. The method according to claim 3, characterized in that:
the agent-type commands include at least one of the following: log settings of the security light agent, upgrade settings of the security light agent, and upgrade settings of the security driver of the user virtual machine; or the driver-type commands include at least one of the following: log settings of the security driver of the user virtual machine, cache settings, Email protection settings, self-protection settings of the security driver of the user virtual machine, and self-protection settings of the security light agent; or
the second type of commands includes at least one of the following: periodic scan settings, filter settings, trusted file settings, handling mode settings, notification settings, active defense settings, sample settings, upgrade settings of the security application of the security virtual machine, and upgrade settings of the security driver of the security virtual machine.
5. The method according to any one of claims 1 to 4, characterized in that, if the command is a security configuration command, before the security virtual machine executes the second type of command, the method further comprises:
the user configuration audit module of the security virtual machine audits the second type of command and determines that the second type of command satisfies a preconfigured security policy.
6. The method according to claim 1 or 2, characterized in that, when the command is a security function operation:
the first type of commands includes at least one of the following: an upgrade operation of the security light agent of the user virtual machine, an upgrade operation of the security driver of the user virtual machine, viewing the protection status, viewing logs, viewing statistics, viewing reports, and viewing quarantined files; or
the second type of commands includes at least one of the following: initiating a quick scan, initiating a full scan, initiating a custom scan, an upgrade operation of the scan engine, and an upgrade operation of the signatures.
7. The method according to any one of claims 1 to 6, characterized in that it further comprises: before the execution result of the second type of command is sent to the user virtual machine through the virtual machine monitor, the security function processing module of the security virtual machine determines that the execution result of the second type of command satisfies a preconfigured notification policy.
8. The method according to any one of claims 1 to 7, characterized in that it further comprises: the light agent verification module of the security virtual machine compares the integrity measurement value of the security light agent of the user virtual machine with a first correct value, and then processes the comparison result for the security light agent according to a preconfigured first verification policy, where the integrity measurement value of the security light agent is obtained by performing an integrity calculation on the measured content of the security light agent, and the measured content of the security light agent includes at least one of the following: the security light agent's code in memory, data, program files on disk, and configuration data.
9. The method according to any one of claims 1 to 8, characterized in that the light agent verification module of the security virtual machine compares the integrity measurement value of the security driver of the user virtual machine with a second correct value, and then processes the comparison result for the security driver of the user virtual machine according to a preconfigured second verification policy, where the integrity measurement value of the security driver is obtained by performing an integrity calculation on the measured content of the security driver of the user virtual machine, and the measured content of the security driver includes at least one of the following: the code of the security driver of the user virtual machine in memory, data, the driver file stored on disk, and configuration data.
10. A system for realizing virtualization security, the system comprising a user virtual machine and a security virtual machine, characterized in that:
the user virtual machine is configured to receive a command from a virtual machine user and classify the command according to the execution subject corresponding to the command, obtaining at least one of the following: a first type of command and a second type of command;
if a first type of command is obtained, the user virtual machine is configured to execute the first type of command and present the execution result of the first type of command to the virtual machine user;
if a second type of command is obtained, the user virtual machine is configured to send the second type of command to the security virtual machine through a virtual machine monitor; the security virtual machine is configured to execute the second type of command and send the execution result of the second type of command to the user virtual machine through the virtual machine monitor; the user virtual machine is further configured to present the execution result of the second type of command to the virtual machine user;
if a first type of command and a second type of command are obtained, the user virtual machine is configured to execute the first type of command and send the second type of command to the security virtual machine through the virtual machine monitor; the security virtual machine is configured to execute the second type of command and send the execution result of the second type of command to the user virtual machine through the virtual machine monitor; the user virtual machine is further configured to present the execution result of the first type of command and the execution result of the second type of command to the virtual machine user.
11. The system according to claim 10, characterized in that a correspondence between operation codes and execution subjects is configured on the user virtual machine, and before classifying the command according to the execution subject corresponding to the command, the user virtual machine is further configured to look up the correspondence between operation codes and execution subjects using the operation code carried by the command, to obtain the execution subject corresponding to the command.
12. The system according to claim 10 or 11, characterized in that the user virtual machine comprises a security light agent and a security driver, and if the command is a security configuration command:
the security light agent of the user virtual machine is configured to classify the first type of command according to the execution subject corresponding to the first type of command, obtaining at least one of the following: an agent-type command and a driver-type command; if an agent-type command is obtained, the security light agent is configured to execute the agent-type command and present the execution result of the agent-type command to the virtual machine user;
if a driver-type command is obtained, the security light agent is configured to send the driver-type command to the security driver of the user virtual machine; the security driver of the user virtual machine is configured to execute the driver-type command and send the execution result of the driver-type command to the security light agent; the security light agent is further configured to present the execution result of the driver-type command to the virtual machine user;
if an agent-type command and a driver-type command are obtained, the security light agent is configured to execute the agent-type command and send the driver-type command to the security driver of the user virtual machine; the security driver of the user virtual machine is configured to execute the driver-type command and send the execution result of the driver-type command to the security light agent; the security light agent is further configured to present the execution result of the agent-type command and the execution result of the driver-type command to the virtual machine user.
13. The system according to claim 12, characterized in that:
the agent-type commands include at least one of the following: log settings of the security light agent, upgrade settings of the security light agent, and upgrade settings of the security driver of the user virtual machine; or the driver-type commands include at least one of the following: log settings of the security driver of the user virtual machine, cache settings, Email protection settings, self-protection settings of the security driver of the user virtual machine, and self-protection settings of the security light agent; or
the second type of commands includes at least one of the following: periodic scan settings, filter settings, trusted file settings, handling mode settings, notification settings, active defense settings, sample settings, upgrade settings of the security application of the security virtual machine, and upgrade settings of the security driver of the security virtual machine.
14. The system according to any one of claims 10 to 13, characterized in that the security virtual machine comprises a user configuration audit module, and if the command is a security configuration command, before the security virtual machine executes the second type of command, the user configuration audit module is configured to audit the second type of command and determine that the second type of command satisfies a preconfigured security policy.
15. The system according to claim 10 or 11, characterized in that, when the command is a security function operation:
the first type of commands includes at least one of the following: an upgrade operation of the security light agent of the user virtual machine, an upgrade operation of the security driver of the user virtual machine, viewing the protection status, viewing logs, viewing statistics, viewing reports, and viewing quarantined files; or
the second type of commands includes at least one of the following: initiating a quick scan, initiating a full scan, initiating a custom scan, an upgrade operation of the scan engine, and an upgrade operation of the signatures.
16. The system according to any one of claims 10 to 15, characterized in that the security virtual machine comprises a security function processing module, and before the execution result of the second type of command is sent to the user virtual machine through the virtual machine monitor, the security function processing module is configured to determine that the execution result of the second type of command satisfies a preconfigured notification policy.
17. The system according to any one of claims 10 to 16, characterized in that the security virtual machine comprises a light agent verification module:
the light agent verification module is configured to compare the integrity measurement value of the security light agent of the user virtual machine with a first correct value, and then process the comparison result for the security light agent according to a preconfigured first verification policy, where the integrity measurement value of the security light agent is obtained by performing an integrity calculation on the measured content of the security light agent, and the measured content of the security light agent includes at least one of the following: the security light agent's code in memory, data, program files on disk, and configuration data.
18. The system according to any one of claims 10 to 17, characterized in that the light agent verification module of the security virtual machine is configured to compare the integrity measurement value of the security driver of the user virtual machine with a second correct value, and then process the comparison result for the security driver of the user virtual machine according to a preconfigured second verification policy, where the integrity measurement value of the security driver is obtained by performing an integrity calculation on the measured content of the security driver of the user virtual machine, and the measured content of the security driver includes at least one of the following: the code of the security driver of the user virtual machine in memory, data, the driver file stored on disk, and configuration data.
19. A system for realizing virtualization security, characterized in that it comprises:
a processor, a memory and a system bus, where the processor and the memory are connected through the system bus and communicate with each other over it;
the memory is configured to store computer-executable instructions;
the processor is configured to run the computer-executable instructions to perform the method according to any one of claims 1 to 9.
20. A computer program product, comprising a computer-readable storage medium storing program code, where the program code includes instructions for performing the method according to any one of claims 1 to 9.
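The routing described in claims 10 to 16 (opcode lookup, local execution of first-type commands, forwarding of second-type commands, audit before execution and a notification policy on the result), sketched as an added example that is not code from the patent or its applicant. The opcode numbers, the protected-directory policy, the notification levels, the refusal of unmapped opcodes and the direct method call standing in for the virtual machine monitor channel are all assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass, field

AGENT, DRIVER, SECURE_VM = "light_agent", "guest_driver", "secure_vm"

# Opcode -> execution subject table configured on the user VM (claim 11).
# Opcode numbers are constructed for this example.
OPCODE_TABLE = {
    0x01: AGENT,      # light-agent log settings
    0x02: DRIVER,     # guest security-driver cache settings
    0x10: SECURE_VM,  # trusted-file settings
    0x11: SECURE_VM,  # periodic-scan settings
}
TRUST_FILE_OPCODE = 0x10

@dataclass
class Command:
    opcode: int
    args: dict = field(default_factory=dict)

def _within(child, parent):
    """True when absolute path `child` is `parent` or lies beneath it."""
    return posixpath.commonpath([child, parent]) == parent

class SecureVM:
    def __init__(self, protected_dirs, notify_levels):
        self.protected_dirs = tuple(protected_dirs)
        self.notify_levels = set(notify_levels)

    def audit(self, cmd):
        """Assumed policy: a trust entry may not cover a protected directory."""
        if cmd.opcode != TRUST_FILE_OPCODE:
            return True
        path = posixpath.normpath(cmd.args.get("path", ""))
        if not path.startswith("/"):
            return False  # fail closed on missing or relative paths
        return not any(_within(path, d) or _within(d, path)
                       for d in self.protected_dirs)

    def handle(self, cmd):
        """Audit, execute, then apply the notification policy to the result."""
        ok = self.audit(cmd)
        result = {"opcode": cmd.opcode, "by": SECURE_VM,
                  "status": "ok" if ok else "rejected",
                  "level": "info" if ok else "warn"}
        return result if result["level"] in self.notify_levels else None

class UserVM:
    def __init__(self, secure_vm):
        self.secure_vm = secure_vm  # stands in for the VMM channel

    def submit(self, commands):
        shown = []  # results presented to the virtual machine user
        for cmd in commands:
            subject = OPCODE_TABLE.get(cmd.opcode)
            if subject is None:
                # Assumption: unmapped opcodes are refused, not guessed at.
                shown.append({"opcode": cmd.opcode, "by": None,
                              "status": "unknown_opcode", "level": "warn"})
            elif subject == SECURE_VM:
                reply = self.secure_vm.handle(cmd)
                if reply is not None:
                    shown.append(reply)
            else:
                # First-type command: runs locally in the agent or driver.
                shown.append({"opcode": cmd.opcode, "by": subject,
                              "status": "ok", "level": "info"})
        return shown

def demo(notify_levels=("info", "warn")):
    svm = SecureVM(["/usr/bin", "/boot"], notify_levels)
    batch = [  # constructed sample commands
        Command(0x01, {"log_level": "debug"}),
        Command(0x02, {"cache_mb": 64}),
        Command(0x10, {"path": "/home/alice/tools"}),
        Command(0x10, {"path": "/home/alice/../../usr/bin"}),
        Command(0x99),
    ]
    return [(r["opcode"], r["by"], r["status"])
            for r in UserVM(svm).submit(batch)]
```

Because the audit runs in the security virtual machine rather than in the guest, a user VM whose agent has been tampered with still cannot push a trust entry that covers a protected directory.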
PCT/CN2013/086956 2013-11-12 2013-11-12 Method and system for realizing virtualization security WO2015070376A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201380004236.6A CN104169939B (en) 2013-11-12 2013-11-12 Method and system realizing virtualization safety
PCT/CN2013/086956 WO2015070376A1 (en) 2013-11-12 2013-11-12 Method and system for realizing virtualization security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/086956 WO2015070376A1 (en) 2013-11-12 2013-11-12 Method and system for realizing virtualization security

Publications (1)

Publication Number Publication Date
WO2015070376A1 true WO2015070376A1 (en) 2015-05-21

Family

ID=51912352

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/086956 WO2015070376A1 (en) 2013-11-12 2013-11-12 Method and system for realizing virtualization security

Country Status (2)

Country Link
CN (1) CN104169939B (en)
WO (1) WO2015070376A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020140205A1 (en) * 2019-01-02 2020-07-09 Nokia Shanghai Bell Co., Ltd. Method, system and apparatus for unified security configuration management

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9652612B2 (en) * 2015-03-25 2017-05-16 International Business Machines Corporation Security within a software-defined infrastructure
CN105227570B (en) * 2015-10-19 2019-02-15 成都卫士通信息产业股份有限公司 A kind of safe e-mail system of integrated campaign
CN108369625B (en) * 2015-12-19 2022-03-04 比特梵德知识产权管理有限公司 Dual memory introspection for protecting multiple network endpoints
CN107038128B (en) 2016-02-03 2020-07-28 华为技术有限公司 Virtualization of execution environment, and access method and device of virtual execution environment
CN106844005B (en) * 2016-12-29 2020-04-14 北京瑞星网安技术股份有限公司 Data recovery method and system based on virtualization environment
CN111831609B (en) * 2020-06-18 2024-01-02 中国科学院数据与通信保护研究教育中心 Method and system for unified management and distribution of binary metric values in virtualized environments

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101630270A (en) * 2009-07-22 2010-01-20 成都市华为赛门铁克科技有限公司 Data processing system and method therefor
CN102254117A (en) * 2011-07-07 2011-11-23 李鹏 Virtualized technology-based data anti-disclosure system
US20130007469A1 (en) * 2011-06-29 2013-01-03 Internatioanl Business Machines Corporation Securely managing the execution of screen rendering instructions in a host operating system and virtual machine
CN102971706A (en) * 2010-05-10 2013-03-13 思杰系统有限公司 Redirection of information from secure virtual machines to unsecure virtual machines

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110004878A1 (en) * 2009-06-30 2011-01-06 Hubert Divoux Methods and systems for selecting a desktop execution location
US8887227B2 (en) * 2010-03-23 2014-11-11 Citrix Systems, Inc. Network policy implementation for a multi-virtual machine appliance within a virtualization environtment

Also Published As

Publication number Publication date
CN104169939A (en) 2014-11-26
CN104169939B (en) 2017-02-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13897439

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13897439

Country of ref document: EP

Kind code of ref document: A1