CN101452397B - Forced access control method and apparatus in virtual environment - Google Patents


Info

Publication number: CN101452397B
Authority: CN (China)
Prior art keywords: virtual machine, access, main body, module, monitor
Legal status: Expired - Fee Related
Application number: CN200810203451XA
Other languages: Chinese (zh)
Other versions: CN101452397A
Inventors: 翁楚良, 王观海, 骆源, 李明禄
Current assignee: Shanghai Jiaotong University
Original assignee: Shanghai Jiaotong University
Application filed by Shanghai Jiaotong University; priority to CN200810203451XA; published as CN101452397A; application granted and published as CN101452397B; current status expired (fee related).

Landscapes: Storage Device Security (AREA)

Abstract

The invention relates to a mandatory ("forced") access control method and apparatus for a virtual environment, in the field of computer application technology. The method comprises: designating one virtual machine in the virtual environment as a trusted virtual machine holding security management authority, where the trusted virtual machine uses a security classification and a security category as a sensitivity label that identifies the security level of each individual virtual machine; establishing an access matrix that records the set of access types each virtual machine holds toward every other virtual machine; and, when a virtual machine acting as subject (main body) accesses a virtual machine acting as object with a given access type, deciding whether the access is permitted from the sensitivity labels of both subject and object together with the subject's access type set for that object in the access matrix. The apparatus comprises an access control initialization module, a virtual machine state monitoring module, an access decision module and a security management assistant module, together with a virtual machine security information management module located in the trusted virtual machine. The method and apparatus effectively control communication and resource sharing between virtual machines in a multilevel security virtual environment.

Description

Forced access control method and apparatus in a virtualized environment
Technical field
The present invention relates to a method and apparatus in the field of computer application technology, specifically a mandatory ("forced") access control method and apparatus for a virtualized environment.
Background technology
Virtualization technology is among the most popular technologies in the information technology industry today. Applying it brings advantages in several areas: 1. server consolidation: deploying computer systems inside virtual machines raises hardware utilization and cuts operating costs; 2. resource virtualization improves service quality and reduces system downtime; 3. it shortens the setup time of IT infrastructure, increases the flexibility of IT investment and enables on-demand provisioning; 4. it provides test and development environments quickly, improving development efficiency; 5. legacy operating systems and applications can be run inside virtual machines, protecting past investment; 6. the virtualization capability of servers can provide a standardized enterprise desktop environment, improving the utilization and manageability of enterprise IT equipment.
The virtual machine monitor is the core of virtualization technology; virtual machines run on top of it. Its main functions are: 1. managing the physical hardware resources; 2. providing virtual hardware resources to the virtual machines running on it; 3. providing mutually isolated running environments for the several virtual machines running on it, so that they cannot interfere with each other's operation; 4. providing communication and resource sharing support between the virtual machines running on it.
Each major company in the IT industry keeps increasing its investment in the development of virtualization technology and jointly formulates standards for its use, and communication and resource sharing between different virtual machines receive more and more attention. To build a safe and reliable virtualization application environment, access control must be applied to communication and resource sharing between virtual machines.
In one communication or resource sharing operation, the party in the active role is called the subject (main body) and the party in the receiving role is called the object. In a virtual scene, each virtual machine may be either subject or object in a communication; which one it is follows from the direction of data flow in the communication. The basic idea of access control on a computer system is to insert functions serving security purposes into the critical path on which subjects access objects; such functions are commonly called security hooks. A security hook is executed when a subject accesses an object; it inspects the security information of subject and object and decides, according to a specific security policy, whether the subject may access the object. If access is allowed, it records the relevant information and the access proceeds; if not, it blocks the access and returns an error message. The security policy the hook applies when deciding is the core content of access control.
A search of the prior art finds the method proposed mainly by Reiner Sailer for controlling communication and resource sharing between virtual machines (Reiner Sailer, Trent Jaeger, Enriquillo Valdez. Building a MAC-based Security Architecture for the Xen Opensource Hypervisor. RC23629 (W0506-051), June 8, 2005, IBM Research Report). The method is based on the Chinese Wall and Simple Type Enforcement policies: virtual machines and resources in the virtualized environment are given different labels, a label may represent a different organization or department, and a set of conflicting labels is defined. When the labels of two virtual machines lie in a conflict set they may not run at the same time; when two virtual machines carry the same label they may communicate and share resources. This method has the following problems: 1) its control over communication and resource sharing is coarse-grained; it does not control the concrete type of communication or resource sharing; 2) if different labels are taken to represent different security levels, virtual machines of different security levels cannot communicate or share resources at all. The method is therefore unsuitable for a multilevel security environment.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art above by providing a mandatory access control method and apparatus for a virtualized environment that takes sensitivity labels and an access matrix as its core, enforces mandatory access control inside the virtual machine monitor, and satisfies the requirements of a multilevel security environment. It comprises: identifying the security level of each individual virtual machine with a sensitivity label; expressing in an access matrix the access types a virtual machine acting as subject holds toward a virtual machine acting as object; and controlling communication and resource sharing between virtual machines inside the virtual machine monitor according to the information in the sensitivity labels and the access matrix.
The present invention is realized through the following technical scheme.
The present invention relates to a mandatory access control method in a virtualized environment, comprising the steps:
Step 1: in the virtual scene, designate one virtual machine as the trusted virtual machine holding security management authority; establish a hierarchical relationship with this trusted virtual machine as root and every other virtual machine as a child node of it, all virtual machines other than the trusted one having equal status;
Step 2: the trusted virtual machine identifies the security level of each other individual virtual machine with a sensitivity label, which comprises a security classification and a security category;
Step 3: establish the access matrix of the trusted virtual machine, recording for each virtual machine its set of access types toward every other virtual machine; the access types are read-only, write-only and read-write; the data of the access matrix are loaded into the virtual machine monitor when the monitor starts;
Step 4: when a virtual machine starts, its ID number and sensitivity label are passed as parameters into the virtual machine monitor, which records them and creates for this virtual machine a current access set b holding its access types toward all other virtual machines;
Step 5: when a communication or resource sharing action occurs, check whether the sensitivity labels and access matrix entries of the subject virtual machine and the object virtual machine satisfy the sensitivity label security property and the access matrix security property; if so, the subject virtual machine is allowed to access the object virtual machine, otherwise the access is refused and an error message is returned;
The sensitivity label security property means: when the subject virtual machine performs read-only access to the object virtual machine, the sensitivity label of the subject must dominate that of the object; when the subject performs write access to the object, the sensitivity label of the subject must be dominated by that of the object; when the subject performs read-write access to the object, the sensitivity labels of subject and object must be equal;
The access matrix security property means: when the subject virtual machine performs read-only, write-only or read-write access to the object virtual machine, that access type must be present in the access matrix entry holding the subject's access type set for the object.
Step 6: when step 5 allows the access, add a current access record to the current access set b of the subject virtual machine;
Step 7: when the subject virtual machine finishes one access to the object virtual machine, delete the corresponding current access record from the current access set b.
In step 2, the sensitivity label of a virtual machine has a security classification in numerical form, a larger value meaning a higher classification, and a security category that is a set of certain access rights, each element of the set representing one specific access right. The relation between two sensitivity labels is dominates / is dominated by, equal, or incomparable. When comparing sensitivity labels f1 and f2: if the classification of f1 is higher than that of f2 and the category of f1 contains the category of f2, then f1 dominates f2 (in other words, f2 is dominated by f1); if the classifications of f1 and f2 are equal and their categories are equal, then f1 equals f2; otherwise f1 and f2 are incomparable.
In the step 2, said level of security to other single virtual machines identifies, and is specific as follows: if the virtual machine that is identified does not have responsive label, then directly use the level of security of responsive this virtual machine of tag identifier; If the virtual machine that is identified has had responsive label; Then use new responsive label to identify the level of security of this virtual machine again; Promptly adjust the level of security of this virtual machine; If during the sign level of security, the virtual machine that quilt is identified is moving then needs all current accessed of moving virtual machine set b to satisfy following 6 current accessed set b security feature simultaneously, the success of sign operation ability:
The new responsive label of the virtual machine that is 1. identified can be arranged among the current accessed set b of every other virtual machine the responsive label that this virtual machine is carried out a write access virtual machine;
2. the responsive label that among the current accessed set b virtual machine that is identified is carried out the every other virtual machine of read-only access can be arranged the new responsive label of this virtual machine;
3. the responsive label that among the current accessed set b virtual machine that is identified is carried out the every other virtual machine of read and write access equals the new responsive label of this virtual machine;
The new responsive label of the virtual machine that is 4. identified must be arranged among its current accessed set b all by the responsive label of other virtual machines of this virtual machine read-only access;
5. all can be arranged the new responsive label of this virtual machine by the responsive label of other virtual machines of its write access in the current accessed set b of the virtual machine oneself that is identified;
The new responsive label of the virtual machine that is 6. identified equals among its current accessed set b all by the responsive labels of other virtual machines of this virtual machine read and write access.
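The six properties above, as an added Python illustration (not the patent's own code). A label is represented as a (classification, category set) pair, a current access record as an (object ID, access type) pair, and the running VMs with their sets b are constructed sample data; the trusted VM is left out of the sample because the method exempts it from the label property.

```python
"""Check whether a running VM may be given a new sensitivity label: the six
current access set b security properties. Added illustration, not the patent's
code; labels, access records and the running VMs below are constructed."""
from typing import Dict, FrozenSet, Set, Tuple

Label = Tuple[int, FrozenSet[str]]   # (security classification, security category set)
RO, WO, RW = 1, 2, 4                 # read-only, write-only, read-write
Record = Tuple[int, int]             # (object VM id, access type): one entry of a set b


def dominates(f1: Label, f2: Label) -> bool:
    """f1 dominates f2: strictly higher classification and category superset, as the text defines it."""
    return f1[0] > f2[0] and f1[1] >= f2[1]


def relabel_allowed(vm: int, new_label: Label, labels: Dict[int, Label],
                    access_sets: Dict[int, Set[Record]]) -> Tuple[bool, str]:
    """Return (ok, reason); `labels` and `access_sets` describe the running VMs only."""
    # Properties 1-3: records in other VMs' sets b whose object is `vm`.
    for other, records in access_sets.items():
        if other == vm:
            continue
        other_label = labels[other]
        for obj, atype in records:
            if obj != vm:
                continue
            if atype == WO and not dominates(new_label, other_label):
                return False, f"property 1: writer {other} would not be dominated"
            if atype == RO and not dominates(other_label, new_label):
                return False, f"property 2: reader {other} would not dominate"
            if atype == RW and other_label != new_label:
                return False, f"property 3: read-write peer {other} would not be equal"
    # Properties 4-6: records in the relabelled VM's own set b.
    for obj, atype in access_sets.get(vm, set()):
        obj_label = labels[obj]
        if atype == RO and not dominates(new_label, obj_label):
            return False, f"property 4: read-only target {obj} would not be dominated"
        if atype == WO and not dominates(obj_label, new_label):
            return False, f"property 5: write target {obj} would not dominate"
        if atype == RW and obj_label != new_label:
            return False, f"property 6: read-write target {obj} would not be equal"
    return True, "all six properties hold"


# Constructed sample: VM1 dominates VM2 and VM3, which carry equal labels.
RUNNING_LABELS: Dict[int, Label] = {
    1: (3, frozenset({"a", "b"})),
    2: (2, frozenset({"a"})),
    3: (2, frozenset({"a"})),
}
RUNNING_ACCESS_SETS: Dict[int, Set[Record]] = {
    1: {(2, RO)},   # VM1 reads down from VM2
    2: {(3, RW)},   # VM2 and VM3 share read-write
    3: {(1, WO)},   # VM3 writes up into VM1
}
```

With this sample, raising VM1 to classification 4 with categories {a, b, c} passes; lowering VM1 to (2, {a}) fails property 1 because VM3 is currently writing into it; and raising VM2 to (3, {a}) fails property 2 because VM1 holds a read-only access to VM2 and would no longer dominate it.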
In step 3, among the access type sets of each virtual machine toward the other virtual machines, no access type set of another virtual machine toward the trusted virtual machine can be set; that is, no other virtual machine can communicate with the trusted virtual machine as subject, and the trusted virtual machine never appears as object in a communication.
In step 3, setting the access type set of a virtual machine toward another virtual machine means adding an access type to the set or deleting an access type from it; the former grants the subject virtual machine a certain access type toward the object virtual machine, the latter revokes it.
In step 5, the access control process comprises the following three cases:
1. when the subject virtual machine performs read-only access to the object virtual machine, two security properties must hold simultaneously for the read-only access to be allowed: sensitivity label security property: the subject virtual machine is the trusted virtual machine, or the sensitivity label of the subject dominates that of the object; access matrix security property: in the access matrix the subject holds the read-only access type toward the object;
2. when the subject virtual machine performs write access to the object virtual machine, two security properties must hold simultaneously for the write access to be allowed: sensitivity label security property: the subject virtual machine is the trusted virtual machine, or the sensitivity label of the object dominates that of the subject; access matrix security property: in the access matrix the subject holds the write access type toward the object;
3. when the subject virtual machine performs read-write access to the object virtual machine, two security properties must hold simultaneously for the read-write access to be allowed: sensitivity label security property: the subject virtual machine is the trusted virtual machine, or the sensitivity label of the subject equals that of the object; access matrix security property: in the access matrix the subject holds the read-write access type toward the object.
In step 5, if the trusted virtual machine is the subject in a communication, the access control process is not bound by the two conditions: the trusted virtual machine may access any other virtual machine as object with any access type.
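The three cases and the trusted-VM exemption just described, together with the set b bookkeeping of steps 4, 6 and 7 and the label relation defined under step 2, as an added Python illustration (not the patent's own code). The `Monitor` class standing in for the state held inside the virtual machine monitor, the trusted VM ID 0, the bit-flag encoding of access types and the sample VMs in `demo()` are all assumptions.

```python
"""Access decision for inter-VM communication following steps 4 to 7 of the
method: sensitivity label property, access matrix property, trusted-VM exemption
and current access set b bookkeeping. Added illustration, not the patent's code;
the Monitor class, TRUSTED_VM and the sample data are constructed."""
from typing import Dict, FrozenSet, Set, Tuple

Label = Tuple[int, FrozenSet[str]]   # (security classification, security category set)
RO, WO, RW = 1, 2, 4                 # read-only, write-only, read-write (bit flags)
TRUSTED_VM = 0                       # assumed ID of the trusted virtual machine


def dominates(f1: Label, f2: Label) -> bool:
    """f1 dominates f2: strictly higher classification and category superset, as the text defines it."""
    return f1[0] > f2[0] and f1[1] >= f2[1]


def compare(f1: Label, f2: Label) -> str:
    """Relation between two labels: dominates, dominated, equal or incomparable."""
    if dominates(f1, f2):
        return "dominates"
    if dominates(f2, f1):
        return "dominated"
    if f1 == f2:
        return "equal"
    return "incomparable"


class Monitor:
    """Stand-in for the state the VMM keeps: labels of running VMs, the loaded access matrix, each VM's set b."""

    def __init__(self, matrix: Dict[Tuple[int, int], int]):
        self.matrix = matrix                                   # (subject id, object id) -> access type flags
        self.labels: Dict[int, Label] = {}                     # running VMs only
        self.access_sets: Dict[int, Set[Tuple[int, int]]] = {} # current access set b per VM

    def vm_start(self, vm_id: int, label: Label) -> None:     # step 4: record ID and label, create empty set b
        self.labels[vm_id] = label
        self.access_sets[vm_id] = set()

    def vm_stop(self, vm_id: int) -> None:                    # shutdown event: remove ID, label and set b
        self.labels.pop(vm_id, None)
        self.access_sets.pop(vm_id, None)

    def label_property(self, s: int, o: int, atype: int) -> bool:
        ls, lo = self.labels[s], self.labels[o]
        if atype == RO:
            return dominates(ls, lo)       # read: subject dominates object
        if atype == WO:
            return dominates(lo, ls)       # write: object dominates subject
        if atype == RW:
            return ls == lo                # read-write: labels equal
        return False

    def matrix_property(self, s: int, o: int, atype: int) -> bool:
        return bool(self.matrix.get((s, o), 0) & atype)

    def access_begin(self, s: int, o: int, atype: int) -> Tuple[bool, str]:  # steps 5 and 6
        if o == TRUSTED_VM:
            return False, "trusted VM never appears as object"
        if o not in self.labels:
            return False, "object VM not running"
        if s != TRUSTED_VM:                # trusted VM as subject is exempt from both properties
            if s not in self.labels:
                return False, "subject VM not running"
            if not self.label_property(s, o, atype):
                return False, "sensitivity label property violated"
            if not self.matrix_property(s, o, atype):
                return False, "access matrix property violated"
        self.access_sets.setdefault(s, set()).add((o, atype))
        return True, "allowed"

    def access_end(self, s: int, o: int, atype: int) -> None:               # step 7
        self.access_sets.get(s, set()).discard((o, atype))


def demo() -> Monitor:
    """Constructed scenario: VM1 dominates VM2 and VM3, which carry equal labels."""
    m = Monitor({(1, 2): RO, (2, 1): WO, (2, 3): RO | RW})
    m.vm_start(1, (3, frozenset({"a", "b"})))
    m.vm_start(2, (2, frozenset({"a"})))
    m.vm_start(3, (2, frozenset({"a"})))
    return m
```

Note that because dominance is defined with a strictly higher classification, two VMs with equal labels can only communicate read-write: in the sample, VM2 holds the read-only type toward VM3 in the matrix, yet a read-only access is refused by the label property.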
In step 6, the current access set b of the subject virtual machine records the information of each access; the recorded information comprises the ID number of the object virtual machine accessed by the subject and the access type used.
The invention further relates to a mandatory access control apparatus in a virtualized environment, comprising: a virtual machine security information management module (Virtual Machine Security Information Manager, VMSIM module), an access control initialization module (Access Control Initialization, ACI module), a virtual machine state watcher module (Virtual Machine State Watcher, VMSW module), an access decision module (Access Decision-maker, AD module) and a security management assistant module (Security Managing Assistant, SMA module), wherein
the virtual machine security information management module is located in the trusted virtual machine; it makes the other virtual machines child nodes of the trusted virtual machine, thereby establishing the hierarchical relationship of virtual machines, identifies the security level of the other virtual machines with sensitivity labels, and sets in the access matrix the access type set of each virtual machine toward the other virtual machines; the results of these operations are saved in disk files of the trusted virtual machine on the one hand and output into the virtual machine monitor on the other;
the access control initialization module is located inside the virtual machine monitor; while the virtual machine monitor starts it loads the access matrix from the disk of the trusted virtual machine into the virtual machine monitor, and it installs security hooks on the critical paths of virtual machine start and shutdown and of communication and resource sharing between virtual machines, for use by the virtual machine state watcher module and the access decision module;
the virtual machine state watcher module is located inside the virtual machine monitor; it uses the security hooks installed by the access control initialization module to monitor virtual machine start and shutdown events; when a virtual machine start event occurs it obtains the ID number and sensitivity label of that virtual machine, stores them inside the virtual machine monitor and creates an empty current access set b for the virtual machine; when a virtual machine shutdown event occurs it removes that virtual machine's ID number, sensitivity label and current access set b from the virtual machine monitor;
the access decision module is located inside the virtual machine monitor; it uses the security hooks installed by the access control initialization module to monitor communication and resource sharing events between virtual machines, and judges whether the sensitivity labels and access matrix entries of the subject and object virtual machines satisfy the sensitivity label security property and the access matrix security property; if so, it allows the subject virtual machine to access the object virtual machine; when the subject virtual machine finishes an access to the object virtual machine, the access decision module deletes the current access record from the current access set b of the subject;
the security management assistant module is located inside the virtual machine monitor; when the virtual machine security information management module identifies the security level of a running virtual machine with a sensitivity label, the security management assistant module checks whether the current access sets b of all running virtual machines satisfy the six current access set b security properties, and thereby decides whether that operation can succeed; when the virtual machine security information management module deletes an access type from the access type set of a subject virtual machine toward an object virtual machine and the subject virtual machine is running, the security management assistant module deletes that access type toward the object virtual machine from the subject's current access set b; the security management assistant module also provides interfaces to the virtual machine security information management module, through which the latter outputs into the virtual machine monitor the results of identifying virtual machine security levels with sensitivity labels and of setting the access matrix.
The virtual machine security information management module saves the hierarchical relationship of virtual machines it establishes in a hierarchical relationship file on the disk of the trusted virtual machine; the file content describes the resulting hierarchical relationship using a tree data structure.
The virtual machine security information management module stores the sensitivity label information it generates and the access matrix data separately in disk files of the trusted virtual machine. Sensitivity label information is kept in virtual machine sensitivity label files; each virtual machine has its own sensitivity label file, which holds, besides the security classification and security category of the virtual machine, its ID number. The ID number is the index of the virtual machine in the access matrix and remains unchanged until the virtual machine is deleted from the system. The access matrix data are kept in the access matrix file; the whole system has only one access matrix file, a binary file holding the binary form of the one-dimensional array that represents the access matrix.
The virtual machine security information management module transfers its operation results into the virtual machine monitor through the interfaces provided by the security management assistant module. For running virtual machines, it outputs into the virtual machine monitor both the result of identifying the virtual machine's security level with a sensitivity label and the result of setting the access matrix; for virtual machines not in the running state, it outputs the result of setting the access matrix, while the result of identifying the security level is not output into the virtual machine monitor. After the module has output its results to the virtual machine monitor, the access decision module uses the updated sensitivity labels and access matrix when deciding on communication between that virtual machine and other virtual machines.
The access control initialization module, when the virtual machine monitor starts, loads the data of the access matrix file from the disk file of the trusted virtual machine into the virtual machine monitor, then traverses the one-dimensional array of the access matrix, creates a linked list node for each array element holding that element's content, and finally links all nodes into an ordered doubly linked list, so that the security management assistant module can add and delete elements of the matrix through the interfaces it provides to the virtual machine security information management module.
The access control initialization module installs security hooks on the critical paths, inside the virtual machine monitor, of virtual machine start and shutdown and of communication and resource sharing between virtual machines; the hooks are executed when these events (virtual machine start, shutdown, inter-virtual-machine communication and resource sharing) occur. The concrete operations of the hooks are implemented by the virtual machine state watcher module and the access decision module respectively, and the return value of each hook is likewise determined by the virtual machine state watcher module or the access decision module.
The access decision module monitors communication and resource sharing actions between virtual machines through the security hooks installed by the access control initialization module. When a communication or resource sharing action occurs between virtual machines, the hook first obtains the access type of the action and the sensitivity labels of the subject virtual machine S and the object virtual machine O; next it queries in the access matrix the access type set of S toward O; it then uses this information to judge whether the sensitivity labels and access matrix entries of subject and object satisfy the sensitivity label security property and the access matrix security property. If the final decision is to allow, an access record is added to the current access set b of the subject virtual machine and the access of the subject to the object proceeds; if the decision is to deny, the access of the subject to the object is blocked and an error message is returned. When a communication or resource sharing action between virtual machines ends, the hook first obtains the ID numbers of the subject and object virtual machines and the access type of the action, and then deletes this access record from the current access set b of the subject virtual machine.
The security management assistant module, when the virtual machine security information management module identifies the security level of a running virtual machine with a sensitivity label, traverses the current access sets b of all running virtual machines and checks whether the six current access set b security properties above hold. If any property fails, it returns a failure message and the operation of the virtual machine security information management module fails; if all six hold, it returns a success message and the operation succeeds. Immediately after the operation succeeds, the virtual machine security information management module outputs the sensitivity label of the identified virtual machine into the virtual machine monitor through the interface provided by the security management assistant module, updating the sensitivity label held inside the monitor for the virtual machine whose identification succeeded. If the virtual machine identified by the virtual machine security information management module is not running, no interaction with the security management assistant module is needed during identification, and the sensitivity label of that virtual machine does not need to be output into the virtual machine monitor immediately afterwards.
The security management assistant module, when the virtual machine security information management module sets the access matrix: if the operation deletes access type x from the access type set of subject virtual machine S toward object virtual machine O and the virtual machine represented by S is running, then the records of S accessing O with type x must be deleted from the current access set b of the virtual machine represented by S; if the operation adds access type x to the access type set of S toward O, the security management assistant module need not perform any additional operation.
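The access matrix file, the grant and revoke operations on it, and the security management assistant's revoke rule, as an added Python illustration (not the patent's own code or file format). The page states only that the file is binary and holds a one-dimensional array indexed by VM ID; the concrete byte layout used here (a 4-byte tag, a 16-bit VM count, one bit-flag byte per cell, row index = subject ID, column index = object ID), the `AccessMatrix` class and the trusted VM ID 0 are assumptions.

```python
"""Access matrix kept as a one-dimensional array and persisted as a single binary
file, with grant/revoke and the SMA rule that revoking type x from S toward O also
drops S's matching records from its current access set b. Added illustration; the
byte layout and the class are assumptions, not the patent's format."""
import struct
from typing import Dict, List, Optional, Set, Tuple

RO, WO, RW = 1, 2, 4      # access types as bit flags; a cell holds their union
ALL_TYPES = RO | WO | RW
TRUSTED_VM = 0            # assumed ID of the trusted VM, which never appears as object
TAG = b"ACM1"             # assumed file tag


class AccessMatrix:
    def __init__(self, n_vms: int, cells: Optional[List[int]] = None):
        self.n = n_vms
        # Row-major one-dimensional array: cell (s, o) holds S's access type set toward O.
        self.cells = cells if cells is not None else [0] * (n_vms * n_vms)

    def _idx(self, s: int, o: int) -> int:
        """VM IDs index the matrix directly, as the sensitivity label file fixes them."""
        return s * self.n + o

    def _in_range(self, s: int, o: int) -> bool:
        return 0 <= s < self.n and 0 <= o < self.n

    def types(self, s: int, o: int) -> int:
        return self.cells[self._idx(s, o)]

    def grant(self, s: int, o: int, atype: int) -> bool:
        """Add an access type to S's set toward O; no set may target the trusted VM."""
        if o == TRUSTED_VM or not self._in_range(s, o):
            return False
        self.cells[self._idx(s, o)] |= atype
        return True

    def revoke(self, s: int, o: int, atype: int,
               access_sets: Dict[int, Set[Tuple[int, int]]]) -> bool:
        """Remove an access type; if S is running (has a set b), purge its (O, atype) record (SMA rule)."""
        if not self._in_range(s, o):
            return False
        self.cells[self._idx(s, o)] &= ~atype
        if s in access_sets:
            access_sets[s].discard((o, atype))
        return True

    def to_bytes(self) -> bytes:
        return TAG + struct.pack("<H", self.n) + bytes(self.cells)

    @classmethod
    def from_bytes(cls, data: bytes) -> "AccessMatrix":
        """Parse and validate; a truncated or mis-tagged file is rejected rather than loaded partially."""
        if len(data) < 6 or data[:4] != TAG:
            raise ValueError("not an access matrix file")
        (n,) = struct.unpack("<H", data[4:6])
        cells = list(data[6:])
        if len(cells) != n * n or any(c & ~ALL_TYPES for c in cells):
            raise ValueError("corrupt access matrix file")
        return cls(n, cells)

    def save(self, path: str) -> None:
        """Write the single access matrix file kept on the trusted VM's disk."""
        with open(path, "wb") as f:
            f.write(self.to_bytes())

    @classmethod
    def load(cls, path: str) -> "AccessMatrix":
        """What the ACI module would do at VMM start before building its linked list."""
        with open(path, "rb") as f:
            return cls.from_bytes(f.read())


def build_sample() -> Tuple[AccessMatrix, Dict[int, Set[Tuple[int, int]]]]:
    """Constructed sample: four VM IDs (0 is trusted); VM1 is running with three open accesses."""
    m = AccessMatrix(4)
    m.grant(1, 2, RO)
    m.grant(1, 2, RW)
    m.grant(1, 3, RO)
    running_sets = {1: {(2, RO), (2, RW), (3, RO)}}
    return m, running_sets
```

The validation in `from_bytes` matters because the matrix is loaded into the monitor at start: a file whose length does not match the VM count, or whose cells carry bits outside the three access types, is refused instead of silently granting or truncating access rights.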
Compared with the prior art, the present invention has the following beneficial effects:
1. The present invention distinguishes the access types of communication and resource sharing between virtual machines, and the access decision module takes the concrete access type into account when deciding. A subject virtual machine may hold certain access types toward an object virtual machine without holding all of them; conversely, a subject virtual machine may lack one specific access type toward an object virtual machine while holding others. The prior art does not distinguish access types; its access control considers only two cases: 1. communication and resource sharing of any type between the virtual machines is allowed; 2. communication and resource sharing of any type between the virtual machines is not allowed. Performing access control per concrete access type makes the present invention more flexible than the prior art and better able to meet the security requirements of virtual machine applications.
2. The present invention allows virtual machines of different security levels to communicate and share resources without compromising information confidentiality, which promotes the application of virtual machine technology in a multilevel security environment. The prior art can use labels to identify different security levels of virtual machines, but virtual machines that do not carry the same label cannot communicate or share resources; in a multilevel security virtualized environment the prior art can only prevent communication and resource sharing between virtual machines of different security levels.
Description of drawings
Fig. 1 is a schematic diagram of the hierarchical relationship between the virtual machines in the embodiment of the invention;
Fig. 2 shows the relation between the Xen virtual machine monitor, the physical hardware and the virtual machine operating systems in the embodiment of the invention;
Fig. 3 is the system architecture diagram of the apparatus of the present invention;
Fig. 4 is a schematic diagram of two domains of the virtual machine monitor Xen exchanging data through shared memory during communication in the embodiment of the invention;
Fig. 5 is a schematic diagram of the communication mechanism between the virtual machine security information management module and the security management assisting module in the embodiment of the invention;
Fig. 6 is the flow chart of the access control performed by the access judgment module in the present embodiment.
Embodiment
The embodiments of the invention are described in detail below with reference to the accompanying drawings. The present embodiment is implemented on the premise of the technical scheme of the present invention and gives a detailed implementation and concrete operating process, but the protection scope of the present invention is not limited to the following embodiment.
As shown in Fig. 1, in the virtual machine hierarchy of the present embodiment the trusted virtual machine is the root node of the hierarchical relationship, and all other virtual machines are child nodes of the root node.
The present embodiment is implemented on the virtual machine monitor Xen. The Xen virtual machine monitor is an open-source virtual machine monitor project developed by the Computer Laboratory of the University of Cambridge. Fig. 2 shows the relation between the Xen virtual machine monitor, the physical hardware, the virtual machine (domain) operating systems and the application programs: the Xen virtual machine monitor controls the hardware resources directly and provides virtual resources to the domains running on it, isolates the execution environment of each domain operating system, and provides the mechanisms for communication and resource sharing between domains. Besides the above functions, the Xen virtual machine monitor also provides hypercalls for the domain operating systems to call; through hypercalls a domain operating system can request the Xen virtual machine monitor to perform operations that the operating system cannot perform by itself, such as modifying memory page tables or modifying data inside the virtual machine monitor.
The Xen virtual machine monitor provides two communication mechanisms between virtual machine domains, event channels and shared memory (grant tables), as follows:
An event channel is a synchronization method between two domains. An event channel is represented by two binary digits (bits): one bit represents the pending state of an event; when this bit is set to 1, the event handling function registered in advance by the domain is called to handle the event. The other bit represents the channel mask; when this bit is set to 1, the domain temporarily masks event handling for this event channel. Inside a paravirtualized domain, event channels are similar to the soft interrupt mechanism;
Shared memory is the method of transferring data between domains. With the help of the Xen virtual machine monitor, a domain can grant another domain access to a memory block it owns, or transfer the ownership of a memory block it owns to another domain. When a domain grants a memory block it owns to another domain, both domains can access this block of memory, and the grant can be revoked after the operation is completed; when a domain transfers the ownership of a memory block to another domain, it can no longer access this memory itself and at the same time loses control over it.
In the present embodiment, establishing an event channel and sending event notifications through it do not require the access judgment module to check the concrete access type: as long as the access matrix shows that the two domains may communicate, both sides can establish event channels and send event notifications to each other. Access types are defined for shared memory blocks between domains. As shown in Fig. 4, domain-1 shares a memory block it owns with domain-2, domain-2 maps this memory block into its own memory address space and then performs some type of operation on it; this block is called the shared memory. In the current communication process domain-2 is regarded as the subject and domain-1 as the object; the operation of domain-2 on the shared memory is equivalent to an operation of domain-2 on domain-1, and the access type is determined by the operation domain-2 performs on the shared memory:
For example, if domain-2 performs only read operations on the shared memory (read: within one access there are only read operations and no write operations), the access type is read-only (r);
If domain-2 performs read and write operations on the shared memory (write: within one access there are both read operations and write operations), the access type is read-write (w);
If domain-2 performs only write operations on the shared memory (append: within one access there are only write operations and no read operations), the access type is write-only (a). Write-only here means only that data is written into the shared memory without reading its content; no requirement is made on where the data is written, and in particular it is not required that the data be appended in order at the end of the shared memory.
The present embodiment relates to a mandatory access control method in a virtualized environment, comprising the following steps:
Step 1: in the virtual scene, designate one virtual machine as the trusted virtual machine with security management authority, and establish a hierarchical relationship with this trusted virtual machine as the root and the other virtual machines as child nodes of the trusted virtual machine, all virtual machines other than the trusted virtual machine having equal status;
In the present embodiment, a virtual machine in the Xen virtualized environment is called a domain, and the domain that has the authority to manage the other domains is called domain-0. Domain-0 is designated as the trusted virtual machine and the root of the virtual machine hierarchy, and the other domains are child nodes of domain-0.
Step 2: the trusted virtual machine uses a sensitive label to identify the security level of each individual virtual machine, said sensitive label comprising a security classification and a security category;
In the present embodiment, the set of security classifications is C = {C1, C2, C3, C4, C5, C6, C7, C8} with C1 > C2 > ... > C8, and any subset of K = {K1, K2, K3, ..., K16} is a security category. The security classification is represented by 3 binary digits and the security category by 16 binary digits. Because the order relation between security classifications can be compared directly as numerical values, C1 is defined to be represented in binary as 111, C2 as 110, ..., and C8 as 000. The 16 binary digits representing the security category indicate whether the access rights K1, K2, ..., K16 are held respectively: the i-th bit (1 ≤ i ≤ 16) being 1 means that access right Ki is held, and being 0 means that access right Ki is not held.
Step 3: the trusted virtual machine establishes an access matrix file which records the access type set of each virtual machine to the other virtual machines; the access types comprise three kinds, read-only, write-only and read-write, and the data in the access matrix file are loaded into the virtual machine monitor when the virtual machine monitor starts;
In the present embodiment, the access matrix file is kept on the disk of domain-0. The access matrix file is a binary file holding a one-dimensional sorted array whose elements are five-tuples (SID, OID, R, A, W), where SID is the identification number (ID) of the subject virtual machine, OID is the ID of the object virtual machine, R = 1 means that access type r is held and R = 0 that it is not, A = 1 means that access type a is held and A = 0 that it is not, and W = 1 means that access type w is held and W = 0 that it is not. The array is sorted in ascending order by the key (SID, OID). The IDs of the subject and object virtual machines equal the domain IDs of the domains they represent. A domain ID is represented with 13 binary digits and R, A and W with 1 binary digit each, so a five-tuple is expressed in 29 binary digits in total.
The domain ID is represented with 13 binary digits, the security classification with 3 binary digits and the security category with 16 binary digits in order to meet the requirement that, when each domain is started on the Xen virtual machine monitor, a 32-bit numerical parameter is passed to the virtual machine monitor; in the present embodiment this 32-bit parameter represents the domain ID, the security classification and the security category.
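The bit layout of the two binary encodings just described, as an added worked example in C; it is not code from the patent or from Xen. It packs the 32-bit domain start-up parameter (13-bit domain ID, 3-bit security classification, 16-bit security category) and the 29-bit access-matrix five-tuple (SID, OID, R, A, W), and checks that both decode back to their fields. The field order within each word, the function and field names, and the range check in class_code are assumptions of this example; the page specifies only the widths, the sort key (SID, OID) and the codes C1 = 111 to C8 = 000.

```c
#include <stdbool.h>
#include <stdint.h>

/* Field widths from the embodiment: 13-bit domain ID, 3-bit security
 * classification, 16-bit security category (13 + 3 + 16 = 32). Placing the
 * domain ID in the high bits and the category in the low bits is an
 * assumption of this example; the page fixes the widths, not the order. */
#define DOMID_BITS 13
#define CLASS_BITS 3
#define CAT_BITS   16
#define DOMID_MASK ((1u << DOMID_BITS) - 1)   /* 0x1FFF */
#define CLASS_MASK ((1u << CLASS_BITS) - 1)   /* 0x7 */
#define CAT_MASK   ((1u << CAT_BITS) - 1)     /* 0xFFFF */

/* Sensitive label: classification code and category bit set. */
struct label {
    uint8_t  cls;  /* C1 = 111b (7) ... C8 = 000b (0): larger code = higher classification */
    uint16_t cat;  /* bit i-1 set <=> access right K_i held, 1 <= i <= 16 */
};

/* Classification code for C_i: C1 -> 7, C2 -> 6, ..., C8 -> 0. 0xFF for i out of range. */
uint8_t class_code(int i)
{
    if (i < 1 || i > 8) return 0xFF;
    return (uint8_t)(8 - i);
}

/* Pack the 32-bit start-up parameter passed to the VMM when a domain boots. */
uint32_t pack_start_param(uint16_t domid, struct label l)
{
    return ((uint32_t)(domid & DOMID_MASK) << (CLASS_BITS + CAT_BITS))
         | ((uint32_t)(l.cls & CLASS_MASK) << CAT_BITS)
         | (uint32_t)(l.cat & CAT_MASK);
}

/* Inverse of pack_start_param: recover ID and label inside the VMM. */
void unpack_start_param(uint32_t p, uint16_t *domid, struct label *l)
{
    *domid = (uint16_t)((p >> (CLASS_BITS + CAT_BITS)) & DOMID_MASK);
    l->cls = (uint8_t)((p >> CAT_BITS) & CLASS_MASK);
    l->cat = (uint16_t)(p & CAT_MASK);
}

/* Access matrix element (SID, OID, R, A, W): 13 + 13 + 1 + 1 + 1 = 29 bits.
 * Layout (assumption): SID in bits 28..16, OID in bits 15..3, R bit 2, A bit 1, W bit 0. */
struct mat_entry {
    uint16_t sid, oid;
    bool r, a, w;   /* r = read-only, a = write-only (append), w = read-write */
};

uint32_t pack_entry(struct mat_entry e)
{
    return ((uint32_t)(e.sid & DOMID_MASK) << (DOMID_BITS + 3))
         | ((uint32_t)(e.oid & DOMID_MASK) << 3)
         | ((uint32_t)e.r << 2) | ((uint32_t)e.a << 1) | (uint32_t)e.w;
}

struct mat_entry unpack_entry(uint32_t v)
{
    struct mat_entry e;
    e.sid = (uint16_t)((v >> (DOMID_BITS + 3)) & DOMID_MASK);
    e.oid = (uint16_t)((v >> 3) & DOMID_MASK);
    e.r = (v >> 2) & 1u;
    e.a = (v >> 1) & 1u;
    e.w = v & 1u;
    return e;
}

/* Key order of the sorted array: ascending (SID, OID); result like strcmp. */
int entry_key_cmp(struct mat_entry x, struct mat_entry y)
{
    if (x.sid != y.sid) return x.sid < y.sid ? -1 : 1;
    if (x.oid != y.oid) return x.oid < y.oid ? -1 : 1;
    return 0;
}

/* Round-trip checks so the encodings can be verified without printing. */
bool start_param_roundtrip(uint16_t domid, struct label l)
{
    uint16_t d2;
    struct label l2;
    unpack_start_param(pack_start_param(domid, l), &d2, &l2);
    return d2 == domid && l2.cls == l.cls && l2.cat == l.cat;
}

bool entry_roundtrip(struct mat_entry e)
{
    struct mat_entry f = unpack_entry(pack_entry(e));
    return entry_key_cmp(e, f) == 0 && e.r == f.r && e.a == f.a && e.w == f.w;
}
```

Because the classification code is chosen so that a higher classification is a larger number, the classification part of two labels can be compared with an ordinary integer comparison, which is exactly the reason the embodiment gives for the 111 ... 000 assignment.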
Step 4: when a virtual machine starts, its ID and sensitive label are passed as parameters into the virtual machine monitor, which records this information and establishes a current access set b for this virtual machine to record the access types with which this virtual machine, as subject, is currently accessing every other virtual machine;
In the present embodiment, the elements of the current access set b are (OID, x) with x ∈ {r, w, a}, where OID is the ID of the object virtual machine and equals the ID of the object domain.
Step 5: when a communication or resource sharing behavior occurs, check whether the sensitive labels of the subject virtual machine and the object virtual machine and the access matrix satisfy the sensitive label security property and the access matrix security property; if they do, the subject virtual machine is allowed to access the object virtual machine, otherwise the access is not allowed and an error message is returned;
Said sensitive label security property means: when the subject virtual machine performs read-only access to the object virtual machine, the sensitive label of the subject virtual machine must dominate the sensitive label of the object virtual machine; when the subject virtual machine performs write-only access to the object virtual machine, the sensitive label of the subject virtual machine must be dominated by the sensitive label of the object virtual machine; when the subject virtual machine performs read-write access to the object virtual machine, the sensitive label of the subject virtual machine must equal the sensitive label of the object virtual machine;
Said access matrix security property means: when the subject virtual machine performs read-only, write-only or read-write access to the object virtual machine, that access type must be present in the access type set of the subject virtual machine to the object virtual machine in the access matrix.
Step 6: when step 5 returns that the access is allowed, a current access record is added to the current access set b of the subject virtual machine;
Step 7: when one access of the subject virtual machine to the object virtual machine ends, the corresponding current access record is deleted from the current access set b.
As shown in Fig. 3, the present embodiment relates to a mandatory access control apparatus in a virtualized environment, comprising: a virtual machine security information management module, an access control initialization module, a virtual machine state monitoring module, an access judgment module and a security management assisting module. The access control initialization module, the virtual machine state monitoring module, the access judgment module and the security management assisting module are all arranged inside the Xen virtual machine monitor, wherein:
the access control initialization module loads the access matrix from domain-0 into Xen during the Xen boot process and sets the security hook functions on the critical paths of domain start-up and shutdown and of communication and resource sharing between domains;
the access judgment module controls the communication and resource sharing behavior between domains;
the security management assisting module assists the virtual machine security information management module in managing the security information of the domains;
the virtual machine security information management module is arranged in domain-0 and manages the security information of the domains on behalf of the trusted virtual machine.
Said access control initialization module sets the security hook functions inside the Xen virtual machine monitor on the critical paths of domain start-up and shutdown, of establishing and using event channels and shared memory, and of ending resource sharing, so as to detect events such as a domain starting or shutting down, or an event channel or shared memory being established, used or closed to end resource sharing.
Said access control initialization module loads the access matrix file from domain-0 into Xen during the Xen boot process and then traverses the one-dimensional array of the access matrix, creating a linked list node for each array element and storing the component values of the five-tuple (SID, OID, R, A, W) in the node; finally all the nodes are connected into an ordered doubly linked list, so that the security management assisting module can add and delete matrix elements through the interface it provides to the virtual machine security information management module.
Said virtual machine state monitoring module, when a domain starts, uses the security hook function set by the access control initialization module to read the 32-bit integer parameter passed in at the start of the domain, records the ID and sensitive label of this domain in the virtual machine state monitoring module, creates an empty current access set b for this domain, looks up the starting position in the access matrix of the access type sets of this domain as subject to the domains as objects, and records this position with a pointer to speed up later searches of the access matrix.
Said access judgment module, when the security hook function set by the access control initialization module detects a shared memory event in which the subject virtual machine S accesses the object virtual machine O, performs access control by the flow shown in Fig. 6: the access judgment module first checks the access type and then makes a decision according to the type. The concrete process is explained below taking the read-only access type (r) as an example:
1. The access judgment module locates the access matrix and searches for the access type r using the ID of the subject virtual machine and the ID of the object virtual machine; if the search succeeds, the subsequent steps continue, otherwise the subject virtual machine S is refused access of type r to the object virtual machine O;
2. The access judgment module compares the security classifications of the subject virtual machine S and the object virtual machine O; if the security classification of S is greater than the security classification of O, the subsequent steps continue, otherwise S is refused access of type r to O;
3. The access judgment module compares the security categories of the subject virtual machine S and the object virtual machine O; if the security category of S includes the security category of O, S is allowed to access O with type r, otherwise S is refused access of type r to O.
When the access judgment module allows the subject virtual machine S to access O with type x, it adds a record (OID, x) to the current access set b of the domain represented by S. When the security hook function set by the access control initialization module detects that the operation of S on this shared memory block of the object virtual machine O has ended, i.e. the access grant of S to the shared memory of O is revoked, the access judgment module deletes the record (OID, x) from the current access set b of the domain represented by S.
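The access decision of steps 5 to 7 and of the flow in Fig. 6, as an added example in C; it is not the patent's or Xen's code. Given a constructed access matrix and constructed labels, request_access applies the access matrix property and then the sensitive label property for the three access types (r read-only, a write-only, w read-write), records (OID, x) in the subject's current access set b on success, and end_access removes the record when the access ends. It also applies the rule of claim 1 that the trusted virtual machine as subject is exempt from both checks. Dominance is implemented as "classification not lower and category a superset", i.e. with >=, which is an assumption of this example: the read-only walk-through above phrases the classification comparison as "greater than". All domain IDs, labels and matrix entries in demo_decisions are constructed sample data, and the function and field names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Access types of the embodiment: r read-only, w read-write, a write-only (append). */
enum access_type { ACC_R = 'r', ACC_W = 'w', ACC_A = 'a' };

struct label { uint8_t cls; uint16_t cat; };   /* classification code, category bit set */

struct vm {
    uint16_t id;
    struct label lbl;
    bool trusted;   /* the trusted VM (domain-0) bypasses both checks as subject (claim 1) */
};

/* Access matrix element (SID, OID, R, A, W). */
struct mat_entry { uint16_t sid, oid; bool r, a, w; };

/* Current access set b of one subject domain: records (OID, x). */
#define MAX_B 16
struct access_rec { uint16_t oid; enum access_type x; };
struct cur_access { struct access_rec rec[MAX_B]; size_t n; };

/* Label dominance (assumption: >= on classification, superset on category). */
static bool dominates(struct label a, struct label b)
{
    return a.cls >= b.cls && (a.cat & b.cat) == b.cat;
}

static bool label_eq(struct label a, struct label b)
{
    return a.cls == b.cls && a.cat == b.cat;
}

/* Access matrix security property: x is in the access type set of (S, O). */
bool matrix_allows(const struct mat_entry *m, size_t n,
                   uint16_t sid, uint16_t oid, enum access_type x)
{
    for (size_t i = 0; i < n; i++) {
        if (m[i].sid != sid || m[i].oid != oid) continue;
        switch (x) {
        case ACC_R: return m[i].r;
        case ACC_A: return m[i].a;
        case ACC_W: return m[i].w;
        }
    }
    return false;   /* no entry for (S, O): no access type at all */
}

/* Sensitive label security property for subject label s and object label o. */
bool label_allows(struct label s, struct label o, enum access_type x)
{
    switch (x) {
    case ACC_R: return dominates(s, o);   /* read-only: subject dominates object */
    case ACC_A: return dominates(o, s);   /* write-only: subject dominated by object */
    case ACC_W: return label_eq(s, o);    /* read-write: labels equal */
    }
    return false;
}

/* Steps 5 and 6: decide, and on success record (OID, x) in the subject's set b. */
bool request_access(const struct mat_entry *m, size_t n,
                    const struct vm *s, const struct vm *o,
                    enum access_type x, struct cur_access *b)
{
    if (!s->trusted) {
        if (!matrix_allows(m, n, s->id, o->id, x)) return false;
        if (!label_allows(s->lbl, o->lbl, x)) return false;
    }
    if (b->n >= MAX_B) return false;   /* capacity bound of this example, not from the page */
    b->rec[b->n].oid = o->id;
    b->rec[b->n].x = x;
    b->n++;
    return true;
}

/* Step 7: remove one (OID, x) record when the access ends. */
bool end_access(struct cur_access *b, uint16_t oid, enum access_type x)
{
    for (size_t i = 0; i < b->n; i++) {
        if (b->rec[i].oid == oid && b->rec[i].x == x) {
            b->rec[i] = b->rec[b->n - 1];   /* order is irrelevant in a set */
            b->n--;
            return true;
        }
    }
    return false;
}

/* Constructed scenario (not from the page): three domains plus trusted domain-0.
 * Returns a bit mask of the decisions so the whole sequence can be checked at once. */
unsigned demo_decisions(void)
{
    const struct mat_entry m[] = {
        {1, 2, true,  false, false},   /* 1 may read 2 */
        {2, 1, false, true,  false},   /* 2 may write-only to 1 */
        {3, 1, false, false, true},    /* 3 may read-write 1 */
    };
    const size_t n = sizeof m / sizeof m[0];
    const struct vm d0 = {0, {7, 0xFFFF}, true};
    const struct vm d1 = {1, {5, 0x0003}, false};
    const struct vm d2 = {2, {3, 0x0001}, false};
    const struct vm d3 = {3, {5, 0x0003}, false};
    struct cur_access b0 = {.n = 0}, b1 = {.n = 0}, b2 = {.n = 0}, b3 = {.n = 0};
    unsigned bits = 0;

    bits |= request_access(m, n, &d1, &d2, ACC_R, &b1) << 0;   /* allowed: matrix + 1 dominates 2 */
    bits |= request_access(m, n, &d1, &d2, ACC_A, &b1) << 1;   /* denied: a not in matrix */
    bits |= request_access(m, n, &d2, &d1, ACC_A, &b2) << 2;   /* allowed: 2 dominated by 1 */
    bits |= request_access(m, n, &d2, &d1, ACC_R, &b2) << 3;   /* denied: r not in matrix */
    bits |= request_access(m, n, &d3, &d1, ACC_W, &b3) << 4;   /* allowed: equal labels */
    bits |= request_access(m, n, &d3, &d2, ACC_R, &b3) << 5;   /* denied: no matrix entry */
    bits |= request_access(m, n, &d0, &d2, ACC_W, &b0) << 6;   /* allowed: trusted subject */
    bits |= end_access(&b1, 2, ACC_R) << 7;                    /* record removed */
    bits |= end_access(&b1, 2, ACC_R) << 8;                    /* nothing left to remove */
    bits |= (b2.n == 1 && b3.n == 1 && b1.n == 0) << 9;        /* resulting set sizes */
    return bits;
}
```

The matrix check runs first, mirroring step 1 of the walk-through, so a label comparison is only reached for pairs the trusted virtual machine has explicitly related; a missing matrix entry denies every type.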
When the security hook function set by the access control initialization module detects a domain shutdown event, the virtual machine state monitoring module deletes the current access set b of this domain and removes the ID and sensitive label information of this domain from inside the virtual machine monitor.
As shown in Fig. 5, said virtual machine security information management module is arranged inside the trusted virtual machine domain-0 and can call the security management assisting module inside the Xen virtual machine monitor to manage the security information of the domains together with it. The communication mechanism between the virtual machine security information management module and the security management assisting module is as follows: domain-0 runs a Linux operating system, and the virtual machine security information management module is a program running in user mode; when it calls a function of the security management assisting module, it first uses the user-mode libxenctrl library to send a message to the kernel module privcmd running in kernel mode in domain-0; after the privcmd module receives the message, it calls through a hypercall the interface function provided by the security management assisting module to manage the sensitive label information of the domains and the access matrix inside the Xen virtual machine monitor.
Said virtual machine security information management module can, in domain-0, use sensitive labels to identify the security levels of the other domains and grant or revoke in the access matrix the access types of a domain to the other domains. The operation results of the virtual machine security information management module are kept in the sensitive label file and the access matrix file in domain-0 and are also transferred into the Xen virtual machine monitor through the interface provided by the security management assisting module. For a running domain, the virtual machine security information management module outputs into the Xen virtual machine monitor both the result of identifying the security level of the domain with a sensitive label and the result of setting the access matrix; for a domain that is not running, it outputs into the Xen virtual machine monitor only the result of setting the access matrix, while the result of identifying the security level of the domain with a sensitive label is not output into the Xen virtual machine monitor.
When the virtual machine security information management module uses a sensitive label to identify the security level of a running domain, the security management assisting module must traverse the current access sets b of all running domains and check whether the six security properties of the current access sets b are satisfied. If any of the properties is not satisfied, the security management assisting module returns a failure message and the operation of the virtual machine security information management module fails; if all six properties are satisfied, the security management assisting module returns a success message, the operation succeeds, the sensitive label of the identified domain is output into the virtual machine monitor, and the sensitive label of this domain inside the Xen virtual machine monitor is updated immediately. When the virtual machine security information management module sets the access matrix, if access type x is deleted from the access type set of the subject virtual machine S to the object virtual machine O and the domain represented by S is running, the record of S accessing O with type x must be deleted from the current access set b of the domain represented by S; if access type x is added to the access type set of S to O, the security management assisting module need not modify the current access set b of the domain represented by S. When the virtual machine security information management module sets the access type set of the subject virtual machine S to the object virtual machine O, it must, besides saving the modification result in the access matrix file, also output the modification result of the access matrix into the Xen virtual machine monitor.
In a multilevel-security virtualized environment the present embodiment can control more flexibly the communication and resource sharing of different access types between domains, and domains of different security levels can communicate and share resources. By contrast, the prior art (the method proposed by Reiner Sailer et al.) does not consider the concrete access types of communication and resource sharing between virtual machines and cannot let virtual machines of different security levels communicate or share resources.

Claims (6)

1. A mandatory access control method in a virtualized environment, characterized in that it comprises the following steps:
Step 1: in the virtual scene, designate one virtual machine as the trusted virtual machine with security management authority, and establish a hierarchical relationship with this trusted virtual machine as the root and the other virtual machines as child nodes of the trusted virtual machine, all virtual machines other than the trusted virtual machine having equal status;
Step 2: the trusted virtual machine uses sensitive labels to identify the security levels of the other individual virtual machines, said sensitive label comprising a security classification and a security category;
Step 3: the trusted virtual machine establishes an access matrix file which records the access type set of each virtual machine, including the trusted virtual machine, to the other virtual machines; the access types comprise three kinds, read-only, write-only and read-write, and the data in the access matrix are loaded into the virtual machine monitor when the virtual machine monitor starts;
Step 4: when a virtual machine starts, its ID and sensitive label are passed as parameters into the virtual machine monitor, which records this information and establishes a current access set b for this virtual machine to record all the accesses of some type that this virtual machine, as subject, is currently making to object virtual machines; the current access set b comprises the access type set;
Step 5: when a communication or resource sharing behavior occurs, check whether the sensitive labels of the subject virtual machine and the object virtual machine and the access matrix satisfy the sensitive label security property and the access matrix security property; if they do, the subject virtual machine is allowed to access the object, otherwise the subject virtual machine is not allowed to access the object and an error message is returned;
Said sensitive label security property means: when the subject virtual machine performs read-only access to the object virtual machine, the sensitive label of the subject virtual machine must dominate the sensitive label of the object virtual machine; when the subject virtual machine performs write-only access to the object virtual machine, the sensitive label of the subject virtual machine must be dominated by the sensitive label of the object virtual machine; when the subject virtual machine performs read-write access to the object virtual machine, the sensitive label of the subject virtual machine must equal the sensitive label of the object virtual machine;
Said access matrix security property means: when the subject virtual machine performs read-only, write-only or read-write access to the object virtual machine, that access type must be present in the access type set of the subject virtual machine to the object virtual machine in the access matrix;
Step 6: when step 5 returns that the access is allowed, a current access record is added to the current access set b of the subject virtual machine;
Step 7: when one access of the subject virtual machine to the object virtual machine ends, the corresponding current access record is deleted from the current access set b;
the sensitive labels of the virtual machines other than the trusted virtual machine, wherein the security classification takes the form of a numerical value and the security category is a set of certain access rights, each element of the set representing a specific access right; the relation between two sensitive labels is one of dominating and being dominated, equal, or incomparable;
said identifying of the security level of an individual virtual machine is specifically as follows: if the identified virtual machine has no sensitive label, the security level of this virtual machine is identified directly with the sensitive label; if the identified virtual machine already has a sensitive label, a new sensitive label is used to identify the security level of this virtual machine again, i.e. the security level of this virtual machine is adjusted; if the virtual machine is running when its security level is identified, the current access sets b of all running virtual machines must at the same time satisfy the following six security properties of the current access sets b for the identification operation to succeed:
(1) the new sensitive label of the identified virtual machine dominates the sensitive labels of all other running virtual machines whose current access set b contains a write-only access to the identified virtual machine;
(2) the sensitive labels of all other running virtual machines whose current access set b contains a read-only access to the identified virtual machine dominate the new sensitive label of the identified virtual machine;
(3) the sensitive labels of all other running virtual machines whose current access set b contains a read-write access to the identified virtual machine equal the new sensitive label of the identified virtual machine;
(4) the new sensitive label of the identified virtual machine must dominate the sensitive labels of all other virtual machines to which, according to its own current access set b, this virtual machine has read-only access;
(5) the sensitive labels of all other virtual machines to which, according to the identified virtual machine's own current access set b, it has write-only access dominate the new sensitive label of this virtual machine;
(6) the new sensitive label of the identified virtual machine equals the sensitive labels of all other virtual machines to which, according to its own current access set b, this virtual machine has read-write access;
in said access type set of each virtual machine to the other virtual machines, the access type set of the other virtual machines to the trusted virtual machine cannot be set, i.e. no other virtual machine can communicate with the trusted virtual machine as subject, and the trusted virtual machine never appears as an object in a communication process;
when said communication or resource sharing behavior occurs, if the subject virtual machine in the communication process is the trusted virtual machine, it is not constrained by the two conditions of the sensitive label security property and the access matrix security property, i.e. the trusted virtual machine can access the other virtual machines with any access type.
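The check of the six current-access-set properties that the security management assisting module performs before relabeling a running virtual machine (described in the embodiment and enumerated in claim 1 above), as an added example in C that is not the patent's code. relabel_check walks the current access sets b of all running virtual machines and returns 0 when the new label keeps every in-progress access consistent, or the number of the first violated property. Dominance is again taken as classification >= and category superset (an assumption of this example); the four domains, their labels and their current accesses in demo_relabel are constructed sample data, and the function and field names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum access_type { ACC_R = 'r', ACC_W = 'w', ACC_A = 'a' };  /* read-only, read-write, write-only */
struct label { uint8_t cls; uint16_t cat; };
struct access_rec { uint16_t oid; enum access_type x; };

#define MAX_B 8
/* A running virtual machine as the VMM records it: ID, sensitive label, current access set b. */
struct running_vm {
    uint16_t id;
    struct label lbl;
    struct access_rec b[MAX_B];
    size_t nb;
};

/* Label dominance (assumption: >= on classification, superset on category). */
static bool dominates(struct label a, struct label b)
{
    return a.cls >= b.cls && (a.cat & b.cat) == b.cat;
}

static bool label_eq(struct label a, struct label b)
{
    return a.cls == b.cls && a.cat == b.cat;
}

static const struct running_vm *find_vm(const struct running_vm *vms, size_t n, uint16_t id)
{
    for (size_t i = 0; i < n; i++)
        if (vms[i].id == id) return &vms[i];
    return NULL;
}

/* Check whether relabeling running VM v_id with new label nl keeps every current
 * access consistent. Returns 0 when all six properties hold, 1..6 for the first
 * property found violated (properties (1)-(3) over the other VMs' sets b are
 * checked first, then (4)-(6) over the VM's own set b), or -1 if v_id is not running. */
int relabel_check(const struct running_vm *vms, size_t n, uint16_t v_id, struct label nl)
{
    const struct running_vm *v = find_vm(vms, n, v_id);
    if (!v) return -1;

    /* Properties (1)-(3): other running VMs U whose set b contains an access to V. */
    for (size_t i = 0; i < n; i++) {
        const struct running_vm *u = &vms[i];
        if (u->id == v_id) continue;
        for (size_t k = 0; k < u->nb; k++) {
            if (u->b[k].oid != v_id) continue;
            switch (u->b[k].x) {
            case ACC_A: if (!dominates(nl, u->lbl)) return 1; break;  /* U writes V: new label dominates U */
            case ACC_R: if (!dominates(u->lbl, nl)) return 2; break;  /* U reads V: U dominates new label */
            case ACC_W: if (!label_eq(u->lbl, nl)) return 3; break;   /* U read-writes V: labels equal */
            }
        }
    }
    /* Properties (4)-(6): V's own set b, compared against the objects' labels. */
    for (size_t k = 0; k < v->nb; k++) {
        const struct running_vm *o = find_vm(vms, n, v->b[k].oid);
        if (!o) return -1;   /* the object of a current access must itself be running */
        switch (v->b[k].x) {
        case ACC_R: if (!dominates(nl, o->lbl)) return 4; break;  /* V reads O: new label dominates O */
        case ACC_A: if (!dominates(o->lbl, nl)) return 5; break;  /* V writes O: O dominates new label */
        case ACC_W: if (!label_eq(nl, o->lbl)) return 6; break;   /* V read-writes O: labels equal */
        }
    }
    return 0;
}

/* Constructed scenario (not from the page): four running domains whose current
 * accesses already satisfy the label property. Returns relabel_check for v_id. */
int demo_relabel(uint16_t v_id, uint8_t cls, uint16_t cat)
{
    const struct running_vm vms[] = {
        {1, {5, 0x3}, {{2, ACC_R}}, 1},               /* 1 reads 2           */
        {2, {3, 0x1}, {{1, ACC_A}}, 1},               /* 2 writes 1          */
        {3, {5, 0x3}, {{1, ACC_W}}, 1},               /* 3 read-writes 1     */
        {4, {5, 0x3}, {{1, ACC_A}, {2, ACC_R}}, 2},   /* 4 writes 1, reads 2 */
    };
    return relabel_check(vms, sizeof vms / sizeof vms[0], v_id, (struct label){cls, cat});
}
```

Properties (1) to (3) look at the relabeled machine as an object of other machines' accesses and (4) to (6) at it as a subject; together they are the sensitive label security property of step 5 re-evaluated against the new label for every access still in progress, which is why a relabel that passes leaves no running access in violation.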
2. A mandatory access control apparatus in a virtualized environment according to the method of claim 1, characterized in that it comprises: a virtual machine security information management module, an access control initialization module, a virtual machine state monitoring module, an access judgment module and a security management assisting module, wherein
the virtual machine security information management module is arranged in the trusted virtual machine; it establishes the hierarchical relationship of the virtual machines with the trusted virtual machine as root and the other virtual machines as child nodes, and at the same time, as the trusted virtual machine, uses sensitive labels to identify the security levels of the other virtual machines and sets in the access matrix the access type set of each virtual machine to the other virtual machines; the results of the above operations are saved in a disk file of the trusted virtual machine on the one hand and output into the virtual machine monitor on the other hand;
the access control initialization module is arranged inside the virtual machine monitor; during the start-up of the virtual machine monitor it loads the access matrix from the disk of the trusted virtual machine into the virtual machine monitor, and sets security hook functions on the critical paths of virtual machine start-up and shutdown and of communication and resource sharing between virtual machines for use by the virtual machine state monitoring module and the access judgment module;
the virtual machine state monitoring module is arranged inside the virtual machine monitor; it uses the security hook functions set by the access control initialization module to monitor virtual machine start-up events and shutdown events; when a virtual machine start-up event occurs, the virtual machine state monitoring module obtains the ID and sensitive label of this virtual machine, saves them inside the virtual machine monitor, and creates an empty current access set b for this virtual machine; when a virtual machine shutdown event occurs, the virtual machine state monitoring module removes the ID, sensitive label and current access set b of this virtual machine from inside the virtual machine monitor;
the access judgment module is arranged inside the virtual machine monitor; it uses the security hook functions set by the access control initialization module to monitor communication and resource sharing events between virtual machines, and judges whether the sensitive labels of the subject virtual machine and the object virtual machine and the access matrix satisfy the sensitive label security property and the access matrix security property; if they do, the subject virtual machine is allowed to access the object virtual machine; when a subject virtual machine ends one access to an object virtual machine, the access judgment module deletes the current access record from the current access set b of the subject virtual machine;
the security management assisting module is arranged inside the virtual machine monitor; when the virtual machine security information management module uses a sensitive label to identify the security level of a running virtual machine, the security management assisting module checks whether the current access sets b of all running virtual machines satisfy the above six security properties of the current access sets b, to judge whether the operation of the virtual machine security information management module can succeed; when the virtual machine security information management module deletes an access type from the access type set of a subject virtual machine to an object virtual machine, if the subject virtual machine is running, the security management assisting module deletes from the current access set b of the subject virtual machine the access type of the subject virtual machine to the object virtual machine; the security management assisting module also provides interfaces for the virtual machine security information management module, which uses these interfaces to output into the virtual machine monitor the results of identifying virtual machine security levels with sensitive labels and of setting the access matrix.
3. The mandatory access control apparatus in a virtualized environment according to claim 2, characterized in that the virtual machine security information management module saves the established hierarchical relationship among virtual machines in a hierarchy file on the trusted virtual machine's disk, the content of which describes the hierarchy using a tree data structure. The generated sensitive label information and the access matrix data are stored separately in disk files of the trusted virtual machine. The sensitive label information is kept in per-virtual-machine sensitive label files: each virtual machine has its own sensitive label file, which contains, in addition to the virtual machine's security classification and security category, the virtual machine's ID number. The ID number is the index of that virtual machine in the access matrix and remains unchanged until the virtual machine is deleted from the system. The virtual machine security information management module keeps the access matrix data in an access matrix file; the whole system has only one access matrix file, which is a binary file holding the binary form of the one-dimensional ordered array that represents the access matrix.
The virtual machine security information management module transfers its operation results into the virtual machine monitor through the interfaces provided by the security management assistance module. For running virtual machines, it outputs into the virtual machine monitor both the result of identifying the virtual machine's security level with a sensitive label and the result of setting the access matrix. For virtual machines that are not running, it outputs only the result of setting the access matrix; the result of identifying the security level with a sensitive label is not output into the virtual machine monitor. Once the results have been output into the virtual machine monitor, the access decision module uses the sensitive labels and access matrix as updated by the virtual machine security information management module when deciding on communication between virtual machines.
4. The mandatory access control apparatus in a virtualized environment according to claim 2, characterized in that, when the virtual machine monitor starts, the access control initialization module loads the data of the access matrix file from the trusted virtual machine's disk into the virtual machine monitor, then traverses the one-dimensional array of the access matrix, creates a linked-list node for each array element, stores the content of the array element in that node, and finally links all nodes into an ordered doubly linked list, so that the security management assistance module can add and delete elements of the matrix through the interfaces it provides to the virtual machine security information management module.
The access control initialization module installs security hook functions on the critical paths of virtual machine startup and shutdown and of inter-virtual-machine communication and resource sharing; the security hook functions execute when virtual machine startup, shutdown, inter-virtual-machine communication and resource-sharing events occur. The concrete operations of the security hook functions are implemented by the virtual machine state monitoring module and the access decision module respectively, and the return values of the security hook functions are likewise determined by the virtual machine state monitoring module and the access decision module respectively.
5. The mandatory access control apparatus in a virtualized environment according to claim 2, characterized in that the access decision module uses the security hook functions installed by the access control initialization module to monitor inter-virtual-machine communication and resource sharing behaviour. When such behaviour occurs between virtual machines, the security hook function first obtains the access type of the behaviour and the sensitive labels of the subject virtual machine S and the object virtual machine O; it then queries the access matrix for the access type set of subject virtual machine S on object virtual machine O; it then uses the information obtained to judge whether the sensitive labels of the subject and object virtual machines and the access matrix satisfy the sensitive-label security property and the access-matrix security property. If the final decision is to allow, an access record is added to the subject virtual machine's current access set b and the subject virtual machine's access to the object virtual machine proceeds; if the decision is to deny, the subject virtual machine's access to the object virtual machine is blocked and an error message is returned.
The access decision module also uses the security hook functions installed by the access control initialization module to monitor the end of inter-virtual-machine communication and resource sharing behaviour. When such an event occurs, the security hook function first obtains the ID numbers of the subject virtual machine and the object virtual machine and the type of the access, and then deletes that access record from the subject virtual machine's current access set b.
6. The mandatory access control apparatus in a virtualized environment according to claim 2, characterized in that, when the virtual machine security information management module uses a sensitive label to identify the security level of a running virtual machine, the security management assistance module traverses the current access sets b of all running virtual machines and checks whether the six security properties of the current access set b described above are satisfied. If any security property is not satisfied, it returns a failure message and the operation of the virtual machine security information management module fails. If all six security properties are satisfied, it returns a success message and the operation succeeds; immediately after the operation succeeds, the virtual machine security information management module outputs the identified virtual machine's sensitive label into the virtual machine monitor through the interface provided by the security management assistance module, updating the sensitive label held inside the virtual machine monitor for the virtual machine whose labelling succeeded. If the virtual machine being labelled by the virtual machine security information management module is not running, no interaction with the security management assistance module is needed during labelling, and the virtual machine's sensitive label need not be output into the virtual machine monitor immediately after labelling.
When the virtual machine security information management module sets the access matrix: if the operation deletes access type x from the access type set of subject virtual machine S on object virtual machine O, and the virtual machine represented by S is running, the security management assistance module must delete from S's current access set b the record of S accessing O with access type x; if the operation adds access type x to the access type set of subject virtual machine S on object virtual machine O, the security management assistance module needs no additional operation.
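The following model of the reference-monitor behaviour in claims 2 to 6 is an added example written for this page; it is not the patent's code. Because claim 1 is not reproduced here, the two security properties and the consistency check are assumptions: the sensitive-label property is taken to be Bell-LaPadula dominance (a read requires the subject label to dominate the object label, a write requires the object label to dominate the subject label), the access-matrix property is that the access type appears in the matrix entry for (S, O), and the check over the current access sets b is that every recorded access would still be permitted under the proposed labels and matrix. The access types, VM IDs and the dictionary standing in for the trusted VM's label files are likewise constructed for the example.

```python
# Added illustration of claims 2 to 6; not the patent's code.  Assumed here:
# Bell-LaPadula dominance as the sensitive-label security property, membership
# in the (S, O) matrix entry as the access-matrix security property, and
# "every current access stays legal" as the check over the access sets b.
from dataclasses import dataclass

READ, WRITE = "read", "write"   # assumed access types


@dataclass(frozen=True)
class Label:
    """Sensitive label: security classification plus security category set."""
    classification: int
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        return (self.classification >= other.classification
                and self.categories >= other.categories)


class Monitor:
    def __init__(self):
        self.stored_labels = {}  # stands in for the per-VM label files on the trusted VM
        self.matrix = {}         # (S, O) -> set of permitted access types
        self.labels = {}         # VMM-resident labels, running VMs only
        self.b = {}              # VMM-resident current access set b per running VM

    # -- virtual machine state monitoring module (claim 2) --
    def vm_start(self, vm):
        self.labels[vm] = self.stored_labels[vm]   # label read at startup, kept in the VMM
        self.b[vm] = set()

    def vm_stop(self, vm):
        self.labels.pop(vm, None)
        self.b.pop(vm, None)
        for accesses in self.b.values():            # accesses onto a stopped VM end with it
            accesses.difference_update({r for r in accesses if r[0] == vm})

    # -- access decision module (claims 2 and 5) --
    def _label_ok(self, s, o, atype, labels) -> bool:
        ls, lo = labels[s], labels[o]
        if atype == READ:
            return ls.dominates(lo)      # no read up
        if atype == WRITE:
            return lo.dominates(ls)      # no write down
        return False

    def _matrix_ok(self, s, o, atype, matrix) -> bool:
        return atype in matrix.get((s, o), set())

    def begin_access(self, s, o, atype) -> bool:
        """Hook at the start of inter-VM communication: allow and record, or deny."""
        if s not in self.labels or o not in self.labels:
            return False
        if self._label_ok(s, o, atype, self.labels) and self._matrix_ok(s, o, atype, self.matrix):
            self.b[s].add((o, atype))
            return True
        return False

    def end_access(self, s, o, atype):
        """Hook at the end of inter-VM communication: drop the record from b."""
        self.b.get(s, set()).discard((o, atype))

    # -- security management assistance module (claims 2 and 6) --
    def _b_consistent(self, labels, matrix) -> bool:
        return all(self._label_ok(s, o, t, labels) and self._matrix_ok(s, o, t, matrix)
                   for s, accesses in self.b.items() for o, t in accesses)

    def set_label(self, vm, label) -> bool:
        """Relabel a VM; refused for a running VM if any current access would become illegal."""
        if vm in self.labels:
            trial = dict(self.labels)
            trial[vm] = label
            if not self._b_consistent(trial, self.matrix):
                return False
            self.labels[vm] = label          # running: output into the VMM immediately
        self.stored_labels[vm] = label       # always update the label file
        return True

    def add_access_type(self, s, o, atype):
        self.matrix.setdefault((s, o), set()).add(atype)    # no cleanup of b needed

    def remove_access_type(self, s, o, atype):
        self.matrix.get((s, o), set()).discard(atype)
        if s in self.b:                                     # S running: purge its record
            self.b[s].discard((o, atype))


def scenario() -> dict:
    """Constructed two-VM walk-through; VM 1 is the more sensitive machine."""
    m = Monitor()
    m.set_label(1, Label(2, frozenset({"a"})))
    m.set_label(2, Label(1, frozenset()))
    m.vm_start(1)
    m.vm_start(2)
    for s, o, t in ((1, 2, READ), (1, 2, WRITE), (2, 1, WRITE)):
        m.add_access_type(s, o, t)
    out = {}
    out["1_reads_2"] = m.begin_access(1, 2, READ)      # read down: allowed
    out["1_writes_2"] = m.begin_access(1, 2, WRITE)    # write down: denied by labels
    out["2_writes_1"] = m.begin_access(2, 1, WRITE)    # write up: allowed
    out["2_reads_1"] = m.begin_access(2, 1, READ)      # read up and not in matrix: denied
    out["raise_2_while_read"] = m.set_label(2, Label(3, frozenset()))  # VM 1 still reading VM 2
    m.end_access(1, 2, READ)
    out["relabel_2_after_end"] = m.set_label(2, Label(1, frozenset({"a"})))
    m.remove_access_type(2, 1, WRITE)
    out["b2_after_remove"] = len(m.b[2])
    return out


if __name__ == "__main__":
    print(scenario())
```

The relabel refusal in `scenario()` is the point of the assistance module in claim 6: raising VM 2's classification while VM 1 is still reading from it would leave a record in b that the new labels forbid, so the operation fails and the old label stays in the virtual machine monitor; the same record becomes legal once the access has ended. Removing an access type from the matrix, by contrast, never fails but purges the matching record from the running subject's b, as claim 6 describes.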
CN200810203451XA 2008-11-27 2008-11-27 Forced access control method and apparatus in virtual environment Expired - Fee Related CN101452397B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810203451XA CN101452397B (en) 2008-11-27 2008-11-27 Forced access control method and apparatus in virtual environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810203451XA CN101452397B (en) 2008-11-27 2008-11-27 Forced access control method and apparatus in virtual environment

Publications (2)

Publication Number Publication Date
CN101452397A CN101452397A (en) 2009-06-10
CN101452397B true CN101452397B (en) 2012-08-22

Family

ID=40734645

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810203451XA Expired - Fee Related CN101452397B (en) 2008-11-27 2008-11-27 Forced access control method and apparatus in virtual environment

Country Status (1)

Country Link
CN (1) CN101452397B (en)

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102200925B (en) * 2010-03-22 2015-04-29 联想(北京)有限公司 Data access method of application virtual domains, virtual machine manager and computer
WO2011148376A2 (en) * 2010-05-27 2011-12-01 Varonis Systems, Inc. Data classification
CN101917410B (en) * 2010-07-26 2013-03-13 中国科学院计算技术研究所 Method for verifying unipolarity of information flow for authorization system
EP2609539B1 (en) * 2010-08-27 2016-10-05 Hewlett-Packard Development Company, L.P. Virtual hotplug techniques
CN102571698B (en) * 2010-12-17 2017-03-22 ***通信集团公司 Access authority control method, system and device for virtual machine
CN102368760B (en) * 2010-12-31 2014-10-22 中国人民解放军信息工程大学 Data secure transmission method among multilevel information systems
CN102707985A (en) * 2011-03-28 2012-10-03 中兴通讯股份有限公司 Access control method and system for virtual machine system
CN102811239B (en) * 2011-06-03 2017-09-12 中兴通讯股份有限公司 A kind of dummy machine system and its method of controlling security
WO2012159231A1 (en) * 2011-07-25 2012-11-29 华为技术有限公司 Access control method and access control server
TWI451245B (en) * 2011-09-14 2014-09-01 Inst Information Industry Virtual machine monitoring method, system and computer readable storage medium for storing thereof
CN102495988A (en) * 2011-12-19 2012-06-13 北京诺思恒信科技有限公司 Domain-based access control method and system
EP2696303B1 (en) * 2012-08-03 2017-05-10 Alcatel Lucent Mandatory access control (MAC) in virtual machines
US8997080B2 (en) * 2013-02-11 2015-03-31 Citrix Systems, Inc. System updates with personal virtual disks
CN103442033A (en) * 2013-08-06 2013-12-11 杭州华三通信技术有限公司 Running state information synchronizing method and device
CN104751061B (en) * 2013-12-30 2018-04-27 ***股份有限公司 Equipment and device for safety information interaction
CN104991809A (en) * 2015-06-18 2015-10-21 浪潮电子信息产业股份有限公司 Virtual machine admission method and apparatus based on trusted computing
CN105117273A (en) * 2015-09-11 2015-12-02 中科信息安全共性技术国家工程研究中心有限公司 Method and system for obtaining client process information in xen virtualization platform
CN105335212A (en) * 2015-10-23 2016-02-17 浪潮电子信息产业股份有限公司 Cloud computing mandatory access control method based on distributed implementation
CN105511940B (en) * 2015-11-30 2019-02-01 云宏信息科技股份有限公司 The method and system of authorization virtual machine access Xenstore in a kind of Xen virtualization
CN105701416B (en) 2016-01-11 2019-04-05 华为技术有限公司 Forced access control method, device and physical host
CN105678176A (en) * 2016-01-15 2016-06-15 瑞达信息安全产业股份有限公司 Mandatory access control method under virtual environment
CN107203722B (en) * 2016-03-16 2020-01-14 中国电子科技集团公司电子科学研究院 Virtualization data isolation exchange method and device
CN108345491B (en) * 2017-01-24 2021-08-13 北京航空航天大学 Cross-platform virtual machine mandatory access control method in cloud computing environment
CN109445902B (en) * 2018-09-06 2021-05-07 新华三云计算技术有限公司 Data operation method and system
CN109951527B (en) * 2019-02-20 2020-08-25 华东师范大学 Virtualization system-oriented hypervisor integrity detection method
CN110197062B (en) * 2019-05-29 2022-03-15 轲飞(北京)环保科技有限公司 Virtual machine dynamic access control method and control system
CN110381040A (en) * 2019-06-28 2019-10-25 中国人民解放军63921部队 A kind of system of High Security Level net concurrent access Low Security Level net
CN113407304B (en) * 2021-05-28 2023-04-11 济南浪潮数据技术有限公司 Virtual machine scheduling and security access method, device, equipment and readable medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1918549A (en) * 2003-12-22 2007-02-21 太阳微***有限公司 Framework for providing a security context and configurable firewall for computing systems
WO2007130386A2 (en) * 2006-05-01 2007-11-15 Mediatek Inc. Method and apparatus for secure context switching in a system including a processor and cached virtual memory
CN101290586A (en) * 2008-06-06 2008-10-22 华中科技大学 Dummy machine concealed flow control method based on priority china wall policy
CN101305333A (en) * 2003-11-26 2008-11-12 国际商业机器公司 Tamper-resistant trusted virtual machine

Also Published As

Publication number Publication date
CN101452397A (en) 2009-06-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120822

Termination date: 20141127

EXPY Termination of patent right or utility model