CN103384195B - A kind of partition method based on XEN platform desktop protocol - Google Patents

A kind of partition method based on XEN platform desktop protocol

Info

Publication number
CN103384195B
CN103384195B
Authority
CN
China
Prior art keywords
function
update
data
detour
desktop protocol
Prior art date
Legal status
Expired - Fee Related
Application number
CN201310278593.3A
Other languages
Chinese (zh)
Other versions
CN103384195A (en)
Inventor
林雪峰
邵长庚
刘丹
Current Assignee
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China
Priority to CN201310278593.3A
Publication of CN103384195A
Application granted
Publication of CN103384195B
Current legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses an isolation method based on the XEN platform desktop protocol, belonging to the field of information security, which comprises the following steps: S1, intercept the image data of the VNC protocol; S2, encrypt the intercepted image data; S3, decrypt the data received by the VNC client. The beneficial effects of the invention are as follows: because the desktop protocol that XEN provides by default is insecure and transmits data without any encryption, this method separates VNC control commands from data transfer commands and applies key-based encryption and decryption to the VNC data transmission and reception process, solving the security problem in VNC transmission.

Description

A kind of partition method based on XEN platform desktop protocol
Technical field
The present invention relates to an isolation method based on the XEN platform desktop protocol and belongs to the field of information security.
Background technology
XEN is an open-source virtual machine platform developed by the University of Cambridge. Its distinguishing feature is a virtualization mode called para-virtualization. In this mode, the source code of the guest operating system is modified so that it accesses hardware resources through the interface provided by the VMM (Virtual Machine Monitor), rather than requiring the VMM to provide virtual hardware as traditional virtualization modes do; this greatly improves the efficiency with which virtual machines run.
The desktop protocol is an indispensable component of XEN: it lets a user connect from a remote terminal to the virtual machine resources in a cloud server. XEN-based virtual desktop products are widely used among some of the world's top 500 enterprises. Their main advantages are centralized management of enterprise computing resources, improved management efficiency and greatly reduced management cost. Huawei has essentially completed moving its internal company computers to the cloud and has obtained good results.
Currently, to reduce performance overhead, distributed systems are deployed on virtualization platforms with each component module deployed on a different virtual machine; this has become a common practice. Realizing the overall function of a system usually requires close cooperation between modules, which in turn requires that information can be transmitted safely and effectively between the virtual machines.
However, under XEN's default configuration, the desktop image information obtained from the VGA (Video Graphics Array) device and sent to the remote client program is acquired and sent frame by frame, without any compression or optimization algorithm, and remote mouse and keyboard input is likewise sent in raw form. The desktop protocol that XEN provides by default is therefore not secure. A security isolation method is needed so that, under its protection, even a man in the middle who captures the packets of the XEN desktop protocol cannot correctly parse them and learn their content.
The desktop protocol in XEN, i.e. the VNC (Virtual Network Computing) protocol, is implemented quite simply: display frame data is read from the VGA device, encoded, and sent directly to the VNC client after encoding, without any encryption protection. Only by separating VNC control commands from data transfer commands and applying key-based encryption and decryption to the VNC data transmission and reception process can the security problem in VNC transmission be solved.
Summary of the invention
The purpose of the present invention is to improve the data security of the XEN desktop protocol and to ensure that protocol data is isolated from the outside world; for this an isolation method based on the XEN platform desktop protocol is proposed.
To achieve the above purpose, the technical scheme adopted by the present invention is as follows: an isolation method based on the XEN platform desktop protocol, comprising the following steps:
S1, intercept the image data of the VNC protocol;
S2, encrypt the intercepted image data;
S3, decrypt the data received by the VNC client.
Preferably, step S1 comprises the following: the graphic console initialization function of the USB interface corresponds to the following four static functions: vga_update_display, vga_invalidate_display, vga_screen_dump, vga_update_text. Before these four functions are called, the display-area buffer address is passed in; the four static functions then write into it, the executing thread blocks in the static function, and after the four static functions return, the upper-layer function obtains the image data directly from the display-area buffer.
Preferably, when step S2 encrypts the data, the post-hooks technique is used.
Preferably, step S2 includes the following sub-steps:
S2.1, define a group of Detour functions, including the dt_update, dt_invalidate, dt_screen_dump and dt_text_update functions;
S2.2, let the dgraphic_console_init function in the VNC protocol assign the four Detour functions as the device's corresponding processing functions. After the Detour functions have been substituted, the Detour function is called first whenever an update operation occurs; when called, the Detour function directly invokes the original vga_update_display function and blocks waiting for vga_update_display to return. After that function returns, the Detour function completes the buffer encryption operation by the post-hooks technique;
S2.3, add the encryption algorithm to the dt_update function, which encrypts the image data when the display is updated;
S2.4, add the encryption algorithm to the dt_invalidate function, which encrypts the data when a forced full-screen redraw is performed;
S2.5, add the encryption algorithm to the dt_screen_dump function, which encrypts the data when the dump operation saves the display image in ppm format;
S2.6, add the encryption algorithm to the dt_text_update function, which encrypts the data when the text console is updated.
Preferably, the encryption algorithm added in step S2 is the AES algorithm.
Preferably, the encryption algorithm added in step S2 is the DES algorithm.
Preferably, the encryption algorithm added in step S2 is the ECC algorithm.
The beneficial effects of the present invention are as follows: because the desktop protocol that XEN provides by default is insecure and transmits data without any encryption, this method separates VNC control commands from data transfer commands and applies key-based encryption and decryption to the VNC data transmission and reception process, solving the security problem in VNC transmission.
Brief description of the drawings
Fig. 1 is a schematic diagram of the VNC implementation in XEN;
Fig. 2 is a process diagram of the desktop protocol isolation method of an embodiment of the present invention;
Fig. 3 is the post-hooks process diagram of the embodiment of the present invention;
Fig. 4 is the VNC decryption flow chart of the embodiment of the present invention;
Fig. 5 is the overall flow chart of the embodiment of the present invention.
Detailed description of the invention
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments.
Principle:
On the XEN platform, virtual machine output information is provided in two ways: the output console and the virtual VGA device. The native desktop protocol of XEN, VNC, obtains its image display information from the virtual VGA device.
The Graphic Console layer occupies a central-hub position in the desktop virtualization architecture: it provides video data to the different desktop protocols of the upper layer (VNC, ICA) and is compatible with the different virtual hardware of the lower layer (s1d13745, ssd0323, etc.). Its position in the system is shown in Fig. 1.
Because the Graphic Console layer both shields the different virtual hardware of the lower layer and directly provides the video data interface to the upper-layer desktop protocols, a video data encryption scheme that is generic for any desktop protocol should start from the Graphic Console layer. The member of the Graphic Console layer directly related to video data is the TextConsole structure, which contains a group of function pointers directly related to video data; in use, these function pointers are assigned the real processing functions. Therefore, as long as Detour operations are carried out on these functions in the manner of the block device data acquisition shown in Fig. 1, interception of the display device data is achieved.
To complete the Detour operation on the video data, a group of Detour functions whose parameters are fully consistent with the original functions must first be defined; the Detour functions involved are defined as shown in Table 1.
Table 1
No.  Function pointer type    Detour function name  Explanation
1    vga_hw_update_ptr        dt_update             Video data update function
2    vga_hw_invalidate_ptr    dt_invalidate         Forced full-screen redraw
3    vga_hw_screen_dump_ptr   dt_screen_dump        Screen dump
4    vga_hw_text_update_ptr   dt_text_update        Text data update
These are all the Detour functions required for the Detour process. How the above Detour functions are used to implement post-hooks is described in detail below.
In the QEMU (Quick EMUlator) system of the XEN platform, every virtual display device calls the graphic_console_init function when initializing its TextConsole structure. This function is responsible for assigning the image processing functions of the virtual device to the function pointers in TextConsole. The prototype of graphic_console_init is defined as follows:
Because graphic_console_init is called whenever a display device initializes, it suffices to tamper with this one function: let it assign the four Detour functions proposed above as the device's corresponding processing functions, so that the execution flow is controlled by the Detour functions and the post-hooks effect is achieved.
The method for isolating the XEN platform desktop protocol according to an embodiment of the present invention comprises the following steps (see Fig. 2):
S1, intercept the image data of the VNC protocol: by intercepting the input and output of VNC protocol data, obtain the entry point for isolating and blocking the VNC protocol.
S2, encrypt the intercepted image data: the existing post-hooks technique is used in the encryption process.
S3, decrypt the data received by the VNC client: the encrypted image information must be decrypted correspondingly in the VNC client before it can be used normally, which achieves the purpose of isolating the desktop protocol.
S1, capturing the image data, specifically comprises the following steps:
The effect of the four functions above (vga_update_display, vga_invalidate_display, vga_screen_dump, vga_update_text) is to refresh the display output buffer. The display-area buffer address is passed in before they are called, the four static functions then write into it, the executing thread blocks in the static function, and after the four static functions return, the upper-layer function obtains the image data directly from the display-area buffer;
S2, encrypt the intercepted image data:
S2.1, define a group of Detour functions, including the dt_update, dt_invalidate, dt_screen_dump and dt_text_update functions;
S2.2, as shown in Fig. 3, let the dgraphic_console_init function in the VNC protocol assign the four Detour functions as the device's corresponding processing functions. After the Detour functions have been substituted, the Detour function is called first whenever an update operation occurs; when called, the Detour function directly invokes the original vga_update_display function and blocks waiting for vga_update_display to return. After that function returns, the Detour function completes the buffer encryption operation by the post-hooks technique;
S2.3, add the encryption algorithm to the dt_update function, which encrypts the image data when the display is updated;
S2.4, add the encryption algorithm to the dt_invalidate function, which encrypts the data when a forced full-screen redraw is performed;
S2.5, add the encryption algorithm to the dt_screen_dump function, which encrypts the data when the dump operation saves the display image in ppm format;
S2.6, add the encryption algorithm to the dt_text_update function, which encrypts the data when the text console is updated.
After the function encryption of the above six steps is complete, the whole post-hooks encryption process is complete; the algorithm used in the encryption process is the AES algorithm.
S3, decryption at the VNC client, specifically comprises the following steps:
Modify the image display functions for RAW, RRE and Hextile encoded communication in TightVNC under Windows; the names of the functions to be modified are as follows:
ClientConnection::ReadRawRect      // function handling RAW encoding
ClientConnection::ReadRRERect      // function handling RRE encoding
ClientConnection::ReadHextileRect  // function handling Hextile encoding
To describe the modification of the above functions more clearly, the implementation details are abstracted below as pseudocode, which is intended to hide the details and describe the processing principle more plainly; the pseudocode is as follows:
Through the above steps the whole isolation module for the XEN desktop protocol can be implemented. Besides the AES algorithm, the DES algorithm and the ECC algorithm can also be used.
Those of ordinary skill in the art will understand that the embodiments described here are intended to help the reader understand the implementation of the present invention, and that the protection scope of the present invention is not limited to these statements and embodiments. According to the technical teaching disclosed by the present invention, those of ordinary skill in the art can make various other specific variations and combinations without departing from the essence of the present invention; these variations and combinations still fall within the protection scope of the present invention.
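As an added example (not the patent's code, nor QEMU's or TightVNC's), the C program below models the S1 to S3 procedure above: a TextConsole-like structure holding the four function pointers of Table 1, a stand-in for the modified graphic_console_init that installs dt_update, dt_invalidate, dt_screen_dump and dt_text_update in place of the device handlers, post-hook encryption of the display buffer after the original handler returns, and the client-side reversal that a modified ReadRawRect would perform. The TextConsole layout, the simplified handler prototypes (one TextConsole pointer argument), the key, buffer size and pixel pattern are all assumptions of this example. The cipher is a constructed splitmix64 counter-mode keystream standing in for the AES the patent specifies, so that the example needs no external crypto library; it is not a secure cipher.

```c
/* Added example, not the patent's code: detour + post-hook encryption of a
 * display buffer, plus the client-side reversal. The keystream is a constructed
 * stand-in (splitmix64 in counter mode), NOT the AES the patent specifies. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FB_SIZE 64 /* constructed: 8x8 pixels, 1 byte per pixel */

/* Assumed, simplified TextConsole: the four pointers of Table 1, console-only args. */
typedef struct TextConsole {
    uint8_t fb[FB_SIZE];  /* display-area buffer the device handler writes */
    uint64_t frame_no;    /* encrypted-frame counter, sent with each rect */
    void (*hw_update)(struct TextConsole *);      /* vga_hw_update_ptr */
    void (*hw_invalidate)(struct TextConsole *);  /* vga_hw_invalidate_ptr */
    void (*hw_screen_dump)(struct TextConsole *); /* vga_hw_screen_dump_ptr */
    void (*hw_text_update)(struct TextConsole *); /* vga_hw_text_update_ptr */
} TextConsole;

/* Simulated device handlers standing in for vga_update_display and friends. */
static void vga_update_display(TextConsole *c) {
    for (int i = 0; i < FB_SIZE; i++) c->fb[i] = (uint8_t)(i * 3); /* constructed pattern */
}
static void vga_invalidate_display(TextConsole *c) { memset(c->fb, 0xFF, FB_SIZE); }
static void vga_screen_dump(TextConsole *c)       { (void)c; /* would write a .ppm */ }
static void vga_update_text(TextConsole *c)       { memset(c->fb, 'A', FB_SIZE); }

/* Keystream stand-in (NOT AES): the splitmix64 mixing function. */
static uint64_t splitmix64(uint64_t x) {
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* XOR buf with a keystream derived from (key, frame_no, block index). Binding
 * frame_no in prevents keystream reuse across frames; XOR serves both directions. */
void keystream_xor(uint8_t *buf, size_t len, uint64_t key, uint64_t frame_no) {
    for (size_t off = 0; off < len; off += 8) {
        uint64_t ks = splitmix64(key ^ splitmix64(frame_no ^ splitmix64(off / 8)));
        for (size_t j = 0; j < 8 && off + j < len; j++)
            buf[off + j] ^= (uint8_t)(ks >> (8 * j));
    }
}
static const uint64_t SHARED_KEY = 0x0123456789ABCDEFULL; /* constructed demo key */

/* Post-hook: runs only after the original handler has filled the buffer. */
static void post_hook_encrypt(TextConsole *c) {
    c->frame_no++;
    keystream_xor(c->fb, FB_SIZE, SHARED_KEY, c->frame_no);
}

/* Saved originals and the Detour functions of Table 1: call the original, then encrypt. */
static void (*orig_update)(TextConsole *), (*orig_invalidate)(TextConsole *),
            (*orig_screen_dump)(TextConsole *), (*orig_text_update)(TextConsole *);
static void dt_update(TextConsole *c)      { orig_update(c);      post_hook_encrypt(c); }
static void dt_invalidate(TextConsole *c)  { orig_invalidate(c);  post_hook_encrypt(c); }
static void dt_screen_dump(TextConsole *c) { orig_screen_dump(c); post_hook_encrypt(c); }
static void dt_text_update(TextConsole *c) { orig_text_update(c); post_hook_encrypt(c); }

/* Stand-in for the modified graphic_console_init (S2.2): detours replace the handlers. */
void graphic_console_init_detoured(TextConsole *c) {
    memset(c, 0, sizeof *c);
    orig_update      = vga_update_display;     c->hw_update      = dt_update;
    orig_invalidate  = vga_invalidate_display; c->hw_invalidate  = dt_invalidate;
    orig_screen_dump = vga_screen_dump;        c->hw_screen_dump = dt_screen_dump;
    orig_text_update = vga_update_text;        c->hw_text_update = dt_text_update;
}

/* Client side (S3): what a modified ReadRawRect does with a received rectangle. */
void client_read_raw_rect(const uint8_t *wire, size_t len, uint64_t frame_no, uint8_t *out) {
    memcpy(out, wire, len);
    keystream_xor(out, len, SHARED_KEY, frame_no);
}

/* One update through the detoured console: 1 if the wire bytes differ from the
 * plaintext and the client recovers the plaintext. */
int demo_round_trip(void) {
    TextConsole con;
    uint8_t expect[FB_SIZE], recovered[FB_SIZE];
    graphic_console_init_detoured(&con);
    for (int i = 0; i < FB_SIZE; i++) expect[i] = (uint8_t)(i * 3);
    con.hw_update(&con); /* the upper layer calls through the pointer, hitting dt_update */
    int changed = memcmp(con.fb, expect, FB_SIZE) != 0;
    client_read_raw_rect(con.fb, FB_SIZE, con.frame_no, recovered);
    return changed && memcmp(recovered, expect, FB_SIZE) == 0;
}

/* Two updates with identical plaintext must not yield identical ciphertext. */
int demo_frames_differ(void) {
    TextConsole con; uint8_t first[FB_SIZE];
    graphic_console_init_detoured(&con);
    con.hw_update(&con);
    memcpy(first, con.fb, FB_SIZE);
    con.hw_update(&con); /* original refills the same pattern; frame_no advances */
    return memcmp(first, con.fb, FB_SIZE) != 0;
}

int main(void) {
    printf("round trip: %s\n", demo_round_trip() ? "ok" : "FAILED");
    printf("frames differ: %s\n", demo_frames_differ() ? "ok" : "FAILED");
    return 0;
}
```

Two design points carry over to a real build with AES: the post-hook must run strictly after the original handler has returned, since the buffer is only complete then, and the per-frame counter that the hook folds into the keystream is the equivalent of a fresh IV or nonce per frame, which the client needs alongside the key; without it, two frames with the same content would encrypt to the same bytes and leak whether the screen changed.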

Claims (6)

1. An isolation method based on the desktop protocol of the open-source virtual machine platform XEN, characterized in that it includes the following steps:
S1, intercept the image data of the Virtual Network Computing (VNC) protocol;
S2, encrypt the intercepted image data;
S3, decrypt the data received by the VNC client;
wherein said step S1 comprises the following: the dgraphic_console_init function of the Video Graphics Array USB interface corresponds to the following four static functions: vga_update_display, vga_invalidate_display, vga_screen_dump, vga_update_text; before said four static functions are called, the display-area buffer address is passed in; the four static functions then write into it, the executing thread blocks in the four static functions, and after the four static functions return, the upper-layer function obtains the image data directly from the display-area buffer.
2. The isolation method based on the XEN platform desktop protocol according to claim 1, characterized in that the post-hooks technique is used when said step S2 encrypts the data.
3. The isolation method based on the XEN platform desktop protocol according to claim 2, characterized in that said step S2 includes the following sub-steps:
S2.1, define a group of Detour functions, including the dt_update, dt_invalidate, dt_screen_dump and dt_text_update functions;
S2.2, let the dgraphic_console_init function in the VNC protocol assign the four Detour functions respectively in place of said four static functions corresponding to the device; after the Detour functions have been substituted, the Detour function is called first whenever a data update operation occurs; when called, the Detour function directly invokes the original vga_update_display function and blocks waiting for the vga_update_display function to return; after that function returns, the Detour function completes the display-area buffer data encryption operation by the post-hooks technique;
S2.3, add the encryption algorithm to the dt_update function, which encrypts the image data when the display is updated;
S2.4, add the encryption algorithm to the dt_invalidate function, which encrypts the data when a forced full-screen redraw is performed;
S2.5, add the encryption algorithm to the dt_screen_dump function, which encrypts the data when the file backup operation saves the display image in ppm format;
S2.6, add the encryption algorithm to the dt_text_update function, which encrypts the data when the text console is updated.
4. The isolation method based on the XEN platform desktop protocol according to claim 3, characterized in that the encryption algorithm added in said step S2 is the Advanced Encryption Standard (AES) algorithm.
5. The isolation method based on the XEN platform desktop protocol according to claim 3, characterized in that the encryption algorithm added in said step S2 is the Data Encryption Standard (DES) algorithm.
6. The isolation method based on the XEN platform desktop protocol according to claim 3, characterized in that the encryption algorithm added in said step S2 is the ECC algorithm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310278593.3A CN103384195B (en) 2013-07-04 2013-07-04 A kind of partition method based on XEN platform desktop protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310278593.3A CN103384195B (en) 2013-07-04 2013-07-04 A kind of partition method based on XEN platform desktop protocol

Publications (2)

Publication Number Publication Date
CN103384195A CN103384195A (en) 2013-11-06
CN103384195B true CN103384195B (en) 2016-08-10

Family

ID=49491899

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310278593.3A Expired - Fee Related CN103384195B (en) 2013-07-04 2013-07-04 A kind of partition method based on XEN platform desktop protocol

Country Status (1)

Country Link
CN (1) CN103384195B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639652B (en) * 2018-11-22 2021-08-27 贵州华云创谷科技有限公司 Method and system for accessing internetwork data based on security isolation

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217544A (en) * 2008-01-02 2008-07-09 浪潮电子信息产业股份有限公司 A remote frame buffer area to enhance the security
CN103036897A (en) * 2012-12-20 2013-04-10 曙光云计算技术有限公司 Communication method based on long distance desktop connection between thin client-side and server-side

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8589683B2 (en) * 2009-10-27 2013-11-19 Red Hat, Inc. Authentication of a secure virtual network computing (VNC) connection

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101217544A (en) * 2008-01-02 2008-07-09 浪潮电子信息产业股份有限公司 A remote frame buffer area to enhance the security
CN103036897A (en) * 2012-12-20 2013-04-10 曙光云计算技术有限公司 Communication method based on long distance desktop connection between thin client-side and server-side

Also Published As

Publication number Publication date
CN103384195A (en) 2013-11-06

Similar Documents

Publication Publication Date Title
US9760721B2 (en) Secure transaction method from a non-secure terminal
US20190260748A1 (en) Securing a transaction performed from a non-secure terminal
JP5628831B2 (en) Digital video guard
US10659226B2 (en) Data encryption method, decryption method, apparatus, and system
CN103281193B (en) Identity authentication method and system and data transmission method and device based on identity authentication system
US8996883B2 (en) Securing inputs from malware
CN102033781B (en) Desktop system switching method for virtual machine
EP2798769B1 (en) Preventing pattern recognition in electronic code book encryption
CN101695107B (en) Method of soft keyboard for safely inputting code of set top box of digital television
CN105933113A (en) Secret key backup recovering method and system, and related devices
CN104238986A (en) Screen transfer display method and device
CN103996117B (en) Safe mobile phone
CN103618737A (en) VNC console optimization scheme of virtual machines in cloud computing environment
CN103559451A (en) Method and device for protecting and displaying privacy information
CN105046123B (en) It is a kind of to realize cipher safety system and its setting method using picture
CN103716166A (en) Self-adaptation hybrid encryption method and device and encryption communication system
CN106209903A (en) A kind of remote access financial system with encryption device
Zheng et al. TrustPAY: Trusted mobile payment on security enhanced ARM TrustZone platforms
CN102502368A (en) Contract number-combined operation authority management method and contract number-combined operation authority management system for elevator control system
EP2811401B1 (en) Method and apparatus for inputting data
CN105160278A (en) Screen privacy displaying/reading method and system
Egawa et al. Dependable and secure remote management in iaas clouds
CN103384195B (en) A kind of partition method based on XEN platform desktop protocol
CN103259689A (en) Method for changing password of equipment and recovering password after failure
WO2018082930A1 (en) Method for securely performing a sensitive operation using a non-secure terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160810

Termination date: 20170704