CN103413093B - XEN cloud platform virtual machine isolation method based on memory isolation - Google Patents

Info

Publication number: CN103413093B
Authority: CN (China)
Prior art keywords: function, acm, authorization list, grant, xsm
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CN201310298806.9A
Other languages: Chinese (zh)
Other versions: CN103413093A (en)
Inventors: 王迪, 邵长庚, 刘丹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): University of Electronic Science and Technology of China
Original Assignee: University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2013-07-17
Filing date: 2013-07-17
Publication dates: 2013-11-27 (application publication CN103413093A); 2016-04-06 (granted publication CN103413093B)
Timeline: application filed by University of Electronic Science and Technology of China; priority to CN201310298806.9A; published as CN103413093A; patent granted and published as CN103413093B; current status Expired - Fee Related.

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses an XEN cloud platform virtual machine isolation method based on memory isolation, in the field of information security, comprising the steps: S1: intercept grant table operations; S2: extend the ACM mechanism so that it verifies the validity of each grant table operation and lets the operation pass only if it is valid; S3: execute the passed grant table operation under control. The beneficial effects of the invention are as follows: by intercepting operations on the XEN memory grant table, the memory-mapping relationships between virtual machines are analyzed; the extended ACM then verifies the validity of the grant operation, and only after the check succeeds is the operation allowed to proceed; memory between virtual machines is thus securely isolated by controlling the grant table. The method belongs to the field of hypervisor security research, achieves secure isolation of memory resources, and improves the security of the XEN cloud environment.

Description

XEN cloud platform virtual machine isolation method based on memory isolation
Technical field
The present invention relates to an XEN cloud platform virtual machine isolation method based on memory isolation and belongs to the field of information security.
Background technology
The concept of the cloud dates back to the 1990s and was proposed by the American John McCarthy, who pointed out that computer resources could be supplied to the public as a service, like water and electricity. In March 2006 Amazon released its Elastic Compute Cloud (EC2) service, and the term "cloud computing" was first proposed afterwards by Google CEO Eric Schmidt at a search engine conference. Cloud computing is an internet-based model for the growth, use and delivery of related services; it usually involves providing dynamically scalable and often virtualized resources over the internet.
The cloud is developing rapidly and gradually affecting people's lives. According to a report by the market research agency IHS iSuppli, the total number of active cloud service users is about 375 million and is expected to rise to 500 million by the end of this year. As the cloud gradually changes people's lives, more and more sensitive data is migrated to it, and the security requirements on cloud data rise accordingly. Today, cloud security has become one of the biggest obstacles to the development of the cloud. XEN is the most important carrier of the cloud, and in most cases it still "runs bare" in operators' machine rooms, so security threats from inside the cloud threaten the data security of all cloud users. Research on secure isolation techniques that provide a safer XEN virtual machine cloud environment therefore has great practical significance.
Current domestic and international research on XEN virtual machine security concentrates on three areas: hypervisor security research, trusted computing research, and applied intrusion detection research:
Hypervisor security research: the hypervisor, also called the VMM (Virtual Machine Monitor), is the core of the virtual machine architecture, so many researchers try to solve virtual machine security problems by studying the hypervisor. For isolation schemes based on XEN virtual machines, domestic research is essentially still at the initial stage; foreign research is somewhat deeper and has proposed and implemented feasible schemes for isolation based on memory and on files separately. However, foreign researchers have not yet addressed cloud desktop office use, and for the isolation of sensitive information such as memory, files and desktop protocols, no cloud service provider has yet been able to offer a verifiable, trusted isolation scheme.
Trusted computing research: in cloud security, some researchers propose using trusted computing methods to solve the isolation problem of the cloud environment. Trusted computing comprises five key technical concepts: endorsement key, secure input and output, memory curtaining, sealed storage, and remote attestation. At present, domestic and international experts have all proposed some feasible isolation schemes.
Applied intrusion detection research: because traditional intrusion detection techniques can easily be moved into the middle layer of the virtualization framework, the VMM (hypervisor), some researchers harden virtualization systems using traditional intrusion detection and similar techniques. However, deploying this technique in a XEN environment requires too many changes, and it is not easy to integrate into a real XEN environment.
In summary, most domestic and international research on the security of virtual machine systems in cloud environments remains focused on traditional security problems; part of it does not consider practical and deployment issues, and no analysis that works from the XEN source code and its overall structure has yet appeared.
Summary of the invention
The object of the invention is to improve the XEN memory grant table mechanism so as to achieve secure isolation of XEN memory, and thereby to propose an XEN cloud platform virtual machine isolation method based on memory isolation that improves the security of the XEN cloud environment.
To achieve this object, the technical scheme adopted by the present invention is as follows: an XEN cloud platform virtual machine isolation method based on memory isolation, comprising the following steps:
S1: intercept grant table (GrantTable) operations;
S2: extend the ACM (Access Control Module) mechanism so that it verifies the validity of each grant table operation and lets the operation pass only if it is valid;
S3: execute the passed grant table operation under control.
Preferably, step S1, intercepting grant table operations, comprises the following sub-steps:
S11: when a grant table hypercall is invoked, it is caught by the hypervisor;
S12: the corresponding handler function is looked up in the hvm_hypercall32_table or hvm_hypercall64_table;
S13: the grant table handler do_grant_table_op is called to carry out the grant table operation, and the mapping of memory is performed by the gnttab_map_grant_ref function;
S14: interception of the grant table operation starts from the gnttab_map_grant_ref function, where it is judged whether the memory-mapping operation is legal.
Preferably, step S14, intercepting the grant table operation starting from the gnttab_map_grant_ref function, comprises the following sub-steps:
S141: add the check function xsm_grant_table_op, which captures the operation, in the do_grant_table_op function;
S142: implant the XSM Hooks function in the gnttab_map_grant_ref function.
Preferably, step S2, extending the ACM mechanism, comprises the following sub-steps:
S21: extend the Hooks functions in the XSM (Xen Security Modules) framework, improving the XSM framework so that it calls the Hooks functions in the ACM module;
S22: extend the Hooks functions in the ACM module, improving the ACM module so that it verifies the validity of grant table operations.
Preferably, extending the Hooks functions in the XSM framework in step S21 comprises the following sub-steps:
S211: add the grant table operation command unsigned int cmd and the handle XEN_GUEST_HANDLE(void) uop, which stores the grant table operation information structure, to the xsm_operations structure in Xsm.h;
S212: add the inline function xsm_grant_table_op in Xsm.h.
Preferably, extending the Hooks functions in the ACM module in step S22 comprises the following sub-steps:
S221: add the ACM handler for the grant table, acm_grant_table_op, and the corresponding pre-handler acm_pre_grant_table_op in Acm_xsm_hooks.c;
S222: add the ACM-to-XSM function pointer assignment statement in the do_acm_op function.
Beneficial effects of the invention: starting from a study of XEN's own security mechanisms and from the XEN memory management mechanism, the method proposes a technical scheme for secure memory isolation. Concretely, it intercepts operations on the XEN memory grant table and analyzes the memory-mapping relationships between virtual machines; the extended ACM then verifies the validity of the grant operation, and only after the check succeeds is the operation allowed to proceed. Memory between virtual machines is thus securely isolated by controlling the grant table. The method belongs to the field of hypervisor security research, achieves secure isolation of memory resources, and improves the security of the XEN cloud environment.
Brief description of the drawings
Fig. 1 is a schematic diagram of the extended ACM control table of the present invention;
Fig. 2 is a flow chart of the improved grant table ACM Hooks of the present invention.
Embodiments
To make the object, technical scheme and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and an embodiment.
Principle: the XEN cloud platform virtual machine isolation method based on memory isolation proposed by the embodiment of the present invention intercepts operations on the XEN memory grant table and analyzes the memory-mapping relationships between virtual machines; the extended ACM then verifies the validity of the grant operation, and only after the check succeeds is the operation allowed to proceed. Memory between virtual machines is thus securely isolated by controlling the grant table.
The invention provides an XEN cloud platform virtual machine isolation method based on memory isolation, comprising the steps:
S1: intercept grant table operations;
S2: extend the ACM mechanism so that it verifies the validity of each grant table operation and lets the operation pass only if it is valid;
S3: execute the passed grant table operation under control (this step is prior art).
Here step S1, intercepting grant table operations, may adopt the following sub-steps:
S11: when a grant table hypercall is invoked, it is caught by the hypervisor;
S12: the corresponding handler function is looked up in the hvm_hypercall32_table or hvm_hypercall64_table;
S13: the grant table handler do_grant_table_op is called to carry out the grant table operation, and the mapping of memory is performed by the gnttab_map_grant_ref function;
S14: interception of the grant table operation starts from the gnttab_map_grant_ref function, where it is judged whether the memory-mapping operation is legal.
Here, step S14, intercepting the grant table operation starting from the gnttab_map_grant_ref function, comprises the following sub-steps:
S141: add the check function xsm_grant_table_op, which captures the operation, in the do_grant_table_op function;
S142: implant the XSM Hooks function in the gnttab_map_grant_ref function.
Code is added to the gnttab_map_grant_ref function at this point; the listing is not reproduced in this text.
Here step S2, extending the ACM mechanism, comprises the following sub-steps:
S21: extend the Hooks functions in the XSM framework, improving the XSM framework so that it calls the Hooks functions in the ACM module;
S22: extend the Hooks functions in the ACM module, improving the ACM module so that it verifies the validity of grant table operations.
Extending the Hooks functions in the XSM framework in step S21 specifically comprises the following steps:
S211: add the following definition to the xsm_operations structure in Xsm.h: the grant table operation command unsigned int cmd and the handle XEN_GUEST_HANDLE(void) uop to the grant table operation information structure;
S212: add the inline function xsm_grant_table_op in Xsm.h.
Extending the Hooks functions in the ACM module in step S22 specifically comprises the following steps:
S221: add the following two functions in Acm_xsm_hooks.c: the grant table handler acm_grant_table_op and its pre-handler acm_pre_grant_table_op;
S222: so that the Hooks function in the ACM module can be called by the XSM framework, add the ACM-to-XSM function pointer assignment statement in the do_acm_op function:
acm_xsm_ops.grant_table_op = acm_grant_table_op;
Implanting the call to the Hooks function into the GrantTable in step S23 specifically comprises the following steps:
As shown in Fig. 1, the method comprises the following steps:
S1, intercepting grant table operations.
In XEN, grant table operations are implemented mainly through hypercalls. When a grant table hypercall is invoked and caught by the hypervisor, the corresponding handler is first looked up in hvm_hypercall32_table or hvm_hypercall64_table, and the function do_grant_table_op is then called to carry out the grant table operation. In this process the mapping of memory is performed by the gnttab_map_grant_ref function, whose input and output information can both be analyzed. Because gnttab_map_grant_ref is the path that every memory mapping must pass through, and because it holds enough information to make a decision, interception can start directly from gnttab_map_grant_ref, where it is judged whether the memory-mapping operation is legal.
S2, extending the ACM mechanism so that it verifies the validity of grant table operations and lets valid ones pass.
In XEN, the ACM control mechanism is realized through the XSM framework, which consists mainly of three parts: the control module, the Hooks functions, and the rules. Extending ACM within XSM involves three actions: extending the Hooks functions in the XSM framework, extending the Hooks functions in ACM, and implanting calls to the Hooks functions into the grant table (GrantTable).
S3, executing the passed grant table operations under control.
The ACM Hooks mechanism is used to restrict grant table operations: before a specific operation is performed, the ACM check function runs first; if the operation satisfies the conditions it is let through and executed, otherwise ACM_ACCESS_DENIED is returned and execution is refused.
As shown in Fig. 2, a concrete execution flow combining S1, S2 and S3 is as follows:
S31: the function do_grant_table_op is called to carry out the grant table operation;
S32: the memory map operation is located in the switch-case statement; if the cmd code (the switch variable) corresponds to the gnttab_map_grant_ref function, go to S33, otherwise go to S38;
S33: enter the extended ACM check; from this step the checking phase begins, and the improved access control process verifies the sender's access to the GR (GrantReference);
S34: check Uop.flags; if it is GNTMAP_device_map, the GrantTable operation was requested by a device and is let through directly, go to S38; otherwise go to S35;
S35: match the non-device memory-mapping request against the ACM control rules (the user-defined policy file and the STE policy and rules of the ACM module itself);
S36: if the operation meets the pass conditions (this check is completed in the function acm_pre_grant_table_op), the allowed operation is let through, go to S38; otherwise go to S37;
S37: ACM_ACCESS_DENIED is returned for the disallowed operation and its execution is refused;
S38: let the operation pass.
Regarding S31, it should be explained that although the x86 and x64 architectures use slightly different grant table mechanisms, both ultimately call the function do_grant_table_op to carry out the grant table operation, so this embodiment only analyzes from the function do_grant_table_op onward.
Regarding S32, it should be explained that the inside of do_grant_table_op is a very large switch-case structure that performs different operations according to the cmd code. This embodiment only studies the memory map operation, so only the corresponding gnttab_map_grant_ref function needs to be located. The memory-mapping operation intercepted in gnttab_map_grant_ref is stored in the information structure Uop.
Regarding S34, it should be explained that gnttab_map_grant_ref contains an important structure, gnttab_map_grant_ref_t, which is used mainly in the mapping of a GrantEntry. The structure holds two kinds of information: input parameters and output parameters. The input includes the address to map, the GrantMap flags, the GrantRef reference, and the DomainID (domain ID). The flags (GrantMap flags) indicate, when GNTMAP_device_map is set, that the memory-mapping operation comes from a device; when GNTMAP_host_map is set, a non-device mapping operation whose result is returned as a virtual address in the active address space; and when GNTMAP_contains_pte is set, that the address is returned in host_addr. In this embodiment, memory-mapping operations requested by a device are allowed to pass directly.
Regarding S36, it should be explained that the decision here is made according to the user-defined policy file and the STE policy and rules of ACM itself. For example, the resources that virtual machine DomA may access can be defined as STE-typeA = {ResA, ResB, ResC, ResD} and the resources that virtual machine DomB may access as STE-typeB = {ResD, ResE, ResF, ResG}; then ResD is the resource shareable between A and B, and the other resources are exclusive to each. If DomA requests access to ResE, the operation is judged to be disallowed. Likewise, if the ACM rules restrict ResA to be non-writable and DomA requests to write ResA, the operation is judged to be disallowed.
The above steps detect and isolate memory grant table operations fairly precisely: the ACM rules can be used to restrict the range of memory access (for example, to allow access only), and by judging the flags in gnttab_map_grant_ref only device-accessed memory mappings can be allowed, blocking illegal mappings from users.
Memory isolation is completed by the above steps.
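As an added example written for this page (not code from the patent, from Xen, or from the inventors), the following C program models the whole path that the steps and the flow above lay out: the xsm_operations table with the grant_table_op hook (S211/S212), the ACM hooks acm_grant_table_op and acm_pre_grant_table_op with the do_acm_op assignment (S221/S222), and the S31..S38 decision applied to the STE example with DomA, DomB and ResA..ResG. Everything beyond the names quoted from the patent is an assumption: the flag bit positions, the numeric ACM result codes, the GNTTABOP_map_grant_ref value, the three-field stand-in for gnttab_map_grant_ref_t, the use of the grant reference number as the resource id, and the helper functions do_acm_op_register and check_map.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* GrantMap flag bits named as in Xen's public grant_table.h; positions assumed, not from the patent. */
#define GNTMAP_device_map (1u << 0)
#define GNTMAP_host_map   (1u << 1)
#define GNTMAP_readonly   (1u << 2)
/* ACM result codes: ACM_ACCESS_DENIED is named in the patent; the values are assumptions. */
#define ACM_ACCESS_PERMITTED   0
#define ACM_ACCESS_DENIED   (-111)
#define GNTTABOP_map_grant_ref 0     /* cmd code of the map operation (assumed) */

/* Input half of gnttab_map_grant_ref_t (constructed; fields named after S34). */
typedef struct { uint32_t dom, ref, flags; } gnttab_map_grant_ref_t;

/* S211/S212: XSM operations table with the added grant_table_op hook, and the
 * inline wrapper that the grant table code calls (S141). */
struct xsm_operations {
    int (*grant_table_op)(uint32_t requester, unsigned int cmd, void *uop);
};
static struct xsm_operations *xsm_ops;  /* NULL until an ACM module registers */

static inline int xsm_grant_table_op(uint32_t requester, unsigned int cmd, void *uop)
{
    if (xsm_ops == NULL || xsm_ops->grant_table_op == NULL)
        return ACM_ACCESS_DENIED;       /* fail closed: no module, no clearance */
    return xsm_ops->grant_table_op(requester, cmd, uop);
}

/* Constructed STE policy reproducing the text's example: DomA may reach ResA..ResD,
 * DomB may reach ResD..ResG, and an ACM rule marks ResA non-writable. The grant
 * reference number is used directly as the resource id (a simplification). */
enum res { ResA, ResB, ResC, ResD, ResE, ResF, ResG, RES_COUNT };
enum dom { Dom0, DomA, DomB, DOM_COUNT };
static const bool ste_allowed[DOM_COUNT][RES_COUNT] = {
    [DomA] = { [ResA] = 1, [ResB] = 1, [ResC] = 1, [ResD] = 1 },
    [DomB] = { [ResD] = 1, [ResE] = 1, [ResF] = 1, [ResG] = 1 },
};
static const bool res_readonly[RES_COUNT] = { [ResA] = 1 };

/* S221: ACM pre-handler implementing S34..S37 for one map request. */
static int acm_pre_grant_table_op(uint32_t requester, const gnttab_map_grant_ref_t *op)
{
    if (op->flags & GNTMAP_device_map)                  /* S34: device request, let pass */
        return ACM_ACCESS_PERMITTED;
    if (requester >= DOM_COUNT || op->ref >= RES_COUNT) /* unknown domain or resource */
        return ACM_ACCESS_DENIED;
    if (!ste_allowed[requester][op->ref])               /* S35: STE type does not cover it */
        return ACM_ACCESS_DENIED;
    if (res_readonly[op->ref] && !(op->flags & GNTMAP_readonly))
        return ACM_ACCESS_DENIED;                       /* S36: write to a read-only resource */
    return ACM_ACCESS_PERMITTED;
}

/* S221: ACM hook reached through the XSM table; only map operations are checked. */
static int acm_grant_table_op(uint32_t requester, unsigned int cmd, void *uop)
{
    if (uop == NULL)
        return ACM_ACCESS_DENIED;
    if (cmd != GNTTABOP_map_grant_ref)
        return ACM_ACCESS_PERMITTED;
    return acm_pre_grant_table_op(requester, (const gnttab_map_grant_ref_t *)uop);
}

/* S222: the assignment the patent adds in do_acm_op, wiring ACM into XSM. */
static struct xsm_operations acm_xsm_ops;
void do_acm_op_register(void)
{
    acm_xsm_ops.grant_table_op = acm_grant_table_op;
    xsm_ops = &acm_xsm_ops;
}

/* S31..S38: dispatch modelled on do_grant_table_op; the check sits in front of the map case only. */
int do_grant_table_op(uint32_t requester, unsigned int cmd, void *uop)
{
    switch (cmd) {
    case GNTTABOP_map_grant_ref: {
        int rc = xsm_grant_table_op(requester, cmd, uop);   /* S33 */
        if (rc != ACM_ACCESS_PERMITTED)
            return rc;                                      /* S37: refused, nothing mapped */
        return 0;                                           /* the real mapping would follow */
    }
    default:
        return 0;                                           /* S38: other cmd codes pass through */
    }
}

/* Build one map request and run it through the whole path. */
int check_map(uint32_t requester, uint32_t dom, uint32_t ref, uint32_t flags)
{
    gnttab_map_grant_ref_t op = { dom, ref, flags };
    return do_grant_table_op(requester, GNTTABOP_map_grant_ref, &op);
}

int main(void)
{
    do_acm_op_register();
    printf("DomA writes ResA -> %d, device map of ResE -> %d\n",
           check_map(DomA, Dom0, ResA, GNTMAP_host_map), check_map(DomA, Dom0, ResE, GNTMAP_device_map));
    return 0;
}
```

Two design points are worth noting. The wrapper xsm_grant_table_op denies when no module has registered, so the hook fails closed rather than open if the S222 assignment is ever missed. And the check is placed in front of the map case only, exactly as S32 and S38 describe: a cmd that is not a map is not examined at all, so any resource-access rule one wants enforced on other grant operations (transfer, copy, unmap) would need its own case.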
Those of ordinary skill in the art will appreciate that the embodiment described here is intended to help readers understand the implementation of the present invention, and that the protection scope of the invention is not limited to this particular description and embodiment. Those of ordinary skill in the art can make various other specific variations and combinations that do not depart from the essence of the present invention based on the technical teaching disclosed herein, and such variations and combinations remain within the protection scope of the present invention.

Claims (5)

1. An XEN cloud platform virtual machine isolation method based on memory isolation, characterized in that it comprises the steps:
S1: intercept grant table operations;
this step comprises the following sub-steps:
S11: when a grant table hypercall is invoked, it is caught by the hypervisor;
S12: the corresponding handler function is looked up in the hvm_hypercall32_table or hvm_hypercall64_table;
S13: the grant table handler do_grant_table_op is called to carry out the grant table operation, and the mapping of memory is performed by the gnttab_map_grant_ref function;
S14: interception of the grant table operation starts from the gnttab_map_grant_ref function, where it is judged whether the memory-mapping operation is legal;
S2: extend the ACM mechanism so that it verifies the validity of each grant table operation and lets the operation pass only if it is valid;
S3: execute the passed grant table operation under control.
2. The XEN cloud platform virtual machine isolation method based on memory isolation according to claim 1, characterized in that step S14, intercepting the grant table operation starting from the gnttab_map_grant_ref function, comprises the following sub-steps:
S141: add the check function xsm_grant_table_op, which captures the operation, in the do_grant_table_op function;
S142: implant the XSM Hooks function in the gnttab_map_grant_ref function.
3. The XEN cloud platform virtual machine isolation method based on memory isolation according to claim 1, characterized in that step S2, extending the ACM mechanism, comprises the following sub-steps:
S21: extend the Hooks functions in the XSM framework, improving the XSM framework so that it calls the Hooks functions in the ACM module;
S22: extend the Hooks functions in the ACM module, improving the ACM module so that it verifies the validity of grant table operations.
4. The XEN cloud platform virtual machine isolation method based on memory isolation according to claim 3, characterized in that extending the Hooks functions in the XSM framework in step S21 comprises the following sub-steps:
S211: add the grant table operation command unsigned int cmd and the handle XEN_GUEST_HANDLE(void) uop, which stores the grant table operation information structure, to the xsm_operations structure in Xsm.h;
S212: add the inline function xsm_grant_table_op in Xsm.h.
5. The XEN cloud platform virtual machine isolation method based on memory isolation according to claim 4, characterized in that extending the Hooks functions in the ACM module in step S22 comprises the following sub-steps:
S221: add the ACM handler for the grant table, acm_grant_table_op, and the corresponding pre-handler acm_pre_grant_table_op in Acm_xsm_hooks.c;
S222: add the ACM-to-XSM function pointer assignment statement in the do_acm_op function.
Priority Applications (1)

Application Number: CN201310298806.9A (CN103413093B); Priority Date: 2013-07-17; Filing Date: 2013-07-17; Title: XEN cloud platform virtual machine isolation method based on memory isolation

Publications (2)

CN103413093A (en), published 2013-11-27
CN103413093B (en), published 2016-04-06

Family

ID=49606103

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160406

Termination date: 20170717