CN108170567B - Method for detecting integrity of storage area in virtual machine based on copy-on-write characteristic - Google Patents
Method for detecting integrity of storage area in virtual machine based on copy-on-write characteristic Download PDFInfo
- Publication number
- CN108170567B CN108170567B CN201711416235.9A CN201711416235A CN108170567B CN 108170567 B CN108170567 B CN 108170567B CN 201711416235 A CN201711416235 A CN 201711416235A CN 108170567 B CN108170567 B CN 108170567B
- Authority
- CN
- China
- Prior art keywords
- mirror image
- storage area
- address
- information
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
- G06F11/2273—Test methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
- G06F11/26—Functional testing
Abstract
The invention provides a method for detecting the integrity of a storage area in a virtual machine based on copy-on-write characteristics, which comprises the steps of firstly providing information of the storage area and mirror image information which need integrity measurement under the condition that the virtual machine uses a basic mirror image and an incremental mirror image, then obtaining the information needed by the integrity measurement in the basic mirror image, wherein the information comprises mirror image blocks corresponding to a starting address and an ending address of the storage area, and information abstracts of data belonging to the storage area in the two mirror image blocks and mirror image index items corresponding to the two mirror image blocks; and finally, in the incremental mirror image, detecting the integrity of the storage area according to the information, the mirror image index and the copy-on-write characteristic acquired in the basic mirror image. The method can reduce the used data amount and the calculation amount and accelerate the speed of integrity measurement.
Description
Technical Field
The invention relates to safety protection of a virtual machine, in particular to a method for detecting the integrity of a storage area in the virtual machine based on copy-on-write characteristics, and belongs to the technical field of computer science.
Background
The virtual machine uses the image file as a storage carrier. There are many mirror formats, such as qcow2, vmdk, vdi, raw, etc. Partial image formats, such as qcow2, vmdk, vdi, can represent a larger fixed size virtual address space with a smaller file. The images are composed of image blocks with fixed sizes, and the content borne by the image blocks is mainly divided into three types which are respectively used for storing the attributes of the images, and the indexes of the image blocks used by data and index data in the virtual machine. The index refers to the order of the mirror block used to record the stored data in virtual space and the starting address in the mirror file. If the address stored in a certain index entry is null, it indicates that the mirror block corresponding to the index block does not store data and does not exist in the mirror file. In order to save storage space and simplify deployment, virtual machine images can be divided into basic images and incremental images, and the structures of the two images are the same. Based on copy-on-write characteristics, the incremental mirror takes the mirror block as a unit, and the change or the new content of the basic mirror is stored. If the address stored in a certain index entry is not null in the incremental mirror index and the basic mirror index, it indicates that the data in the mirror block corresponding to the index entry in the basic mirror is changed.
In order to detect whether data in a certain storage area in a virtual machine is tampered, integrity detection technology is a very important method. The traditional integrity detection technology is based on an information abstract algorithm, and whether a file is falsified or not is judged by comparing whether a basic information abstract is the same as a new information abstract generated at any other time point or not. If the information digests are different, the file is tampered; otherwise the file is complete.
The problem of the existing integrity detection method mainly comes from an information summary algorithm, and the method mainly comprises two points: (1) the amount of data used is large: the information summarization algorithm takes the entire contents of a file or storage area as input. (2) The amount of calculation required is large: the information summarization algorithm is high in complexity, and meanwhile, the use amount of data is large, so that the calculation amount is very large.
Disclosure of Invention
In order to solve the above problems, the present invention provides a method for detecting integrity of a storage area in a virtual machine based on copy-on-write characteristics, wherein when the virtual machine uses a basic mirror image and an incremental mirror image, storage area information and mirror image information which need integrity measurement are first given, then the information which needs integrity measurement is obtained in the basic mirror image, the information comprises mirror image blocks corresponding to a start address and an end address of the storage area, and information summaries of data belonging to the storage area in the two mirror image blocks and mirror image index items corresponding to the two mirror image blocks; and finally, in the incremental mirror image, detecting the integrity of the storage area according to the information, the mirror image index and the copy-on-write characteristic acquired in the basic mirror image. The method can reduce the used data amount and the calculation amount and accelerate the speed of integrity measurement.
The difference between the method for detecting the integrity of the storage area in the virtual machine based on the copy-on-write characteristic and the method for measuring the integrity of the storage area in the virtual machine based on the information digest algorithm is as follows:
(1) the applicable scenarios are different: the method is suitable for scenes in which the virtual machine uses basic images and incremental images.
(2) The methods for determining whether a storage area is tampered with are different: and judging whether the content in the storage area is tampered or not by combining the mirror image index and the information digest algorithm.
The invention provides a method for detecting the integrity of a storage area in a virtual machine based on copy-on-write characteristics, which comprises 6 steps as follows:
step 1: creating a basic mirror image and acquiring basic mirror image information, wherein the basic mirror image information comprises the size of a mirror image block, the corresponding relation between the mirror image block and a mirror image index and the like;
step 2: installing an operating system in the basic mirror image and acquiring partition information, wherein the partition information comprises a partition name, a starting address of a partition in a virtual space and the like;
and step 3: specifying storage area information needing integrity measurement in a partition, wherein the storage area information comprises a partition name of the storage area, and a starting address and an ending address in the partition;
and 4, step 4: acquiring information required by integrity measurement in a basic mirror image, wherein the information comprises mirror image blocks corresponding to a starting address and an ending address of a storage area, and information digests of data belonging to the storage area in the two mirror image blocks and mirror image index items corresponding to the two mirror image blocks;
and 5: creating an incremental image based on the base image;
step 6: in the incremental mirroring, the integrity of a storage area requiring integrity measurement is detected according to information acquired in the base mirroring, a mirror index and copy-on-write characteristics.
Wherein, step 4 includes:
step 41: converting the starting address and the ending address of the storage area in the partition into virtual space addresses according to the name and the starting address of the partition;
step 42: acquiring mirror image index items corresponding to the starting address and the ending address according to the corresponding relation between the virtual space address and the mirror image index items;
step 43: if the address in the mirror index entry corresponding to the storage area start address is empty, go to step 44. Otherwise, reading data belonging to the storage area in the mirror block corresponding to the index item, and calculating the information abstract of the data;
step 44: and if the address in the mirror image index entry corresponding to the storage area end address is empty, the step 5 is carried out. Otherwise, reading the data belonging to the storage area in the mirror block corresponding to the index item, and calculating the information abstract of the data.
Wherein, step 6 includes:
step 61: if the address in the mirror image index entry corresponding to the initial address of the storage area is empty, according to the copy-on-write characteristic, the data in the mirror image block corresponding to the mirror image index entry is complete; otherwise, reading data belonging to the storage area in the mirror image block corresponding to the index item, and calculating a new information abstract, wherein if the new information abstract is the same as the information abstract acquired from the basic mirror image, the data in the mirror image block is complete, otherwise, the data is incomplete;
step 62: if the address in the mirror image index entry corresponding to the storage area end address is empty, according to the copy-on-write characteristic, data in the mirror image block corresponding to the mirror image index entry is complete; otherwise, reading data belonging to the storage area in the mirror image block corresponding to the index item, and calculating a new information abstract, wherein if the new information abstract is the same as the information abstract acquired from the basic mirror image, the data in the mirror image block is complete, otherwise, the data is incomplete;
and step 63: checking whether an address in an index entry between mirror image index entries corresponding to a start address and an end address of a storage area is empty, and if the address in one mirror image index entry is not empty according to the copy-on-write characteristic, data in a mirror image block corresponding to the index entry is incomplete; otherwise, the data is complete;
step 64: if the results of the detection in step 61, step 62 and step 63 are all data integrity, the data in the storage area is complete, otherwise it is incomplete.
The advantages of the invention include:
compared with the prior art, the method for detecting the integrity of the storage area in the virtual machine based on the copy-on-write characteristic has the main advantages that:
(1) reduction of the amount of data required: the information summarization algorithm takes the entire content of a file or a storage area as input, and the amount of data used is large. In the method, the contents at two ends of the storage area are measured by using an information summarization algorithm. And in other parts, the used data is only a mirror index item, so that the data volume required by the integrity measurement is reduced.
(2) Reducing the amount of computation required: the information summarization algorithm has high calculation complexity and large used data volume, so the calculation amount is large. In the method, except for the contents at the two ends of the storage area, only whether the address in the index entry is empty needs to be detected, so that the calculation amount is reduced.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments, but the present invention is not limited thereto. In an example, the used image format is the Qcow2 format, the size of the virtual space of the image is 10GB, and the operating system is Linux, and the specific contents are as follows:
FIG. 1 shows a flow chart of the present invention.
A method for detecting the integrity of a storage area in a virtual machine based on copy-on-write characteristics comprises the following 6 steps:
step 1: and creating a basic mirror image and acquiring basic mirror image information. A base mirror in Qcow2 format with a virtual space of 10GB is created, with a mirror block size of cluster _ size. The index is divided into two levels, namely a first level index L1Table and a second level index L2 Table. Both L1Table and L2Table are stored in mirror blocks, with L1Table using contiguous mirror blocks and L2Table using non-contiguous mirror blocks. The index entry in the L1Table records the start address of the mirror block used by the L2Table, and the entry index entry in the L2Table records the start address of the mirror block used by the virtual machine data. Therefore, the start address of the mirror block storing the virtual machine data in the mirror file can be represented using the position of the index entry in the two level indexes, set to < L1Table _ index, L2Table _ index >. Given the address offset in the virtual space, the method for obtaining the corresponding index entry is as follows:
L2_entries=(cluster_size/sizeof(uint64_t))
L1Table_index=(offset/cluster_size)/L2_entries
L2Tabel_index=(offset/cluster_size)%L2_entries
step 2: and installing a linux operating system in the basic mirror image, and setting three partitions, namely a boot partition of 1GB, a partition of 8GB and a SWAP partition of 1 GB. The correspondence between the name of the partition and the start address is [ ("boot", 0), ("/", 1GB), ("SWAP", 9GB) ].
And step 3: the method comprises the steps of specifying storage area information needing integrity measurement in a partition, setting the name of the partition where the storage area is located as "/", and setting the start address and the end address of the storage area in the partition as start _ in _ partition and end _ in _ partition respectively.
And 4, step 4: acquiring information required by integrity measurement in a basic mirror image, wherein the information comprises mirror image blocks corresponding to a starting address and an ending address of a storage area, and information digests of data belonging to the storage area in the two mirror image blocks and mirror image index items corresponding to the two mirror image blocks;
step 41: converting the start address and the end address of the storage area in the partition into virtual space addresses, [ start _ in _ virtual space, end _ in _ virtual space ];
step 42: acquiring mirror image index entries corresponding to the starting address and the ending address according to the corresponding relation between the virtual space address and the mirror image index entries, and setting the mirror image index entries as < start _ L1, start _ L2> and < end _ L1, end _ L2 >;
step 43: if the address in the mirror index entry < start _ L1, start _ L2> is empty, go to step 44. Otherwise, reading data belonging to the storage area in the mirror block corresponding to the index item, calculating an information abstract of the data, and setting the abstract as start _ base;
step 44: if the address in the mirror index entry < end _ L1, end _ L2> is empty, go to step 5. Otherwise, reading the data belonging to the storage area in the mirror block corresponding to the index item, calculating the information abstract of the data, and setting the information abstract as end _ base.
And 5: creating an incremental image based on the base image;
step 6: in the incremental mirroring, the integrity of a storage area requiring integrity measurement is detected according to information acquired in the base mirroring, a mirror index and copy-on-write characteristics.
Step 61: if the addresses in the mirror index entries < start _ L1, start _ L2> are null, the data in the mirror block corresponding to the mirror index entry is complete according to the copy-on-write characteristic; if not, reading data belonging to the storage area in the mirror block corresponding to the index item, calculating a new information abstract, and setting the new information abstract as start _ new, wherein if end _ new is end _ start, the data in the mirror block is complete, otherwise, the data is incomplete;
step 62: if the addresses in the mirror index entries < end _ L1, end _ L2> are null, the data in the mirror block corresponding to the mirror index entry is complete according to the copy-on-write characteristic; otherwise, reading data belonging to the storage area in the mirror block corresponding to the index item, calculating a new information summary, and setting the new information summary as end _ new, wherein if the end _ new is end _ start, the data in the mirror block is complete, and if not, the data is incomplete;
and step 63: checking whether an address in an index entry between mirror image index entries corresponding to a start address and an end address of a storage area is empty, and if the address in one mirror image index entry is not empty according to the copy-on-write characteristic, data in a mirror image block corresponding to the index entry is incomplete; otherwise, the data is complete;
step 64: if the results of the detection in step 61, step 62 and step 63 are all data integrity, the data in the storage area is complete, otherwise it is incomplete.
The present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof, and it should be understood that various changes and modifications can be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (2)
1. The method for detecting the integrity of the storage area in the virtual machine based on the copy-on-write characteristic is characterized by comprising the following steps of:
step 1: creating a basic mirror image and acquiring basic mirror image information, wherein the basic mirror image information comprises the size of a mirror image block and the corresponding relation between the mirror image block and a mirror image index;
step 2: installing an operating system in the basic mirror image and acquiring partition information, wherein the partition information comprises a partition name and an initial address of a partition in a virtual space;
and step 3: specifying storage area information needing integrity measurement in a partition, wherein the storage area information comprises a partition name of the storage area, and a starting address and an ending address in the partition;
and 4, step 4: acquiring information required by integrity measurement in a basic mirror image, wherein the information comprises mirror image blocks corresponding to a starting address and an ending address of a storage area, and information digests of data belonging to the storage area in the two mirror image blocks and mirror image index items corresponding to the two mirror image blocks;
and 5: creating an incremental image based on the base image;
step 6: in the incremental mirror image, detecting the integrity of a storage area needing integrity measurement according to the information, mirror image index and copy-on-write characteristics acquired in the basic mirror image;
step 6 includes the following steps 61 to 64:
step 61: if the address in the mirror image index entry corresponding to the initial address of the storage area is empty, according to the copy-on-write characteristic, the data in the mirror image block corresponding to the mirror image index entry is complete; otherwise, reading data belonging to the storage area in the mirror image block corresponding to the index item, and calculating a new information abstract, wherein if the new information abstract is the same as the information abstract acquired from the basic mirror image, the data in the mirror image block is complete, otherwise, the data is incomplete;
step 62: if the address in the mirror image index entry corresponding to the storage area end address is empty, according to the copy-on-write characteristic, data in the mirror image block corresponding to the mirror image index entry is complete; otherwise, reading data belonging to the storage area in the mirror image block corresponding to the index item, and calculating a new information abstract, wherein if the new information abstract is the same as the information abstract acquired from the basic mirror image, the data in the mirror image block is complete, otherwise, the data is incomplete;
and step 63: checking whether an address in an index entry between mirror image index entries corresponding to a start address and an end address of a storage area is empty, and if the address in one mirror image index entry is not empty according to the copy-on-write characteristic, data in a mirror image block corresponding to the index entry is incomplete; otherwise, the data is complete;
step 64: if the results of the detection in step 61, step 62 and step 63 are all data integrity, the data in the storage area is complete, otherwise it is incomplete.
2. The method of claim 1, wherein step 4 comprises:
step 41: converting the starting address and the ending address of the storage area in the partition into virtual space addresses according to the name and the starting address of the partition;
step 42: acquiring mirror image index items corresponding to the starting address and the ending address according to the corresponding relation between the virtual space address and the mirror image index items;
step 43: if the address in the mirror image index entry corresponding to the initial address of the storage area is empty, go to step 44, otherwise, read the data belonging to the storage area in the mirror image block corresponding to the index entry, calculate the information summary of the data;
step 44: if the address in the mirror image index entry corresponding to the storage area ending address is empty, the step 5 is carried out, otherwise, the data belonging to the storage area in the mirror image block corresponding to the index entry is read, and the information abstract of the data is calculated.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711416235.9A CN108170567B (en) | 2017-12-25 | 2017-12-25 | Method for detecting integrity of storage area in virtual machine based on copy-on-write characteristic |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711416235.9A CN108170567B (en) | 2017-12-25 | 2017-12-25 | Method for detecting integrity of storage area in virtual machine based on copy-on-write characteristic |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108170567A CN108170567A (en) | 2018-06-15 |
| CN108170567B true CN108170567B (en) | 2020-11-20 |
Family
ID=62524061
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711416235.9A Active CN108170567B (en) | 2017-12-25 | 2017-12-25 | Method for detecting integrity of storage area in virtual machine based on copy-on-write characteristic |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108170567B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109388474A (en) * | 2018-09-25 | 2019-02-26 | 郑州云海信息技术有限公司 | A kind of detection method and system of Qemu virtual credible root data integrity |
| CN109725983B (en) * | 2018-11-22 | 2021-07-27 | 海光信息技术股份有限公司 | Data exchange method, device, related equipment and system |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101512488A (en) * | 2006-08-07 | 2009-08-19 | Bea***公司 | System and method for providing hardware virtualization in a virtual machine environment |
| CN107256368A (en) * | 2017-06-06 | 2017-10-17 | 北京航空航天大学 | File integrality measure in virtual machine based on copy-on-write characteristic |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080201455A1 (en) * | 2007-02-15 | 2008-08-21 | Husain Syed M Amir | Moving Execution of a Virtual Machine Across Different Virtualization Platforms |
-
2017
- 2017-12-25 CN CN201711416235.9A patent/CN108170567B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101512488A (en) * | 2006-08-07 | 2009-08-19 | Bea***公司 | System and method for providing hardware virtualization in a virtual machine environment |
| CN107256368A (en) * | 2017-06-06 | 2017-10-17 | 北京航空航天大学 | File integrality measure in virtual machine based on copy-on-write characteristic |
Non-Patent Citations (1)
| Title |
|---|
| 面向QEMU的分布式块存储***的设计与实现;张沪滨 等;《微型电脑应用》;20161231;第32卷(第4期);54-57 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108170567A (en) | 2018-06-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2458249A1 (en) | A method for managing multiple file states for replicated files | |
| CN108170567B (en) | Method for detecting integrity of storage area in virtual machine based on copy-on-write characteristic | |
| CN102737205B (en) | Protection comprises can the file of editing meta-data | |
| JP2012074026A5 (en) | ||
| CN112115002B (en) | Method and device for recovering file from damaged or untrusted mechanical hard disk | |
| US20040088474A1 (en) | NAND type flash memory disk device and method for detecting the logical address | |
| CN106484719B (en) | Method and terminal for expanding mobile phone storage | |
| US8219858B2 (en) | Method for testing hard disks under an extensible firmware interface | |
| US20150213103A1 (en) | Computer system and asynchronous replication management method | |
| CN107256368B (en) | Method for measuring file integrity in virtual machine based on copy-on-write characteristic | |
| US20160092111A1 (en) | Method and apparatus for determining media information associated with data stored in storage device | |
| US20110307525A1 (en) | Virtual storage device | |
| TWI461904B (en) | Recovery method and device for linux using fat file system | |
| US20060195652A1 (en) | Boot techniques involving tape media | |
| CN107943415A (en) | The method and system of lookup free cluster based on FAT file system | |
| CN111475101B (en) | Method, system, device and storage medium for repairing flash memory card | |
| CN114048485A (en) | Dynamic monitoring method for integrity of process code segment in Docker container | |
| KR100932096B1 (en) | Method for storing data to nand flash memory | |
| CN102956270B (en) | Movable storage device detection method and device | |
| CN102969026B (en) | Based on movable storage device detection method and the device of data handling system | |
| CN102214479B (en) | Hard disk data processing method and video stream pushing server | |
| CN112015672A (en) | Data processing method, device, equipment and storage medium in storage system | |
| CN112235599A (en) | Video processing method and system | |
| CN112783711A (en) | Method and storage medium for analyzing program memory on NodeJS | |
| KR100925523B1 (en) | Method Of Generating Error In Storage Device And Method Of Selecting Error Generating Location In Storage Device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |