CN105007261A - Security protection method for image file in virtual environment - Google Patents

Security protection method for image file in virtual environment

Info

Publication number
CN105007261A
Authority
CN
China
Prior art keywords
image file
virtual machine
mark
file
illegal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510295527.6A
Other languages
Chinese (zh)
Inventor
付才
张嘉夫
韩兰胜
刘铭
崔永泉
汤学明
骆婷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huazhong University of Science and Technology filed Critical Huazhong University of Science and Technology
Priority to CN201510295527.6A priority Critical patent/CN105007261A/en
Publication of CN105007261A publication Critical patent/CN105007261A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/131 Protocols for games, networked simulations or virtual reality

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a security protection method for an image file in a virtual environment, comprising the following steps: obtaining information about the image file of a virtual machine; generating a unique identifier corresponding to the image file; and, when the virtual machine is started, verifying the identifier and judging whether the image is legal. If verification passes, the virtual machine starts normally; otherwise the image file of the virtual machine is judged to be an illegal image, and the virtual machine is prevented from starting by destroying the structure of the image file through a certain method. It is important to note that the destruction of the image file is reversible, i.e., the destroyed image file can be recovered. The security protection method of the present invention ensures the security of the loaded image file every time the virtual machine is started, and effectively protects the image file by using the uniqueness of the generated identifier together with a series of measures such as destroying the illegal image file, thereby improving the security of the whole system.

Description

A security protection method for an image file in a virtualized environment
Technical field
The invention belongs to the field of cloud computing and, more specifically, relates to a security protection method for an image file in a virtualized environment.
Background
Cloud computing represents a new business computing model. Its practical application still has many uncertainties in every respect, and it faces many security challenges. Among these, the security of user data on cloud platforms is especially prominent, mainly in the following respects. The efficiency demands of virtualization require virtual machines of multiple organizations to coexist on the same physical resources in the cloud. Although the security measures of a traditional data center still apply in a cloud environment, physical isolation and hardware-based security cannot protect against attacks between virtual machines on the same server. Management access goes through the Internet, rather than through the controlled and restricted direct or on-site connections that the traditional data center model adheres to. This increases the risk and exposure of local virtual machine images and disk files, and requires close monitoring of changes to system controls and access control restrictions.
Summary of the invention
In view of the defects in data security under current cloud environments, the object of the present invention is to provide a security protection method for an image file in a virtualized environment. It aims to strengthen the protection of user data on the existing basis, to make the security check occur every time a user starts a virtual machine, to improve the mandatory nature and accuracy of verification, and at the same time to stop an unsafe virtual machine from starting at the first opportunity, thereby improving the overall security level of the system.
To achieve the above object, the invention provides a security protection method for an image file in a virtualized environment, comprising the following steps:
(1) obtain the basic information of the image file to be protected, including file name, file type, file size and file creation time;
(2) extract the non-legible information from the basic information of the image file, combine this information in a preset order to form the final effective information, and generate the unique identifier corresponding to the image file from the effective information;
(3) after the identifier corresponding to the image file is obtained, bind the image file to its identifier;
(4) when a virtual machine starts and loads the image file, check the legitimacy of the image file against its identifier: if the image file has a bound identifier and the identifier is legitimate, load the image file normally and start the virtual machine; otherwise, treat the virtual machine as illegal, lock its image file and prevent it from starting.
In one embodiment of the present invention, in step (2) the way the identifier is generated is kept secret, and the generated identifier is unique.
In one embodiment of the present invention, the identifier is generated using a public signature algorithm or a self-designed algorithm.
In one embodiment of the present invention, binding the image file to its identifier in step (3) specifically comprises: binding the image file to its identifier using database technology, or writing the identifier to any position in the image file.
In one embodiment of the present invention, writing the identifier to any position in the image file specifically comprises: writing the identifier at the end of the image file, or storing it hashed in the image file.
In one embodiment of the present invention, checking the legitimacy of the image file in step (4) specifically comprises: checking whether the image file has a bound identifier, regenerating the identifier of the image file by the method of step (2), and checking whether the newly generated identifier is consistent with the identifier bound to the image file and therefore legitimate.
In one embodiment of the present invention, the method further comprises:
(5) when the virtual machine is judged to be illegal, preventing the illegal virtual machine from starting by destroying the structure of the image file.
In one embodiment of the present invention, the method of destroying the structure of the image file is specifically: rewriting the file header of the image file.
In one embodiment of the present invention, the destruction of the image file is reversible: the administrator can XOR-rewrite the first 128 bytes of the image file header again to recover the destroyed virtual machine image file, so that it can load normally again.
Compared with the prior art, the above technical solution conceived by the present invention has the following beneficial effects:
(1) The identifier generation method used in step (3) is flexible and changeable; the administrator can update it regularly to retire outdated algorithms and use safer and more efficient signature algorithms.
(2) The verification procedure used in step (4) is implemented by modifying the source code of the virtualization system and recompiling and installing it. The verification is therefore mandatory and cannot be bypassed: it is performed before every start of a virtual machine, i.e. the legitimacy of the virtual machine is checked every time it is started.
(3) A user cannot pass verification by directly copying an identifier, for the following reason: the identifier of an image file is generated from the attribute information of that file, and these attributes are unique to it. They include, but are not limited to, file name, file size and creation time. The generated identifier is therefore unique as well.
(4) The destruction of an illegal image file in step (5) can be executed immediately when verification fails, so it takes effect during that very start of the virtual machine, i.e. the start fails. This step prevents loading by destroying the file structure, and the user cannot recover the file on their own; only the corresponding recovery program can unlock the image file so that it can load normally.
Brief description of the drawings
Fig. 1 is a flow chart of the image file protection method in a virtualized environment according to the present invention.
Detailed description
In order to make the objects, technical solution and advantages of the present invention clearer, the invention is further described below with reference to the drawing and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
As shown in Fig. 1, the security protection method for an image file in a virtualized environment according to the present invention comprises the following steps:
(1) Obtain the basic information of the image file to be protected, including but not limited to file name, file type, file size and file creation time. This information uniquely represents the image file and serves as the basis for generating the image file identifier in the next step.
(2) Extract the non-legible information from the basic information of the image file obtained above, combine this information in a preset order to form the final effective information, and generate the unique identifier corresponding to the image file from the effective information.
The way the identifier is generated is kept secret and is not restricted: a published signature algorithm can be used, or a self-designed algorithm; it is only necessary to ensure that the generated identifier is unique and irreversible.
(3) After the identifier corresponding to the image file is obtained, bind the image file to its identifier.
The identifier can be bound to the image file in various ways, including but not limited to the following: binding the image file to its identifier using database technology, or writing the identifier to any position in the image file, such as the end of the image file, or storing it hashed in the image file.
(4) When a virtual machine starts and loads the image file, check the legitimacy of the image file against its identifier: if the image file has a bound identifier and the identifier is legitimate, load the image file normally and start the virtual machine; otherwise, treat the virtual machine as illegal, lock its image file and prevent it from starting.
Specifically, a functional module that verifies the image file identifier can be added to the virtualization system by modifying the source code of the virtualization system.
The verification is mandatory and cannot be bypassed: it is performed before every start of a virtual machine, i.e. the legitimacy of the virtual machine is checked every time it is started. The main function of this module is to check whether the image file has a bound identifier and, by repeating the earlier process of generating the image file identifier, to check whether the identifier of the image file is consistent and legitimate.
(5) Prevent the illegal virtual machine from starting by destroying the structure of the image file: the file header of the image file is rewritten by XOR-rewriting the first 128 bytes at the start of the file. The file header can then no longer be read correctly when the image file is loaded, which prevents the virtual machine from starting.
It should be noted that the destruction of the image file is reversible: the administrator XOR-rewrites the first 128 bytes of the image file header again, which recovers the destroyed virtual machine image file so that it can load normally again.
In addition, the file structure of an illegal image file that fails verification should be destroyed immediately, i.e. the image file is locked so that it cannot start normally; only after it has been unlocked by an additional recovery program can the image file load normally and start the virtual machine.
Those skilled in the art will readily understand that the foregoing describes only preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
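Steps (1) to (5) above as an added Python example (not code from the patent). It assumes HMAC-SHA256 under a secret key as the identifier algorithm, a dict in place of the database binding, the modification time in place of the creation time, and a SHAKE-256-derived XOR mask; `ImageGuard` and its method names are hypothetical. It also tracks lock state, because XORing the header a second time would restore it.

```python
import hashlib
import hmac
import os
import tempfile

HEADER_LEN = 128  # the page rewrites the first 128 bytes of the file header


class ImageGuard:
    """Steps (1)-(5); a dict stands in for the database binding (assumption)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        # Assumed mask: the page does not say what the header is XORed with.
        self._mask = hashlib.shake_256(secret + b"header-lock").digest(HEADER_LEN)
        self.bindings = {}   # image path -> identifier, step (3)
        self.locked = set()  # paths whose header is currently XORed

    def identifier(self, path: str) -> bytes:
        # Steps (1)-(2): name, type, size and time combined in a preset order.
        st = os.stat(path)
        name = os.path.basename(path)
        ftype = os.path.splitext(name)[1]
        # st_mtime_ns stands in for creation time, which os.stat lacks portably.
        fields = [name, ftype, str(st.st_size), str(st.st_mtime_ns)]
        effective = "\x00".join(fields).encode()
        return hmac.new(self._secret, effective, hashlib.sha256).digest()

    def bind(self, path: str) -> None:
        self.bindings[path] = self.identifier(path)

    def _xor_header(self, path: str) -> None:
        st = os.stat(path)
        with open(path, "r+b") as f:
            head = f.read(HEADER_LEN)  # may be shorter than 128 bytes
            f.seek(0)
            f.write(bytes(b ^ m for b, m in zip(head, self._mask)))
        # Restore timestamps so the rewrite itself does not alter the identifier.
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

    def lock(self, path: str) -> None:
        # XOR is its own inverse: locking twice would silently unlock.
        if path not in self.locked:
            self._xor_header(path)
            self.locked.add(path)

    def unlock(self, path: str) -> None:
        if path in self.locked:
            self._xor_header(path)
            self.locked.discard(path)

    def allow_boot(self, path: str) -> bool:
        # Step (4): a binding must exist and match the regenerated identifier.
        bound = self.bindings.get(path)
        ok = (path not in self.locked and bound is not None
              and hmac.compare_digest(bound, self.identifier(path)))
        if not ok:
            self.lock(path)  # step (5): destroy the header immediately
        return ok


def demo() -> dict:
    guard = ImageGuard(secret=b"constructed-demo-secret")
    header = b"IMGHDR" + bytes(range(122))  # constructed 128-byte header

    def head(p):
        with open(p, "rb") as f:
            return f.read(HEADER_LEN)

    with tempfile.TemporaryDirectory() as d:
        good, rogue = os.path.join(d, "vm-a.img"), os.path.join(d, "vm-b.img")
        for p, body in ((good, b"A" * 512), (rogue, b"B" * 700)):
            with open(p, "wb") as f:
                f.write(header + body)
        guard.bind(good)
        guard.bindings[rogue] = guard.bindings[good]  # identifier copied from vm-a
        out = {"good_boots": guard.allow_boot(good),
               "rogue_boots": guard.allow_boot(rogue),
               "rogue_header_destroyed": head(rogue) != header}
        guard.allow_boot(rogue)  # a second start attempt must not undo the lock
        out["still_locked"] = head(rogue) != header
        guard.unlock(rogue)      # the administrator's recovery step
        out["restored"] = head(rogue) == header
        out["good_header_intact"] = head(good) == header
        return out
```

The identifier here covers only file attributes, as in the text, so a content change that keeps name, size and timestamp is outside what this check detects.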

Claims (10)

1. A security protection method for an image file in a virtualized environment, comprising the following steps:
(1) obtain the basic information of the image file to be protected, including file name, file type, file size and file creation time;
(2) extract the non-legible information from the basic information of the image file, combine this information in a preset order to form the final effective information, and generate the unique identifier corresponding to the image file from the effective information;
(3) after the identifier corresponding to the image file is obtained, bind the image file to its identifier;
(4) when a virtual machine starts and loads the image file, check the legitimacy of the image file against its identifier: if the image file has a bound identifier and the identifier is legitimate, load the image file normally and start the virtual machine; otherwise, treat the virtual machine as illegal, lock its image file and prevent it from starting.
2. The method according to claim 1, characterized in that in step (2) the way the identifier is generated is kept secret, and the generated identifier is unique.
3. The method according to claim 2, characterized in that the identifier is generated using a public signature algorithm or a self-designed algorithm.
4. The method according to claim 1 or 2, characterized in that binding the image file to its identifier in step (3) specifically comprises: binding the image file to its identifier using database technology, or writing the identifier to any position in the image file.
5. The method according to claim 4, characterized in that writing the identifier to any position in the image file specifically comprises: writing the identifier at the end of the image file, or storing it hashed in the image file.
6. The method according to claim 1 or 2, characterized in that checking the legitimacy of the image file in step (4) specifically comprises: checking whether the image file has a bound identifier, regenerating the identifier of the image file by the method of step (2), and checking whether the newly generated identifier is consistent with the identifier bound to the image file and therefore legitimate.
7. The method according to claim 1 or 2, characterized in that the method further comprises:
(5) when the virtual machine is judged to be illegal, preventing the illegal virtual machine from starting by destroying the structure of the image file.
8. The method according to claim 7, characterized in that the method of destroying the structure of the image file is specifically: rewriting the file header of the image file.
9. The method according to claim 8, characterized in that the destruction of the image file is reversible: the administrator can XOR-rewrite the first 128 bytes of the image file header again to recover the destroyed virtual machine image file, so that it can load normally again.
10. The method according to claim 7, characterized in that the file structure of an illegal image file that fails verification is destroyed immediately, i.e. the image file is locked so that it cannot start normally; only after it has been unlocked by an additional recovery program can the image file load normally and start the virtual machine.
CN201510295527.6A 2015-06-02 2015-06-02 Security protection method for image file in virtual environment Pending CN105007261A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510295527.6A CN105007261A (en) 2015-06-02 2015-06-02 Security protection method for image file in virtual environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510295527.6A CN105007261A (en) 2015-06-02 2015-06-02 Security protection method for image file in virtual environment

Publications (1)

Publication Number Publication Date
CN105007261A true CN105007261A (en) 2015-10-28

Family

ID=54379784

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510295527.6A Pending CN105007261A (en) 2015-06-02 2015-06-02 Security protection method for image file in virtual environment

Country Status (1)

Country Link
CN (1) CN105007261A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151028