
CN105701400A - Virtual machine platform safety control method and device - Google Patents


Info

Publication number
CN105701400A
Authority
CN
China
Prior art keywords
virtual machine
service
sub
virtual
machines
Prior art date
Legal status
Pending
Application number
CN201610025684.XA
Other languages
Chinese (zh)
Inventor
孙磊
户家富
胡翠云
窦睿彧
杨杰
郭松辉
胡永进
Current Assignee
PLA Information Engineering University
Original Assignee
PLA Information Engineering University


Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The present application provides an embodiment of a security control method for a virtual machine platform. In this embodiment, the service virtual machine is divided into multiple minimum sub-service virtual machines, and several of those minimum sub-service virtual machines are merged to obtain at least two sub-service virtual machines. When a user virtual machine issues a service call request, connections with the user virtual machine and with the service virtual machine are established according to that request, so that after the division the sub-service virtual machines provide the virtual services to the user virtual machine. The service virtual machine is thus divided into multiple sub-service virtual machines, each of which provides its virtual services independently. From the trusted computing base perspective, the separated sub-service virtual machines no longer belong to the trusted computing base of the virtual machine platform, which reduces the platform's trusted computing base and attack surface; two-way isolation between the user virtual machine and the sub-service virtual machines is also achieved, improving the security of the platform. The application also provides a security control device for a virtual machine platform.

Description

Security control method and device for a virtual machine platform

Technical field

The present application relates to the field of virtual machine technology, and in particular to a security control method and device for a virtual machine platform.

Background

A virtual machine platform is a computer platform that uses virtualization technology. Virtualization is a resource management technology that presents a computer's physical hardware resources, such as the processor and memory manager, as multiple virtual copies for use by multiple operating systems. Although a virtual machine is not a real hardware resource, a program running on a virtual machine behaves as if it were running on a real computer.

Security is an important consideration for a virtual machine platform. However, the trusted computing base and attack surface of current virtual machine platforms are large, which lowers their security.

Summary of the invention

In view of this, the present application provides a security control method for a virtual machine platform, intended to solve the technical problem in the prior art that the trusted computing base and attack surface of a virtual machine platform are large and its security is low. The present application also provides a security control device for a virtual machine platform, to ensure that the method can be applied and realized in practice.

To achieve this purpose, the technical scheme provided by the present application is as follows.

A first aspect of the present application provides a security control method for a virtual machine platform, comprising:

determining the service virtual machine in the virtual machine platform;

dividing the service virtual machine into a plurality of minimum sub-service virtual machines according to a minimum-granularity separation algorithm, wherein the services provided by the respective minimum sub-service virtual machines do not overlap;

merging several of the minimum sub-service virtual machines according to a preset merging rule to obtain at least two sub-service virtual machines, wherein each sub-service virtual machine provides its virtual services independently;

when a service call request from a user virtual machine in the virtual machine platform is received, determining, among the sub-service virtual machines, the target sub-service virtual machine corresponding to the service call request;

establishing a first connection with the target sub-service virtual machine and a second connection with the user virtual machine, the first connection and the second connection being used by the target sub-service virtual machine to provide the virtual service to the user virtual machine, so that two-way isolation between the user virtual machine and the sub-service virtual machine is ensured.

A second aspect of the present application provides a security control device for a virtual machine platform, the device comprising:

a service domain determination module, configured to determine the service virtual machine in the virtual machine platform;

a minimum virtual machine division module, configured to divide the service virtual machine, according to a minimum-granularity separation algorithm, into a plurality of sub-service virtual machines of minimum service granularity, wherein the services provided by the respective minimum sub-service virtual machines do not overlap;

a minimum virtual machine merging module, configured to merge several of the minimum sub-service virtual machines according to a preset merging rule to obtain at least two sub-service virtual machines, wherein each sub-service virtual machine provides its virtual services independently;

a service request module, configured to, when a service call request from a user virtual machine in the virtual machine platform is received, determine, among the sub-service virtual machines, the target sub-service virtual machine corresponding to the service call request;

a connection establishment module, configured to establish a first connection with the target sub-service virtual machine and a second connection with the user virtual machine, the first connection and the second connection being used by the target sub-service virtual machine to provide the virtual service to the user virtual machine, so as to realize two-way isolation between the user virtual machine and the sub-service virtual machine.

As can be seen from the above, the embodiment of the security control method for a virtual machine platform provided by the present application serves to enhance the security of the platform. The platform includes a service virtual machine; the service virtual machine is first divided into a plurality of minimum sub-service virtual machines according to the minimum-granularity separation algorithm, several of those are merged to obtain at least two sub-service virtual machines, and connections with the user virtual machine and with the service virtual machine are then established according to the user virtual machine's service call request, so that after the division the sub-service virtual machines provide the virtual services to the user virtual machine. The service virtual machine is thus divided into multiple sub-service virtual machines, each of which provides its virtual services independently. From the trusted computing base perspective, the separated sub-service virtual machines do not belong to the trusted computing base of the platform, so this embodiment reduces the trusted computing base and attack surface of the platform and realizes two-way isolation between the user virtual machine and the sub-service virtual machines, improving the security of the platform.

Of course, a product implementing the present application does not necessarily have to achieve all of the advantages described above at the same time.

Description of the drawings

To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application; those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.

FIG. 1 is a flow chart of Embodiment 1 of the security control method for a virtual machine platform provided by the present application;

FIG. 2 is a schematic diagram of the virtual machine platform provided by the present application;

FIG. 3 is a flow chart of Embodiment 2 of the security control method for a virtual machine platform provided by the present application;

FIG. 4 is a schematic diagram of a hypercall provided by the present application;

FIG. 5 is a schematic diagram of the separation of the service virtual machine provided by the present application;

FIG. 6 is a schematic structural diagram of Embodiment 1 of the security control device for a virtual machine platform provided by the present application;

FIG. 7 is a schematic structural diagram of Embodiment 2 of the security control device for a virtual machine platform provided by the present application.

Detailed description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the protection scope of the present application.

Referring to FIG. 1, which shows the flow of Embodiment 1 of the security control method for a virtual machine platform provided by the present application, this embodiment may include steps S101 to S105.

Step S101: Determine the service virtual machine in the virtual machine platform.

This embodiment is used to control the secure operation of a virtual machine platform. An example of such a platform is shown in FIG. 2 and comprises a service virtual machine, user virtual machines, and a monitor. Embodiment 1 is applied on the monitor, so that the monitor performs the function of controlling the secure operation of the platform.

The virtual machine platform shown in FIG. 2 may be Xen. Xen is an open-source system virtual machine monitor that can run multiple operating system instances simultaneously on a single physical machine. Xen includes a service virtual machine, also called the service domain, the management virtual machine (Domain0), or simply Dom0. Xen also includes a hypervisor, which runs between the physical hardware and the operating systems and virtualizes the physical hardware into the virtual hardware resources used by the virtual machines.

The service virtual machine, as an extension of the hypervisor, provides virtual services such as system management and I/O resource virtualization. Specifically, the service virtual machine owns the hardware input and output devices and holds the native drivers for those devices, so it can be regarded as the device driver domain. A user virtual machine owns no physical hardware devices; it accesses physical hardware by requesting services from the service virtual machine.

The service virtual machine hosts many types of services, such as storage, network, and graphics, which lowers its security. Specifically, because every service is provided by the same service virtual machine, a fault in that machine makes all services unavailable. From the trusted computing base perspective, the whole service virtual machine becomes part of the platform's TCB (Trusted Computing Base), so the platform's TCB is large and bloated, the attack surface is huge, and security is low.

To improve this, the monitor (ServiceVisor) provided by the present application divides the service virtual machine into multiple sub-service virtual machines that are independent of each other and each provide their own virtual services. In other words, each sub-service virtual machine contains all the resources it needs to provide its services, and does not have to call other sub-service virtual machines while doing so. The specific division is described in steps S102 and S103.

Step S102: Divide the service virtual machine into multiple minimum sub-service virtual machines according to the minimum-granularity separation algorithm; the services provided by the respective minimum sub-service virtual machines do not overlap.

The minimum-granularity separation algorithm divides an object into sub-objects of the smallest unit. In the present application it divides the service virtual machine into sub-service virtual machines of the smallest unit, where "smallest" means that the services provided by the sub-service virtual machines do not overlap and the service granularity is minimal.

For example, the minimum-granularity separation algorithm may separate the service virtual machine into three sub-service virtual machines: a network virtual machine, a storage virtual machine, and a log virtual machine, providing the network service, the storage service, and the log service respectively. The network virtual machine provides no storage or log service; the storage virtual machine provides no network or log service; and the log virtual machine provides no network or storage service. These three sub-service virtual machines are only an illustration; in practice the separated sub-service virtual machines are not limited to these three, and may be of a different number or of other types.

With this separation, each sub-service virtual machine provides a single service, and the crash of any one sub-service virtual machine does not affect the others, so the security of the virtual machine platform is higher.

Step S103: Merge several minimum sub-service virtual machines according to a preset merging rule to obtain at least two sub-service virtual machines; each sub-service virtual machine provides its virtual services independently.

The preset merging rule is a rule set in advance that names the minimum sub-service virtual machines to be merged. A minimum sub-service virtual machine is a sub-service virtual machine separated out by the minimum-granularity separation algorithm.

For example, the preset merging rule may merge the log virtual machine and the storage virtual machine, both of which are minimum sub-service virtual machines.

The number of minimum sub-service virtual machines to be merged is not limited to two and may be any number set according to the actual situation. However, the number of sub-service virtual machines after merging must be at least two, so that the service virtual machine remains separated into multiple sub-service virtual machines.

The preset merging rule must satisfy the security policy; that is, the merged sub-service virtual machines must meet the security requirements of the scenario in which the platform is used. For example, if the platform is deployed in a network environment and can be accessed by external devices, the stored data must be protected, so the network virtual machine must not be merged with the storage virtual machine.

Step S104: When a service call request from a user virtual machine in the virtual machine platform is received, determine, among the sub-service virtual machines, the target sub-service virtual machine corresponding to the request.

The monitor isolates the divided sub-service virtual machines from the user virtual machines, which further improves the security of the platform.

As shown in FIG. 2, the virtual machine platform includes not only the service virtual machine but also user virtual machines. To run, a user virtual machine needs the virtual services provided by the service virtual machine, for example its network service.

When the monitor receives a service call request from a user virtual machine, it determines, from the type of the request, which of the sub-service virtual machines corresponds to that request type; for convenience this sub-service virtual machine is called the target sub-service virtual machine. For example, if the user virtual machine requests the network service, the target sub-service virtual machine determined by the monitor is the network virtual machine.

Step S105: Establish a first connection with the target sub-service virtual machine and a second connection with the user virtual machine, over which the target sub-service virtual machine provides the virtual service to the user virtual machine.

The monitor establishes two connections, one to the target sub-service virtual machine and one to the user virtual machine, called the first connection and the second connection respectively. Data sent by the user virtual machine to the target sub-service virtual machine goes to the monitor, which forwards it to the target sub-service virtual machine. Likewise, data sent by the target sub-service virtual machine to the user virtual machine is forwarded through the monitor.

In the prior art, the user virtual machine sends its service call request directly to the service virtual machine. In the present application, the service virtual machine is divided into multiple sub-service virtual machines, and the user virtual machine does not exchange data with a sub-service virtual machine directly but only through the monitor, which realizes two-way isolation between the sub-service virtual machines and the user virtual machines and further improves the security of the platform.

As can be seen from the above technical solution, the embodiment of the security control method for a virtual machine platform provided by the present application serves to control the security of the platform. The platform includes a service virtual machine; the service virtual machine is first divided into a plurality of minimum sub-service virtual machines according to the minimum-granularity separation algorithm, several of those are merged to obtain at least two sub-service virtual machines, and connections with the user virtual machine and with the service virtual machine are then established according to the user virtual machine's service call request, so that after the division the sub-service virtual machines provide the virtual services to the user virtual machine. The service virtual machine is thus divided into multiple sub-service virtual machines, each of which provides its virtual services independently. From the trusted computing base perspective, the separated sub-service virtual machines do not belong to the trusted computing base of the platform, so this embodiment reduces the trusted computing base and attack surface of the platform and improves its security.

In short, this embodiment separates the services integrated in a single service virtual machine and distributes them over different sub-service virtual machines, so that a single fault in the service virtual machine no longer affects every service, which improves the security of the platform.

The types of service provided by the service virtual machine are determined by its configuration file, so the division of the service virtual machine may proceed as follows: obtain the configuration file of the service virtual machine, read from it the various types of service the service virtual machine provides, and divide those service types into multiple service sets.

Specifically, each service type may form its own service set, or several service types may form one service set; after the division there are at least two service sets. A configuration file is then generated for each service set, and a sub-service virtual machine is created for each service set according to its configuration file.
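The division of steps S102 and S103, together with the configuration-file procedure just described, as an added Python model. This is example code written for this page, not the patent's own minimum-granularity separation algorithm or any Xen tooling; the configuration dictionary, the service and device names, and the single forbidden pair in the separation policy are constructed assumptions. It shows the point a practitioner should check: a preset merge rule is only accepted if it keeps the separation policy (here, network and storage never share a domain) and still leaves at least two sub-service VMs.

```python
"""Minimum-granularity split of a service VM plus policy-checked merging.

Every service type in the (constructed) service VM configuration becomes its
own minimum sub-service VM, so no two share a service. A preset merge rule
then combines some of them, but only if the separation policy allows the
co-location and at least two sub-service VMs remain.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the service VM's configuration file (assumed
# format): each service type with the devices and drivers it needs.
SERVICE_VM_CONFIG = {
    "network": {"devices": ["eth0"], "drivers": ["e1000"]},
    "storage": {"devices": ["sda"], "drivers": ["ahci"]},
    "log": {"devices": [], "drivers": []},
}

# Separation policy (assumed): pairs of services that must never be merged.
SEPARATION_POLICY = {frozenset({"network", "storage"})}


@dataclass
class SubServiceVM:
    name: str
    services: set
    resources: dict = field(default_factory=dict)


def split_minimum(config):
    """Step S102: one sub-service VM per service type, services disjoint."""
    return [
        SubServiceVM(name=f"{service}-vm", services={service},
                     resources={service: res})
        for service, res in config.items()
    ]


def policy_allows(services):
    """True if no forbidden pair would be co-located in one VM."""
    return not any(pair <= services for pair in SEPARATION_POLICY)


def merge(vms, merge_rule):
    """Step S103: apply a preset merge rule (a set of service names).

    Raises ValueError if the rule violates the separation policy or would
    collapse everything back into a single domain.
    """
    to_merge = [vm for vm in vms if vm.services & merge_rule]
    keep = [vm for vm in vms if not (vm.services & merge_rule)]
    merged_services = set().union(*(vm.services for vm in to_merge))
    if not policy_allows(merged_services):
        raise ValueError(f"policy forbids co-locating {sorted(merged_services)}")
    merged = SubServiceVM(name="-".join(sorted(merged_services)) + "-vm",
                          services=merged_services)
    for vm in to_merge:
        merged.resources.update(vm.resources)
    result = keep + [merged]
    if len(result) < 2:
        raise ValueError("merge would leave fewer than two sub-service VMs")
    return result


def check_disjoint(vms):
    """Every service is provided by exactly one sub-service VM."""
    seen = [s for vm in vms for s in vm.services]
    return len(seen) == len(set(seen))


if __name__ == "__main__":
    minimum = split_minimum(SERVICE_VM_CONFIG)
    for vm in merge(minimum, {"log", "storage"}):
        print(vm.name, sorted(vm.services), sorted(vm.resources))
    try:
        merge(minimum, {"network", "storage"})
    except ValueError as exc:
        print("rejected:", exc)
```

The merge step deliberately re-derives the combined service set before consulting the policy, so a rule that names three minimum VMs is checked against every forbidden pair it would create, not just the two VMs the rule was written for.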

当然,在实际应用中,某些分离出的子服务虚拟机并非被频繁地使用,上述分离方式可能造成资源的浪费。因此,本申请还可以将分离出的某些子服务虚拟机关闭或者合并,具体如下步骤A1及步骤A2。Of course, in practical applications, some separated sub-service virtual machines are not frequently used, and the above separation method may cause waste of resources. Therefore, the present application may also shut down or merge some of the separated sub-service virtual machines, specifically as follows in steps A1 and A2.

步骤A1:若某个子服务虚拟机处于待机状态,关闭某个子服务虚拟机。Step A1: If a certain sub-service virtual machine is in a standby state, shut down a certain sub-service virtual machine.

After the monitor has separated out the sub-service virtual machines, it can start each of them. Some sub-service virtual machines may be used only rarely after they are started; such a sub-service virtual machine is regarded as being in a standby state.

A sub-service virtual machine provides its service by sending service data to the object that requested the service. The monitor can therefore decide that a sub-service virtual machine is in the standby state by collecting the service data it sends: if the amount of service data sent falls below a certain threshold, the sub-service virtual machine may be regarded as being in standby.

If a sub-service virtual machine is detected to be in the standby state, that sub-service virtual machine is shut down. Alternatively, when a sub-service virtual machine is in the standby state, step A2 may be performed.

Step A2: if a certain sub-service virtual machine is in the standby state, merge that sub-service virtual machine with other sub-service virtual machines.

The monitor may shut the sub-service virtual machine down and release the resources it occupies. Alternatively, the monitor may merge it with other sub-service virtual machines, making the resources it occupied available to them. Note that the sub-service virtual machines merged in this way become a single sub-service virtual machine.

For example, if the network virtual machine is in the standby state, it may be shut down, or it may be merged with the log virtual machine.
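The standby decision above (data volume below a threshold, then shut down or merge per step A2) can be modelled as follows. This is an added illustration, not code from the patent or from any Xen component: the per-window byte counts are constructed sample data, the threshold of 1024 bytes is an assumption (the text only says "a certain threshold"), and the merge partner table is the page's own network-into-log example.

```python
from dataclasses import dataclass

# Constructed sample: bytes of service data each sub-service VM sent to the
# objects that requested its service during one monitoring window.
# VM names follow the page's FIG. 5 partition; the byte counts are invented.
SAMPLE_WINDOW = {
    "NetWorkDomain": 120,
    "LogServiceDomain": 48_000,
    "DeviceDriverDomain": 9_500,
    "MigrationServiceDomain": 0,
}

# Assumed standby threshold; the page only speaks of "a certain threshold".
STANDBY_THRESHOLD = 1_024


@dataclass
class SubServiceVM:
    name: str
    services: set
    running: bool = True


class Monitor:
    """Monitor-side bookkeeping for the standby / shutdown / merge decisions."""

    def __init__(self, vms, threshold=STANDBY_THRESHOLD):
        self.vms = {vm.name: vm for vm in vms}
        self.threshold = threshold

    def standby(self, sent_bytes):
        """Running VMs whose service data volume fell below the threshold."""
        return sorted(
            name for name, nbytes in sent_bytes.items()
            if name in self.vms and self.vms[name].running and nbytes < self.threshold
        )

    def shutdown(self, name):
        """Stop the VM; its resources return to the pool."""
        self.vms[name].running = False

    def merge(self, src, dst):
        """Fold src into dst: dst now provides both sets of services and takes
        over src's resources, so afterwards only one sub-service VM remains."""
        if src == dst or src not in self.vms or dst not in self.vms:
            raise ValueError(f"cannot merge {src} into {dst}")
        source = self.vms.pop(src)
        self.vms[dst].services |= source.services
        return self.vms[dst]


def apply_standby_policy(monitor, sent_bytes, merge_into):
    """For every standby VM: merge it into its configured partner (step A2)
    if one is running, otherwise shut it down. Returns the actions taken."""
    actions = []
    for name in monitor.standby(sent_bytes):
        target = merge_into.get(name)
        if target is not None and target in monitor.vms and target != name:
            monitor.merge(name, target)
            actions.append((name, "merged", target))
        else:
            monitor.shutdown(name)
            actions.append((name, "shutdown", None))
    return actions


def build_sample_monitor():
    """Four of the page's sub-service VMs, each providing one service."""
    return Monitor([
        SubServiceVM("NetWorkDomain", {"network"}),
        SubServiceVM("LogServiceDomain", {"log"}),
        SubServiceVM("DeviceDriverDomain", {"device_driver"}),
        SubServiceVM("MigrationServiceDomain", {"migration"}),
    ])


if __name__ == "__main__":
    m = build_sample_monitor()
    print(apply_standby_policy(m, SAMPLE_WINDOW, {"NetWorkDomain": "LogServiceDomain"}))
```

With the sample window, the migration VM (no partner configured) is shut down and the network VM is merged into the log VM, which then provides both services; a merged VM disappears from the monitor's table, which is the "become a single sub-service virtual machine" property the text describes.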

The virtual machine platform contains multiple virtual machines. A virtual machine cannot directly access physical resources outside itself, including the hypervisor itself; instead it requests services from the hypervisor through hypercalls. A hypercall is analogous to a system call in an operating system: it is the interface through which the hypervisor provides its services to the individual virtual machines.

The sub-service virtual machines created by this application, together with the user virtual machines, can all act as virtual machines that issue hypercalls. Without permission control, these virtual machines could issue hypercalls at will and thereby reach every kind of physical resource, so a hypercall sent by a virtual machine may request physical resources beyond what its own function requires. In this situation, permission control must be applied to the virtual machines' hypercalls.

Specifically, FIG. 3 shows the flow of Embodiment 2 of the security control method for a virtual machine platform. On the basis of Embodiment 1 of the method, it may further include step S106 and step S107. Steps S101 to S105 of this embodiment are the same as steps S101 to S105 of FIG. 1 and are not repeated here; only steps S106 and S107 are described.

Step S106: when a hypercall request is detected, determine whether the calling virtual machine that sent the hypercall request has the corresponding permission; if it does, perform step S107.

The monitor may receive hypercall requests sent by any virtual machine in the platform, whether a user virtual machine or a sub-service virtual machine. For ease of description, the virtual machine that sends a hypercall is called the calling virtual machine.

The monitor determines whether the calling virtual machine has permission to send that hypercall request. If it does, step S107 is performed; if not, the calling virtual machine's hypercall request is rejected.

Step S107: provide the calling virtual machine with the service corresponding to the hypercall request.

The above scheme can be explained with the hypercall example shown in FIG. 4.

As shown in FIG. 4, DomS1 ... DomSm are the service virtual machines and DomU1 ... DomUm are the user virtual machines. These virtual machines are the subjects that send hypercall requests, that is, the calling virtual machines.

Access control point 1 can receive hypercall requests of different types from a calling virtual machine, but after access control point 1 has made its decision, only those hypercall requests that correspond to the calling virtual machine's function are forwarded to access control point 2. Access control point 2 then applies subsequent security controls to the hypercall request, including the access control decisions enforced by the Flask security module; the security control performed by access control point 2 is prior art and is not described further here.

The above scheme is based on the principle of least privilege and meets the security control requirements of the virtual machine platform.
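The following models access control point 1 from FIG. 4 (steps S106 and S107): each calling virtual machine has a role, each role has an allow-list of the hypercalls its function needs, and anything else is rejected and recorded before it can reach access control point 2. This is an added example, not code from the patent or from Xen: the hypercall names, the role allow-lists and the DomS*/DomU* role table are assumptions constructed for the illustration, and `access_control_point_2` is a stand-in for the existing downstream (Flask) decision.

```python
from enum import Enum, auto


class Hypercall(Enum):
    """Illustrative hypercall classes. The names are assumptions for this
    example, not Xen's real hypercall numbers."""
    GRANT_TABLE_OP = auto()    # share memory pages with another domain
    EVENT_CHANNEL_OP = auto()  # inter-domain notifications
    MEMORY_OP = auto()         # the domain's own memory reservation
    CONSOLE_IO = auto()
    PHYSDEV_OP = auto()        # physical device / IRQ access
    DOMCTL = auto()            # build, destroy or map other domains


# Assumed allow-lists: the hypercalls each role needs for its own function.
# Anything not listed lies outside the role's function and is dropped at
# access control point 1, so it never reaches access control point 2.
ROLE_ALLOW = {
    "user": {Hypercall.GRANT_TABLE_OP, Hypercall.EVENT_CHANNEL_OP,
             Hypercall.MEMORY_OP, Hypercall.CONSOLE_IO},
    "network": {Hypercall.GRANT_TABLE_OP, Hypercall.EVENT_CHANNEL_OP,
                Hypercall.PHYSDEV_OP},
    "domain_build": {Hypercall.DOMCTL, Hypercall.MEMORY_OP,
                     Hypercall.EVENT_CHANNEL_OP},
    "log": {Hypercall.GRANT_TABLE_OP, Hypercall.EVENT_CHANNEL_OP},
}

# Constructed domain table in the FIG. 4 naming: DomS* service VMs, DomU* user VMs.
DOMAIN_ROLE = {"DomU1": "user", "DomS1": "network",
               "DomS2": "domain_build", "DomS3": "log"}


def access_control_point_2(calling_vm, hypercall):
    """Stand-in for the existing downstream controls (the Flask module's
    decision and the actual service); this example simply services the call."""
    return f"{hypercall.name} serviced for {calling_vm}"


class AccessControlPoint1:
    def __init__(self, domain_role, role_allow, forward=access_control_point_2):
        self.domain_role = domain_role
        self.role_allow = role_allow
        self.forward = forward
        self.denied = []  # audit trail of rejected (calling_vm, hypercall) pairs

    def permitted(self, calling_vm, hypercall):
        """Step S106: deny by default; allow only calls matching the caller's
        own function. An unknown caller has no role and is therefore denied."""
        role = self.domain_role.get(calling_vm)
        return role is not None and hypercall in self.role_allow.get(role, set())

    def handle(self, calling_vm, hypercall):
        """Step S107 on success (forward to access control point 2);
        None plus an audit entry on rejection."""
        if not self.permitted(calling_vm, hypercall):
            self.denied.append((calling_vm, hypercall.name))
            return None
        return self.forward(calling_vm, hypercall)


if __name__ == "__main__":
    acp1 = AccessControlPoint1(DOMAIN_ROLE, ROLE_ALLOW)
    print(acp1.handle("DomU1", Hypercall.GRANT_TABLE_OP))
    print(acp1.handle("DomU1", Hypercall.DOMCTL), acp1.denied)
```

The point of the structure is the default: a user VM asking for DOMCTL, or the log VM asking for physical device access, is outside the caller's function and is refused at the first point regardless of what the downstream policy would say, which is how the least-privilege property in the text is obtained.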

In practice, one concrete way of partitioning the service virtual machine is shown in FIG. 5. As shown in FIG. 5, the service virtual machine Dom0 can be divided into the following sub-service virtual machines:

(1) Device model virtual machine (DeviceModelDomain): the device model is an important part of Xen hardware virtualization. It runs as a process in the user space of Dom0 and is responsible for emulating IO devices for HVM (hardware virtual machine) guests. The main reasons for separating it from Dom0 are: 1) poor isolation: because every HVM guest has its own device model daemon in Dom0, IO isolation between HVM guests reduces to isolation between two processes; process isolation is weak and the crash of one process may bring down another, so isolation between HVM guests cannot be guaranteed; 2) low performance: the device model daemon is scheduled as an ordinary process in Dom0, so it cannot respond promptly to the HVM guest's IO requests, degrading HVM performance; 3) high privilege: because the device model emulates IO devices for HVM guests, it holds high access rights such as access to hardware devices, and if it is compromised by malware the damage is considerable. Separating it from Dom0 into its own mini device model domain, with one device model domain per HVM guest, solves these problems.

(2) Network virtual machine (NetWorkDomain): the network device in Dom0 provides network services to the guest virtual machines. The main reasons for separating it from Dom0 are: 1) the network driver is large and exposed to attack by malicious users on the network; if it crashes or is compromised, it can bring down Dom0 and with it the entire virtual machine system; 2) it easily becomes a network performance bottleneck, because the bloated and complex Dom0 of the Xen architecture cannot process the guests' network requests in time, a problem that is especially evident when many guests issue requests at once.

(3) Device driver virtual machine (DeviceDriverDomain): this domain manages the peripherals for the virtual system and provides peripheral services to the other user domains. It is needed because: 1) when a new dedicated peripheral is added, loading its driver into the original Dom0 kernel may destabilise or crash the Dom0 kernel space if the driver is unstable or faulty; 2) it strengthens isolation between virtual machines: the device driver domain separates device-dependent domains from device-independent ones and allows peripheral access rights to be controlled more flexibly.

(4) Monitor information storage virtual machine (XenStoreServiceDomian): XenStore is the hierarchical inter-domain shared storage system of the Xen virtual machine system that stores virtual machine configuration, state and similar information as key-value pairs; it is maintained mainly by Dom0. Because XenStore is the central store of state information for every service domain and user domain in the system, and the virtualization of every component or module depends on it, its security and performance directly affect the security and performance of the whole system. In the Xen architecture XenStore runs as a process in Dom0 and communicates with the other virtual machines through shared memory rings, and full life-cycle management of virtual machines depends on XenStore's support, which makes it highly vulnerable to denial-of-service and similar attacks.

(5) Virtual machine information storage virtual machine (StorageDomain): stores the images and data of the other service domains and user domains and guarantees their integrity and confidentiality.

(6) System boot virtual machine (SystemBootDomain): boots the entire virtual machine system and creates the related service domains.

(7) Log service virtual machine (LogServiceDomain): records the behaviour and logs of the other service domains and user domains, audits this information and provides security reports to the administrator.

(8) Migration service virtual machine (MigrationServiceDomain): this service domain serves the migration of user domains. Because it can map the memory of other user domains, it is allowed to run only when the system needs to migrate a user domain, in order to preserve system security.

(9) Virtual domain build virtual machine (VirtualDomainBuildDomain): this domain mainly serves the boot of virtual domains. Because it can map user domain memory and supplies the initial boot information for virtual domains, it holds high privileges; separating it from Dom0 and hosting the service on Mini-OS effectively reduces the trusted computing base of the whole virtual machine system and allows its privileged operations to be controlled at a finer granularity.

(10) External device configuration management virtual machine (PCIConfigureManagerDomain): mainly responsible for managing and configuring PCI devices when the virtual machine system starts, providing the PCI configuration support needed for the subsequent separation of service domains.

(11) Monitor management tool virtual machine (ToolDomain): mainly provides users with the interface for managing user virtual domains.

Two further remarks on the technical solution of this application:

(1) XenStore records only the configuration information by which the user domains depend on the ServiceVisor (the monitor) and the monitor depends on the service domains (service virtual machines), and both the user domains (user virtual machines) and the service domains can obtain the configuration information they need only through XenStore. Consequently, in the virtual machine platform provided by this application the ServiceVisor is mutually visible with the user domains and with the service domains, but the user domains and the service domains are unaware of each other's existence: from a user domain's point of view, it cannot tell whether it is running on a Xen platform or on a SecXen platform. This guarantees unhindered migration of virtual machines between SecXen and Xen, and isolates attack flows between the service domains and the user domains, achieving bidirectional shielding of the service domains and the user domains.

(2) The monitor mainly coordinates the relationship between the sub-service virtual machines and the user virtual machines, and between the sub-service virtual machines and the hypervisor.

The security control device for a virtual machine platform and the virtual machine platform provided by this application are described below. For details of the security control device and of the virtual machine platform, reference may be made to the security control method for a virtual machine platform described above; they are not repeated below.

Note that the security control device for the virtual machine platform is the monitor described above.

Referring to FIG. 6, which shows the structure of Embodiment 1 of the security control device for a virtual machine platform. As shown in FIG. 6, the security control device may include a service domain determination module 601, a minimal virtual machine partitioning module 602, a minimal virtual machine merging module 603, a service request module 604 and a connection establishment module 605, where:

the service domain determination module 601 is configured to determine the service virtual machine in the virtual machine platform;

the minimal virtual machine partitioning module 602 is configured to divide the service virtual machine into a plurality of minimal sub-service virtual machines according to a minimal-granularity separation algorithm, such that the services provided by the individual minimal sub-service virtual machines do not overlap;

the minimal virtual machine merging module 603 is configured to merge a number of the minimal sub-service virtual machines according to preset merging rules to obtain at least two sub-service virtual machines, each of which provides virtual services independently;

the service request module 604 is configured, when a service invocation request from a user virtual machine in the virtual platform is received, to determine among the sub-service virtual machines the target sub-service virtual machine corresponding to that request;

the connection establishment module 605 is configured to establish a first connection with the target sub-service virtual machine and a second connection with the user virtual machine, the first and second connections serving for the target sub-service virtual machine to provide virtual services to the user virtual machine.
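Modules 602 to 605 can be exercised end to end as follows: partition, merge under preset rules while checking the two invariants the text states (no two sub-service VMs provide the same service; at least two sub-service VMs remain), locate the one provider of a requested service, and open the two monitor-terminated connections. This is an added example, not the patent's own implementation: the page does not spell out the minimal-granularity separation algorithm, so each service named in FIG. 5 is taken as one minimal unit, and a merging rule is represented as a set of services that must be co-located. The service list and the `SubVM<n>` names are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed input: the services bundled in the original Dom0, named after the
# page's FIG. 5 partition. Each name is treated as one minimal unit (assumption).
DOM0_SERVICES = ["device_model", "network", "device_driver", "xenstore",
                 "storage", "boot", "log", "migration", "domain_build",
                 "pci_config", "tool"]


def check_disjoint_cover(groups, services):
    """Invariant from the text: no two groups share a service, and together
    the groups still provide every service Dom0 used to provide."""
    seen = set()
    for group in groups:
        overlap = seen & group
        if overlap:
            raise ValueError(f"services provided twice: {sorted(overlap)}")
        seen |= group
    missing = set(services) - seen
    if missing:
        raise ValueError(f"services lost in partition: {sorted(missing)}")


def minimal_partition(services):
    """Module 602 (assumed form): one minimal sub-service VM per service."""
    units = [frozenset([s]) for s in services]
    check_disjoint_cover(units, services)
    return units


def merge_by_rules(units, rules):
    """Module 603: each rule is a set of services that must be co-located.
    Every unit touched by a rule collapses into one sub-service VM; the result
    must still be a disjoint cover and must hold at least two sub-service VMs."""
    groups = [set(u) for u in units]
    for rule in rules:
        keep, merged = [], set()
        for group in groups:
            if group & rule:
                merged |= group
            else:
                keep.append(group)
        groups = keep + ([merged] if merged else [])
    if len(groups) < 2:
        raise ValueError("merging must leave at least two sub-service VMs")
    check_disjoint_cover(groups, set().union(*units))
    return [frozenset(g) for g in groups]


@dataclass(frozen=True)
class Connection:
    endpoint_a: str
    endpoint_b: str


class ServiceMonitor:
    """Monitor (ServiceVisor) side of modules 604 and 605."""

    def __init__(self, sub_vms):
        self.sub_vms = {f"SubVM{i}": g for i, g in enumerate(sub_vms)}

    def target_for(self, service):
        """Module 604: the single sub-service VM providing `service`.
        Because the partition is disjoint, exactly one provider must exist."""
        hits = [name for name, g in self.sub_vms.items() if service in g]
        if len(hits) != 1:
            raise LookupError(f"{service}: expected one provider, got {hits}")
        return hits[0]

    def connect(self, user_vm, service):
        """Module 605: a first connection monitor<->target and a second
        connection monitor<->user VM. The user VM and the target are never
        connected to each other; that is the bidirectional isolation."""
        target = self.target_for(service)
        return target, Connection("monitor", target), Connection("monitor", user_vm)


if __name__ == "__main__":
    sub_vms = merge_by_rules(minimal_partition(DOM0_SERVICES), [{"network", "log"}])
    print(ServiceMonitor(sub_vms).connect("DomU1", "network"))
```

Running it with the single rule that co-locates the network and log services reproduces the page's merge example: eleven minimal units become ten sub-service VMs, a request for either service resolves to the same merged VM, and a rule set that would collapse everything into one VM is rejected.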

From the above it can be seen that the minimal virtual machine partitioning module 602 of the security control device divides the service virtual machine into a plurality of minimal sub-service virtual machines according to the minimal-granularity separation algorithm, the minimal virtual machine merging module 603 merges a number of these minimal sub-service virtual machines into at least two sub-service virtual machines, and the service request module 604 and the connection establishment module 605 establish the connections with the user virtual machine and the service virtual machine in response to the user virtual machine's service invocation request, so that after the sub-service virtual machines have been partitioned they are used to provide virtual services to the user virtual machines. In this embodiment the service virtual machine is thus divided into a plurality of sub-service virtual machines, each of which provides virtual services independently. From the standpoint of the trusted computing base, the separated sub-service virtual machines do not belong to the trusted computing base of the virtual machine platform, so this embodiment reduces the platform's trusted computing base and thereby improves its security.

Put simply, this embodiment separates the services that were integrated in one service virtual machine and distributes them over different sub-service virtual machines, so that a problem in the service virtual machine no longer affects all services at once; this improves the security of the virtual machine platform.

Specifically, the security control device for the virtual machine platform may further include a sub-virtual machine shutdown module, a sub-virtual machine merging module, or both:

the sub-virtual machine shutdown module is configured to shut down a sub-service virtual machine when that sub-service virtual machine is in the standby state;

the sub-virtual machine merging module is configured to merge a sub-service virtual machine with other sub-service virtual machines when that sub-service virtual machine is in the standby state.

Corresponding to Embodiment 2 of the security control method for a virtual machine platform, this application provides Embodiment 2 of the security control device for a virtual machine platform. As shown in FIG. 7, on the basis of Embodiment 1 of the device, the device may further include a hypercall request module 606 and a hypercall service module 607, where:

the hypercall request module 606 is configured, when a hypercall request is detected, to determine whether the calling virtual machine that sent the hypercall request has the corresponding permission and, if so, to trigger the hypercall service module;

the hypercall service module 607 is configured to provide the calling virtual machine with the service corresponding to the hypercall request.

Specifically, in the security control device for the virtual machine platform, the sub-service virtual machines are respectively:

the device model virtual machine, network virtual machine, device driver virtual machine, monitor information storage virtual machine, virtual machine information storage virtual machine, system boot virtual machine, log service virtual machine, migration service virtual machine, virtual domain build virtual machine, external device configuration management virtual machine, and monitor management tool virtual machine.

The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments may be referred to one another.

It should also be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between them. Moreover, the terms "comprise", "include" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or device that comprises it.

The foregoing description of the disclosed embodiments enables those skilled in the art to make or use this application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this application. Accordingly, this application is not to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A security control method for a virtual machine platform, characterized by comprising:
determining a service virtual machine in the virtual machine platform;
dividing the service virtual machine into a plurality of minimal sub-service virtual machines according to a minimal-granularity separation algorithm, wherein the services provided by the individual minimal sub-service virtual machines do not overlap and are of the smallest service granularity;
merging a number of the minimal sub-service virtual machines according to preset merging rules to obtain at least two sub-service virtual machines, wherein each of the sub-service virtual machines independently provides virtual services;
when a service invocation request from a user virtual machine in the virtual platform is received, determining among the sub-service virtual machines the target sub-service virtual machine corresponding to the service invocation request;
establishing a first connection with the target sub-service virtual machine and a second connection with the user virtual machine, the first connection and the second connection serving for the target sub-service virtual machine to provide virtual services to the user virtual machine, so as to achieve bidirectional isolation between the user virtual machine and the sub-service virtual machines.

2. The security control method for a virtual machine platform according to claim 1, characterized by further comprising:
if a certain sub-service virtual machine is in a standby state, shutting down that sub-service virtual machine;
or,
if a certain sub-service virtual machine is in a standby state, merging that sub-service virtual machine with other sub-service virtual machines.

3. The security control method for a virtual machine platform according to claim 1, characterized by further comprising:
when a hypercall request is detected, determining whether the calling virtual machine that sent the hypercall request has the corresponding permission;
if it does, providing the calling virtual machine with the service corresponding to the hypercall request.

4. The security control method for a virtual machine platform according to claim 1, characterized in that the sub-service virtual machines are respectively:
the device model virtual machine, network virtual machine, device driver virtual machine, monitor information storage virtual machine, virtual machine information storage virtual machine, system boot virtual machine, log service virtual machine, migration service virtual machine, virtual domain build virtual machine, external device configuration management virtual machine, and monitor management tool virtual machine.

5. A security control device for a virtual machine platform, characterized in that the device comprises:
a service domain determination module, configured to determine a service virtual machine in the virtual machine platform;
a minimal virtual machine partitioning module, configured to divide the service virtual machine into a plurality of minimal sub-service virtual machines according to a minimal-granularity separation algorithm, wherein the services provided by the individual minimal sub-service virtual machines do not overlap and are of the smallest service granularity;
a minimal virtual machine merging module, configured to merge a number of the minimal sub-service virtual machines according to preset merging rules to obtain at least two sub-service virtual machines, wherein each of the sub-service virtual machines independently provides virtual services;
a service request module, configured, when a service invocation request from a user virtual machine in the virtual platform is received, to determine among the sub-service virtual machines the target sub-service virtual machine corresponding to the service invocation request;
a connection establishment module, configured to establish a first connection with the target sub-service virtual machine and a second connection with the user virtual machine, the first connection and the second connection serving for the target sub-service virtual machine to provide virtual services to the user virtual machine, so as to achieve bidirectional isolation between the user virtual machine and the sub-service virtual machines.

6. The security control device for a virtual machine platform according to claim 5, characterized by further comprising a sub-virtual machine shutdown module and/or a sub-virtual machine merging module, wherein:
the sub-virtual machine shutdown module is configured to shut down a certain sub-service virtual machine if that sub-service virtual machine is in a standby state;
the sub-virtual machine merging module is configured to merge a certain sub-service virtual machine with other sub-service virtual machines if that sub-service virtual machine is in a standby state.

7. The security control device for a virtual machine platform according to claim 5, characterized by further comprising:
a hypercall request module, configured, when a hypercall request is detected, to determine whether the calling virtual machine that sent the hypercall request has the corresponding permission and, if so, to trigger the hypercall service module;
a hypercall service module, configured to provide the calling virtual machine with the service corresponding to the hypercall request.

8. The security control device for a virtual machine platform according to claim 5, characterized in that the sub-service virtual machines are respectively:
the device model virtual machine, network virtual machine, device driver virtual machine, monitor information storage virtual machine, virtual machine information storage virtual machine, system boot virtual machine, log service virtual machine, migration service virtual machine, virtual domain build virtual machine, external device configuration management virtual machine, and monitor management tool virtual machine.
CN201610025684.XA 2016-01-12 2016-01-12 Virtual machine platform safety control method and device Pending CN105701400A (en)


Publications (1)

Publication Number Publication Date
CN105701400A true CN105701400A (en) 2016-06-22

Family

ID=56226348


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254312A (en) * 2016-07-15 2016-12-21 浙江宇视科技有限公司 Method and device for realizing server attack protection through virtual machine heterogeneity
CN110868396A (en) * 2019-10-14 2020-03-06 云深互联(北京)科技有限公司 Method and device for dynamically opening TCP port

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436966A (en) * 2008-12-23 2009-05-20 北京航空航天大学 Network monitoring and analysis system under virtual machine circumstance
CN101599022A (en) * 2009-07-07 2009-12-09 武汉大学 Trusted Computing Base Tailoring Method for Virtual Machine System
CN104598842A (en) * 2015-02-03 2015-05-06 中国电子科技集团公司第三十研究所 Segmentation method for trust domain of virtual machine monitor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Yang Jie et al.: "XHydra: A Security-Enhanced Architecture for the Xen Virtual Machine", online publication, HTTP://WWW.CNKI.NET/KCMS/DETAIL/11.5602.TP.20151102.1547.006.HTML *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254312A (en) * 2016-07-15 2016-12-21 浙江宇视科技有限公司 A kind of method and device being realized server attack protection by virtual machine isomery
CN106254312B (en) * 2016-07-15 2019-12-13 浙江宇视科技有限公司 A method and device for realizing server attack defense through virtual machine heterogeneity
CN110868396A (en) * 2019-10-14 2020-03-06 云深互联(北京)科技有限公司 Method and device for dynamically opening TCP port

Similar Documents

Publication Publication Date Title
Ta-Min et al. Splitting interfaces: Making trust between applications and operating systems configurable
KR102255767B1 (en) Systems and methods for virtual machine auditing
Peinado et al. NGSCB: A trusted open system
EP2940615B1 (en) Method and apparatus for isolating management virtual machine
US10592434B2 (en) Hypervisor-enforced self encrypting memory in computing fabric
US11693952B2 (en) System and method for providing secure execution environments using virtualization technology
Perez et al. Virtualization and hardware-based security
CN103870749B Security monitoring system and method for a virtual machine system
CN106970823B (en) Efficient nested virtualization-based virtual machine security protection method and system
US11163597B2 (en) Persistent guest and software-defined storage in computing fabric
WO2015108679A1 (en) Exploit detection system with threat-aware microvisor
US20230289204A1 (en) Zero Trust Endpoint Device
US20220070225A1 (en) Method for deploying workloads according to a declarative policy to maintain a secure computing infrastructure
JP2022522339A (en) Program interrupts for page import / export
CN112433822A (en) Method for realizing cross-domain network terminal virtual machine based on separation of three rights
US20210133315A1 (en) Unifying hardware trusted execution environment technologies using virtual secure enclave device
CN113544678A (en) Transparent interpretation of guest instructions in a secure virtual machine environment
TWI772747B (en) Computer implement method, computer system and computer program product for injecting interrupts and exceptions into secure virtual machine
Li et al. SGXPool: Improving the performance of enclave creation in the cloud
CN104598842B Segmentation method for trust domain of virtual machine monitor
AU2017325648A1 (en) Remote computing system providing malicious file detection and mitigation features for virtual machines
CN101369258B (en) Input and output control system
US11513825B2 (en) System and method for implementing trusted execution environment on PCI device
CN105701400A (en) Virtual machine platform safety control method and device
US11507408B1 (en) Locked virtual machines for high availability workloads

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication; application publication date: 20160622