CN111966458A - A security management method for virtual cloud desktop - Google Patents
- Publication number
- CN111966458A
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- virtual
- security
- isolation
- security management
- Legal status
- Pending (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
All entries fall under G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F9/00—Arrangements for program control, e.g. control units > G06F9/06—Arrangements for program control using stored programs.
- G06F9/45558—Hypervisor-specific management and integration aspects (via G06F9/44—Arrangements for executing specific programs > G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533—Hypervisors; Virtual machine monitors)
- G06F9/5027—Allocation of resources, e.g. of the central processing unit [CPU], to service a request, the resource being a machine, e.g. CPUs, Servers, Terminals (via G06F9/46—Multiprogramming arrangements > G06F9/50—Allocation of resources > G06F9/5005—Allocation of resources to service a request)
- G06F2009/45562—Creating, deleting, cloning virtual machine instances (under G06F9/45558)
- G06F2009/4557—Distribution of virtual machine instances; Migration and load balancing (under G06F9/45558)
- G06F2009/45587—Isolation or security of virtual machine instances (under G06F9/45558)
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a security management method for a virtual cloud desktop comprising one or more of the following: virtual machine manager security management: obtain preset types of monitoring and audit log information from the virtual desktop management server and generate tamper-proof (in practice, tamper-evident) audit information from it; virtual machine security isolation: isolate virtual machines, storage devices and the network respectively; virtual machine residual data protection: clear residual data from virtual machine memory and from virtual machine disks respectively; virtual machine secure communication management: encrypt data transmission between the subsystems of the virtualization platform; virtual machine denial-of-service resistance: assign each virtual machine its own virtual switch and bind each such virtual switch to a physical network port. The invention improves the security of the virtual cloud desktop.
Description
Technical field
The invention relates to a security management method for a virtual cloud desktop.
Background
In computer applications the desktop PC is the most common and most important office device. In actual operation its security and management drawbacks are increasingly exposed, mainly: 1) the security boundary is hard to defend; 2) data leakage is hard to prevent; 3) security vulnerabilities keep emerging; 4) total cost of ownership is high; 5) resource utilisation is low.
Summary of the invention
The object of the invention is to overcome the shortcomings of the prior art and provide a security management method for virtual cloud desktops.
This object is achieved by the following technical solution: a security management method for a virtual cloud desktop comprising one or more of virtual machine manager security management, virtual machine security isolation, virtual machine residual data protection, virtual machine secure communication management and virtual machine denial-of-service resistance;
Virtual machine manager security management: obtain preset types of monitoring and audit log information from the virtual desktop management server and generate tamper-evident audit information from it;
Virtual machine security isolation: isolate virtual machines, storage devices and the network respectively;
Virtual machine residual data protection: clear residual data from virtual machine memory and from virtual machine disks respectively;
Virtual machine secure communication management: encrypt data transmission between the subsystems of the virtualization platform;
Virtual machine denial-of-service resistance: assign each virtual machine its own virtual switch, and bind each such virtual switch to a physical network port.
Preferably, virtual machine manager security management comprises:
reading the mandatory access control log file and extracting the mandatory access control violation (denial) records;
reading the system user login log file to form an audit log;
calling the virtual machine monitor's interface to obtain runtime monitoring data;
calling the virtual machine monitor's interface to obtain its version and fingerprint (characteristic value, i.e. hash) information, and then generating the tamper-evident audit information.
Preferably, virtual machine security isolation comprises:
Virtual machine run-time isolation: for multiple virtual machines created on the same physical host, allocate independent physical resources to each virtual machine;
Virtual machine CPU isolation: the virtualization platform runs the guest operating system at CPU Ring 1, and execution and context switching of its virtual processor instructions are scheduled centrally by the virtualization platform;
Virtual machine memory isolation: the virtualization platform is set to use exclusive (non-overcommitted) memory mode only;
Virtual machine network isolation: network isolation between different virtual machines on the same physical host;
Virtual machine storage isolation: a virtual machine is configured to access only the storage space allocated to it, and a virtual machine disk may be mounted by only one virtual machine at a time.
Preferably, virtual machine residual data protection comprises:
Memory residual data clearing: after a virtual machine is stopped or migrated, and before its memory is released or reallocated to another virtual machine, reset and clear that memory;
Disk residual data clearing: after a virtual machine is deleted, and before its disk storage is released or reallocated to another virtual machine, overwrite that disk storage with zeros.
Preferably, the security management method for the virtual cloud desktop further comprises virtual machine secure migration management:
when a host server registers with the virtualization platform, the platform calls the certification system to issue, from the root certificate, a device-signing digital certificate for that host based on the host's information, and sends the certificate to the host server;
during a virtual machine migration, the source server initiating the migration sends a connection request and an encrypted channel is established between the source server and the target server;
on receiving the connection request from the source server, the target server verifies the source server's device-signing certificate: if verification passes, the source server performs the migration over the encrypted channel; if it fails, the target server rejects the connection request and the migration is aborted.
Preferably, the method further comprises virtual machine anti-escape monitoring: mandatory access control and multi-category security are used to prevent and to monitor virtual machine escape.
The beneficial effects of the invention are:
(1) the invention provides several security management methods (virtual machine manager security management, virtual machine security isolation, virtual machine residual data protection, virtual machine secure communication management and virtual machine denial-of-service resistance) which improve the security of the virtual cloud desktop;
(2) each virtual machine obtains relatively independent physical resources, so a crashed virtual machine does not affect the virtual machine manager or the other virtual machines;
(3) the virtualization platform runs the guest operating system at CPU Ring 1 and schedules execution and context switching of its virtual processor instructions centrally, which prevents a virtual machine from executing privileged CPU instructions directly and isolates virtual processor instruction streams and processing capacity between virtual machines;
(4) the invention protects residual information in virtual machine memory and storage, so that no useful information can be recovered in a newly started virtual machine, effectively safeguarding users' residual information;
(5) each virtual machine is assigned its own virtual switch bound to a physical network port, so the existing protections of the physical network environment, such as hardware firewalls, can monitor virtual machine traffic and mitigate denial-of-service attacks.
Description of drawings
Fig. 1 is a schematic diagram of the composition of the security management method for a virtual cloud desktop;
Fig. 2 is a schematic diagram of virtual machine manager security management;
Fig. 3 is a logical schematic diagram of virtual machine security isolation;
Fig. 4 is a schematic diagram of virtual machine network isolation;
Fig. 5 is a schematic diagram of the memory residual information clearing process;
Fig. 6 is a schematic diagram of the disk residual information clearing process;
Fig. 7 is a schematic diagram of virtual machine denial-of-service resistance;
Fig. 8 is a schematic diagram of virtual machine migration.
Detailed description
The technical solution of the invention is described clearly and completely below with reference to the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person skilled in the art from the embodiments herein without inventive effort fall within the scope of protection of the invention.
Referring to Figs. 1 to 8, the invention provides a security management method for a virtual cloud desktop:
As shown in Fig. 1, the security management method for a virtual cloud desktop comprises one or more of virtual machine manager security management, virtual machine security isolation, virtual machine residual data protection, virtual machine secure communication management and virtual machine denial-of-service resistance.
Virtual machine manager security management comprises obtaining preset types of monitoring and audit log information from the virtual desktop management server and generating tamper-evident audit information from it. As shown in Fig. 2, the VSIP Agent program must be installed on every host server; the Agent periodically collects the various monitoring and audit log records and sends them to the VSIP master server, which stores the data in a database.
Specifically, virtual machine manager security management comprises:
reading the mandatory access control (MAC) log file and extracting the mandatory access control violation (denial) records;
reading the system user login log file to form an audit log;
calling the virtual machine monitor (hypervisor) interface to obtain runtime monitoring data (CPU information, memory information, etc.);
calling the virtual machine monitor interface to obtain its version and fingerprint (hash) information, and then generating the tamper-evident audit information.
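The four collection steps above end in "tamper-proof audit information" without saying how that property is obtained. The usual way is to hash-chain the records and seal each link with a key that the collecting host does not hold, which makes edits, deletions and reordering detectable (tamper-evident rather than tamper-proof). The following is an added example, not code from the patent or from the VSIP platform: the SELinux AVC line, the sshd lines and the hypervisor report are constructed samples, and AUDIT_KEY, the record layout and the fingerprint field are assumptions.

```python
"""Tamper-evident audit records built from host logs (added example)."""
import hashlib
import hmac
import json
import re

AUDIT_KEY = b"rotate-me-in-production"  # assumption: a key held only by the master server

# Constructed samples, not real hosts or incidents.
MAC_LOG = (
    'type=AVC msg=audit(1596960000.123:4567): avc:  denied  { read } for  pid=2210 '
    'comm="qemu-kvm" name="vm07.qcow2" scontext=system_u:system_r:svirt_t:s0:c12,c907 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c44,c623 tclass=file permissive=0\n'
    'type=SYSCALL msg=audit(1596960000.123:4567): arch=c000003e syscall=257 success=no\n'
)
LOGIN_LOG = (
    'Aug  9 08:00:01 host01 sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 50011 ssh2\n'
    'Aug  9 08:05:44 host01 sshd[1244]: Failed password for invalid user test from 10.0.0.9 port 50234 ssh2\n'
)
HYPERVISOR = {"version": "QEMU 4.2.0", "fingerprint": "sha256:" + "ab" * 32,
              "cpu_pct": 37.5, "mem_used_mb": 61440}  # assumed shape of the monitor interface

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perm>[^}]+)\} .*?pid=(?P<pid>\d+) .*?comm="(?P<comm>[^"]+)"'
                    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SSH_RE = re.compile(r'sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')


def extract_mac_denials(text):
    """Step 1: keep only the MAC violation (AVC denial) records."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perm"] = rec["perm"].strip()
            out.append({"kind": "mac_denial", **rec})
    return out


def extract_logins(text):
    """Step 2: login audit records from the system login log."""
    return [{"kind": "login", **m.groupdict()} for m in map(SSH_RE.search, text.splitlines()) if m]


def collect_records(mac_log, login_log, hypervisor):
    """Steps 3 and 4: append the hypervisor's runtime data and version/fingerprint as a record."""
    return extract_mac_denials(mac_log) + extract_logins(login_log) + [{"kind": "hypervisor", **hypervisor}]


def seal(records, key, genesis="0" * 64):
    """Hash-chain every record (sequence number + previous hash + body) and HMAC each link."""
    chain, prev = [], genesis
    for seq, rec in enumerate(records):
        body = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256(f"{seq}|{prev}|{body}".encode()).hexdigest()
        tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        chain.append({"seq": seq, "prev": prev, "body": body, "hash": digest, "tag": tag})
        prev = digest
    return chain


def verify(chain, key, genesis="0" * 64):
    """Recompute the chain; an altered body, a broken link, a dropped record or a forged tag fails."""
    prev = genesis
    for seq, e in enumerate(chain):
        digest = hashlib.sha256(f"{seq}|{prev}|{e['body']}".encode()).hexdigest()
        tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if e["seq"] != seq or e["prev"] != prev or e["hash"] != digest:
            return False
        if not hmac.compare_digest(e["tag"], tag):
            return False
        prev = digest
    return True


if __name__ == "__main__":
    sealed = seal(collect_records(MAC_LOG, LOGIN_LOG, HYPERVISOR), AUDIT_KEY)
    print(len(sealed), "records sealed; chain verifies:", verify(sealed, AUDIT_KEY))
```

The HMAC key must live on the master server, not on the agent host: a host that has been compromised can still forge its own future records, but it cannot rewrite what it already shipped without breaking the chain the master holds. Anchoring the latest hash in the master's database (or a signed timestamp) closes the loop.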
Virtual machine security isolation comprises isolating virtual machines, storage devices and the network respectively, that is: virtual machine run-time isolation, virtual machine CPU isolation, virtual machine memory isolation, virtual machine network isolation and virtual machine storage isolation. The logic of virtual machine security isolation is shown in Fig. 3.
Virtual machine run-time isolation: for multiple virtual machines created on the same physical host, each virtual machine is allocated independent physical resources, so that a crashed virtual machine does not affect the virtual machine manager or the other virtual machines.
Virtual machine CPU isolation: the virtualization platform runs the guest operating system at CPU Ring 1; execution and context switching of its virtual processor (vCPU) instructions are scheduled centrally by the platform, which prevents a virtual machine from executing privileged CPU instructions directly and isolates vCPU instruction streams and processing capacity between virtual machines.
The x86 architecture provides four instruction privilege levels, called rings, from highest to lowest: Ring 0 (operating system kernel), Ring 1 and Ring 2 (intended for operating system services, and unused by mainstream operating systems) and Ring 3 (applications). Two points should be kept in mind. First, the rings predate virtualization and were not designed for it; running the guest kernel at Ring 1 ("ring deprivileging"), so that privileged instructions fault into the hypervisor, is the technique of 32-bit software-based and paravirtualized hypervisors. With hardware-assisted virtualization (Intel VT-x, AMD-V), which current KVM, Xen HVM, ESXi and Hyper-V deployments use, the guest kernel runs at Ring 0 in non-root (guest) mode and privileged operations trap to the hypervisor through VM exits. Second, in 64-bit long mode segment limits are not enforced, so Ring 1 cannot protect the hypervisor from the guest kernel; 64-bit paravirtualized guests run their kernel at Ring 3 instead. The isolation property claimed here holds whenever the hypervisor, not the guest, controls privileged state, whichever ring number the guest kernel occupies.
Virtual machine memory isolation: the virtualization platform is set to use exclusive memory mode only, which isolates memory between virtual machines; once the physical host's memory has been fully allocated, no further virtual machine can be created. Exclusive mode means no overcommit, no ballooning and no cross-VM page sharing, so a guest never shares a physical page with another tenant.
Virtual machine network isolation: network isolation between different virtual machines on the same physical host, so that a virtual machine cannot receive a non-broadcast packet whose destination address is not its own; non-broadcast packets include unicast ICMP, TCP, UDP and other protocol traffic. Broadcast and multicast frames still reach every virtual machine on the segment, and because the rule is keyed on addresses the guest can set, it must be paired with source MAC/IP anti-spoofing on the virtual switch port. Virtual machine network isolation is shown in Fig. 4.
Virtual machine storage isolation: a virtual machine is configured to access only the storage space allocated to it, and a virtual machine disk may be mounted by only one virtual machine at a time.
Virtual machine residual data protection comprises clearing residual data from virtual machine memory and from virtual machine disks respectively.
Memory residual data clearing: after a virtual machine is stopped or migrated, and before its memory is released or reallocated to another virtual machine, the memory is reset and cleared, for example by zeroing it or by overwriting it with random, unrelated data.
In the prior art an application does not clean the memory it used after it has finished with the information in it; that information stays in memory after the program exits, and an attacker who scans memory obtains it. In a cloud environment the dynamic allocation of memory is therefore a serious threat: sophisticated attacks can use residual data to obtain other users' sensitive information. To counter the threat from residual memory contents, the virtualization platform reclaims the memory of a virtual machine after the user shuts it down or migrates it, and writes "0" to the released memory, so that no useful information can be recovered in a newly started virtual machine. The memory residual information clearing process is shown in Fig. 5.
Disk residual data clearing: after a virtual machine is deleted, and before its disk storage is released or reallocated to another virtual machine, the disk storage is overwritten with zeros.
As shown in Fig. 6, when a virtual machine is deleted the system first identifies the physical disk volume behind each virtual disk and then, for every disk the virtual machine used, performs bitwise writes of random data, of all "0" and of all "1"; at least seven such passes of random, all-"0" and all-"1" data complete the "clearing" of the virtual machine disk and protect its residual data. Only after this protective "clearing" of residual disk information does the system delete the virtual machine disk and finish deleting the virtual machine object data. A user later allocated that storage receives a "blank" disk volume from which no "residual information" can be recovered, which effectively safeguards users' residual information. Two notes for practitioners: the summary above specifies a zero overwrite as the minimum, while this embodiment uses multiple passes; and multi-pass overwriting was devised for magnetic media. On SSDs, thin-provisioned volumes and copy-on-write or snapshotted image formats, writes issued through the file or block interface do not necessarily reach every physical block that held the data, so current media sanitisation guidance (NIST SP 800-88) prefers one verified overwrite pass plus a discard (TRIM/UNMAP) of the volume, or cryptographic erase of a per-volume key, over additional passes.
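The memory and disk clearing steps above, written out as an added example that is not code from the patent: a bytearray stands in for the freed guest memory region and a temporary file for the physical disk volume, SECRET is a constructed marker left by the "previous tenant", and the residue scan reads the resource back the way a new tenant would. The pass sequence follows the embodiment (random, all-0, all-1, repeated) and finishes with a zero pass so the volume is handed over blank.

```python
"""Residual-data clearing for freed VM memory and a deleted VM's disk image (added example)."""
import os
import tempfile

SECRET = b"customer-db-password=Hunter2!"  # constructed marker, not real data


def scrub_memory(region: bytearray) -> None:
    """Memory residue: reset the freed region in place before it is handed to another VM."""
    region[:] = bytes(len(region))


def overwrite(path, pattern, chunk=1 << 20):
    """Overwrite every byte of the file with pattern (None = random data), then fsync."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        left = size
        while left:
            n = min(chunk, left)
            f.write(os.urandom(n) if pattern is None else pattern * n)
            left -= n
        f.flush()
        os.fsync(f.fileno())


def scrub_disk(path, rounds=7):
    """Disk residue as in the embodiment: cycle random / all-0 / all-1 for `rounds` passes,
    then a final zero pass. Caveat (assumption about the target media): on SSDs, thin or
    copy-on-write storage these writes may not reach every physical block that held the
    data; pair them with a discard (blkdiscard / UNMAP) or cryptographic erase there."""
    cycle = (None, b"\x00", b"\xff")
    for i in range(rounds):
        overwrite(path, cycle[i % len(cycle)])
    overwrite(path, b"\x00")
    return os.path.getsize(path)


def has_residue(data: bytes, marker: bytes = SECRET) -> bool:
    """Residue scan: is the old tenant's marker still readable?"""
    return marker in data


def make_disk_image(size=3 * 1024 * 1024):
    """Constructed 'physical volume': a temp file filled with the marker."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((SECRET * (size // len(SECRET) + 1))[:size])
    return path


def demo(rounds=3):
    """Run both clearings and report what a residue scan sees before and after."""
    mem = bytearray(SECRET * 1000)
    mem_before = has_residue(bytes(mem))
    scrub_memory(mem)
    path = make_disk_image()
    with open(path, "rb") as f:
        disk_before = has_residue(f.read())
    scrub_disk(path, rounds=rounds)
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    return {"mem_before": mem_before, "mem_after": has_residue(bytes(mem)),
            "disk_before": disk_before, "disk_after": has_residue(data),
            "disk_blank": data == bytes(len(data))}


if __name__ == "__main__":
    print(demo())
```

The residue scan is the check worth automating: after each scrub run, read the freed resource back and search for a known marker written before the tenant was removed; a scrub that "succeeds" but leaves the marker readable (typical for a qcow2 snapshot chain or a thin LVM volume) is the failure mode the caveat describes.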
Virtual machine secure communication management: data transmission between the subsystems of the virtualization platform is encrypted.
Virtual machine denial-of-service resistance: each virtual machine is assigned its own virtual switch, and each such virtual switch is bound to a physical network port, so that every packet entering or leaving a virtual machine is switched by the physical switch; virtual machines on the same host server do not exchange data internally through a shared virtual switch but are hairpinned through the physical network. The existing protections of the physical network environment, such as hardware firewalls, can then monitor virtual machine traffic and mitigate denial-of-service attacks, as shown in Fig. 7. In addition, the virtualization platform can limit the upstream and downstream network traffic of a specified virtual machine and raise an alert for a virtual machine with abnormal traffic, so that the administrator checks whether a denial-of-service attack is under way.
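The per-VM traffic limit and the abnormal-traffic alert in the last sentence are the parts of this mechanism the platform implements itself, and they are easy to get wrong (counter resets on reboot, for instance, look like huge negative deltas). The following added example, which is not code from the patent, computes per-interval rates from cumulative virtual switch port counters, raises alerts against limits, and shows a token-bucket limiter for the outbound direction; the counter layout, the limits and all sample values are constructed assumptions.

```python
"""Per-VM traffic policing and DoS alerting from port counters (added example)."""

# Assumed limits per VM: 100 Mbit/s each direction, 50k packets/s inbound.
LIMITS = {"rx_bps": 100_000_000, "tx_bps": 100_000_000, "rx_pps": 50_000}

# Constructed cumulative port counters: (time_s, vm, rx_bytes, tx_bytes, rx_pkts).
SAMPLES = [
    (0, "vm-a", 0, 0, 0), (0, "vm-b", 0, 0, 0), (0, "vm-c", 0, 0, 0),
    (10, "vm-a", 50_000_000, 40_000_000, 40_000),     # ~40/32 Mbit/s, 4k pps: normal
    (10, "vm-b", 10_000_000, 2_000_000_000, 8_000),    # 1.6 Gbit/s outbound: this VM is flooding
    (10, "vm-c", 200_000_000, 1_000_000, 2_000_000),   # 160 Mbit/s, 200k pps inbound: VM being flooded
    (20, "vm-a", 1_000, 2_000, 10),                     # counters reset (VM rebooted): must not alert
]


def rates(samples):
    """Turn cumulative counters into per-interval rates; skip counter resets and wraps."""
    last, out = {}, []
    for t, vm, rx_b, tx_b, rx_p in sorted(samples):
        if vm in last:
            t0, rx0, tx0, p0 = last[vm]
            dt = t - t0
            if dt > 0 and rx_b >= rx0 and tx_b >= tx0 and rx_p >= p0:
                out.append((t, vm, {"rx_bps": (rx_b - rx0) * 8 / dt,
                                    "tx_bps": (tx_b - tx0) * 8 / dt,
                                    "rx_pps": (rx_p - p0) / dt}))
        last[vm] = (t, rx_b, tx_b, rx_p)
    return out


def detect(samples, limits=LIMITS):
    """Alert tuples (time, vm, metric, value) for every limit exceeded in an interval."""
    return [(t, vm, k, v) for t, vm, r in rates(samples) for k, v in r.items() if v > limits[k]]


class TokenBucket:
    """Byte-rate limiter for one VM port: `rate` bytes/s sustained, `burst` bytes at most."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.t = rate, burst, burst, 0.0

    def allow(self, nbytes, now):
        """True if a frame of nbytes may be sent at time `now`; otherwise drop or queue it."""
        self.tokens = min(self.burst, self.tokens + (now - self.t) * self.rate)
        self.t = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


if __name__ == "__main__":
    for alert in detect(SAMPLES):
        print("ALERT t=%ss %s %s=%.0f" % alert)
```

Inbound floods (vm-c) cannot be stopped by a limiter on the victim's port, since the packets have already crossed the physical switch; the alert is what matters there, and the response belongs on the upstream firewall the text relies on. Outbound floods (vm-b) are the case the per-VM limiter handles directly.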
In some embodiments the security management method for the virtual cloud desktop further comprises virtual machine secure migration management.
Virtual machine secure migration management comprises:
when a host server registers with the virtualization platform, the platform calls the certification system to issue, from the root certificate, a device-signing digital certificate for that host based on the host's information, and sends the device-signing certificate (with its key pair) to the host server. For example, the virtualization platform has the existing PKI/CA system issue the device-signing certificate, whose template must include the device's computer name and the device's security level. Where the platform rather than the host generates the key pair, the private key must travel only over a protected channel; the usual practice is for the host to generate the key pair itself and submit a certificate signing request, so that the private key never leaves it;
during a virtual machine migration, the source server initiating the migration sends a connection request and an encrypted channel is established between the source server and the target server;
as shown in Fig. 8, on receiving the connection request from the source server, the target server verifies the source server's device-signing certificate: if verification passes, the source server performs the virtual machine migration over the encrypted channel; if it fails, the target server rejects the connection request and the migration is aborted. Throughout the migration, the migration data is carried over the encrypted channel. As described, the check is one-way; a practitioner would have the source verify the target's certificate as well (mutual authentication), since the virtual machine's memory and disk state should only ever be sent to a host that proves it holds a platform-issued certificate.
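The migration channel above, as an added example that is not code from the patent: mutually authenticated TLS contexts for the source (client) and target (server), and the policy each side applies to the other's certificate once the chain to the platform root has been verified. Assumptions beyond the text: the certificate and key file paths; that the device security level from the certificate template is carried in organizationalUnitName as "level:N"; and that a virtual machine may only move to a host of the same or higher level. The policy functions run on the dictionary that `ssl.SSLSocket.getpeercert()` returns, which is why the example can be exercised with a constructed certificate dictionary.

```python
"""Mutually authenticated migration channel and peer policy (added example)."""
import ssl


def target_context(cert, key, root):
    """Target (server) side: present our device certificate, demand the source's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client certificate, no handshake
    ctx.load_verify_locations(cafile=root)       # trust only the platform root CA
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def source_context(cert, key, root):
    """Source (client) side: verify the target's chain and name, present our certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=root)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def subject_fields(peercert):
    """Flatten the nested 'subject' structure returned by SSLSocket.getpeercert()."""
    fields = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, value)
    return fields


def security_level(peercert):
    """Assumed encoding: organizationalUnitName = 'level:N'."""
    ou = subject_fields(peercert).get("organizationalUnitName", "")
    if not ou.startswith("level:"):
        raise ValueError("device certificate carries no security level")
    return int(ou[len("level:"):])


def accept_peer(peercert, expected_name, registered_hosts, role, my_level):
    """Policy run after TLS has validated the chain to the root.
    role='target': we receive the VM, so the source must not be more secure than us
    (the VM would be downgraded); role='source': the target must not be less secure."""
    name = subject_fields(peercert).get("commonName")
    if name != expected_name:
        return False, "certificate name does not match the requested peer"
    if name not in registered_hosts:
        return False, "peer is not a registered host"
    level = security_level(peercert)
    if role == "target" and level > my_level:
        return False, "source security level higher than target"
    if role == "source" and level < my_level:
        return False, "target security level lower than source"
    return True, "ok"
```

The server side of Python's `ssl` module has no `check_hostname`, so the target must compare the certificate's name against the host it expects itself; that is what `accept_peer` does on `getpeercert()` after `wrap_socket`. Both sides should also consult the platform's list of registered (and not yet deregistered) hosts, since a certificate remains cryptographically valid after a host is decommissioned unless it is revoked.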
In some embodiments the security management method for the virtual cloud desktop further comprises virtual machine anti-escape monitoring: mandatory access control (MAC) and multi-category security (MCS) are used to prevent and to monitor virtual machine escape. Mandatory access control strengthens the traditional access control list (ACL): in MAC mode every object carries a security context label, and a process must be authorised by the MAC policy, in addition to holding the traditional ACL permissions, before it can access a system resource. Multi-category security is a functional extension of MAC: on top of the MAC security context label it adds a sensitivity level and a category label, for finer-grained enforcement of the MAC policy. (This combination is the sVirt scheme that libvirt implements on SELinux hosts.)
When the virtualization platform allocates a virtual machine's resources, it assigns a random MAC/MCS label to the virtual machine process and to the memory, disk images, network devices and other resources that virtual machine owns. Under the constraints of the MAC system, a virtual machine can only access the memory, disk images, network devices and peripherals used by its own virtualization; it cannot step outside those limits and has no rights over any other resource, while the other virtual machines are likewise confined to themselves. This effectively controls virtual machine escape.
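The random per-VM labels described above, as an added example that is not code from the patent and not the kernel's policy: the real decision is made by SELinux on the host, and this block only reproduces the label scheme (two random categories from c0..c1023, unique per running VM, the same scheme libvirt's sVirt uses) and the MCS dominance rule, to show why a process labelled for one VM is refused the disk image of another. The type-enforcement part is simplified to the single svirt_t/svirt_image_t pair and is an assumption.

```python
"""Per-VM random MCS labels and the category-dominance check behind them (added example)."""
import random

_rng = random.SystemRandom()
PROCESS_TYPE = "svirt_t"        # sVirt type of the VM (qemu) process
IMAGE_TYPE = "svirt_image_t"    # sVirt type of disk images / devices owned by a VM


def random_mcs(used=frozenset()):
    """Two distinct categories from c0..c1023, not already used by a running VM."""
    while True:
        a, b = sorted(_rng.sample(range(1024), 2))
        mcs = f"s0:c{a},c{b}"
        if mcs not in used:
            return mcs


def label_vm(used):
    """Contexts the platform assigns when allocating a VM's process and its resources."""
    mcs = random_mcs(used)
    return {"mcs": mcs,
            "process": f"system_u:system_r:{PROCESS_TYPE}:{mcs}",
            "resource": f"system_u:object_r:{IMAGE_TYPE}:{mcs}"}


def parse(ctx):
    """Split user:role:type:sensitivity[:categories]; categories may be c12,c907 or c0.c1023."""
    user, role, typ, sens, *rest = ctx.split(":")
    categories = set()
    for c in (rest[0].split(",") if rest else []):
        if "." in c:                       # range form, e.g. c0.c1023
            lo, hi = c.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(c[1:]))
    return typ, sens, frozenset(categories)


def mcs_allows(subject_ctx, object_ctx):
    """MCS constraint: the subject's category set must contain the object's."""
    _, _, subj = parse(subject_ctx)
    _, _, obj = parse(object_ctx)
    return obj <= subj


def may_access(process_ctx, resource_ctx):
    """Type enforcement (simplified to svirt_t -> svirt_image_t) AND the MCS rule."""
    ptype, _, _ = parse(process_ctx)
    rtype, _, _ = parse(resource_ctx)
    return ptype == PROCESS_TYPE and rtype == IMAGE_TYPE and mcs_allows(process_ctx, resource_ctx)


if __name__ == "__main__":
    used = set()
    vm1 = label_vm(used); used.add(vm1["mcs"])
    vm2 = label_vm(used)
    print(vm1["process"], "-> own image:", may_access(vm1["process"], vm1["resource"]),
          "| other VM's image:", may_access(vm1["process"], vm2["resource"]))
```

On a real host the same information comes from `ps -eZ | grep qemu` (process contexts) and `ls -Z` on the image directory, and an escape attempt that reaches for another VM's image shows up as an AVC denial with mismatched categories in the audit log, which is exactly the record the manager security management step extracts.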
The above are only preferred embodiments of the invention. The invention is not limited to the forms disclosed herein and should not be regarded as excluding other embodiments; it may be used in various other combinations, modifications and environments, and may be altered within the scope of the concept described herein by the above teaching or by the skill or knowledge of the relevant field. Alterations and variations made by those skilled in the art that do not depart from the spirit and scope of the invention fall within the scope of protection of the appended claims.
Claims (6)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010796665.3A (published as CN111966458A) | 2020-08-10 | 2020-08-10 | A security management method for virtual cloud desktop |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010796665.3A (published as CN111966458A) | 2020-08-10 | 2020-08-10 | A security management method for virtual cloud desktop |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111966458A | 2020-11-20 |
Family
ID=73364210
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010796665.3A (pending; published as CN111966458A) | A security management method for virtual cloud desktop | 2020-08-10 | 2020-08-10 |
Country Status (1)
| Country | Link |
|---|---|
| CN | CN111966458A |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117708826A (en) * | 2023-11-15 | 2024-03-15 | 深圳市聚迅科技有限公司 | Cloud desktop digital operation and maintenance management system |
| CN117909023A (en) * | 2023-12-19 | 2024-04-19 | 曙光云计算集团股份有限公司 | Cloud platform deployment method, device, computer equipment and storage medium |
Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102726007A (en) * | 2009-04-01 | 2012-10-10 | Nicira网络公司 | Method and apparatus for implementing and managing virtual switches |
| CN103281306A (en) * | 2013-05-03 | 2013-09-04 | 四川省电力公司信息通信公司 | Virtualized infrastructure platform for cloud data centers |
| CN105184164A (en) * | 2015-09-08 | 2015-12-23 | 成都博元科技有限公司 | Data processing method |
| CN105224867A (en) * | 2015-10-27 | 2016-01-06 | 成都卫士通信息产业股份有限公司 | Host security hardening method in a virtualized environment |
| CN105429987A (en) * | 2015-11-25 | 2016-03-23 | 西安科技大学 | A security system for computer networks |
| CN105487916A (en) * | 2015-11-24 | 2016-04-13 | 上海君是信息科技有限公司 | Security hardening method for virtual machines in a desktop cloud environment |
| CN106610863A (en) * | 2015-10-21 | 2017-05-03 | 华为技术有限公司 | Virtual machine trusted migration method and apparatus |
| CN107169347A (en) * | 2017-05-08 | 2017-09-15 | 中国科学院信息工程研究所 | Method and device for enhancing virtual machine introspection security on the ARM platform |
| CN108388793A (en) * | 2018-01-09 | 2018-08-10 | 南瑞集团有限公司 | Virtual machine escape protection method based on active defense |
| CN108809935A (en) * | 2018-04-20 | 2018-11-13 | 国网江西省电力有限公司信息通信分公司 | Security access control method and device for cloud or virtual environments |
| CN109472136A (en) * | 2018-10-26 | 2019-03-15 | 山东钢铁集团日照有限公司 | Defense-in-depth security access method for virtualized cloud desktops |
| CN109818908A (en) * | 2017-11-21 | 2019-05-28 | 国网江西省电力有限公司信息通信分公司 | Security control method for cloud and virtual environments |
| CN110138855A (en) * | 2019-05-13 | 2019-08-16 | 武汉数字化设计与制造创新中心有限公司 | Development resource cloud platform and resource sharing method |
| CN111190694A (en) * | 2019-12-27 | 2020-05-22 | 山东乾云启创信息科技股份有限公司 | Virtualization security hardening method and device based on the Roc platform |
| CN111399988A (en) * | 2020-04-08 | 2020-07-10 | 公安部第三研究所 | Memory security detection system and method for a cloud platform |
Timeline
- 2020-08-10: application CN202010796665.3A filed (CN), published as CN111966458A; status Pending
Non-Patent Citations (4)
| Title |
|---|
| 周小芬, 阳春福, 沈宏杰, 吴琪: "Key technologies for identity recognition in hardware resource pools" (硬件资源池身份识别关键技术), 电力信息与通信技术, no. 01, 15 January 2017, pp. 56-59 * |
| 张剑 et al.: "Information Security Technology" (《信息安全技术》), vol. 2, 31 May 2015, 电子科技大学出版社, p. 407 * |
| 邹娟平: "Research on Modern Logistics Management Based on Internet of Things Technology" (《基于物联网技术的现代物流管理研究》), vol. 1, 31 October 2019, 中国海洋大学出版社, p. 39 * |
| 黄风华 et al.: "Cloud Computing Technology and Applications" (云计算技术与应用), vol. 1, 31 March 2020, 东北林业大学出版社, p. 54 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Oberheide et al. | Empirical exploitation of live virtual machine migration | |
| RU2714607C2 (en) | Double self-test of memory for protection of multiple network endpoints | |
| Pearce et al. | Virtualization: Issues, security threats, and solutions | |
| US9424430B2 (en) | Method and system for defending security application in a user's computer | |
| US10474813B1 (en) | Code injection technique for remediation at an endpoint of a network | |
| JP5736090B2 (en) | Method, system and computer program for memory protection of virtual guest | |
| US8910238B2 (en) | Hypervisor-based enterprise endpoint protection | |
| US8220029B2 (en) | Method and system for enforcing trusted computing policies in a hypervisor security module architecture | |
| US8782351B2 (en) | Protecting memory of a virtual guest | |
| Li et al. | Mycloud: supporting user-configured privacy protection in cloud computing | |
| US20170250963A1 (en) | Secure Migration of Virtual Machines from Source to Target and Transfer of VM Descriptor and Keys Between Physical Servers | |
| EP3287932B1 (en) | Data protection method and device | |
| Almutairy et al. | A taxonomy of virtualization security issues in cloud computing environments | |
| Brooks et al. | Security vulnerability analysis in virtualized computing environments | |
| Varadharajan et al. | Counteracting security attacks in virtual machines in the cloud using property based attestation | |
| US20230289204A1 (en) | Zero Trust Endpoint Device | |
| US20230110049A1 (en) | Limiting the security impact of compromised endpoint computing devices in a distributed malware detection system | |
| Denz et al. | A survey on securing the virtual cloud | |
| Price | The paradox of security in virtual environments | |
| Chandramouli et al. | Security assurance requirements for linux application container deployments | |
| CN106778257A (en) | A kind of anti-release apparatus of virtual machine | |
| Sun et al. | SPLM: security protection of live virtual machine migration in cloud computing | |
| Kurmus et al. | A comparison of secure multi-tenancy architectures for filesystem storage clouds | |
| CN111966458A (en) | A security management method for virtual cloud desktop | |
| Upadhyay et al. | Secure live migration of VM's in Cloud Computing: A survey |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 2020-11-20 | PB01 | Publication | Application publication date: 20201120 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |