CN104484606A - Verification method for memory information confidentiality of virtualization platform - Google Patents
Verification method for memory information confidentiality of virtualization platform Download PDFInfo
- Publication number
- CN104484606A CN104484606A CN201410743465.6A CN201410743465A CN104484606A CN 104484606 A CN104484606 A CN 104484606A CN 201410743465 A CN201410743465 A CN 201410743465A CN 104484606 A CN104484606 A CN 104484606A
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- memory
- value
- virtual
- internal memory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6281—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2143—Clearing memory, e.g. to prevent the data from being stolen
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the technical field of cloud computing, in particular to a verification method for memory information confidentiality of a virtualization platform. The verification method includes installing the virtualization platform on a host, and creating a virtual machine A with enough memory; logging in the virtual machine A, giving the same value to all available memory in the virtual machine A, checking residual memory, and reading values in the memory; deleting the virtual machine A, and creating a virtual machine with memory as large as the memory of the virtual machine A on the same host; logging in the virtual machine B, and reading and printing values in the memory; comparing the values printed in the virtual machine A with the values printed in the virtual machine B, determining that information are not removed completely and the memory information has defects in confidentiality if the values printed in the virtual machine B include continuous values as same as the values printed in the virtual machine A, and otherwise, determining that the memory information is perfect. The verification method can be used for verification of the memory information confidentiality of the virtualization platform.
Description
Technical field
The present invention relates to field of cloud computer technology, especially a kind of verification method of virtual platform memory information confidentiality.
Background technology
In cloud platform, because resource is all share to use and be carry out the distribution of resource and release as required, resource is distributed to a certain user and use today, and tomorrow may distribute to another one user.This characteristic embodies particularly evident in memory management, and the virtual machine a that certain block internal memory distributed to user A yesterday uses, and to today, user A no longer needs virtual machine a, and virtual machine a is deleted.Then user B creates virtual machine b today on same host.
In above-mentioned situation, user A can produce a kind of misgivings to safety: after virtual machine a is deleted, a part of remaining information may be remained, the virtual machine b at this time created on same host, whether may be assigned to the internal memory with virtual machine a same area, virtual platform whether have take corresponding means to guarantee the internal memory of virtual machine is released or reallocates is removed completely to before other virtual machines, thus ensure the privacy of the information of user A.
Summary of the invention
The technical matters that the present invention solves is the verification method providing a kind of virtual platform memory information confidentiality, for the data security checking of Intel Virtualization Technology and the type selecting of virtual platform provide support.
The technical scheme that the present invention solves the problems of the technologies described above is:
Specifically comprise the steps:
Step 1: install virtual platform on a host, the internal memory creating a virtual machine A, virtual machine A is enough large, as far as possible complete for possible Memory Allocation all on host;
Step 2: log in virtual machine A, all composes into an identical value the free memory in virtual machine A;
Step 3: the free memory checking virtual machine, reads the value in internal memory and prints checking and guarantee to write successfully;
Step 4: delete virtual machine A, same host creates the virtual machine B that internal memory and virtual machine A are equally large;
Step 5: log in virtual machine B, reads the value in internal memory and prints;
Step 6: the value of the internal memory printed in the value of the internal memory printed in contrast virtual machine B and virtual machine A, if it is identical with the value of giving in step 2 that the value of step 5 occurs continuous print, so prove that this virtual platform is when carrying out internal memory to discharge or redistribute, information is not removed completely, this virtual platform is existing defects in memory information confidentiality, otherwise, prove that the mechanism of this virtual platform in memory information confidentiality is perfect.
The virutal machine memory of described establishment refers to enough greatly and adopts exclusive mode to distribute virutal machine memory, but not the pattern that the virutal machine memory sizes such as Balloon pattern are variable, after virtual machine is created, operating system aspect display memory has used state, can not be taken by other processes;
Describedly complete for possible Memory Allocation all on host referring to be killed host running the process had nothing to do with virtual machine, and after creating virtual machine, operating system remains free memory and is down to the rank being less than 100,000,000 as far as possible.
Describedly free memory in virtual machine all composed into an identical value refer to application storage allocation, and internal memory is write as a value easily identified, as 0xFFFFFFFF represent whole be 1 value, or 0xAAAAAAAA is expressed as the value of 1010.
Described establishment internal memory and virtual machine A equally large virtual machine B refer to that establishment internal memory takes the virtual machine of host free memory, make the region of virtual machine B and virtual machine A storage allocation completely overlapping or close to completely overlapping.
The value printed in described virtual machine B occurs consecutive identical value and refers to the internal memory having occurred assignment in virtual machine A in virtual machine B, and the remaining information in these regions is not completely removed.
The beneficial effect of the present invention program is as follows:
1, method of the present invention can prove whether a virtual platform is credible in memory information registration property, and whether utilize large internal memory virutal machine memory to redistribute the feature that there is overlapping region, can view the internal memory redistributed is eliminated completely;
2, method of the present invention is a kind of general and method of neutrality, without the need to relying on the instrument of any particular virtual platform, only reads and writes from the internal memory angle of bottom, is neutral and believable.
Accompanying drawing explanation
Below in conjunction with accompanying drawing, the present invention is further described:
Accompanying drawing 1 is process flow diagram of the present invention;
Embodiment
See that shown in accompanying drawing 1, embodiments of the present invention have multiple, to carry out memory read-write for C beforehand research under CentOS virtual machine, wherein a kind of implementation method is described here, as shown in Figure 1, specific implementation process is as follows for process flow diagram:
1, the free memory that a virtual machine A takes host is created
2, log in virtual machine A, carry out following operation
Virutal machine memory assignment program is as follows: this program of # the internal memory of 12G all assignment be 0xFFFFFFFF
Be programmed to executable program and perform
Internal memory service condition can be seen
Close virtual machine A.
3, a virtual machine B is created equally large with virtual machine A internal memory
4, log in virtual machine B, carry out following operation
The following # of virutal machine memory written-out program outputs to standard output internal memory
5, the result of twice is compared
It is all 0 that virtual machine B reads, and virtual machine A write is all 0xFFFFFFFF, and the memory information namely in verifying virtual machines A had all been eliminated before redistributing, and the mechanism of this virtual platform in memory information confidentiality is perfect.
Claims (5)
1. a verification method for virtual platform memory information confidentiality, is characterized in that: specifically comprise the steps:
Step 1: install virtual platform on a host, the internal memory creating a virtual machine A, virtual machine A is enough large, as far as possible complete for possible Memory Allocation all on host;
Step 2: log in virtual machine A, all composes into an identical value the free memory in virtual machine A;
Step 3: the free memory checking virtual machine, reads the value in internal memory and prints checking and guarantee to write successfully;
Step 4: delete virtual machine A, same host creates the virtual machine B that internal memory and virtual machine A are equally large;
Step 5: log in virtual machine B, reads the value in internal memory and prints;
Step 6: the value of the internal memory printed in the value of the internal memory printed in contrast virtual machine B and virtual machine A, if it is identical with the value of giving in step 2 that the value of step 5 occurs continuous print, so prove that this virtual platform is when carrying out internal memory to discharge or redistribute, information is not removed completely, this virtual platform is existing defects in memory information confidentiality, otherwise, prove that the mechanism of this virtual platform in memory information confidentiality is perfect.
2. the verification method of virtual platform memory information confidentiality according to claim 1, it is characterized in that: the virutal machine memory of described establishment refers to enough greatly and adopts exclusive mode to distribute virutal machine memory, but not the pattern that the virutal machine memory sizes such as Balloon pattern are variable, after virtual machine is created, operating system aspect display memory has used state, can not be taken by other processes;
Describedly complete for possible Memory Allocation all on host referring to be killed host running the process had nothing to do with virtual machine, and after creating virtual machine, operating system remains free memory and is down to the rank being less than 100,000,000 as far as possible.
3. the verification method of virtual platform memory information confidentiality according to claim 1, it is characterized in that: describedly free memory in virtual machine is all composed into an identical value refer to application storage allocation, and internal memory is write as a value easily identified, as 0xFFFFFFFF represent whole be 1 value, or 0xAAAAAAAA is expressed as the value of 1010.
4. the verification method of virtual platform memory information confidentiality according to claim 2, it is characterized in that: describedly free memory in virtual machine is all composed into an identical value refer to application storage allocation, and internal memory is write as a value easily identified, as 0xFFFFFFFF represent whole be 1 value, or 0xAAAAAAAA is expressed as the value of 1010.
5. the verification method of the virtual platform memory information confidentiality according to any one of Claims 1-4, it is characterized in that: described establishment internal memory and virtual machine A equally large virtual machine B refer to that establishment internal memory takes the virtual machine of host free memory, make the region of virtual machine B and virtual machine A storage allocation completely overlapping or close to completely overlapping.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410743465.6A CN104484606A (en) | 2014-12-05 | 2014-12-05 | Verification method for memory information confidentiality of virtualization platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410743465.6A CN104484606A (en) | 2014-12-05 | 2014-12-05 | Verification method for memory information confidentiality of virtualization platform |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104484606A true CN104484606A (en) | 2015-04-01 |
Family
ID=52759147
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410743465.6A Pending CN104484606A (en) | 2014-12-05 | 2014-12-05 | Verification method for memory information confidentiality of virtualization platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104484606A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106919854A (en) * | 2017-03-08 | 2017-07-04 | 公安部第三研究所 | The detection method that a kind of virtual machine remaining information is removed |
| CN111399988A (en) * | 2020-04-08 | 2020-07-10 | 公安部第三研究所 | Memory security detection system and method of cloud platform |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1538300A (en) * | 2003-09-23 | 2004-10-20 | 中兴通讯股份有限公司 | Method of detecting and location of leakage of internal storage of real-time system localization |
| CN1896957A (en) * | 2005-07-14 | 2007-01-17 | 中兴通讯股份有限公司 | Method for leaking memory of positioning virtual operation system |
| US20070027942A1 (en) * | 2005-07-27 | 2007-02-01 | Trotter Martin J | Memory leak detection |
| CN101814049A (en) * | 2010-03-23 | 2010-08-25 | 北京大学 | Memory leak detection method |
| CN104182320A (en) * | 2013-05-23 | 2014-12-03 | 联想(北京)有限公司 | Method and device for monitoring leakage of memory |
-
2014
- 2014-12-05 CN CN201410743465.6A patent/CN104484606A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1538300A (en) * | 2003-09-23 | 2004-10-20 | 中兴通讯股份有限公司 | Method of detecting and location of leakage of internal storage of real-time system localization |
| CN1896957A (en) * | 2005-07-14 | 2007-01-17 | 中兴通讯股份有限公司 | Method for leaking memory of positioning virtual operation system |
| US20070027942A1 (en) * | 2005-07-27 | 2007-02-01 | Trotter Martin J | Memory leak detection |
| CN101814049A (en) * | 2010-03-23 | 2010-08-25 | 北京大学 | Memory leak detection method |
| CN104182320A (en) * | 2013-05-23 | 2014-12-03 | 联想(北京)有限公司 | Method and device for monitoring leakage of memory |
Non-Patent Citations (1)
| Title |
|---|
| 韩奕等: ""虚拟化内存泄漏的风险探知及研究"", 《保密科学技术》 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106919854A (en) * | 2017-03-08 | 2017-07-04 | 公安部第三研究所 | The detection method that a kind of virtual machine remaining information is removed |
| CN106919854B (en) * | 2017-03-08 | 2021-04-30 | 公安部第三研究所 | Detection method for clearing residual information of virtual machine |
| CN111399988A (en) * | 2020-04-08 | 2020-07-10 | 公安部第三研究所 | Memory security detection system and method of cloud platform |
| CN111399988B (en) * | 2020-04-08 | 2024-02-09 | 公安部第三研究所 | Memory security detection system and method for cloud platform |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10599427B2 (en) | Software updating | |
| KR102257320B1 (en) | Monitoring of memory page transitions between hypervisors and virtual machines | |
| US9965270B2 (en) | Updating computer firmware | |
| US9053042B2 (en) | Method, system, and device for modifying a secure enclave configuration without changing the enclave measurement | |
| CN104503708B (en) | The method and device of data hash storage | |
| DE112017006699T5 (en) | METHOD AND DEVICE FOR AREA-BASED TEST POINTS IN A MEMORY DEVICE | |
| US10635642B1 (en) | Multi-cloud bi-directional storage replication system and techniques | |
| US11016805B2 (en) | Programmatically applying labels to nodes in cluster orchestration platforms | |
| US10241813B2 (en) | Method and apparatus for patching | |
| US10924277B2 (en) | Certifying authenticity of stored code and code updates | |
| CN103761159B (en) | Method and system for processing incremental snapshot | |
| KR102185150B1 (en) | Generalized write operations verification method | |
| EP3051408B1 (en) | Data operating method and device | |
| US8997249B1 (en) | Software activation and revalidation | |
| CN105550060B (en) | A kind of backup method and device of increment upgrading | |
| US20130212593A1 (en) | Controlled Growth in Virtual Disks | |
| US10318166B1 (en) | Preserving locality of storage accesses by virtual machine copies in hyper-converged infrastructure appliances | |
| CN108804913B (en) | Application program running method and device | |
| CN103279712A (en) | Method for enhancing system safety, checking device and safety system | |
| CN107533602B (en) | Computing device and method thereof, and computing system | |
| US8549223B1 (en) | Systems and methods for reclaiming storage space on striped volumes | |
| CN102096782B (en) | Internet banking safety authentication method based on removable medium of virtual machine | |
| EP2998903B1 (en) | System and method for robust full-drive encryption | |
| EP3262519A1 (en) | Configuration of a memory controller for copy-on-write | |
| CN104484606A (en) | Verification method for memory information confidentiality of virtualization platform |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20150401 |