CN104484606A - Verification method for memory information confidentiality of virtualization platform - Google Patents

Info

Publication number
CN104484606A
Authority
CN
China
Prior art keywords
memory
virtual machine
value
virtualization platform
confidentiality
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410743465.6A
Other languages
Chinese (zh)
Inventor
莫展鹏
杨松
季统凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
G Cloud Technology Co Ltd
Original Assignee
G Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by G Cloud Technology Co Ltd
Priority to CN201410743465.6A
Publication of CN104484606A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2143 Clearing memory, e.g. to prevent the data from being stolen

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of cloud computing, and in particular to a method for verifying the confidentiality of memory information on a virtualization platform. First, a virtualization platform is installed on a host machine and a virtual machine A with sufficiently large memory is created. After logging in, all available memory in virtual machine A is assigned the same value, the remaining memory is checked, and the values in memory are read back. Virtual machine A is then deleted, and a virtual machine B with the same memory size is created on the same host machine. After logging in to virtual machine B, the values in memory are read and printed. Finally, the values from before and after are compared: if the values printed in virtual machine B contain consecutive identical values, the information was not completely cleared and the platform has a defect in memory information confidentiality; otherwise its mechanism is shown to be sound. The invention thus provides a method that can be used to verify the confidentiality of memory information on virtualization platforms.

Description

A method for verifying the confidentiality of memory information on a virtualization platform

Technical field

The invention relates to the technical field of cloud computing, and in particular to a method for verifying the confidentiality of memory information on a virtualization platform.

Background

On a cloud platform, resources are shared and are allocated and released on demand, so a resource allocated to one user today may be allocated to another user tomorrow. This is especially evident in memory management: a block of memory was allocated yesterday to user A's virtual machine a; today user A no longer needs virtual machine a and deletes it. User B then creates virtual machine b on the same host today.

In this situation user A has a security concern: after virtual machine a is deleted, some residual information may remain. Could virtual machine b, created on the same host, be allocated the same region of memory as virtual machine a? And does the virtualization platform take measures to ensure that a virtual machine's memory is completely cleared before it is released or reallocated to other virtual machines, so that the privacy of user A's information is protected?

Summary of the invention

The technical problem solved by the invention is to provide a method for verifying the confidentiality of memory information on a virtualization platform, in support of data-security verification of virtualization technology and of virtualization platform selection.

The technical solution by which the invention solves this problem is as follows.

It comprises the following steps:

Step 1: Install a virtualization platform on a host machine and create a virtual machine A. The memory of virtual machine A must be large enough to allocate, as far as possible, all of the memory available on the host.

Step 2: Log in to virtual machine A and assign the same value to all of its available memory.

Step 3: Check the remaining memory of the virtual machine, read the values back from memory and print them to verify that the write succeeded.

Step 4: Delete virtual machine A and create, on the same host, a virtual machine B with the same memory size as virtual machine A.

Step 5: Log in to virtual machine B, read the values in memory and print them.

Step 6: Compare the memory values printed in virtual machine B with those printed in virtual machine A. If the values from step 5 contain consecutive values identical to the value assigned in step 2, the virtualization platform did not completely clear the information when releasing or reallocating the memory, and the platform has a defect in memory information confidentiality. Otherwise, the platform's mechanism for memory information confidentiality is shown to be sound.

"The memory of the created virtual machine is large enough" means that the virtual machine's memory is allocated exclusively, not in a mode such as Balloon in which the virtual machine's memory size can vary. Once the virtual machine has been created, the operating system shows that memory as in use, and it cannot be occupied by other processes.

"Allocate, as far as possible, all of the memory available on the host" means killing the processes on the host that are unrelated to running the virtual machine, so that after the virtual machine is created the operating system's remaining available memory falls below the hundred-megabyte level.

"Assign the same value to all of the available memory in the virtual machine" means requesting memory allocations and writing an easily recognizable value into the memory, such as 0xFFFFFFFF, in which every bit is 1, or 0xAAAAAAAA, the bit pattern 1010.

"Create a virtual machine B with the same memory size as virtual machine A" means creating a virtual machine whose memory fills the host's available memory, so that the memory regions allocated to virtual machine B and virtual machine A overlap completely or almost completely.

"The values printed in virtual machine B contain consecutive identical values" means that memory written in virtual machine A has appeared in virtual machine B, and that the residual information in those regions was not completely cleared.

The beneficial effects of the invention are as follows:

1. The method can fully demonstrate whether a virtualization platform is trustworthy with respect to memory information confidentiality. It exploits the fact that the memory regions of large-memory virtual machines overlap when memory is reallocated, which makes it possible to see whether the reallocated memory has been cleared.

2. The method is general and neutral. It does not depend on the tools of any particular virtualization platform and only reads and writes at the level of the underlying memory, so it is neutral and credible.

Brief description of the drawings

The invention is further described below with reference to the accompanying drawing:

Figure 1 is a flow chart of the invention.

Detailed description

As shown in Figure 1, the invention can be implemented in many ways. One implementation, which reads and writes memory in C on a CentOS virtual machine, is described here as an example. The flow chart is shown in Figure 1, and the procedure is as follows:

1. Create a virtual machine A that fills the host's available memory.

2. Log in to virtual machine A and perform the following operations.

The virtual machine memory assignment program is as follows: # this program assigns the value 0xFFFFFFFF to all 12G of memory

Compile it into an executable program and run it.

The memory usage can then be seen.

Shut down virtual machine A.

3. Create a virtual machine B with the same memory size as virtual machine A.

4. Log in to virtual machine B and perform the following operations.

The virtual machine memory output program is as follows: # output memory to standard output

5. Compare the two results.

Virtual machine B reads all 0, whereas virtual machine A wrote 0xFFFFFFFF throughout. This verifies that the memory information in virtual machine A was cleared before the memory was reallocated, and that this virtualization platform's mechanism for memory information confidentiality is sound.
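The listings for steps 2 and 4 of the embodiment are not present on this page. The C program below is an added example, not the patent's own code: `fill` marks memory in virtual machine A and reads it back (steps 2 and 3), and `scan` looks for consecutive marker words in virtual machine B (steps 5 and 6). The 1 MiB chunk size, the 1024-word run threshold and the scan mode's reading of a raw memory image on standard input are assumptions of this example.

```c
/* Added example: marker fill (VM A) and marker-run scan (VM B). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MARKER      0xFFFFFFFFu  /* recognizable value named in the description */
#define CHUNK_WORDS (1u << 18)   /* 1 MiB per allocation (assumed size) */
#define MIN_RUN     1024u        /* one 4 KiB page of marker words (assumed) */

struct scan_state { size_t total, run, longest; };

/* Step 2: write the marker into every 32-bit word; volatile forces the stores. */
void fill_words(volatile uint32_t *buf, size_t n, uint32_t marker)
{
    for (size_t i = 0; i < n; i++) buf[i] = marker;
}

/* Steps 3, 5, 6: count marker words and track the longest consecutive run.
 * The run counter lives in *s so a run that spans two buffers is not split. */
void scan_words(struct scan_state *s, const uint32_t *buf, size_t n, uint32_t marker)
{
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != marker) { s->run = 0; continue; }
        s->total++;
        if (++s->run > s->longest) s->longest = s->run;
    }
}

/* Step 6 verdict: isolated marker words are ignored, a long run is residue. */
int residue_found(const struct scan_state *s, size_t min_run)
{
    return s->longest >= min_run;
}

/* VM A: allocate and fill up to mib MiB, reading each chunk back (step 3).
 * Chunks are never freed, so the memory stays marked until the VM goes away. */
size_t fill_memory(size_t mib)
{
    size_t done = 0;
    while (done < mib) {
        uint32_t *p = malloc(CHUNK_WORDS * sizeof *p);
        struct scan_state s = {0, 0, 0};
        if (p == NULL) break;
        fill_words(p, CHUNK_WORDS, MARKER);
        scan_words(&s, p, CHUNK_WORDS, MARKER);
        if (s.total != CHUNK_WORDS) break;
        done++;
    }
    return done;
}

int main(int argc, char **argv)
{
    if (argc == 3 && strcmp(argv[1], "fill") == 0) {
        size_t got = fill_memory(strtoul(argv[2], NULL, 10));
        printf("filled %zu MiB with 0x%08X; press Enter to exit\n", got, MARKER);
        getchar();               /* hold the marked memory until VM A is deleted */
        return 0;
    }
    if (argc == 2 && strcmp(argv[1], "scan") == 0) {
        static uint32_t buf[CHUNK_WORDS];
        struct scan_state s = {0, 0, 0};
        size_t n;
        while ((n = fread(buf, sizeof buf[0], CHUNK_WORDS, stdin)) > 0)
            scan_words(&s, buf, n, MARKER);
        printf("marker words=%zu longest run=%zu verdict=%s\n", s.total,
               s.longest, residue_found(&s, MIN_RUN) ? "RESIDUE" : "clean");
        return residue_found(&s, MIN_RUN);
    }
    fprintf(stderr, "usage: %s fill <MiB> | scan < memory-image\n", argv[0]);
    return 2;
}
```

A Linux guest zero-fills pages before handing them to a user process, so the scan has to be fed a view of memory that has not passed through that path, such as a guest-physical memory image; a fresh allocation read from user space shows zeros whatever the platform did.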

Claims (5)

1. A method for verifying the confidentiality of memory information on a virtualization platform, characterized in that it comprises the following steps:

Step 1: Install a virtualization platform on a host machine and create a virtual machine A. The memory of virtual machine A must be large enough to allocate, as far as possible, all of the memory available on the host.

Step 2: Log in to virtual machine A and assign the same value to all of its available memory.

Step 3: Check the remaining memory of the virtual machine, read the values back from memory and print them to verify that the write succeeded.

Step 4: Delete virtual machine A and create, on the same host, a virtual machine B with the same memory size as virtual machine A.

Step 5: Log in to virtual machine B, read the values in memory and print them.

Step 6: Compare the memory values printed in virtual machine B with those printed in virtual machine A. If the values from step 5 contain consecutive values identical to the value assigned in step 2, the virtualization platform did not completely clear the information when releasing or reallocating the memory, and the platform has a defect in memory information confidentiality. Otherwise, the platform's mechanism for memory information confidentiality is shown to be sound.

2. The method for verifying the confidentiality of memory information on a virtualization platform according to claim 1, characterized in that: "the memory of the created virtual machine is large enough" means that the virtual machine's memory is allocated exclusively, not in a mode such as Balloon in which the virtual machine's memory size can vary, and that once the virtual machine has been created the operating system shows that memory as in use and it cannot be occupied by other processes; and "allocate, as far as possible, all of the memory available on the host" means killing the processes on the host that are unrelated to running the virtual machine, so that after the virtual machine is created the operating system's remaining available memory falls below the hundred-megabyte level.

3. The method for verifying the confidentiality of memory information on a virtualization platform according to claim 1, characterized in that: "assign the same value to all of the available memory in the virtual machine" means requesting memory allocations and writing an easily recognizable value into the memory, such as 0xFFFFFFFF, in which every bit is 1, or 0xAAAAAAAA, the bit pattern 1010.

4. The method for verifying the confidentiality of memory information on a virtualization platform according to claim 2, characterized in that: "assign the same value to all of the available memory in the virtual machine" means requesting memory allocations and writing an easily recognizable value into the memory, such as 0xFFFFFFFF, in which every bit is 1, or 0xAAAAAAAA, the bit pattern 1010.

5. The method for verifying the confidentiality of memory information on a virtualization platform according to any one of claims 1 to 4, characterized in that: "create a virtual machine B with the same memory size as virtual machine A" means creating a virtual machine whose memory fills the host's available memory, so that the memory regions allocated to virtual machine B and virtual machine A overlap completely or almost completely.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410743465.6A CN104484606A (en) 2014-12-05 2014-12-05 Verification method for memory information confidentiality of virtualization platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410743465.6A CN104484606A (en) 2014-12-05 2014-12-05 Verification method for memory information confidentiality of virtualization platform

Publications (1)

Publication Number Publication Date
CN104484606A true CN104484606A (en) 2015-04-01

Family

ID=52759147

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410743465.6A Pending CN104484606A (en) 2014-12-05 2014-12-05 Verification method for memory information confidentiality of virtualization platform

Country Status (1)

Country Link
CN (1) CN104484606A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150401
