Technical field
The present invention relates to the field of computer technology, and specifically to a secure and trusted operation protection method based on a virtual platform.
Background
The present invention proposes a model for guaranteeing the secure and trusted operation of a virtual platform. It responds to the current situation in which cloud-computing virtualization technology is widely deployed and at the same time introduces virtualization-specific security challenges, while trusted-computing techniques for protecting systems and hardware in information security are maturing. This document introduces trusted-computing technology into the virtualization platform and combines protection measures such as dynamic measurement and the runtime integrity of the management domain, the virtual machine monitor and the guest domain in order to build a secure and trusted virtual platform. Trusted transfer along a chain of trust, as one model of trusted computing, protects the absolute trustworthiness of every link of the virtual platform from the bottom up, and thereby guarantees the platform's secure and trusted operation.
Summary of the invention
The object of the present invention is to provide a secure and trusted operation protection method based on a virtual platform.
The object of the present invention is achieved in the following manner. Addressing the security problems of virtual platforms, the secure and trusted operation of the virtual platform is guaranteed by the combination of an LLVM-based virtual machine monitor static analysis module, a TPM- and IPMI-based platform integrity remote verification module, a management-domain virtual machine integrity measurement module, a user virtual machine integrity measurement module and a software-behaviour-based data-flow consistency analysis module. The characteristics of each module are as follows:
LLVM-based virtual machine monitor static analysis module: the virtual machine monitor is recompiled using the compilation optimization, link-time optimization, online (just-in-time) compilation optimization and code generation facilities provided by LLVM; the logical invariants of its control flow are analysed in depth, and the integrity of the control flow is measured on that basis;
TPM- and IPMI-based platform integrity remote verification module: IPMI is highly autonomous and does not depend on the server's processor, BIOS or operating system in order to operate. Therefore, in combination with the trusted-computing services provided by the TPM, a hardware-based method is designed to construct a minimal trusted computing base (TCB); a measurement agent then interacts with the IPMI and with the TPM respectively, and finally the virtual machine monitor is measured using a hidden isolation model;
Management-domain virtual machine integrity measurement module: this module resides inside the virtual machine monitor. Its main function is to decompose the key data structures of the management domain, analysing chiefly the code segments, the system call table and the IDT of the key data structures of three parts: domain creation, the IDD and the emulated device model. The design idea is to capture system call, interrupt and exception events and, when these events occur, to perform a dynamic measurement of the latest state of the system;
User virtual machine integrity measurement module: this module implements two functions. The first is to transparently monitor the type of the user operating system (Guest OS) in real time; the second is to monitor the Guest OS's registers, heap and stack, the page base address of the current process, the variable parameters of events, and the instruction pointer and stack pointer of the running process. The first function is implemented with an iterative algorithm combined with a whitelist, using the hardware state information associated with the IDT (including the IDTR register, MSR-sysenter-cs and MSR-sysenter-eip) together with software data structure information (including the system call table and the process linked list). The second function is implemented by setting an illegal address so that a protection fault traps into the virtual machine monitor, which then performs the measurement; note that the illegal address should be stored in a debug register so that, after its check, the virtual machine monitor can set the correct return address of the context;
Software-behaviour-based data-flow consistency analysis module: this module consists of three parts, an analysis agent, a management agent and a monitoring agent. The analysis agent evaluates the software behaviour traces of the virtual machine monitor, the management domain and the guest domain, extracts the expected behaviour features and forms an expected-behaviour feature library; the monitoring agent monitors running instances of the software behaviour of the virtual machine monitor, the management domain and the guest domain in real time and then extracts the actual behaviour features; the management agent uses a software behaviour analysis automaton to perform a dynamic trustworthiness evaluation of the expected behaviour features provided by the analysis agent against the actual behaviour features provided by the monitoring agent, and finally obtains the trustworthiness evaluation results for the software of the virtual machine monitor, the management domain and the guest domain;
Guest virtual machine network isolation module: network isolation of a guest virtual machine is implemented on the host on which that guest virtual machine resides. Because network isolation of an untrusted guest virtual machine is performed on the basis of real-time detection of the guest virtual machine's platform integrity, the isolation behaves as follows: as soon as a violation of the guest virtual machine's platform integrity is detected, that virtual machine is isolated immediately, unlike network isolation of the host, where the host is allowed onto the network only after its platform integrity has been verified to be in a trusted state;
Locating a guest virtual machine whose platform integrity has been compromised cannot rely on the guest virtual machine's IP address and MAC address. If an attacker has obtained root privileges on the guest virtual machine, or the guest virtual machine is itself malicious, both its IP address and its MAC address may have been modified; if an Ethernet bridge firewall were still used to isolate the compromised guest virtual machine, that isolation model could easily be bypassed. Therefore, other effective information must be chosen to locate the guest virtual machine, and that information must be something the owner of the guest virtual machine cannot modify.
The beneficial effects of the present invention are as follows. The present invention proposes a model for guaranteeing the secure and trusted operation of a virtual platform. It responds to the current situation in which cloud-computing virtualization technology is widely deployed and at the same time introduces virtualization-specific security challenges, while trusted-computing techniques for protecting systems and hardware in information security are maturing. This document introduces trusted-computing technology into the virtualization platform and combines protection measures such as dynamic measurement and the runtime integrity of the management domain, the virtual machine monitor and the guest domain in order to build a secure and trusted virtual platform. Trusted transfer along a chain of trust, as one model of trusted computing, protects the absolute trustworthiness of every link of the virtual platform from the bottom up, and thereby guarantees the platform's secure and trusted operation.
Description of the drawings
Figure 1 is a framework diagram of the runtime integrity assurance model of the virtual platform.
Detailed description
The secure and trusted operation protection method based on a virtual platform of the present invention is described in detail below with reference to the accompanying drawing.
Embodiment:
The model for guaranteeing the secure and trusted operation of a virtual platform mainly covers the trustworthiness of the virtual domains at runtime, namely the runtime integrity of the management domain, the runtime integrity of the virtual machine monitor (hypervisor) and the runtime integrity of the guest domain. The overall framework is shown in Figure 1. Integrity here chiefly means that the main data structures, system calls and so on of the management domain, the virtual machine monitor and the guest domain are not tampered with by malicious programs at runtime, and that no attacker obtains the highest privilege level over them. The most important principle for guaranteeing the integrity of all three is to verify the integrity of the management domain, the virtual machine monitor and the guest domain in real time while they run. Real time here means that the detection scheme is applied at certain key points during program execution in the virtual environment.
The secure and trusted operation of the virtual platform is guaranteed by the combination of the LLVM-based virtual machine monitor static analysis module, the TPM- and IPMI-based platform integrity remote verification module, the management-domain virtual machine integrity measurement module, the user virtual machine integrity measurement module and the software-behaviour-based data-flow consistency analysis module. The characteristics of each module are as follows:
LLVM-based virtual machine monitor static analysis module: the virtual machine monitor (hypervisor) is recompiled using the compilation optimization, link-time optimization, online (just-in-time) compilation optimization, code generation and other facilities provided by LLVM; the logical invariants of its control flow are analysed in depth, and the integrity of the control flow is measured on that basis.
TPM- and IPMI-based platform integrity remote verification module: IPMI is highly autonomous and does not depend on the server's processor, BIOS or operating system in order to operate. A method for measuring the hypervisor is therefore designed in combination with the trusted-computing services provided by the TPM. It is implemented by constructing a minimal trusted computing base (TCB) with hardware means, having a measurement agent interact with the IPMI and with the TPM respectively, and finally measuring the hypervisor using a hidden isolation model.
Management-domain virtual machine integrity measurement module: this module resides inside the hypervisor. Its main function is to decompose the key data structures of the management domain, analysing chiefly the code segments, the system call table and the IDT of the key data structures of three parts: domain creation, the IDD and the emulated device model. The design idea is to capture events such as system calls, interrupts and exceptions and, when these events occur, to perform a dynamic measurement of the latest state of the system.
User virtual machine integrity measurement module: this module implements two functions. The first is to transparently monitor the type of the user operating system (Guest OS) in real time; the second is to monitor the Guest OS's registers, heap and stack, the page base address of the current process, the variable parameters of events, and the instruction pointer and stack pointer of the running process. The first function is implemented with an iterative algorithm combined with a whitelist, using the hardware state information associated with the IDT (mainly the IDTR register, MSR-sysenter-cs and MSR-sysenter-eip) together with software data structure information (mainly the system call table and the process linked list). The second function is implemented by setting an illegal address so that a protection fault traps into the hypervisor, which then performs the measurement. Note that the illegal address should be stored in a debug register so that, after its check, the hypervisor can set the correct return address of the context.
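The following Python is an added illustration of the first function of the user virtual machine integrity measurement module (as described in both the summary and this embodiment); it is not code from the patent. It models a hypervisor-side checker that identifies the Guest OS type from the IDT-related hardware state and the system call table size against a whitelist, walks the process linked list iteratively, and then measures the system call table and IDT against the baseline recorded for that OS type. All guest state values, the whitelist layout and the helper names are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class GuestState:
    """Guest state a hypervisor can read via introspection (values constructed)."""
    idtr_base: int
    msr_sysenter_cs: int
    msr_sysenter_eip: int
    syscall_table: tuple   # handler address per syscall number
    idt: tuple             # handler address per interrupt vector
    task_head: int         # address of the first task_struct
    task_next: dict        # task_struct address -> next address (circular list)


def digest(entries):
    """Measurement of a table: SHA-256 over its entries in order."""
    h = hashlib.sha256()
    for e in entries:
        h.update(e.to_bytes(8, "little"))
    return h.hexdigest()


def walk_task_list(state, max_tasks=4096):
    """Iteratively follow the process linked list until it wraps around to the
    head.  A link leaving the known set, or a list that never closes, indicates
    tampering (a task unlinked by a rootkit or a corrupted pointer)."""
    seen, cur = [], state.task_head
    for _ in range(max_tasks):
        if cur not in state.task_next:
            return None
        seen.append(cur)
        cur = state.task_next[cur]
        if cur == state.task_head:
            return seen
    return None


def hw_signature(state):
    """IDT-related hardware state plus syscall table size: identifies the OS type
    without depending on table contents, so a tampered guest of a known type is
    reported as tampered rather than as an unknown OS."""
    return (state.idtr_base, state.msr_sysenter_cs, state.msr_sysenter_eip,
            len(state.syscall_table))


def baseline(state):
    """Whitelist entry recorded from a known-good guest of one OS type."""
    return {"signature": hw_signature(state),
            "syscall_table": digest(state.syscall_table), "idt": digest(state.idt)}


def identify_os(state, whitelist):
    return next((name for name, ref in whitelist.items()
                 if ref["signature"] == hw_signature(state)), None)


def measure(state, whitelist):
    """Dynamic measurement at a trap point: returns (os_type, verdict, findings)."""
    os_type = identify_os(state, whitelist)
    if os_type is None:
        return None, "unknown", ["os type not in whitelist"]
    ref, findings = whitelist[os_type], []
    for table in ("syscall_table", "idt"):
        if digest(getattr(state, table)) != ref[table]:
            findings.append(f"{table} digest mismatch")
    if walk_task_list(state) is None:
        findings.append("process list malformed")
    return os_type, ("trusted" if not findings else "tampered"), findings


# Constructed known-good guest, and the whitelist built from it.
GOOD = GuestState(
    idtr_base=0xFFFFFFFFFF57B000, msr_sysenter_cs=0x10,
    msr_sysenter_eip=0xFFFFFFFF81800000,
    syscall_table=(0xFFFFFFFF811E0000, 0xFFFFFFFF811E0100, 0xFFFFFFFF811E0200),
    idt=(0xFFFFFFFF81A00000, 0xFFFFFFFF81A00010, 0xFFFFFFFF81A00020),
    task_head=0x1000, task_next={0x1000: 0x2000, 0x2000: 0x3000, 0x3000: 0x1000},
)
WHITELIST = {"guest-os-A": baseline(GOOD)}

# The same guest after one syscall handler was redirected and a task unlinked.
HOOKED = GuestState(
    GOOD.idtr_base, GOOD.msr_sysenter_cs, GOOD.msr_sysenter_eip,
    (0xFFFFFFFF811E0000, 0xDEAD0000, 0xFFFFFFFF811E0200), GOOD.idt,
    0x1000, {0x1000: 0x2000, 0x2000: 0x9999},
)
```

`measure(GOOD, WHITELIST)` reports the guest as trusted, while `measure(HOOKED, WHITELIST)` still identifies the OS type but reports the syscall table mismatch and the malformed process list.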
Software-behaviour-based data-flow consistency analysis module: this module consists of three parts, an analysis agent, a management agent and a monitoring agent. The analysis agent evaluates the software behaviour traces of the hypervisor, the management domain and the guest domain, extracts the expected behaviour features and forms an expected-behaviour feature library; the monitoring agent monitors running instances of the software behaviour of the hypervisor, the management domain and the guest domain in real time and then extracts the actual behaviour features; the management agent uses a software behaviour analysis automaton to perform a dynamic trustworthiness evaluation of the expected behaviour features provided by the analysis agent against the actual behaviour features provided by the monitoring agent, and finally obtains the trustworthiness evaluation results for the software of the hypervisor, the management domain and the guest domain.
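As an added example of the three-agent scheme above (covering both the summary and this embodiment; not the patent's code), the following Python models the software behaviour analysis automaton as a set of allowed event transitions: the analysis agent builds the expected-behaviour library from known-good traces, the monitoring agent extracts the transitions of a running instance, and the management agent walks them and stops at the first transition the library does not allow. The component names and event sequences are constructed; the agent function names are assumptions.

```python
from collections import defaultdict

START, END = "<start>", "<end>"   # sentinels so the first and last event are checked too


def analysis_agent(training_traces):
    """Expected-behaviour feature library: for every component, the set of
    (event, next_event) transitions observed in known-good behaviour traces."""
    library = defaultdict(set)
    for component, trace in training_traces:
        seq = [START, *trace, END]
        library[component].update(zip(seq, seq[1:]))
    return dict(library)


def monitoring_agent(component, observed_events):
    """Actual behaviour features of one running instance: its ordered transitions."""
    seq = [START, *observed_events, END]
    return component, list(zip(seq, seq[1:]))


def management_agent(library, actual):
    """Run the behaviour automaton over the actual transitions; the instance is
    trusted only if every transition is allowed by the expected-behaviour library."""
    component, transitions = actual
    allowed = library.get(component)
    if allowed is None:
        return {"component": component, "trusted": False,
                "reason": "no expected-behaviour profile"}
    for step, (prev, nxt) in enumerate(transitions):
        if (prev, nxt) not in allowed:
            return {"component": component, "trusted": False,
                    "reason": f"unexpected transition {prev} -> {nxt} at step {step}"}
    return {"component": component, "trusted": True, "reason": None}


def evaluate(library, component, observed_events):
    """Full pipeline: monitor one instance, then let the management agent judge it."""
    return management_agent(library, monitoring_agent(component, observed_events))


# Constructed known-good traces: hypercall-like events for the management domain,
# syscall-like events for a guest domain.
TRAINING = [
    ("dom0", ["xen_version", "domctl_create", "memory_op", "domctl_unpause", "sched_op"]),
    ("dom0", ["xen_version", "memory_op", "sched_op"]),
    ("guest", ["open", "read", "write", "close"]),
    ("guest", ["open", "read", "close"]),
]
LIBRARY = analysis_agent(TRAINING)

if __name__ == "__main__":
    print(evaluate(LIBRARY, "guest", ["open", "read", "write", "close"]))
    # A guest instance that loads a kernel module right after a read.
    print(evaluate(LIBRARY, "guest", ["open", "read", "init_module", "close"]))
```

Because the library stores transitions rather than event sets, a trace that uses only known events in an unseen order (for example `open` directly followed by `close`) is also flagged.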
Guest (user) virtual machine network isolation module: network isolation of a guest virtual machine is implemented on the host on which that guest virtual machine resides. Because network isolation of an untrusted guest virtual machine is performed on the basis of real-time detection of the guest virtual machine's platform integrity, the isolation behaves as follows: as soon as a violation of the guest virtual machine's platform integrity is detected, that virtual machine is isolated immediately, unlike network isolation of the host, where the host is allowed onto the network only after its platform integrity has been verified to be in a trusted state.
Locating a guest virtual machine whose platform integrity has been compromised cannot rely on the guest virtual machine's IP address and MAC address. If an attacker has obtained root privileges on the guest virtual machine, or the guest virtual machine is itself malicious, both its IP address and its MAC address can be modified. If Ebtables were still used to isolate a guest virtual machine whose platform integrity has been compromised, that isolation model could easily be bypassed. Therefore, other effective information must be chosen to locate the guest virtual machine, and that information must be something the owner of the guest virtual machine cannot modify.
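As an added example of the locating problem above (raised in both the summary and this embodiment; not the patent's code), the following Python models a host bridge that can isolate a guest either by the guest-claimed MAC/IP pair, in the style of an Ebtables rule, or by the host-assigned backend interface on which the domain's frames arrive. The domain ids, backend port names (Xen-style `vif<domid>.0`), addresses and frames are constructed; the class and method names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ingress_port: str   # host-side backend interface the frame arrived on (host-assigned)
    src_mac: str        # claimed by the guest, so under the guest owner's control
    src_ip: str         # claimed by the guest, so under the guest owner's control


class HostBridge:
    """Minimal model of the host bridge that the guests' backend interfaces attach to."""

    def __init__(self, domains):
        # domain id -> backend port; assigned by the hypervisor/toolstack, not the guest
        self.port_of = dict(domains)
        self.blocked_addrs = set()   # (mac, ip) pairs: the address-based rule
        self.blocked_ports = set()   # backend ports: the host-handle rule

    def isolate_by_address(self, mac, ip):
        """Ebtables-style isolation keyed on what the guest currently claims to be."""
        self.blocked_addrs.add((mac, ip))

    def isolate_domain(self, domid):
        """Isolation keyed on the backend port, which the guest cannot change."""
        self.blocked_ports.add(self.port_of[domid])

    def forward(self, frame):
        if frame.ingress_port in self.blocked_ports:
            return "dropped (port)"
        if (frame.src_mac, frame.src_ip) in self.blocked_addrs:
            return "dropped (address)"
        return "forwarded"


def demo():
    """Returns the bridge verdicts for the compromised and the healthy domain."""
    bridge = HostBridge({5: "vif5.0", 7: "vif7.0"})   # constructed domain ids / ports
    # The integrity check on domain 7 failed; the address rule matches its old addresses.
    bridge.isolate_by_address("00:16:3e:00:00:07", "10.0.0.7")
    before = bridge.forward(Frame("vif7.0", "00:16:3e:00:00:07", "10.0.0.7"))
    # Frames from the same backend port after the guest changed its MAC and IP.
    spoofed = Frame("vif7.0", "00:16:3e:00:00:99", "10.0.0.99")
    evaded = bridge.forward(spoofed)
    # Isolating on the host-assigned backend port is unaffected by the address change.
    bridge.isolate_domain(7)
    after = bridge.forward(spoofed)
    healthy = bridge.forward(Frame("vif5.0", "00:16:3e:00:00:05", "10.0.0.5"))
    return before, evaded, after, healthy


if __name__ == "__main__":
    print(demo())  # ('dropped (address)', 'forwarded', 'dropped (port)', 'forwarded')
```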
Apart from the technical features described in this specification, all other techniques are known to those skilled in the art.
| Application Number | Publication Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|---|
| CN201410371685.0A | CN104134038B (en) | Active | 2014-07-31 | 2014-07-31 | A kind of secure and trusted running protection method based on virtual platform |

| Publication Number | Publication Date |
|---|---|
| CN104134038A (en) | 2014-11-05 |
| CN104134038B (en) | 2016-11-23 |
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20180816. Address after: 250101 S06 tower, 1036, Chao Lu Road, hi tech Zone, Ji'nan, Shandong. Patentee after: SHANDONG LANGCHAO YUNTOU INFORMATION TECHNOLOGY Co.,Ltd. Address before: No. 1036, Shun Ya Road, Ji'nan high tech Zone, Shandong Province. Patentee before: INSPUR ELECTRONIC INFORMATION INDUSTRY Co.,Ltd. |
| CP03 | Change of name, title or address | Address after: 250100 No. 1036 Tidal Road, Jinan High-tech Zone, Shandong Province, S01 Building, Tidal Science Park. Patentee after: Inspur cloud Information Technology Co.,Ltd. Address before: 250101 S06 tower, 1036, Chao Lu Road, hi tech Zone, Ji'nan, Shandong. Patentee before: SHANDONG LANGCHAO YUNTOU INFORMATION TECHNOLOGY Co.,Ltd. |
| TR01 | Transfer of patent right | Effective date of registration: 20221013. Address after: No. 5-398, Yunhan Avenue, Shuitu Hi tech Industrial Park, Beibei District, Chongqing 400722. Patentee after: Chongqing Inspur Government Cloud Management and Operation Co.,Ltd. Address before: 250100 No. 1036 Tidal Road, Jinan High-tech Zone, Shandong Province, S01 Building, Tidal Science Park. Patentee before: Inspur cloud Information Technology Co.,Ltd. |