Chaining layered integrity checks
[special characters omitted]“ДоверяъI, но Проверяъ I” [special characters omitted]“Trust, but Verify”1 In a system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the system (the lowest layer) is valid, the integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked, and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity “chain” inductively guarantees system integrity. If the integrity chain is not preserved between one or more layers in a system design, the integrity of the system as a whole cannot be guaranteed. In developing the Chaining Layered Integrity Check (CLIC) model, my examination of existing computer systems showed that their architecture overwhelmingly failed to provide integrity guarantees. The architectures I studied either failed to start in a verifiable state or failed to check the integrity of higher levels before a control transition. To address this problem, I have designed a composition model that provides integrity guarantees entitled “Chaining Layered Integrity Checks (CLIC)”. CLIC provides, for the first time, a realistic composition model which system designers can use to aid in the design and implementation of real systems that require strong integrity guarantees. To demonstrate the value of CLIC, I designed and implemented a secure and reliable “bootstrap” of a computer system entitled AEGIS. AEGIS is the first complete implementation of a secure bootstrap. As a result of my research, high integrity systems can now be designed and implemented using a well defined and minimal set of trust assumptions using CLIC. This permits integrity guarantees to propagate from the lowest layers of a computer system architecture to the highest layers providing for the first time strong integrity guarantees for a diverse set of applications such as Internet commerce, security systems, and “Active Networks.” 1Old Russian Saying used by many over the years.
Arbaugh, William Albert, "Chaining layered integrity checks" (1999). Dissertations available from ProQuest. AAI9928181.