Automated Recovery in a Secure Bootstrap Process

Integrity is rarely a valid presupposition in much systems architecture, yet it is necessary to make any security guarantees. To address this problem, we have designed a secure bootstrap process, AEGIS, which presumes a minimal amount of integrity, and which we have prototyped on the Intel x86 architecture. The basic principle is sequencing the bootstrap process as a chain of progressively higher levels of abstraction, and requiring each layer to check a digital signature of the next layer before control is passed to it. A major design decision is the consequence of a failed integrity check. A simplistic strategy is to simply halt the bootstrap process. However, as we show in this paper, the AEGIS bootstrap process can be augmented with automated recovery procedures which preserve the security properties of AEGIS under the additional assumption of the availability of a trusted repository. We describe a variety of means by which such a repository can be implemented, and focus our attention on a network accessible repository. The recovery process is easily generalized to applications other than AEGIS, such as standardized desktop management and secure automated recovery of network elements such as routers or "Active Network" elements.