Automated Recovery in a Secure Bootstrap Process

Thumbnail Image
Penn collection
Technical Reports (CIS)
Degree type
Grant number
Copyright date
Related resources
Arbaugh, William A
Keromytis, Angelos D
Farber, David J

Integrity is rarely a valid presupposition in much systems architecture, yet it is necessary to make any security guarantees. To address this problem, we have designed a secure bootstrap process, AEGIS, which presumes a minimal amount of integrity, and which we have prototyped on the Intel x86 architecture. The basic principle is sequencing the bootstrap process as a chain of progressively higher levels of abstraction, and requiring each layer to check a digital signature of the next layer before control is passed to it. A major design decision is the consequence of a failed integrity check. A simplistic strategy is to simply halt the bootstrap process. However, as we show in this paper, the AEGIS bootstrap process can be augmented with automated recovery procedures which preserve the security properties of AEGIS under the additional assumption of the availability of a trusted repository. We describe a variety of means by which such a repository can be implemented, and focus our attention on a network accessible repository. The recovery process is easily generalized to applications other than AEGIS, such as standardized desktop management and secure automated recovery of network elements such as routers or "Active Network" elements.

Date Range for Data Collection (Start Date)
Date Range for Data Collection (End Date)
Digital Object Identifier
Series name and number
Publication date
Volume number
Issue number
Publisher DOI
Journal Issue
University of Pennsylvania Department of Computer and Information Science Technical Report No. MS-CIS-97-13.
Recommended citation