Secure and reliable bootstrap architecture

William A. Arbaugh, David Farber, Jonathan M. Smith

Research output: Contribution to journalConference article

303 Citations (Scopus)

Abstract

In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked, and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity `chain' inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made. Yet, these guarantees are increasingly important to diverse applications such as Internet commerce, security systems, and `active networks.' In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems.

Original languageEnglish
Pages (from-to)65-71
Number of pages7
JournalProceedings of the IEEE Computer Society Symposium on Research in Security and Privacy
Publication statusPublished - 1997 Jan 1
Externally publishedYes
EventProceedings of the 1997 IEEE Symposium on Security and Privacy - Oakland, CA, USA
Duration: 1997 May 41997 May 7

Fingerprint

Computer systems
Active networks
Security systems
Internet
Hardware
Recovery

ASJC Scopus subject areas

  • Software

Cite this

Secure and reliable bootstrap architecture. / Arbaugh, William A.; Farber, David; Smith, Jonathan M.

In: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 01.01.1997, p. 65-71.

Research output: Contribution to journalConference article

@article{bb1d131a1a7f49df94c9768db44be542,
title = "Secure and reliable bootstrap architecture",
abstract = "In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked, and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity `chain' inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made. Yet, these guarantees are increasingly important to diverse applications such as Internet commerce, security systems, and `active networks.' In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems.",
author = "Arbaugh, {William A.} and David Farber and Smith, {Jonathan M.}",
year = "1997",
month = "1",
day = "1",
language = "English",
pages = "65--71",
journal = "Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy",
issn = "1063-7109",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - Secure and reliable bootstrap architecture

AU - Arbaugh, William A.

AU - Farber, David

AU - Smith, Jonathan M.

PY - 1997/1/1

Y1 - 1997/1/1

N2 - In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked, and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity `chain' inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made. Yet, these guarantees are increasingly important to diverse applications such as Internet commerce, security systems, and `active networks.' In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems.

AB - In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked, and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity `chain' inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made. Yet, these guarantees are increasingly important to diverse applications such as Internet commerce, security systems, and `active networks.' In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems.

UR - http://www.scopus.com/inward/record.url?scp=0030672130&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0030672130&partnerID=8YFLogxK

M3 - Conference article

AN - SCOPUS:0030672130

SP - 65

EP - 71

JO - Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy

JF - Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy

SN - 1063-7109

ER -