| W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith. Automated recovery in a secure bootstrap process. In Symposium on Network and Distributed System Security (SNDSS), pages 155--167, 1998. |
....libraries. Packet encryption and authentication, for both data packets and active capsules. A key establishment protocol (KEP) which allows nodes or users to establish secret keys and exchange certificates. This protocol is used for: secure bootstrap component recovery in AEGIS [6]; session key establishment and principal authentication and authorization. The principals can authenticate each other and exchange authorization credentials. We make use of KeyNote [7] credentials to specify the resource usage and access control policies ALIEN enforces. Secure neighbor ....
W. A. Arbaugh et al., "Automated Recovery in a Secure Bootstrap Process," Proc. Network and Dist. Sys. Security Symp., Internet Society, Mar. 1998, pp. 155--67.
....a combination of static and dynamic checks is required in the case of active networks to ensure security. SANE is a layered architecture. The lower layers of the architecture ensure that the system starts in an expected state. This is done by using a secure bootstrap architecture called AEGIS [23]. This is a static check and after that, dynamic checks on a per user or per packet basis can be made. The higher layers of the architecture are responsible for these checks. The system maintains security in several ways from this point onwards. First, it performs remote authentication, when ....
William A. Arbaugh et al., Automated Recovery in a Secure Bootstrap Process, Network and Distributed System Security Symposium, Internet Society, March 1998.
....SwitchWare active network architecture [7]. The group has also proposed a Secure Active Network Environment (SANE) Architecture [8] which defines a secure boot procedure, and both static and dynamic security checks required by nodes within the Active Network. The secure bootstrap process, AEGIS [9], specifies a procedure for verifying the components of an IBM PC during the boot process, and a method for recovering corrupted components. AEGIS models the boot process as a set of boot levels. It defines a guaranteed secure boot process in two parts. The first part guarantees that no code is ....
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith, "Automated Recovery in a Secure Bootstrap Process," in Internet Society Symposium on Network and Distributed System Security, (San Diego, CA), March 1998.
No context found.
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith, "Automated recovery in a secure bootstrap process," in Proc. Network Distributed System Security Symp., Mar. 1998, pp. 155--167.
....with the ALIEN architecture [Ale98]. ALIEN is built on top of the Caml runtime, and provides a network bytecode loader, a set of libraries, and other facilities necessary for active networking. The following sections describe the three components of SANE. These include the AEGIS [AFS97, AKFS98] bootstrap system described earlier in Chapter 6, the ALIEN [Ale98] architecture, and SANE [AAH 98, AAKS98] itself. 7.1.6 SANE Services SANE builds on AEGIS and ALIEN in order to provide security services for an active network. We believe that these services are minimally required for the ....
....key establishment can be easily amortized after transmitting even a small amount of data. A key establishment protocol (KEP) which allows two principals in the network to establish secret keys and exchange certificates. The protocol is also used in bootstrap failure recovery in AEGIS [AKFS98] and is based on the Station to Station [DvOW92] protocol, using Diffie Hellman [DH76] key exchange and DSA [oS94] (or other) public key signatures. This protocol is used in three different roles: 1. Secure bootstrap component recovery in AEGIS, as we discussed in Section 5.3.2. 2. Secure ....
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith. Automated Recovery in a Secure Bootstrap Process. In Proceedings of Network and Distributed System Security Symposium, pages 155--167. Internet Society, March 1998.
....The components of SANE are illustrated in Figure 2. SANE provides security from the moment power is applied to the active node. This is accomplished using the AEGIS Secure Bootstrap Architecture which is able to detect alterations in the firmware and within the operating system. See [AFS97, AKFS98] for further detail on AEGIS. [Figure 2 labels: Linux Process, V.M., Loadable Modules, Module Checking, Caml Runtime Loader, Memory Protection Boundary, Secure Bootstrap and Recovery via AEGIS, Integrity Dependencies, Remote Authentication of Modules, Trusted POST, POST2 and Exp. ROM, OS (e.g. Linux)] Fig. ....
William A. Arbaugh, Angelos D. Keromytis, David J. Farber, and Jonathan M. Smith. Automated Recovery in a Secure Bootstrap Process. In Symposium on Network and Distributed System Security. Internet Society, March 1998.
....[1], [3]. The components of SANE are illustrated in Fig. 2. SANE provides security from the moment power is applied to the active node. This is accomplished using the AEGIS Secure Bootstrap Architecture which is able to detect alterations in the firmware and within the operating system. See [12], [13] for further detail on AEGIS. Clients of SANE have access to several cryptographic primitives. These are DES [14] for symmetric key encryption, SHA1 [15] for keyed hashes, and DSA [16] for public key signatures. Other equivalent primitives could be provided. All the algorithms have been ....
W. A. Arbaugh et al., "Automated recovery in a secure bootstrap process," in Symposium on Network and Distributed System Security, Internet Society, Mar. 1998.
....[Figure 3: SANE's Relation to SwitchWare; labels: ... of Hardware, Firmware and OS, Service Request, Remote Recovery, Switchlet, Active Router] The secure bootstrap system (named AEGIS) assumes that the first 32 KB of the system BIOS is unmodified, that there is a protected key source, and if automated recovery [AKFS98] is desired, that a trusted source exists from which damaged components can be recovered. Under these assumptions, the secure bootstrap process performs, for each system level (e.g. BIOS initialization, Flash ROMS, Boot Block, OS etc.) a cryptographic verification on the level's code before ....
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith. Automated recovery in a secure bootstrap process. In Internet Society 1998 Symposium on Network and Distributed System Security, pages 155--167, March 1998.
....Environment (SANE) [AAKS98]. The SANE infrastructure provides security guarantees to the network elements and overlaid services. Additional security services can be built on top of SANE, using the existing primitives. These primitives include secure bootstrapping using the AEGIS architecture [AKFS98]; key exchange; authentication and identification of network entities; packet confidentiality and integrity; resource and access control; and namespace protection. Section 2 describes the SQoSH architecture and principles. Section 5 presents the current status of the implementation with some ....
....accomplished by having each party send the other both an authentication certificate and an authorization certificate and using Diffie Hellman key exchange to establish the shared secret. The protocol is carried out with a total of three messages transmitted. For more details on the protocol, see [AKFS98]. A node that has detected an integrity failure can establish this secure channel with a repository. It can then request a new version of the failed component. The repository will send the new component protected by the shared key to prevent tampering from an attacker. The component can ....
William A. Arbaugh, Angelos D. Keromytis, David J. Farber, and Jonathan M. Smith. Automated Recovery in a Secure Bootstrap Process. In Network and Distributed System Security Symposium. Internet Society, March 1998.
....[Figure 3: SANE's Relation to SwitchWare; labels: Mgmt., AEGIS Secure Bootstrap of Hardware, Firmware and OS, Service Request, Remote Recovery, Switchlet, Active Router] The system assumes that the first 32 KB of the system BIOS is unmodified, that there is a protected key source, and if automated recovery [AKFS98] is desired, that a trusted source exists from which damaged components can be recovered. Under these assumptions, the secure bootstrap process performs, for each system level (e.g. BIOS initialization, Flash ROMS, Boot Block, OS etc.) a digital signature verification on the level's code before ....
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith. Automated recovery in a secure bootstrap process. In Internet Society 1998 Symposium on Network and Distributed System Security, March 1998. To appear.
....with the ALIEN architecture [Ale98]. ALIEN is built on top of the Caml runtime, and provides a network bytecode loader, a set of libraries, and other facilities necessary for active networking. The following sections describe the three components of SANE. These include the AEGIS [AFS97, AKFS98] bootstrap system, the ALIEN [Ale98] architecture, and SANE [AAH 98, AAKS98a] itself. 3.1 AEGIS Bootstrap AEGIS [AFS97] modifies the standard IBM PC process so that all executable code, except for a very small section of trustworthy code, is verified prior to execution by using a digital ....
....integrity of already trusted components. The nature of this trust is outside the scope of this paper. Other work on the subject of secure bootstrapping includes [TY91, Yee94, Cla94, LAB92, HKK93]. A more extensive review of AEGIS and its differences with the above systems can be found in [AFS97, AKFS98]. AEGIS Layered Boot and Recovery Process. AEGIS divides the boot process into several levels to simplify and organize the BIOS modifications, as shown in Figure 3. Each increasing level adds functionality to the system, providing correspondingly higher levels of abstraction. The lowest level is ....
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith. Automated Recovery in a Secure Bootstrap Process. In Proceedings of Network and Distributed System Security Symposium, pages 155--167. Internet Society, March 1998.
....Network Environment (SANE). The SANE infrastructure provides security guarantees to the network elements and overlaid services. Additional security services can be built on top of SANE, using the existing primitives. These primitives include secure bootstrapping using the AEGIS architecture [AKFS98]; key exchange; authentication and identification of network entities; packet confidentiality and integrity; resource and access control; and name space protection. SANE's approach to providing high performance is based on the observation that security based restrictions on programming ....
....while in storage or transit. We further define dynamic integrity as a property that an object has not been altered while in use. For instance, self modifying code violates the dynamic integrity property. AEGIS provides static integrity guarantees by using a combination of two techniques [AFS97, AKFS98]. The first technique reduces the size of the firmware assumed as having the static integrity property down to the small section that tests the proper operation of memory and the motherboard. The second technique uses induction, digital signatures and modifications to the control transitions from ....
William A. Arbaugh, Angelos D. Keromytis, David J. Farber, and Jonathan M. Smith. Automated Recovery in a Secure Bootstrap Process. To appear in Network and Distributed System Security Symposium. Internet Society, March 1998.
....[4] to experiment with node extensibility. We have also developed a security services infrastructure, called SANE [3], which has been nearly fully implemented in the context of Alien, and partially implemented in the context of PLANet. Among the services offered by SANE are secure bootstrapping [5, 6], cryptographic primitives (digital signatures [29], hashes [30], secret key encryption [28]), key establishment and principal authentication [14], a safe distributed naming scheme, and policy controlled resource and access control through language restrictions and use of KeyNote [9] and ....
William A. Arbaugh, Angelos D. Keromytis, David J. Farber, and Jonathan M. Smith. Automated Recovery in a Secure Bootstrap Process. To appear in Network and Distributed System Security Symposium, pages 155--167. Internet Society, March 1998.
....considered trustworthy by the system administrator. AEGIS verifies the integrity of already trusted components. The nature of this trust is outside the scope of this paper. A more extensive review of AEGIS and a comparison with other secure bootstrap efforts can be found in [Arbaugh et al. 1997; Arbaugh et al. 1998]. 3.2 Cryptographic Primitives SANE provides access to various cryptographic primitives. These can be used by other applications as is or as building blocks for more complex protocols. These primitives are also used by SANE's more advanced services. The primitives initially provided are: ....
....revocation through expiration are desirable, but they can be simulated in any of the proposed public key infrastructures. In our environment, we use an attribute based certificate format similar to the original SPKI [Ellison et al. 1997] proposal. For more details on the certificate format, see [Arbaugh et al. 1998]. 3.4 Key Establishment Protocol (KEP) A key element of SANE is the key establishment protocol. The protocol itself is a strengthened variation of the Station to Station [Diffie et al. 1992] protocol, which uses Diffie Hellman [Diffie and Hellman 1976] key exchange and public key signature ....
Arbaugh, W. A., Keromytis, A. D., Farber, D. J., and Smith, J. M. 1998. Automated Recovery in a Secure Bootstrap Process. To appear in Network and Distributed System Security Symposium (March 1998). Internet Society.
....network, thus reducing the in packet space costs. 7 Related Work Research in the area of security for active networks is in its fledgling stages. The SANE [3] architecture is part of the SwitchWare Project [2] at the University of Pennsylvania. SANE provides the ability to securely bootstrap [4] the remainder of the SANE system, and authentication and naming services for code that is loaded. The main difference between this work and SANE lies in that we can depend on a provably safe language (PLAN) for those packets that do not require special privileges. Furthermore, programming ....
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith. Automated Recovery in a Secure Bootstrap Process. In Proceedings of Network and Distributed System Security Symposium, pages 155--167. Internet Society, March 1998.
....of the next level. AEGIS, on the other hand, uses public key cryptography and cryptographic hashes to protect the transition from each lower level to the next higher one, and its recovery process through a trusted repository ensures the integrity of the next level in the event of failures [33]. The trusted repository can either be an expansion ROM board that contains verified copies of the required software, or it can be another Active node. If the repository is a ROM board, then simple memory copies can repair or shadow failures. In the case of a network host, the detection of an ....
....is accomplished by having each party send the other both an authentication certificate and an authorization certificate and using Diffie-Hellman key exchange to establish the shared secret. The protocol is carried out with a total of three messages transmitted. For more details on the protocol, see [33]. A node that has detected an integrity failure can establish this secure channel with a repository. It can then request a new version of the failed component. The repository will send the new [figure labels: Element, Expansion ROMs, Network Host, BIOS Section 1, BIOS Section 2, Boot Block, Operating System, Initiate] ....
William A. Arbaugh, Angelos D. Keromytis, David J. Farber, and Jonathan M. Smith, "Automated Recovery in a Secure Bootstrap Process," to appear in Network and Distributed System Security Symposium. Internet Society, March 1998, pp. 155--167.
No context found.
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith. Automated recovery in a secure bootstrap process. In Proceedings of Symposium on Network and Distributed Systems Security (NDSS), pages 155--167, Mar. 1998.
No context found.
William A. Arbaugh, Angelos D. Keromytis, David J. Farber, and Jonathan M. Smith. Automated recovery in a secure bootstrap process. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS '98), pages 155--167, March 1998.
No context found.
William A. Arbaugh, Angelos D. Keromytis, David J. Farber, and Jonathan M. Smith. Automated recovery in a secure bootstrap process. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS '98), pages 155--167, San Diego, California, March 1998. Internet Society.
No context found.
W. A. Arbaugh, A. D. Keromytis, D. J. Farber, and J. M. Smith. Automated recovery in a secure bootstrap process. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS '98), pages 155--167, San Diego, California, Mar. 1998. Internet Society.
No context found.
W.A. Arbaugh, A.D. Keromytis, D.J. Farber, and J.M. Smith. Automated recovery in a secure bootstrap process. In Proceedings of the 1998.