A Secure and Reliable Bootstrap Architecture by Arbaugh, William A et al.
University of Pennsylvania 
ScholarlyCommons 
Technical Reports (CIS) Department of Computer & Information Science 
12-2-1996 
A Secure and Reliable Bootstrap Architecture 
William A. Arbaugh 
University of Pennsylvania 
David J. Farber 
University of Pennsylvania 
Jonathan M. Smith 
University of Pennsylvania, jms@cis.upenn.edu 
Follow this and additional works at: https://repository.upenn.edu/cis_reports 
Recommended Citation 
William A. Arbaugh, David J. Farber, and Jonathan M. Smith, "A Secure and Reliable Bootstrap 
Architecture", . December 1996. 
University of Pennsylvania Department of Computer and Information Science Technical Report No. MS-CIS-96-35. 
This paper is posted at ScholarlyCommons. https://repository.upenn.edu/cis_reports/231 
For more information, please contact repository@pobox.upenn.edu. 
A Secure and Reliable Bootstrap Architecture 
Abstract 
In a computer system, the integrity of lower layers is treated as axiomatic by higher layers. Under the 
presumption that the hardware comprising the machine (the lowest layer) is valid, integrity of a layer can 
be guaranteed if and only if: (1) the integrity of the lower layers is checked, and (2) transitions to higher 
layers occur only after integrity checks on them are complete. The resulting integrity "chain" inductively 
guarantees system integrity. When these conditions are not met, as they typically are not in the 
bootstrapping (initialization) of a computer system, no integrity guarantees can be made. Yet, these 
guarantees are increasingly important to diverse applications such as Internet commerce, intrusion 
detection systems, and "active networks." In this paper, we describe the AEGIS architecture for initializing 
a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also 
includes a recovery process for integrity check failures, and we show how this results in robust systems. 
We discuss our prototype implementation for the IBM personal computer (PC) architecture, and show that 
the cost of such system protection is surprisingly small. 
Comments 
University of Pennsylvania Department of Computer and Information Science Technical Report No. MS-
CIS-96-35. 
This technical report is available at ScholarlyCommons: https://repository.upenn.edu/cis_reports/231 
A Secure and Reliable Bootstrap Architecture 
William A. Arbaugh 
David J .  Farber 
Jonathan M. Smith 
University of Pennsylvania 
School of Engineering and Applied Science 
Computer and Information Science Department 
Philadelphia, PA 19104-6389 
'Submitted to the 1997 IEEE Security and Privacy Conference 
'Also with the U.S. Department of Defense 
A Secure and Reliable Bootstrap Architecture+ 
William A. Arbaught 
David J .  Farber 
Jonathan M. Smith 
University of Pennsylvania 
December 2, 1996 
Abstract 
In a computer system, the integrity of lower layers is 
treated as axiomatic by higher layers. Under the pre- 
sumption that the hardware comprising the machine 
(the lowest layer) is valid, integrity of a layer can 
be guaranteed if and only if: (1) the integrity of the 
lower layers is checked, and (2) transitions to higher 
layers occur only after integrity checks on them are 
complete. The resulting integrity "chain" inductively 
guarantees system integrity. 
When these conditions are not met, as they typi- 
cally are not in the bootstrapping (initialization) of 
a computer system, no integrity guarantees can be 
made. Yet, these guarantees are increasingly impor- 
tant to  diverse applications such as Internet com- 
- - 
merce, intrusion detection systems, and "active net- 
works." In this paper, we describe the AEGIS ar- 
chitecture for initializing a computer system. It val- 
idates integrity at each layer transition in the boot- 
strap process. AEGIS also includes a recovery process 
for integrity check failures, and we show how this re- 
sults in robust systems. We discuss our prototype 
implementation for the IBM personal computer (PC) 
architecture, and show that the cost of such system 
protection is surprisingly small. 
1 Introduction 
Systems are organized as layers to  limit complexity. 
A common layering principle is the use of levels of 
abstraction to mark layer boundaries. A computer 
system is organized in a series of levels of abstraction, 
each of which defines a "virtual machine" upon which 
'Copyright 0 1 9 9 6 ,  William A. Arbaugh. Permission is 
granted to redistribute this document in electronic or paper 
form, provided that  this copyright notice is retained. 
tsubmitted to the  1997 IEEE Security and Privacy 
Conference. 
tAlso with the U.S. Department of Defense 
higher levels of abstraction are constructed. Each of 
the virtual machines presupposes that it is operating 
in an environment where the abstractions of under- 
lying layers can be treated as axiomatic. When these 
suppositions are true, the system is said to possess 
integrity. Without integrity, no system can be made 
secure. 
Thus, any system is only as secure as the founda- 
tion upon which it is built. For example, a number of 
attempts were made in the 1960s and 1970s to pro- 
duce secure computing systems, using a secure oper- 
ating system environment as a basis [20]. An essential 
presumption of the security arguments for these de- 
signs was that system layers underpinning the oper- 
ating system, whether hardware, firmware, or both, 
are trusted. We find it surprising, given the great 
attention paid to  operating system security [13] [8] 
that so little attention has been paid to  the under- 
pinnings required for secure operation, e.g., a secure 
bootstrapping phase for these operating systems. 
Without such a secure bootstrap the operating sys- 
tem kernel cannot be trusted since it is invoked by an 
untrusted process. Designers of trusted systems of- 
ten avoid this problem by including the boot compo- 
nents in the trusted computing base (TCB) [6]. That 
is, the bootstrap steps are explicitly trusted. We be- 
lieve that this provides a false sense of security to  the 
users of the operating system, and more important, 
is unnecessary. 
1.1 AEGIS 
We have designed AEGIS, a secure bootstrap process. 
AEGIS increases the security of the boot process by 
ensuring the integrity of bootstrap code. It does this 
by constructing a chain of integrity checks, beginning 
at power-on and continuing until the final transfer of 
control from the bootstrap components to  the op- 
erating system itself. The integrity checks compare 
a computed cryptographic hash value with a stored 
digital signature associated with each component. 
The AEGIS architecture includes a recovery mech- 
anism for repairing integrity failures which protects 
against some classes of denial of service attacks. From 
the start ,  AEGIS has been targeted for commercial 
operating systems on commodity hardware, making 
it a practical "real-world" system. 
In AEGIS, the boot process is guaranteed to end 
up in a secure state, even in the event of integrity 
failures outside of a minimal section of trusted code. 
We define a guaranteed secure boot process in two 
parts. The first is that no code is executed unless it 
is either explicitly trusted or its integrity is verified 
prior to its use. The second is that when an integrity 
failure is detected a process can recover a suitable 
verified replacement module. 
1.2 Responses to integrity failure 
When a system detects an integrity failure, one of 
three possible courses of action can be taken. 
The first is to continue normally, but issue a warn- 
ing. Unfortunately, this may result in the execution 
or use of either a corrupt or malicious component. 
The second is to not use or execute the component. 
This approach is typically called fail secure, and cre- 
ates a potential denial of service attack. 
The final approach is to  recover and correct the 
inconsistency from a trusted source before the use or 
execution of the component. 
The first two approaches are unacceptable when 
the systems are important network elements such as 
switches, intrusion detection monitors, or associated 
with electronic commerce, since they either make the 
component unavailable for service, or its results un- 
trustworthy. 
1.3 Outline of the paper 
In Section 2, we make the assumptions of the AEGIS 
design explicit. Section 3 is the core of the paper, 
giving an overview of the AEGIS design, and then 
plunging into details of the IBM PC boot process and 
its modifications to  support AEGIS. A model and log- 
ical dependencies for integrity chaining are given in 
Section 4, and a calculation of the complete boot- 
strap performance is given; performance is surpris- 
ingly good. Section 5 discusses related work and crit- 
ically examines some alternative approaches to those 
taken in AEGIS. We discuss the system status and 
our next steps in Section 6,  and conclude the paper 
with Section 7. 
2 Assumptions 
The first assumption upon which the AEGIS model 
is based is that the motherboard, processor, and a 
portion of the system ROM (BIOS) are not compro- 
mised, i.e., the adversary is unable or unwilling to  
replace the motherboard or BIOS. We also depend 
on the integrity of an expansion card which contains 
copies of the essential components of the boot pro- 
cess for recovery purposes, cryptographic certificates, 
and optionally a small operating system for recover- 
ing components from a trusted network host. 
The second assumption is the existence of a cryp- 
tographic certificate authority infrastructure in order 
to bind an identity with a public key. However, there 
is no restriction on its form, e.g., single trusted au- 
thority, hierarchical, web of trust [22] [3]. 
The final assumption is that some trusted source 
exists for recovery purposes. This source may be a 
host on a network that is reachable through a secure 
communications protocol, or it may be the trusted 
ROM card located on the protected host. 
3 AEGIS Architecture 
3.1 Overview 
To have a practical impact, AEGIS must be able 
to work with commodity hardware with minimal 
changes (ideally none) to  the existing architecture. 
The IBM PC architecture was selected as our pro- 
totype platform because of its large user community 
and the availability of the source code for several op- 
erating systems. We also use the FreeBSD operating 
system, but the AEGIS architecture is not limited to 
any specific operating system. Porting to a new op- 
erating system only requires a few minor changes to  
the boot block code so that the kernel can be verified 
prior to passing control to  it. Since the verification 
code is contained in the BIOS, the changes do not 
substantially increase the size of the boot block. 
AEGIS modifies the boot process shown in fig- 
ure 2 so that all executable code, except for a very 
small section of trusted code, is verified prior to  ex- 
ecution by using a digital signature. This is ac- 
complished through the addition of an inexpensive 
PROM board, and modifications to the BIOS. The 
BIOS and the PROM board contain the verification 
code, and public key certificates. The PROM board 
also contains code that allows the secure recovery of 
any integrity failures found during the initial boot- 
strap. In essence, the trusted software serves as the 
root of an authentication chain that extends to the 
operating system and potentially beyond to applica- 
3' AEGIS ARCHITECTURE 
Operating System r  I OS kernel I 
Trusted Network 
Recovery Host a
I 
Trusted Software 
I Boot Block 1 
I System BIOS ( 
I 
, , ,  , , ,  , , .  I Level 3 , ,  , .  
Expansion ROMs Expansion ROMs 
I 
I 
. ,  , ,  . ,  Level 1 Figure 1: AEGIS boot overview 
~nitidte POST 
- 
I I 
tion software [IS] [9] [15]. A high level depiction of the 
bootstrap process is shown in figure 1. In the AEGIS 
boot process, either the operating system kernel is 
started, or a recovery process is entered in order to 
repair any integrity failure detected. Once the repair 
is completed, the system is restarted to ensure that 
the system boots. This entire process occurs without 
user intervention. 
- 
Level 2 
h 
In addition to  ensuring that the system boots in 
a secure manner, AEGIS can also be used to main- 
tain the hardware and software configuration of a ma- 
chine. Since AEGIS maintains a copy of the signa- 
ture for each expansion card, any additional expan- 
sion cards will fail the integrity test. Similarly, a new 
operating system cannot be started since the boot 
block would change, and the new boot block would 
fail the integrity test. 
d 
3.2 AEGIS Boot Process 
Every computer with the IBM P C  architecture fol- 
lows approximately the same boot process. We have 
divided this process into four levels of abstraction (see 
figure 2),  which correspond to phases of the bootstrap 
operation. The first phase is the Power on Self Test 
or POST [17]. POST is invoked in one of four ways: 
1. Applying power to the computer automatically 
invokes POST causing the processor to jump to 
the entry point indicated by the processor reset 
vector. 
2. Hardware reset also causes the processor to jump 
to the entry point indicated by the processor re- 
set vector. 
Figure 2: IBM PC boot process 
3. Warm boot (ctrl-alt-del under DOS) invokes 
POST without testing or initializing the upper 
64K of system memory. 
4. Software programs, if permitted by the operating 
system, can jump to the processor reset vector. 
In each of the cases above, a sequence of tests are 
conducted. All of these tests, except for the initial 
processor self test, are under the control of the system 
BIOS. 
The final step of the POST process calls the BIOS 
operating system bootstrap interrupt (Int 19h). The 
bootstrap code first finds a bootable disk by search- 
ing the disk search order defined in the CMOS. Once 
it  finds a bootable disk, it loads the primary boot 
block into memory and passes control to it. The code 
contained in the boot block proceeds to load the op- 
erating system, or a secondary boot block depending 
on the operating system [lo] [7]. 
Once the BIOS has performed all of its power on 
tests, it begins searching for expansion card ROMs 
which are identified in memory by a specific signa- 
ture. Once a valid ROM signature is found by the 
BIOS, control is immediately passed to  it. When the 
ROM completes its execution, control is returned to 
the BIOS. 
Ideally, the boot process would proceed in a series 
of levels with each level passing control to  the next 
until the operating system kernel is running. Un- 
fortunately, the IBM architecture uses a "star like" 
model which is shown in figure 2. 
3. AEGIS ARCHITECTURE 
3.2.1 A Mult i leve l  Boo t  Process  
We have divided the boot process into several levels 
to simplify and organize the AEGIS BIOS modifi- 
cations, as shown in figure 3. Each increasing level 
adds functionality to  the system, providing corre- 
spondingly higher levels of abstraction. The lowest 
level is Level 0. Level 0 contains the small section of 
trusted software, digital signatures, public key certifi- 
cates, and recovery code. The integrity of this level 
is assumed to be valid. We do, however, perform an 
initial checksum test in order to identify PROM fail- 
ures. The first level contains the remainder of the 
usual BIOS code. The second level contains all of the 
expansion cards and their associated ROMs, if any. 
The third level contains the operating system boot 
block(s). These are resident on the bootable device 
and are responsible for loading the operating system 
kernel. The fourth level contains the operating sys- 
tem, and the fifth and final level contains user level 
programs and any network hosts. 
The transition between levels in a traditional boot 
process is accomplished with a jump or a call instruc- 
tion without any attempt at verifying the integrity of 
the next level. AEGIS, on the other hand, uses public 
key cryptography and cryptographic hashes to pro- 
tect the transition from each lower level to the next 
higher one, and its recovery process ensures the in- 
tegrity of the next level in the event of failures. 
3.2.2 AEGIS B I O S  Modif icat ions 
AEGIS modifies the boot process shown in figure 2 
by dividing the BIOS into two logical sections. The 
first section contains the bare essentials needed for 
integrity verification and recovery. Coupled with the 
AEGIS ROM, it comprises the "trusted software". 
The second section contains the remainder of the 
BIOS. 
The first section executes and performs the stan- 
dard checksum calculation over its address space in 
order to  protect against ROM failures. Following 
successful completion of the checksum, the crypto- 
graphic hash of the second section is computed and 
verified against a stored signature. If the signature 
is valid, control is passed to the second section, i.e., 
Level 1. 
The second section proceeds normally with one 
change. Prior to  executing an expansion ROM, a 
cryptographic hash is computed and verified against 
a stored digital signature for the expansion code. If 
the signature is valid, then control is passed to the 
expansion ROM. Once the verification of each ex- 
pansion ROM is complete (Level 2),  the BIOS passes 
control to  the operating system bootstrap code. The 
: I Bxpsn\zon ROMI 
I I 
I I 
I I 
I I ' I ' I ' I ' I ' I ' I 
I I 
I I 
I I . . . . . . , , 
AEGIS ROM 
4 UlOS Sccllon 1 
I '.--' . . . . . . 
Intlzrts POST 
Figure 3: AEGIS boot control flow 
bootstrap code was previously verified as part of the 
BIOS, and thus no further verification is required. 
The bootstrap code finds the bootable device and 
verifies the boot block. 
Assuming that the boot block is verified success- 
fully, control is passed to it (Level 3).  If a secondary 
boot block is required, then it is verified by the pri- 
mary block before passing control to  it. Finally, the 
kernel is verified by the last boot block in the chain 
before passing control to it (Level 4). 
Any integrity failures identified in the above pro- 
cess are recovered either through storage on the ex- 
pansion ROM card, or through a network host. If 
the component that fails its integrity check is a por- 
tion of the BIOS, then it  must be recovered from the 
ROM card. The recovery process is a simple mem- 
ory copy from the address space of the ROM card to 
the memory address of the failed component, in effect 
shadowing the failed component. 
A failure beyond the BIOS causes the system to 
boot into a recovery kernel contained on the ROM 
card. The recovery kernel contacts a "trusted host 
through a secure protocol, e.g., IPv6 [I], to recover a 
verified copy of the failed component. The failed com- 
ponent is then replaced and the system is restarted. 
The resultant AEGIS boot process is shown in fig- 
ure 3. Note that when the boot process enters the 
recovery procedure it becomes isomorphic to a secure 
network boot. 
5' RELATED WORII' 
4 Integrity Chaining and Sys- 
tem Performance 
In AEGIS, system integrity is preserved through the 
chain of integrity checks in the boostrap process. The 
ideal authentication chain produced by each level ver- 
ifying the next can be represented by the recurrence 
I. = True ,  
+ I  = {I L for o < i 5 4. 
(1) 
Ii is a boolean value representing the integrity of 
level i ,  and is the boolean and operation. I4 is the 
verification function associated with the ith level. 
takes as its only argument the level to  verify, and it 
returns a boolean value as a result. The verification 
function performs a cryptographic hash of the level, 
and compares the result to the value obtained from a 
stored signature for the level. As stated earlier, the 
IBM PC does not lend itself to such a boot process. 
Instead, we alter the recurrence to: 
IQ = True, 
Ii A K(Li+l) for i = 0,3,4,  
Ii+l = li A Cy=l I~ (L{+ , )  for i = 1, (2) 
I l ( L + ) )  for i = 2. 
Here, n represents the number of expansion boards 
in the system, and our level of assurance is preserved. 
4.1 Performance impact on bootstrap 
completion time 
Using the recurrence relation shown in equation 2, 
we can compute the estimated increase in boot time 
(TA), without integrity failures, between AEGIS and 
a standard IBM PC using the following equation: 
where t(op) returns the execution time of op. In es- 
timating the time of the verification function, K ,  we 
use the BSAFE benchmarks [19] for an Intel 90Mhz 
Pentium computer, shown in table 1. The cost of 
verification includes time required for computing a 
MD5 message digest, and the time required to  verify 
the digest against a stored signature. Any signatures 
embedded in the public key certificate are ignored at 
the moment. 
Table 1: BSAFE 3.0 Benchmarks 
The BIOS is typically one megabit (128 Kilobytes), 
and the expansion ROMs are usually 16 kilobytes 
with some, such as video cards, as large as 64 kilo- 
bytes. For analysis purposes, we will assume that 
one 64 kilobyte card and two 16 kilobyte cards are 
present. The size of the boot blocks for FreeBSD 2.2 
(August 1996 Snapshot) are 512 bytes for the primary 
boot block, 6912 bytes for the secondary boot block, 
and 1,352 kilobytes for the size of the GENERIC ker- 
nel. Using the performance of MD5 from table 1, the 
time required to verify each layer using a 1024 bit 
modulus are: 
Summing these times gives TA = 0.1665seconds 
which is insignificant compared to the length of time 
currently needed to bootstrap an IBM PC. 
5 Related work 
The first presentation of a secure boot process was 
done by Yee [21]. In Yee's model, a cryptographic 
coprocessor is the first to gain control of the system. 
Unfortunately, this is not possible without a complete 
architectural revision of most computer systems- 
even if the coprocessor is tightly coupled. Yee ex- 
pands his discussion of a secure boot in his thesis [23], 
but he continues to state that the secure coprocessor 
should control the boot process verifying each com- 
ponent prior to its use. Yee states that boot ROM 
modifications may be required, but since a prototype 
secure boot process was never implemented more im- 
plementations questions are raised than answered by 
his discussion. 
Clark [5] presents a secure boot process for DOS 
that stores all of the operating system bootstrap code 
on a PCMCIA card. He does not address the veri- 
fication of any firmware (system BIOS or expansion 
cards). Clark's model, however, does permit mutual 
cryptographic authentication between the user and 
the host which is an important capability. However, 
7 CONCLUSIONS 6 
the use of a PCI\IICIA card containing all of the sys- 
tem boot files creates several configuration manage- 
ment problems, e.g., a system upgrade requires the 
reprogramming of all the cards in circulation. 
Lampson [12] describes a secure boot model as an 
example for his authentication calculus. I11 Lamp- 
son's model, the entire boot ROM is trusted, and 
lie does not address the verification of expansion 
cards/ROMs. The Birlix [ll] Security Architecture 
proposes a model designed by Michael Gross that is 
similar to  Lampson's. The Birlix model also suffers 
from the same problems. In both cases, the boot 
ROM is responsible for generating a public and pri- 
vate key pair for use in host based authentication 
once the operating system is running. In AEGIS we 
leave any security related functions, beyond the boot 
process, to  the operating system without loss of se- 
curity. To do otherwise limits security choices for the 
operating system. 
None of the approaches address a recovery process 
in the event of an integrity failure. 
5.1 Discussion and alternative ap- 
proaches 
A possible criticism of this work is that booting from 
a floppy disk provides the same level of protection. 
There are several reasons why this is not so. The 
first is that providing physical security for the floppy 
disk is extremely difficult. Users can take the disks 
wherever they like, and do whatever they like to 
them. One can envision a user building their own 
boot floppy that gives them system level privileges. 
The user is now free to read and write anywhere on 
the local disk circumventing any security systems put 
in place by the "real" boot floppy or the on disk op- 
erating system. This problem is described by Mi- 
crosoft [16] as a method of circumventing the Win- 
dows N T  file system (NTFS). The major shortcom- 
ing, however, in using a boot disk is that none of the 
firmware is verified prior to  use. Thus, a user can add 
or replace expansion boards into the system without 
any security controls, potentially introducing unau- 
thorized expansion cards. 
6 Status and Future Work 
The AEGIS prototype is nearing completion, and 
we are confident that a complete description of its 
performance and implementation will be provided at 
the conference. Difficulty in obtaining BIOS source 
code has been a roadblock to modifying it to support 
AEGIS as described in the body of the paper. We 
have reached an agreement with a BIOS vendor to 
provide the source code after some legal details are 
finalized. 
The current recovery kernel prototype uses IPv6 as 
a means of recovering replacement files. FVe intend 
to switch to  the Internet Engineering Task Force's 
(IETF) Internet Security Association and Key Man- 
agement Protocol (ISAKMP) [14] to allow user choice 
of a secure protocol. Additionally, the method with 
which the recovery kernel contacts a host is currently 
via a fixed address. We hope to develop or use a 
protocol in which the recovery host's address can be 
determined when needed. 
The process by which components are vetted, 
signed, and the resultant signature and public key 
certificate installed needs to  be addressed carefully. 
We plan to address this once a full prototype is com- 
pleted, and will report on the results. As a minimum, 
we expect to use flaw detection techniques such as 
those from Bishop [2], Kannan [4], and others to as- 
sist in a technical vetting before the actual signing of 
the component. 
We are also investigating the use of a cryptographic 
sideboard as a high end solution to  improve perfor- 
mance and increase security. 
7 Conclusions 
Current operating systems cannot provide security 
assurances since they are started via an untrusted 
process. With the explosive growth in Internet com- 
merce, the need for security assurances from com- 
puter systems has grown considerably. AEGIS is a 
guaranteed secure boot process that ensures that the 
computer system is started via a trusted process, and 
ensures that the system starts in spite of integrity 
failures. 
References 
[I] ATKINSON, R. J.,  MCDONALD, D. L., PHAN, 
B. G., METZ, C .  W., AND CHIN, K .  C .  Im- 
plementation of ipv6 in 4.4 bsd. In Proceedings 
of the 1996 USENIX Technical Conference (Jan- 
uary 1996), USENIX, pp. 113-125. 
[2] BISHOP, M., AND DILGER, M. Checking for 
race conditions in file accesses. Computing Sys- 
tems 9, 2 (Spring 1996), 131-152. 
[3] BLAZE, M., FEIGENBAUM, J. ,  AND LACY, J .  
Decentralized Trust Management. In IEEE Con- 
ference on Security and Privacy (May 1996), 
IEEE. 
[4] BLUM, M.,  A N D  KANNAN, S .  Designing pro- [16] MICROSOFT. Overview of fat,  hpfs, and ntfs file 
grams that check their work. JACM 42, 1 (Jan- systems. Knowledge Base Article Q100108, Mi- 
uary 1995), 269-291. crosoft, October 1996. 
[5] CLARK, P. C .  BITS: A Smartcard Protected PHOENIX TECHNOLOGIES, L.  System BIOS for 
Operating System. PhD thesis, George Wash- IBM PCs, Compatiables, and EISA Computers, 
ington University, 1994. 2nd ed. Addison FVesley, 1991. 
[6] DOD. Trusted computer system evaluation cri- [18] POZZO, R/I. &I., A N D  GRAY, T. E .  A model 
teria. Tech. Rep. DOD 5200.28-STD, Depart- for the containment of computer viruses. In 
ment of Defense, December 1985. 1989 IEEE Symposium on Security and Privacy 
(1989), IEEE, pp. 312-318. 
[7] ELISCHER, J .  386 boot. [19] RSA DATA SECURITY, I. Bsafe 3.0 benchmarks. 
/sys/i386/boot/biosboot/README.386, July RSA Data Security Engineering Report, 1996. 
1996. 2.1.5 FreeBSD. http://www.rsa.com/rsa/developers/bench.htm. 
[8] ENGLER, D.  R. ,  KAASHOEK, M.  F., AND J R . ,  
J . W. 0. The operating system kernel as a se- 
cure programmable machine. In Proceedings of 
the Sixth SIGOPS European Workshop (Septem- 
ber 1994), pp. 62-67. 
[9] G. DAVIDA, Y. D.,  AND MATT, B.  Defending 
systems against viruses through cryptographic 
authentication. In 1989 IEEE Symposium on Se- 
curity and Privacy (1989), IEEE, pp. 312-318. 
[ lo]  GRIMES, R.  At386 pro- 
tected mode bootstrap loader. 
/sys/i386/boot/biosboot/README.MACH, 
October 1993. 2.1.5 FreeBSD. 
[ll] HARTIG, H., KOWALSKI, O., AND 
KUHNHAUSER, W. The Birlix security ar- 
chitecture. Journal of Computer Security 2, 1 
(1993), 5-21. 
[12] LAMPSON, B. ,  ABADI, M., AND BURROWS, M.  
Authentication in distributed systems: Theory 
and practice. ACM Transactions on Computer 
Systems vlO (November 1992), 265-310. 
[13] M. BRANSTAD, H. TAJALLI, F. M.,  AND 
DALVA, D. Access mediation in a message- 
passing kernel. In IEEE Conference on Security 
and Privacy (1989)) pp. 66-71. 
[14] MAUGHAN, D., SCHERTLER, M.,  SCHNEIDER, 
M., AND TURNER, J .  Internet security associ- 
ation and key management protocol (isakmp). 
Internet-draft, IPSEC Working Group, June 
1996. 
[20] SCHROEDER, M. Engineering a security kernel 
for multics. In Fifth Symposium on Operating 
Systems Principles (November 1975), pp. 125- 
132. 
[21] TYGAR, J . ,  A N D  YEE, B. Dyad: A system 
for using physically secure coprocessors. Techni- 
cal Report CMU-CS-91-140R, Carnegie Mellon 
University, May 1991. 
[22] VERISIGN, I. Verisign certification practice 
statement. Tech. Rep. Version 1.1, Verisign, Inc., 
Mountain View, CA., August 1996. 
[23] YEE, B.  Using Secure Coprocessors. PhD thesis, 
Carnegie IvIellon University, 1994. 
[15] MICROSOFT. Authenticode techonology. Mi- 
crosoft's Developer Network Library, October 
1996. 
