{"title":"走向启动里程表","authors":"R. C. Vernon, C.E. Irvine, T. Levin","doi":"10.1109/IAW.2006.1652072","DOIUrl":null,"url":null,"abstract":"In trustworthy systems, object reuse requirements extend to all forms of memory on the platform and can include volatile elements such as RAM, cache, I/O device registers, and certain controllers. To ensure that residual information is not accessible from one session to another, these regions must be either protected or purged. In situations where the operating system cannot be trusted to meet object reuse requirements, an alternative is needed. In this paper, we address the object reuse problem in volatile memory. A \"hard\" reboot includes a power cycle, which ensures that sensitive information in volatile memory is purged, whereas a software initiated reboot does not. How can we prove that a hard reboot has occurred? To our knowledge, it is not possible for a remote entity using currently available technology, to sense whether a hard reboot has occurred on an PC client, e.g. between communication sessions. We propose a hardware-assisted design that uses a secure coprocessor to sense the reboot type of the host platform and that maintains a boot odometer that tracks the sum of hard reboots that have occurred on the host. In addition, secure coprocessor services allow trustworthy attestation to a remote entity, cognizant of a previous boot odometer value, that volatile memory has been purged","PeriodicalId":326306,"journal":{"name":"2006 IEEE Information Assurance Workshop","volume":"3 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":"{\"title\":\"Toward a Boot Odometer\",\"authors\":\"R. C. Vernon, C.E. Irvine, T. Levin\",\"doi\":\"10.1109/IAW.2006.1652072\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In trustworthy systems, object reuse requirements extend to all forms of memory on the platform and can include volatile elements such as RAM, cache, I/O device registers, and certain controllers. To ensure that residual information is not accessible from one session to another, these regions must be either protected or purged. In situations where the operating system cannot be trusted to meet object reuse requirements, an alternative is needed. In this paper, we address the object reuse problem in volatile memory. A \\\"hard\\\" reboot includes a power cycle, which ensures that sensitive information in volatile memory is purged, whereas a software initiated reboot does not. How can we prove that a hard reboot has occurred? To our knowledge, it is not possible for a remote entity using currently available technology, to sense whether a hard reboot has occurred on an PC client, e.g. between communication sessions. We propose a hardware-assisted design that uses a secure coprocessor to sense the reboot type of the host platform and that maintains a boot odometer that tracks the sum of hard reboots that have occurred on the host. In addition, secure coprocessor services allow trustworthy attestation to a remote entity, cognizant of a previous boot odometer value, that volatile memory has been purged\",\"PeriodicalId\":326306,\"journal\":{\"name\":\"2006 IEEE Information Assurance Workshop\",\"volume\":\"3 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2006-06-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"4\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2006 IEEE Information Assurance Workshop\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/IAW.2006.1652072\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2006 IEEE Information Assurance Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IAW.2006.1652072","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
In trustworthy systems, object reuse requirements extend to all forms of memory on the platform and can include volatile elements such as RAM, cache, I/O device registers, and certain controllers. To ensure that residual information is not accessible from one session to another, these regions must be either protected or purged. In situations where the operating system cannot be trusted to meet object reuse requirements, an alternative is needed. In this paper, we address the object reuse problem in volatile memory. A "hard" reboot includes a power cycle, which ensures that sensitive information in volatile memory is purged, whereas a software initiated reboot does not. How can we prove that a hard reboot has occurred? To our knowledge, it is not possible for a remote entity using currently available technology, to sense whether a hard reboot has occurred on an PC client, e.g. between communication sessions. We propose a hardware-assisted design that uses a secure coprocessor to sense the reboot type of the host platform and that maintains a boot odometer that tracks the sum of hard reboots that have occurred on the host. In addition, secure coprocessor services allow trustworthy attestation to a remote entity, cognizant of a previous boot odometer value, that volatile memory has been purged
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
