Remote Booting in a Hostile World

Computer n the spring of 1989, students at the University of Cambridge successfully penetrated the Computer Laboratory system. The attack on I computers used as public area terminals was intricate and involved physically dismantling and replacing components with new firmware that recorded user passwords for later replay.’ The laboratory responded by modifymg the anti-theft devices to ensure that future hardware tampering would be evident to a careful user. Today’s networked computer systems are even more vulnerable to attack: Terminal software, like that used by the X Window System, is frequently passed across a network, and a trojan horse can easily be inserted while it is in transit. Many other software products, including operating systems, load parts of themselves from a server across a network. Although users may be confident that their workstation is physically secure, some part of the network to which they are attached almost certainly is not secure. Most proposals that recommend cryptographic means to protect remotely loaded software also eliminate the advantages of remote loading-for example, ease of reconfiguration, upgrade distribution, and maintenance. For this reason, they have largely been abandoned before finding their way into commercial products. This article shows that, contrary to intuition, it is no more difficult to protect a workstation that loads its software across an insecure network than to protect a stand-alone workstation. Flexibility is not sacrificed with our solution, nor are users required to trust the integrity of anypart of the system that they cannot physically see or control.