In trustworthy systems, object reuse requirements extend to all forms of memory on the platform and can include volatile elements such as RAM, cache, I/O device registers, and certain controllers. To ensure that residual information is not accessible from one session to another, these regions must be either protected or purged. In situations where the operating system cannot be trusted to meet object reuse requirements, an alternative is needed. In this paper, we address the object reuse

more »

... in volatile memory. A "hard" reboot includes a power cycle, which ensures that sensitive information in volatile memory is purged, whereas a software initiated reboot does not. How can we prove that a hard reboot has occurred? To our knowledge, it is not possible for a remote entity using currently available technology, to sense whether a hard reboot has occurred on an PC client, e.g. between communication sessions. We propose a hardware-assisted design that uses a secure coprocessor to sense the reboot type of the host platform and that maintains a Boot Odometer that tracks the sum of hard reboots that have occurred on the host. In addition, secure coprocessor services allow trustworthy attestation to a remote entity, cognizant of a previous Boot Odometer Value, that volatile memory has been purged.