Secure and classified environments have exacting system configuration requirements, well beyond conventional desktop management.

Key Bridge developed a "fresh boot" configuration control system, allowing systems to re-establish a known good state after every restart.

Assured Device Configuration

The Government requires its systems to be in a known good state to ensure reliable operations while private institutions like corporations, universities and libraries must protect their systems from inadvertent or purposeful modification and misuse.

There are two dimensions to consider when maintaining a computer’s configuration: software and hardware.

[Figure: Union FS, spanning the hardware and software dimensions of configuration]

Software Configuration best practices and tools are currently focused on easing centralized management and installation of software packages and updates, but they do not readily accommodate configuration freezes or roll-back. Windows XP provides a system restore tool that takes a "snapshot" of critical system files and some program files and stores this information as restore points. These restore points can be used to return Windows XP to a previous state. However, snapshots are made only once daily or when software is installed with an installation wizard. Worse, system restore is not comprehensive: it preserves only a subset of the system.

Assured Hardware Profile detection and assurance technology is practically nonexistent as a convenient, centrally controllable enterprise application. On individual Microsoft Windows-based systems a basic hardware profile utility is available, allowing users to specify which drivers will be loaded when hardware is changed. However, there is no ability to report against or prevent users from adding or removing hardware devices, and Unix-based systems have no similar capability.

Configuration maintenance of a single personal computer can be difficult for the non-expert user. For institutions with large inventories of widely distributed, heterogeneous computer systems, configuration maintenance and control can be a nearly impossible task. Nevertheless, in both commercial and Government environments, task, mission, and testing exercises require the purposeful modification of computer configurations. Those systems must therefore be easily and quickly reconfigured between uncontrolled, non-operational configurations and a known good state when returned to fully working operational status.

Layered, or stackable, file systems are a powerful technique to incrementally extend the functionality of existing file systems at runtime. A stackable file system works by creating a software abstraction layer between applications and physical media. Developers may then create software filters to modify or process data before and after it is written to disk. With this method, developers can more easily implement encryption, redundancy, or restoration features without needing to develop a new file system.

UnionFS is a stackable file system that works by allowing users to specify a series of directories (or branches) and presenting them as one virtual directory. The branches can come from different file systems. This is commonly referred to as namespace unification. [i]

Union File System

UnionFS works by implementing a simple priority system which gives each branch a unique priority. If a file exists in multiple branches, the user sees only the copy in the higher-priority branch. Some branches may be read-only. Provided the highest-priority branch is read-write, UnionFS creates the illusion that all branches are writable. This feature provides a writable file system based on read-only media.

By write-protecting the underlying operating system directories and joining them with a high-priority, user-specific branch, operators may install, modify or even uninstall software without affecting the operating system on the low-priority, read-only branches. All changes are written to the high-priority read-write user branch.

To establish and maintain computer operating system and application software in a known, configuration-controlled state, we propose to develop a “Fresh Reboot” technique by extending Union File System technology to workstations. Such a solution places no new restrictions whatsoever on the computer operator, yet can always restore the computer system to a known configuration after rebooting.

On both Unix and Windows systems we will extend and enhance existing kernel modules to implement write-protection of the system’s root file system (ROOT branch: “/” or “C:\” respectively) by making it Read-Only (RO). We will then join it, using the Union File System, with a temporary, read-and-write-enabled (RW) file system (USER branch: “/” and “C:\” respectively) to create a virtual RW root environment. With this scheme any system modifications by the operator are written exclusively to the USER branch and may be discarded when the system is rebooted.

Protected Root Union File System

In our solution we developed a kernel module such that the USER branch is implemented either as a RAM disk or as an emulated disk image, otherwise known as a virtual or loop-back drive: a single binary file on the same physical hard disk that nonetheless appears to the operating system as a separate drive or drive partition.

Our UnionFS-based configuration management solution is 100% transparent to the computer user. When an application attempts to read or write to the hard drive, our software redirects all WRITE data to the USER branch, while all READ requests are applied to the union of USER and ROOT and serviced from the highest-priority branch on which a version exists. For example, if a file has been deleted it still exists on the ROOT branch, but it is not visible because a newer, deleted version (a whiteout) exists on the USER branch and masks it. When the system is rebooted, any and all changes (i.e. modified files) are discarded and the computer system always restores to its original, default state.
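The branch-priority lookup, write redirection, deletion masking and discard-on-reboot behaviour described above, as an added Python model that is not Key Bridge's or UnionFS's own code. It assumes in-memory dicts for the two branches, a WHITEOUT marker standing in for the on-disk whiteout entry, and a reboot() that simply drops the RAM-disk USER branch.

```python
# Model of the two-branch "fresh boot" union: USER (RW, highest priority)
# stacked over ROOT (RO). Constructed for illustration; not real UnionFS code.

WHITEOUT = object()  # marker kept on USER for a path deleted from the union


class FreshBootUnion:
    def __init__(self, root):
        self.root = dict(root)    # protected ROOT branch ("/" or "C:\"), never written
        self.user = {}            # RAM-disk USER branch; receives every write
        self.branches = [self.user, self.root]   # highest priority first

    def read(self, path):
        # First branch holding the path wins; a whiteout hides the ROOT copy.
        for branch in self.branches:
            if path in branch:
                if branch[path] is WHITEOUT:
                    raise FileNotFoundError(path)
                return branch[path]
        raise FileNotFoundError(path)

    def exists(self, path):
        try:
            self.read(path)
            return True
        except FileNotFoundError:
            return False

    def write(self, path, data):
        # Redirected to USER unconditionally; ROOT stays read-only.
        self.user[path] = data

    def delete(self, path):
        self.read(path)                  # raises if absent or already whited out
        self.user.pop(path, None)        # drop any USER copy
        if path in self.root:
            self.user[path] = WHITEOUT   # keep the ROOT copy masked

    def listdir(self):
        names = {p for b in self.branches for p in b}
        return sorted(p for p in names if self.user.get(p) is not WHITEOUT)

    def reboot(self):
        # Fresh boot: the USER branch is discarded, so only ROOT remains.
        self.user.clear()
        return self


def demo():
    # Constructed sample ROOT; the operator edits, adds and deletes, then reboots.
    fs = FreshBootUnion({"/etc/hosts": "127.0.0.1 localhost", "/bin/ls": "binary"})
    fs.write("/etc/hosts", "127.0.0.1 localhost\n10.0.0.5 build")
    fs.write("/tmp/new.txt", "scratch")
    fs.delete("/bin/ls")
    before = (fs.read("/etc/hosts"), fs.listdir(), fs.root["/bin/ls"])
    fs.reboot()
    return before, (fs.read("/etc/hosts"), fs.listdir())
```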

[i] Unionfs: User- and Community-Oriented Development of a Unification File System. http://www.am-utils.org/docs/sipek-ols2006/index.html