Shared network testbeds rely on the ability to bring nodes to a known "clean" state, and to allow experimenters to customize the software installed on the nodes assigned to them. This is typically done by replacing the contents of the nodes’ disks with a clean disk image. Frisbee is designed for just this purpose. It is a fast, highly scalable system for creating, distributing, and installing disk images. It rapidly and reliably distributes disk images over a LAN to many simul- taneous clients, and has proven itself through many years of production use in shared testbed environments.

However, three main security features have been lacking in Frisbee: confidentiality of the image contents, integrity protection, and authentication of the image’s source. Frisbee’s design and target environment present challenges in providing these features. In this paper, we explore these challenges and present our design and implementation of a secure Frisbee.