VERIEXEC(4)		 BSD Kernel Interfaces Manual		   VERIEXEC(4)

NAME
     veriexec — Veriexec pseudo-device

SYNOPSIS
     pseudo-device veriexec

DESCRIPTION
     Veriexec verifies the integrity of specified executables and files before
     they are run or read.  This makes it much more difficult to insert a
     trojan horse into the system and also makes it more difficult to run
     binaries that are not supposed to be running, for example, packet
     sniffers, DDoS clients and so on.

     The veriexec pseudo-device is used to load and delete entries to and from
     the in-kernel Veriexec databases, as well as query information about
     them.  It can also be used to dump the entire database.

   Kernel-userland interaction
     Veriexec uses proplib(3) for communication between the kernel and
     userland.

     VERIEXEC_LOAD
	   Load an entry for a file to be monitored by Veriexec.

	   The dictionary passed contains the following elements:

	   Name		 Type	   Purpose
	   file		 string	   filename for this entry
	   entry-type	 uint8	   entry type (see below)
	   fp-type	 string	   fingerprint hashing algorithm
	   fp		 data	   the fingerprint

	   “entry-type” can be one or more (binary-OR'd) of the following:

	   Type			 Effect
	   VERIEXEC_DIRECT	 can execute directly
	   VERIEXEC_INDIRECT	 can execute indirectly (interpreter, mmap(2))
	   VERIEXEC_FILE	 can be opened
	   VERIEXEC_UNTRUSTED	 located on untrusted storage

     VERIEXEC_DELETE
	   Removes either an entry for a single file or entries for an entire
	   mount from Veriexec.

	   The dictionary passed contains the following elements:

	   Name	   Type	     Purpose
	   file	   string    filename or mount-point

     VERIEXEC_DUMP
	   Dump the Veriexec monitored files database from the kernel.

	   Only files for which the filename is kept will be dumped.  The
	   returned array contains dictionaries with the following elements:

	   Name		 Type	   Purpose
	   file		 string	   filename
	   fp-type	 string	   fingerprint hashing algorithm
	   fp		 data	   the fingerprint
	   entry-type	 uint8	   entry type (see above)

     VERIEXEC_FLUSH
	   Flush the Veriexec database, removing all entries.

	   This command has no parameters.

     VERIEXEC_QUERY
	   Queries Veriexec about a file, returning information that may be
	   useful about it.

	   The dictionary passed contains the following elements:

	   Name	   Type	     Purpose
	   file	   string    filename

	   The dictionary returned contains the following elements:

	   Name		 Type	   Purpose
	   entry-type	 uint8	   entry type (see above)
	   status	 uint8	   entry status
	   fp-type	 string	   fingerprint hashing algorithm
	   fp		 data	   the fingerprint

	   “status” can be one of the following:

	   Status		   Meaning
	   FINGERPRINT_NOTEVAL	   not evaluated
	   FINGERPRINT_VALID	   fingerprint match
	   FINGERPRINT_MISMATCH	   fingerprint mismatch

     Note that the requests VERIEXEC_LOAD, VERIEXEC_DELETE, and VERIEXEC_FLUSH
     are not permitted once the strict level has been raised past 0.
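     The following program is an added example, not part of this man page or
     of the NetBSD sources.  It shows how a userland tool builds the
     VERIEXEC_LOAD and VERIEXEC_QUERY dictionaries with proplib(3), sends
     them through the pseudo-device, and decodes the "entry-type" bit-set and
     the "status" value in the reply.  Assumptions: the device node is
     /dev/veriexec, the ioctl constants come from <sys/verified_exec.h>, and
     the numeric values given in the non-NetBSD fallback branch match that
     header; the ioctl path itself only builds on NetBSD, while the two
     decoding helpers are portable.

```c
/* Added example (not from the veriexec(4) man page or NetBSD): load one
 * entry and query it back through /dev/veriexec using proplib(3). */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __NetBSD__
#include <prop/proplib.h>
#include <sys/verified_exec.h>
#else
/* Assumption: the flag and status values as defined in NetBSD's
 * <sys/verified_exec.h>, supplied here only so the decoders build elsewhere. */
#define VERIEXEC_DIRECT      0x01
#define VERIEXEC_INDIRECT    0x02
#define VERIEXEC_FILE        0x04
#define VERIEXEC_UNTRUSTED   0x10
#define FINGERPRINT_NOTEVAL  0
#define FINGERPRINT_VALID    1
#define FINGERPRINT_MISMATCH 2
#endif

/* Render a binary-OR'd "entry-type" as the names used in the man page.
 * Returns the number of components written; unexpected bits show as "unknown". */
int describe_entry_type(uint8_t type, char *buf, size_t len)
{
    static const struct { uint8_t bit; const char *name; } flags[] = {
        { VERIEXEC_DIRECT,    "VERIEXEC_DIRECT" },
        { VERIEXEC_INDIRECT,  "VERIEXEC_INDIRECT" },
        { VERIEXEC_FILE,      "VERIEXEC_FILE" },
        { VERIEXEC_UNTRUSTED, "VERIEXEC_UNTRUSTED" },
    };
    int n = 0;
    uint8_t seen = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (type & flags[i].bit) {
            if (n++) strncat(buf, "|", len - strlen(buf) - 1);
            strncat(buf, flags[i].name, len - strlen(buf) - 1);
            seen |= flags[i].bit;
        }
    }
    if (type & (uint8_t)~seen) {          /* bits the man page does not list */
        if (n++) strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, "unknown", len - strlen(buf) - 1);
    }
    return n;
}

/* Map the "status" byte of a VERIEXEC_QUERY reply to its meaning. */
const char *status_name(uint8_t status)
{
    switch (status) {
    case FINGERPRINT_NOTEVAL:  return "not evaluated";
    case FINGERPRINT_VALID:    return "fingerprint match";
    case FINGERPRINT_MISMATCH: return "fingerprint mismatch";
    default:                   return "unknown status";
    }
}

#ifdef __NetBSD__
/* VERIEXEC_LOAD: build the four-element dictionary and send it.  Returns 0 or
 * an errno; the kernel refuses this once the strict level is above 0. */
int veriexec_load(int fd, const char *path, uint8_t type,
                  const char *fp_type, const void *fp, size_t fplen)
{
    prop_dictionary_t d = prop_dictionary_create();
    prop_data_t data = prop_data_create_data(fp, fplen); /* newer proplib: prop_data_create_copy */
    int error = ENOMEM;
    if (d != NULL && data != NULL) {
        prop_dictionary_set_cstring(d, "file", path);
        prop_dictionary_set_uint8(d, "entry-type", type);
        prop_dictionary_set_cstring(d, "fp-type", fp_type);
        prop_dictionary_set(d, "fp", data);
        error = prop_dictionary_send_ioctl(d, fd, VERIEXEC_LOAD);
    }
    if (data != NULL) prop_object_release(data);
    if (d != NULL) prop_object_release(d);
    return error;
}

/* VERIEXEC_QUERY: send {"file"} and read back "entry-type" and "status". */
int veriexec_query(int fd, const char *path, uint8_t *type, uint8_t *status)
{
    prop_dictionary_t q = prop_dictionary_create(), r = NULL;
    int error;
    if (q == NULL) return ENOMEM;
    prop_dictionary_set_cstring(q, "file", path);
    error = prop_dictionary_sendrecv_ioctl(q, fd, VERIEXEC_QUERY, &r);
    prop_object_release(q);
    if (error != 0) return error;
    if (!prop_dictionary_get_uint8(r, "entry-type", type) ||
        !prop_dictionary_get_uint8(r, "status", status))
        error = EIO;                      /* reply lacked a documented element */
    prop_object_release(r);
    return error;
}
#endif

int main(int argc, char **argv)
{
    char buf[128];
#ifdef __NetBSD__
    uint8_t type, status;
    int fd = open("/dev/veriexec", O_RDWR);   /* assumed device node */
    if (argc < 2 || fd < 0) { perror("/dev/veriexec"); return 1; }
    int error = veriexec_query(fd, argv[1], &type, &status);
    close(fd);
    if (error) { fprintf(stderr, "query: %s\n", strerror(error)); return 1; }
    describe_entry_type(type, buf, sizeof buf);
    printf("%s: entry-type=%s status=%s\n", argv[1], buf, status_name(status));
#else
    (void)argc; (void)argv;
    describe_entry_type(VERIEXEC_DIRECT | VERIEXEC_FILE, buf, sizeof buf);
    printf("decoder only (no /dev/veriexec here): %s\n", buf);
#endif
    return 0;
}
```

     On NetBSD, run it as "./query /bin/sh" after an entry for that path has
     been loaded (for instance by veriexecctl(8)); veriexec_load() is only
     usable while the strict level is still 0, which is why the tool queries
     rather than loads by default.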

SEE ALSO
     proplib(3), sysctl(3), security(7), sysctl(8), veriexecctl(8),
     veriexecgen(8), veriexec(9)

NOTES
     veriexec is part of the default configuration on the following
     architectures: amd64, i386, prep, sparc64.

AUTHORS
     Brett Lymn ⟨blymn@NetBSD.org⟩
     Elad Efrat ⟨elad@NetBSD.org⟩

BSD				March 19, 2011				   BSD