Copyright 2005 Elad Efrat <elad@bsd.org.il>
Copyright 2005 Brett Lymn <blymn@netbsd.org>
This code is donated to The NetBSD Foundation by the author.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. The name of the Author may not be used to endorse or promote
products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
.Dd October 28, 2006
.Dt VERIEXEC 4
.Sh NAME
.Nm veriexec
.Nd Veriexec pseudo-device
.Sh SYNOPSIS
.Cd pseudo-device veriexec
.Sh DESCRIPTION
.Em Veriexec
verifies the integrity of specified executables and files before they are
run or read.
This makes it much more difficult to insert a trojan horse into the system
and also makes it more difficult to run binaries that are not supposed to be
running, for example, packet sniffers, DDoS clients and so on.
.Pp
The
.Nm
pseudo-device is used to perform optimal table sizing, fingerprint loading,
and querying of entries, as part of the
.Em Veriexec
subsystem.
.Ss Veriexec file operations
All the following operations are invoked using the
.Xr ioctl 2
system call.
Refer to that man page for the description of the
.Em request
and
.Em argp
parameters.
The following section lists the requests that can be made via
.Xr ioctl 2 .
.Ss Veriexec file request descriptions
.Bl -tag
.It Dv VERIEXEC_TABLESIZE Fa struct veriexec_sizing_params
Sizes the in-kernel tables to accommodate the fingerprint entries.
This request must be made prior to loading the fingerprints into the kernel.
.Pp
The argument structure is, as defined in
.Pa /usr/include/sys/verified_exec.h :
.Bd -literal
struct veriexec_sizing_params {
        size_t hash_size;
        u_char file[MAXPATHLEN];
};
.Ed
.Pp
Where
.Ar hash_size
is the estimated number of entries in the table for the mount, and
.Ar file
is the mount point.
.It Dv VERIEXEC_LOAD Fa struct veriexec_params
Inserts a fingerprint into the in-kernel tables.
These tables must have been previously sized using the
.Dv VERIEXEC_TABLESIZE
request.
The argument structure is, as defined in
.Pa /usr/include/sys/verified_exec.h :
.Bd -literal
struct veriexec_params {
        unsigned char type;
        unsigned char fp_type[VERIEXEC_TYPE_MAXLEN];
        char file[MAXPATHLEN];
        unsigned int size;
        unsigned char *fingerprint;
};
.Ed
.Pp
Where
.Ar type
is a bitfield formed by OR-ing together one or more of:
.Bl -tag
.It Dv VERIEXEC_DIRECT
Allow direct execution of the file if the fingerprint matches.
.It Dv VERIEXEC_INDIRECT
Allow execution of the file as a script interpreter, or allow mapping the
file to executable memory regions.
.It Dv VERIEXEC_FILE
Allow opening the file for read/write/mmap/etc. purposes.
.It Dv VERIEXEC_UNTRUSTED
The file is located on untrusted storage.
.El
.Pp
.Ar fp_type
is the fingerprint type.
This is a case-insensitive character string that must match one of the
fingerprint types supported by the running kernel.
.Pp
.Ar file
is the path of the file the entry is for.
.Pp
.Ar fingerprint
is a pointer to the fingerprint for the file.
.Pp
.Ar size
is not used and is kept for ABI compatibility only.
.It Dv VERIEXEC_DELETE Fa struct veriexec_delete_params
Removes either an entry or an entire table from
.Em Veriexec .
.Pp
The argument structure contains a single member,
.Ar file ,
with the path to the entry to be removed.
If the path is a mount point (directory), the entries for the entire mount
point will be removed.
.It Dv VERIEXEC_QUERY Fa struct veriexec_query_params
Queries a
.Em Veriexec
table entry and returns the fingerprint and the algorithm used to calculate
it, the evaluation status, and the entry type.
.El
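.Pp
The following is an added example, not code from this man page or from the
.Em Veriexec
sources: a userland routine that turns one line of a veriexecgen(8)-style
signature file (path, fingerprint type, hex fingerprint, comma-separated
flags) into a filled-in
.Fa struct veriexec_params
ready for
.Dv VERIEXEC_LOAD .
It checks, before the request is issued, that the path is absolute and fits
in
.Ar file ,
that the type name fits in
.Ar fp_type ,
and that the decoded fingerprint has the digest length that type implies,
so the
.Ar fingerprint
pointer the kernel dereferences is known to point at a buffer of the right
size.
The structure layout is the one listed above; the flag bit values, the
stand-in MAXPATHLEN and VERIEXEC_TYPE_MAXLEN values, the table of digest
lengths, the HAVE_VERIFIED_EXEC_H macro and all function names are
assumptions of the example.

```c
/* Added example, not from the man page or the veriexec sources: build and check a VERIEXEC_LOAD
 * request from one veriexecgen(8)-style signature line. Compile with -DHAVE_VERIFIED_EXEC_H on
 * NetBSD to use the real header; otherwise the struct and flag values below are stand-ins. */
#include <ctype.h>
#include <string.h>
#ifdef HAVE_VERIFIED_EXEC_H
#include <sys/param.h>
#include <sys/ioctl.h>
#include <sys/verified_exec.h>
#else   /* layout as listed on the page; the flag values are assumptions */
#define MAXPATHLEN 1024
#define VERIEXEC_TYPE_MAXLEN 9
#define VERIEXEC_DIRECT    0x01
#define VERIEXEC_INDIRECT  0x02
#define VERIEXEC_FILE      0x04
#define VERIEXEC_UNTRUSTED 0x10
struct veriexec_params {
    unsigned char type, fp_type[VERIEXEC_TYPE_MAXLEN];
    char file[MAXPATHLEN];
    unsigned int size;
    unsigned char *fingerprint;
};
#endif
#define MAX_DIGEST 64   /* SHA512, the longest digest handled here */
static int tokeq(const char *s, size_t n, const char *name)  /* first n bytes of s == NAME, any case */
{
    if (strlen(name) != n) return 0;
    while (n--) if (toupper((unsigned char)s[n]) != name[n]) return 0;
    return 1;
}

/* Digest length for a fingerprint type, 0 if unknown here. The kernel rejects bad types itself, but
 * checking the length first keeps a short or mistyped fingerprint from ever being passed by pointer. */
size_t digest_len(const char *fp_type)
{
    static const struct { const char *name; size_t len; } algs[] = { { "MD5", 16 }, { "SHA1", 20 },
        { "RMD160", 20 }, { "SHA256", 32 }, { "SHA384", 48 }, { "SHA512", 64 } };
    for (size_t i = 0; i < sizeof algs / sizeof algs[0]; i++)
        if (tokeq(fp_type, strlen(fp_type), algs[i].name)) return algs[i].len;
    return 0;
}

/* "DIRECT,INDIRECT,FILE,UNTRUSTED" (any order or case) -> type bitfield; -1 on an unknown name. */
int parse_flags(const char *spec, unsigned char *type)
{
    unsigned char t = 0;
    while (*spec) {
        const char *end = strchr(spec, ',');
        size_t n = end ? (size_t)(end - spec) : strlen(spec);
        if (tokeq(spec, n, "DIRECT")) t |= VERIEXEC_DIRECT;
        else if (tokeq(spec, n, "INDIRECT")) t |= VERIEXEC_INDIRECT;
        else if (tokeq(spec, n, "FILE")) t |= VERIEXEC_FILE;
        else if (tokeq(spec, n, "UNTRUSTED")) t |= VERIEXEC_UNTRUSTED;
        else return -1;
        spec += n + (end != NULL);
    }
    *type = t;
    return 0;
}

/* Hex string -> bytes; returns the byte count, or -1 on odd length or a non-hex digit. */
int hex_decode(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 || n / 2 > outlen) return -1;
    for (size_t i = 0; i < n; i++) {
        int c = tolower((unsigned char)hex[i]), v = isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
        if (v < 0) return -1;
        out[i / 2] = (unsigned char)(i % 2 ? out[i / 2] | v : v << 4);
    }
    return (int)(n / 2);
}

/* Fill *vp from "path type hex flags". vp->fingerprint is pointed at fpbuf, which the kernel reads
 * through (see NOTES), so fpbuf must outlive the ioctl. Returns 0, or -1 with the reason in *err. */
int build_load_params(const char *line, struct veriexec_params *vp,
                      unsigned char *fpbuf, size_t fpbuflen, const char **err)
{
    char buf[MAXPATHLEN + 2 * MAX_DIGEST + 128];
    size_t want;
    if (strlen(line) >= sizeof buf) { *err = "line too long"; return -1; }
    strcpy(buf, line);
    char *path = strtok(buf, " \t\n"), *alg = path ? strtok(NULL, " \t\n") : NULL;
    char *hex = alg ? strtok(NULL, " \t\n") : NULL, *flags = hex ? strtok(NULL, " \t\n") : NULL;
    if (!flags) { *err = "malformed line"; return -1; }
    if (path[0] != '/' || strlen(path) >= MAXPATHLEN) { *err = "bad path"; return -1; }
    if (strlen(alg) >= VERIEXEC_TYPE_MAXLEN || !(want = digest_len(alg))) { *err = "unknown type"; return -1; }
    if (hex_decode(hex, fpbuf, fpbuflen) != (int)want) { *err = "fingerprint length does not match type"; return -1; }
    memset(vp, 0, sizeof *vp);
    if (parse_flags(flags, &vp->type) < 0) { *err = "unknown flag"; return -1; }
    strcpy((char *)vp->fp_type, alg);   /* the kernel matches the type name case-insensitively */
    strcpy(vp->file, path);
    vp->size = 0;                       /* unused, kept for ABI compatibility only */
    vp->fingerprint = fpbuf;
    return 0;
}

#ifdef HAVE_VERIFIED_EXEC_H
/* VERIEXEC_TABLESIZE must precede this for the entry's mount; both are refused once strict level > 0. */
int veriexec_load(int fd, struct veriexec_params *vp) { return ioctl(fd, VERIEXEC_LOAD, vp); }
#endif
```

On NetBSD, build with
.Fl D Ns Li HAVE_VERIFIED_EXEC_H
so the real header supplies the structure and the request codes, open
.Pa /dev/veriexec ,
issue
.Dv VERIEXEC_TABLESIZE
once per mount, then pass each structure filled in by
.Fn build_load_params
to
.Fn veriexec_load ;
all of this has to happen while the strict level is still 0.
The fingerprint buffer handed to
.Fn build_load_params
must stay valid until the
.Xr ioctl 2
returns, since the kernel reads the fingerprint through the pointer stored
in the structure rather than from the structure itself.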
.Pp
Note that the requests
.Dv VERIEXEC_TABLESIZE ,
.Dv VERIEXEC_LOAD ,
and
.Dv VERIEXEC_DELETE
are not permitted once the strict level has been raised past 0.
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr sysctl 8 ,
.Xr veriexecctl 8 ,
.Xr veriexecgen 8 ,
.Xr veriexec 9
.Sh NOTES
It is possible for a malicious user to trigger access to random memory by
passing a junk pointer for the
.Ar fingerprint
member in a
.Dv VERIEXEC_LOAD
command.
.Pp
.Nm
is part of the default configuration on the following architectures:
amd64, i386, prep, sparc64.
.Sh AUTHORS
.An Brett Lymn Aq blymn@NetBSD.org
.An Elad Efrat Aq elad@NetBSD.org