Veriexec verifies the integrity of specified executables and files before they are run or read. This makes it much more difficult to insert a trojan horse into the system and also makes it more difficult to run binaries that are not supposed to be running, for example, packet sniffers, DDoS clients and so on.
The
veriexec pseudo-device is used to load and delete entries to and from the in-kernel
Veriexec databases, as well as query information about them. It can also be used to dump the entire database.
Kernel-userland interaction
Veriexec uses
proplib(3) for communication between the kernel and userland.
VERIEXEC_LOAD
Load an entry for a file to be monitored by
Veriexec.
The dictionary passed contains the following elements:
file
string
filename for this entry
entry-type
uint8
entry type (see below)
fp-type
string
fingerprint hashing algorithm
“entry-type” can be one or more (binary-OR'd) of the following:
VERIEXEC_DIRECT
can execute directly
VERIEXEC_INDIRECT
can execute indirectly (interpreter,
mmap(2))
VERIEXEC_FILE
can be opened
VERIEXEC_UNTRUSTED
located on untrusted storage
VERIEXEC_DELETE
Removes either an entry for a single file or entries for an entire mount from
Veriexec.
The dictionary passed contains the following elements:
file
string
filename or mount-point
VERIEXEC_DUMP
Dump the
Veriexec monitored files database from the kernel.
Only files that the filename is kept for them will be dumped. The returned array contains dictionaries with the following elements:
fp-type
string
fingerprint hashing algorithm
entry-type
uint8
entry type (see above)
VERIEXEC_FLUSH
Flush the
Veriexec database, removing all entries.
This command has no parameters.
VERIEXEC_QUERY
Queries
Veriexec about a file, returning information that may be useful about it.
The dictionary passed contains the following elements:
The dictionary returned contains the following elements:
entry-type
uint8
entry type (see above)
status
uint8
entry status
fp-type
string
fingerprint hashing algorithm
“status” can be one of the following:
FINGERPRINT_NOTEVAL
not evaluated
FINGERPRINT_VALID
fingerprint match
FINGERPRINT_MISMATCH
fingerprint mismatch
Note that the requests
VERIEXEC_LOAD,
VERIEXEC_DELETE, and
VERIEXEC_FLUSH are not permitted once the strict level has been raised past 0.