Veriexec

Veriexec is a file-signing scheme for the NetBSD operating system. It introduces a special device node () through which a signature list can be loaded into the kernel. The list contains file paths, together with hashes and an expected file type ("DIRECT" for executables, "INDIRECT" for scripts and "FILE" for shared libraries and regular files). The kernel then verifies the contents of the signed files against their hashes just before they are opened in an exec() or open() system call. When Veriexec is enabled at level 0, the kernel will simply warn about signature mismatches. At level 1, it will prevent access to mismatched files. At level 2, it prevents signed files from being overwritten or deleted. At the highest, level 3, the kernel will not allow unsigned files to be accessed at all.
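The four levels described above can be modelled as a small user-space decision function, which makes it easy to see what each level changes for a signed, a tampered and an unsigned file. This is an added example, not NetBSD code: the names `Entry`, `decide` and `level_table`, the choice of SHA-256, the sample paths and contents, and the assumption that each level keeps the restrictions of the lower ones are all illustrative.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str
    digest: str  # hex digest of the expected contents (SHA-256 is an assumption)
    ftype: str   # "DIRECT", "INDIRECT" or "FILE"; stored, not enforced in this model

def digest_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def decide(level: int, siglist: dict, op: str, path: str, content: bytes = b"") -> str:
    """Return "allow", "warn" or "deny" for op in exec/open/write/delete."""
    if level not in (0, 1, 2, 3):
        raise ValueError("level must be 0..3")
    if op not in ("exec", "open", "write", "delete"):
        raise ValueError("unknown operation")
    entry = siglist.get(path)
    if entry is None:
        # Unsigned file: only the highest level refuses access.
        return "deny" if level == 3 else "allow"
    if op in ("write", "delete"):
        # From level 2 up, signed files cannot be overwritten or deleted.
        return "deny" if level >= 2 else "allow"
    # exec/open of a signed file: compare contents against the loaded hash.
    if digest_of(content) == entry.digest:
        return "allow"
    # Mismatch: level 0 only warns, every higher level blocks access.
    return "warn" if level == 0 else "deny"

# Constructed sample data standing in for real file contents.
GOOD_LS = b"constructed stand-in for the /bin/ls image"
GOOD_SCRIPT = b"#!/bin/sh\necho constructed sample script\n"
SIGLIST = {e.path: e for e in (
    Entry("/bin/ls", digest_of(GOOD_LS), "DIRECT"),
    Entry("/usr/local/bin/backup.sh", digest_of(GOOD_SCRIPT), "INDIRECT"),
)}

def level_table(op: str, path: str, content: bytes = b"") -> list:
    """Decision at levels 0, 1, 2 and 3 for a single access."""
    return [decide(lvl, SIGLIST, op, path, content) for lvl in range(4)]

if __name__ == "__main__":
    print("exec intact  ", level_table("exec", "/bin/ls", GOOD_LS))
    print("exec tampered", level_table("exec", "/bin/ls", b"tampered"))
    print("delete signed", level_table("delete", "/bin/ls"))
    print("open unsigned", level_table("open", "/tmp/unsigned", b"x"))
```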

