Subject: CVS commit: src
To: None <>
From: Elad Efrat <>
List: source-changes
Date: 10/05/2005 13:48:48
Module Name:	src
Committed By:	elad
Date:		Wed Oct  5 13:48:48 UTC 2005

Modified Files:
	src/sbin/veriexecctl: veriexecctl.8 veriexecctl.c veriexecctl_parse.y
	src/share/man/man4: veriexec.4
	src/sys/dev: verified_exec.c
	src/sys/kern: kern_verifiedexec.c
	src/sys/miscfs/genfs: genfs_vnops.c
	src/sys/sys: verified_exec.h

Log Message:
Introduce per-page fingerprints in Veriexec.

This closes a hole pointed out by Thor Lancelot Simon on tech-kern ~3
years ago.

The problem was with running binaries from remote storage, where our
kernel (and Veriexec) has no control over any changes to files.

An attacker could, after the fingerprint has been verified and
program loaded to memory, inject malicious code into the backing
store on the remote storage, followed by a forced flush, causing
a page-in of the malicious data from backing store, bypassing
integrity checks.

Initial implementation by Brett Lymn.

To generate a diff of this commit:
cvs rdiff -r1.17 -r1.18 src/sbin/veriexecctl/veriexecctl.8
cvs rdiff -r1.16 -r1.17 src/sbin/veriexecctl/veriexecctl.c
cvs rdiff -r1.12 -r1.13 src/sbin/veriexecctl/veriexecctl_parse.y
cvs rdiff -r1.7 -r1.8 src/share/man/man4/veriexec.4
cvs rdiff -r1.23 -r1.24 src/sys/dev/verified_exec.c
cvs rdiff -r1.38 -r1.39 src/sys/kern/kern_verifiedexec.c
cvs rdiff -r1.104 -r1.105 src/sys/miscfs/genfs/genfs_vnops.c
cvs rdiff -r1.19 -r1.20 src/sys/sys/verified_exec.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.