Subject: Re: Issue 27 of the NetBSD CVS Digest is out
To: Hubert Feyrer <feyrer@cs.stevens.edu>
From: Brett Lymn <blymn@baesystems.com.au>
List: current-users
Date: 10/12/2005 16:37:14
On Wed, Oct 12, 2005 at 07:09:10AM +0200, Hubert Feyrer wrote:
> 
> I see... so the question that arises from that then is, how much does the 
> fingerprinting affect the memory footprint of the program?
> 

It does not add anything to the memory footprint of the running
program at all.  The page fingerprints are actually attached to the
in-kernel structure that holds the overall fingerprint that was loaded.
In terms of storage, it depends on the size of your fingerprint
method; you can get a rough rule of thumb by dividing the application's
on-disk size by the machine page size (normally 4096 bytes).  When I
did a study on the then-current NetBSD binaries, the average binary
text size was about 2 to 3 pages.  For md5 fingerprints on a 3-page
binary, it would mean an extra 48 bytes of kernel memory used.  Sure,
there are some much larger binaries about, but even then the amount of
storage used is minimal - 8Mb of text would result in just under
1kbyte of page fingerprints for md5.  Of course, if the fingerprint
method used produces a longer output hash these numbers will be bigger
but, at worst, I think about 4 times (if I recall the sha512
sizing correctly).

> Also (I never played with veriexec), when do the per-page fingerprints get 
> created - I guess once on system install, and then reside in immutable 
> files?
> 

No, the page fingerprints are never stored in files.  If a binary is
marked as being on untrusted media, then as the overall fingerprint is
evaluated to verify the integrity of the whole file, the fingerprinting
of each page is done and the result stored.  If and only if the overall
fingerprint is found to match will the page fingerprints be kept;
otherwise they will be discarded since they cannot be trusted.

-- 
Brett Lymn
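The two points made in the reply above (the per-page storage estimate, and the rule that page fingerprints are computed in the same pass as the whole-file fingerprint and kept only when that whole-file fingerprint matches) can be modelled in a few lines. The following is an added example written for this digest; it is not NetBSD's veriexec code, it runs entirely in userland, and the digest-length table, the sample "binary" and the `check_page` helper are constructed for illustration.

```python
"""Model of per-page fingerprints as described in the mail.

Added illustration, not veriexec's kernel code.  Assumptions are
labelled inline.
"""
import hashlib

PAGE_SIZE = 4096  # machine page size quoted in the mail

# Assumed output sizes in bytes; the mail's figures (3 pages -> 48 bytes
# for md5, "about 4 times" that for sha512) match 16 and 64 bytes.
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32, "sha512": 64}


def page_fingerprint_cost(text_size: int, algo: str = "md5",
                          page_size: int = PAGE_SIZE) -> int:
    """Kernel memory needed for page fingerprints: one digest per page
    of text (rounded up to whole pages)."""
    pages = -(-text_size // page_size)  # ceiling division
    return pages * DIGEST_LEN[algo]


def whole_fingerprint(data: bytes, algo: str = "md5") -> bytes:
    """The overall file fingerprint an administrator would load."""
    return hashlib.new(algo, data).digest()


def verify_and_fingerprint(data: bytes, expected: bytes,
                           algo: str = "md5", page_size: int = PAGE_SIZE):
    """Single pass over the file: feed every page into the whole-file
    hash and also hash each page on its own.  The per-page digests are
    returned only if the whole-file digest matches `expected`;
    otherwise they are discarded because they cannot be trusted."""
    whole = hashlib.new(algo)
    pages = []
    for off in range(0, len(data), page_size):
        chunk = data[off:off + page_size]
        whole.update(chunk)
        pages.append(hashlib.new(algo, chunk).digest())
    if whole.digest() != expected:
        return None
    return pages


def check_page(pages, data: bytes, index: int, algo: str = "md5",
               page_size: int = PAGE_SIZE) -> bool:
    """Later per-page check against the retained fingerprints (assumed
    usage: re-verify a page before it is mapped again)."""
    chunk = data[index * page_size:(index + 1) * page_size]
    return hashlib.new(algo, chunk).digest() == pages[index]


# Constructed sample: exactly three pages of deterministic bytes.
SAMPLE_BINARY = bytes(range(256)) * (3 * PAGE_SIZE // 256)


if __name__ == "__main__":
    print("md5 cost for 3 pages:", page_fingerprint_cost(len(SAMPLE_BINARY)))
    good = verify_and_fingerprint(SAMPLE_BINARY,
                                  whole_fingerprint(SAMPLE_BINARY))
    print("pages retained:", None if good is None else len(good))
    print("rejected file keeps pages:",
          verify_and_fingerprint(SAMPLE_BINARY, b"\0" * 16) is not None)
```

The storage estimate is simply pages times digest length, which is why switching from md5 to sha512 multiplies it by four. The important behaviour is in `verify_and_fingerprint`: page digests are produced as a by-product of the whole-file check, and a mismatch throws them away rather than leaving partially trusted state behind.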