Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Veriexec Overview

Verified Exec (also known as veriexec) is a file-signing and verification scheme that protects the Junos operating system (OS) against unauthorized software and activity that might compromise the integrity of your device. Originally developed for the NetBSD OS, veriexec was adapted for Junos OS and enabled by default from Junos OS Release 7.5 onward.

Authorized files, that is certain files that ship with Junos OS, have an associated fingerprint that veriexec checks to determine whether the file can be used (executed, or even opened). Any file which lacks a valid fingerprint cannot be executed or read by applications that require verified input.

Note that /bin/sh does not require verified input. It can be used to run arbitrary scripts because from a risk perspective, they are the same as interactive commands, which is already controlled through user authentication and permissions. However, if a verified shell script contains instructions to run an arbitrary script, that is, a file that does not have a signature in the manifest, execution of that file will be prevented.

How Veriexec Works

Veriexec provides the kernel with a digitally signed manifest consisting of a set of fingerprints for all the executables and other files that should remain immutable. The veriexec loader feeds the contents of the manifest to the kernel only if the digital signature of the manifest is successfully verified. The kernel can then verify if a file matches its fingerprint. If veriexec is being enforced, only executables with a verified fingerprint will run. The protected files cannot be written to, modified, or changed.

Each install image contains a manifest. The manifest is read-only. It contains entries such as the following:

If a file has been modified and the resulting fingerprint differs from the one in the manifest, you will see a log message, such as the following example:

The log message is in the following format:

The fingerprint mismatch indicates that the file has been modified. Don’t try to run the file. It could contain corrupted code. Contact JTAC.

The Importance of Veriexec

Veriexec is an effective and important tool for protecting against those seeking to breach the system security of Juniper Networks routers, switches, and firewalls. It thwarts threat actors who might want to establish a foothold on the system, gain persistent unauthorized access, or otherwise transition the system into a failure state. If such actors can run arbitrary unsigned binaries, they can make unauthorized modifications and run malware or other code that violates security policy.

Customers can add signed and authorized code with veriexec enforced to Junos OS by using the JET SDK. For more on the SDK solution, see Develop On-Device JET Applications in the Juniper Extension Toolkit Developer Guide.

How to Verify If Veriexec Is Enforced on a Device Running Junos OS

The following subsections give procedures on how to check if veriexec is enforced or not.

Some Junos OS platforms offer an optional version of Junos OS with veriexec enforcement disabled (referred to as Junos Enhanced Automation or Junos Flex). For more information about Junos Enhanced Automation, see Overview of Junos Automation Enhancements on Devices Running Junos OS with Enhanced Automation.

Use the sysctl security.mac.veriexec.state Command for Junos OS Release 15.1 and Later

Administrators can check whether veriexec is enforced by running the following commands from the Junos OS CLI shell:

  1. Start the shell.

  2. Use the sysctl security.mac.veriexec.state command.

    If veriexec is enforced, the output is security.mac.veriexec.state: loaded active enforce. If veriexec is not enforced, the output is security.mac.veriexec.state: loaded active.

Note:

The security.mac.veriexec.state command is only valid in Junos OS Release 15.1 and later.

Another Way to Check If Veriexec Is Working

You can confirm whether veriexec is working by copying an authorized file (here, /usr/bin/id), to a new location as shown below. Veriexec prevents the operation because, although there is a valid fingerprint for /usr/bin/id, there is no fingerprint for /tmp/id even though the file is identical. What is happening is that veriexec evaluates the underlying Linux properties of the file, which are not identical after being copied, rather than the file itself.

  1. Start the shell.

  2. Change directories and then copy the example file, /usr/bin/id to a new location.

Results

If veriexec is being enforced, an Authentication error appears. If it is not, the file will be run as normal.

Output when veriexec is enforced (the file is blocked):

Output when veriexec is not enforced (the file is copied):

Veriexec-Capable Loader for SRX Series devices

The veriexec-capable loader installs a Junos OS image using the install command from a TFTP server or a USB storage device.

  • Install the Junos OS image from a tftp server using the install tftp://[host]/ install command.

  • Install the Junos OS image from a USB storage device using the install file:/// install command.

The veriexec-capable loader validates the Junos OS image. The veriexec-capable loader boots up only a new Junos OS image with fingerprints and does not boot up the existing Junos OS image without fingerprints or kernel. You can use the nextboot function to check the current bootup device.

Bootupgrade is a tool available in the Junos OS package to support BIOS firmware upgrading. You can use the bootupgrade command to upgrade, check uboot, manually load, and to install the larger size veriexec-capable loader. The bootupgrade -c loader command prints the version string for current loader.

Before you install the veriexec-capable loader to Junos OS image, a Junos OS fingerprints identification is carried out in both dual-root partitions. Only when both dual-root partitions have Junos OS with fingerprints, is the veriexec capable loader installation allowed.

Install the veriexec-capable loader from the Junos OS CLI shell:

  1. Start the shell.

  2. Use the bootupgrade -l /boot/veloader command to install the veriexec-capable loader.

  3. You can see different scenarios here:

    • For Junos OS Release 20.3R1 and later, use request system software add /var/tmp/xxx.tgz no-copy no-validate command to install Junos OS with fingerprints normally.

    • For Junos OS Releases prior to 20.3R1, if the veriexec-capable loader is in use and the target Junos OS image for previous releases are not supported by the veriexec-capable loader, then use the request system software add /var/tmp/xxx.tgz no-copy no-validate command to automatically downgrade to the old loader from the veriexec-capable loader.

    • Use the request system software add /var/tmp/xxx command to check whether the Junos OS package is compatible for the installation.

      The installation is terminated because the veriexec-capable loader is not supported for Junos OS Releases prior to 20.3R1.