Veriexec File Signing and Verification for Junos OS
Learn about Veriexec file-signing and verification, benefits and how to use it.
Verified Exec (also known as veriexec) is a file-signing and verification scheme that protects the Junos operating system (OS) against unauthorized software and activity that might compromise the integrity of your device. Originally developed for the NetBSD OS, veriexec was adapted for Junos OS and is enabled by default.
Authorized files, that is, certain files that ship with Junos OS, have an associated fingerprint that veriexec checks to determine whether the file can be used (executed or even opened). Any file that lacks a valid fingerprint cannot be executed or read by applications that require verified input.
The /bin/sh file does not require verified input. You can use this file to run arbitrary scripts. From a risk perspective, these scripts are the same as interactive commands, which are controlled through user authentication and permissions. However, if a verified shell script contains instructions to run an arbitrary script, that is, a file without a signature in the manifest, execution of that file is prevented.
How Veriexec Works
Veriexec provides the kernel with a digitally signed manifest consisting of a set of fingerprints for all the executables and other files that must remain immutable. The veriexec loader feeds the contents of the manifest to the kernel only if the associated digital signatures of the manifest are successfully verified. The kernel can then verify whether a file matches its fingerprint. If veriexec is enforced, only executables with a verified fingerprint will run. The protected files cannot be written to, modified, or changed.
Each installation image contains a manifest, which is a read-only file. It contains entries such as the following:
etc/rc sha1=478eeda6750c455fbfc18eeb06093e32a341911b uid=0 gid=0 mode=644
etc/rc.verify sha1=15566bb2731abee890fabd0ae8799e02071e006c uid=0 gid=0 mode=644
usr/libexec/veriexec-ext.so.1 sha1=8929292d008d12cd5beb2b9d9537458d4974dd22 uid=0 gid=0 mode=550 no_fips
sbin/verify-sig sha1=cd3ffd45f30f1f9441e1d4a366955d8e2c284834 uid=0 gid=0 mode=555 no_ptrace
sbin/veriexec sha1=7b40c1eae9658f4a450eb1aa3df74506be701baf uid=0 gid=0 mode=555 no_ptrace
jail/usr/bin/php sha1=c444144fef5d65f7bbc376dc3ebb24373f1433a2 uid=0 gid=0 mode=555 indirect no_fips
usr/sbin/chassisd sha1=61b82b36da9c6fb7eeb413d809ae2764a8a3cebc uid=0 gid=0 mode=555 trusted
The log message is in the following format:
/kernel: veriexec: fingerprint for dev <deviceid>, file <fileid> <calculatedfingerprint> != <fingerprintinthemanifest>
If a file has been modified and the resulting fingerprint differs from the one in the manifest, you see a log message, such as the following example:
/kernel: veriexec: fingerprint for dev 100728577, file 70750 64ea873ed0ca43b113f87fa25fb30f9f60030cec != 0d9457c041bb3646eb4b9708ba605facb84a2cd0
A fingerprint mismatch indicates that the file has been modified. Don’t try to run such a file, as it could contain corrupted code. Contact JTAC for guidance.
Benefits of Veriexec
- Secure systems—Safeguard Juniper Networks routers, switches, and firewalls from security breaches.
- Prevent unauthorized access—Block threat actors from gaining persistent, unauthorized access or causing system failure.
- Prevent malware execution—Block unauthorized modifications and malware through prevention of unsigned binary execution.
- Support authorized code—Add signed, authorized code to Junos OS with veriexec enforcement using the JET SDK. For more information about the SDK solution, see Juniper Extension Toolkit Developer Guide.
How to Verify If Veriexec Works — Option 1
Some Junos OS platforms offer an optional version of Junos OS with veriexec enforcement disabled. For detailed information, see Junos Enhanced Automation.
Administrators can check whether veriexec is enforced by running the following commands from the Junos OS CLI shell:
- Start the shell.
username@hostname> start shell
%
- Use the sysctl security.mac.veriexec.state command (Junos OS Release 15.1 and later).
% sysctl security.mac.veriexec.state
security.mac.veriexec.state: loaded active enforce
%
If veriexec is enforced, the output is security.mac.veriexec.state: loaded active enforce. If veriexec is not enforced, the output is security.mac.veriexec.state: loaded active.
How to Verify If Veriexec Works — Option 2
You can confirm whether veriexec is working by copying an authorized file (for example, /usr/bin/id) to a new location, as shown below. Veriexec prevents the copied file from running because, even though the file contents are identical, a valid fingerprint exists only for /usr/bin/id, not for /tmp/id. To verify file integrity, veriexec evaluates the underlying Linux properties of the file. These properties, rather than the file contents, change when you copy the file to another location.
- Start the shell.
username@hostname> start shell
#
- Change directories and then copy an authorized file, for example, /usr/bin/id, to a new location.
# /usr/bin/id
uid=928(username) gid=20 groups=20,0(wheel),10(field)
# cp /usr/bin/id /tmp
Results
If veriexec is being enforced, an authentication error message is generated. If an error message is not generated, the file will run as normal.
Output generated when veriexec is enforced, showing that the copied file is blocked:
# /tmp/id
/bin/sh: /tmp/id: Authentication error
#
Output generated when veriexec is not enforced, showing that the copied file runs:
# /tmp/id
#
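As an added illustration (not Juniper's code and not the kernel's veriexec implementation), the following Python simulates the checks described under How Veriexec Works and exercised by the copy test above: it parses manifest entries in the format shown earlier, compares a file's SHA-1 fingerprint and uid/gid/mode against its entry, and reports a content mismatch in the kernel log format from that section. The file contents, the manifest built from them, and the attribute-mismatch message are constructed for this example.

```python
import hashlib

def parse_manifest(text):
    """Parse manifest lines of the page's form
    'path sha1=<hex> uid=N gid=N mode=NNN [flag ...]' into {path: entry}."""
    entries = {}
    for fields in (ln.split() for ln in text.splitlines() if ln.strip()):
        entry = {"flags": set()}
        for field in fields[1:]:
            key, sep, value = field.partition("=")
            if sep:
                entry[key] = value          # sha1, uid, gid, mode
            else:
                entry["flags"].add(key)     # no_ptrace, no_fips, indirect, trusted
        entries[fields[0]] = entry
    return entries

def fingerprint(data):
    return hashlib.sha1(data).hexdigest()

def verify(manifest, path, data, uid, gid, mode, dev=0, fileid=0):
    """Decide whether 'path' may be executed. Returns (allowed, message)."""
    entry = manifest.get(path)
    if entry is None:                       # no fingerprint at all: the /tmp/id case
        return False, f"/bin/sh: /{path}: Authentication error"
    calc = fingerprint(data)
    if calc != entry["sha1"]:               # modified content: kernel log line format
        return False, (f"/kernel: veriexec: fingerprint for dev {dev}, file {fileid} "
                       f"{calc} != {entry['sha1']}")
    if (str(uid), str(gid), f"{mode:o}") != (entry["uid"], entry["gid"], entry["mode"]):
        # Constructed message; the page shows no log format for ownership/mode drift.
        return False, f"veriexec: attribute mismatch for {path}"
    return True, "ok"

# Constructed sample files (not real Junos binaries) and a manifest built from them.
FILES = {"usr/bin/id": b"#!/bin/sh\necho 'uid=0(root) gid=0(wheel)'\n",
         "etc/rc": b"# constructed rc script\n"}
MANIFEST = (f"usr/bin/id sha1={fingerprint(FILES['usr/bin/id'])} uid=0 gid=0 mode=555 no_ptrace\n"
            f"etc/rc sha1={fingerprint(FILES['etc/rc'])} uid=0 gid=0 mode=644\n")

def demo():
    """Three cases: intact authorized file, same bytes copied to /tmp (the copy test
    above), and a file edited in place (the fingerprint-mismatch log on the page)."""
    m = parse_manifest(MANIFEST)
    return {"intact": verify(m, "usr/bin/id", FILES["usr/bin/id"], 0, 0, 0o555),
            "copied": verify(m, "tmp/id", FILES["usr/bin/id"], 0, 0, 0o555),
            "tampered": verify(m, "etc/rc", FILES["etc/rc"] + b"echo changed\n",
                               0, 0, 0o644, dev=100728577, fileid=70750)}
```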
Install Veriexec Loader
The veriexec loader validates the Junos OS image that you install from a Trivial File Transfer Protocol (TFTP) server or a USB storage device.
- To install the Junos OS image from a TFTP server, use this command:
loader> install tftp://[host]/package
- To install the Junos OS image from a USB storage device, use this command:
loader> install file:///package
Use the nextboot function to check the current bootup device.
username@hostname# nextboot
Platform: srx-sword
eUSB
usb
current bootdev is: eUSB
Bootupgrade is a tool available in the Junos OS package to support BIOS firmware upgrading. You can use the bootupgrade command to upgrade, check U-Boot, manually load, and install the veriexec-capable loader. The bootupgrade -c loader command prints the version string for the current loader.
Before you install the veriexec-capable loader, both dual-root partitions are checked for Junos OS images with fingerprints. The veriexec-capable loader can be installed only when both dual-root partitions contain Junos OS with fingerprints.
Install the veriexec-capable loader from the Junos OS CLI shell:
- Start the shell.
username@hostname> start shell
%
- Use the bootupgrade -l /boot/veloader command to install the veriexec-capable loader.
% bootupgrade -l /boot/veloader
Checking Loader CRC...
veloader size 1251641 OK
The following scenarios show the possible outcomes:
- Use the request system software add /var/tmp/xxx.tgz no-copy no-validate command to install Junos OS with fingerprints.
username@hostname> request system software add /var/tmp/junos-srxsme-20.4I-20200810_dev_common.0.0833.tgz no-copy no-validate
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 600.0MB (1228732 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 150.00MB, 9600 blks, 19200 inodes.
super-block backups (for fsck -b #) at:
32, 307232, 614432, 921632
Installing package '/altroot/cf/packages/install-tmp/junos-20.4I-20200810_dev_common.0.0833' ...
Verified junos-boot-srxsme.tgz signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
Verified junos-srxsme-domestic signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
Verified manifest signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
WARNING: The software that is being installed has limited support.
WARNING: Run 'file show /etc/notices/unsupported.txt' for details.
JUNOS 20.4I-20200810_dev_common.0.0833 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the 'request system reboot' command
WARNING: when software installation is complete
Saving state for rollback ...
- If the veriexec-capable loader doesn't support the target Junos OS images of previous releases, you can downgrade to an earlier version of the loader that is compatible with the release. Use the request system software add /var/tmp/xxx.tgz no-copy no-validate command to automatically downgrade to an earlier version of the loader.
username@hostname> request system software add /var/tmp/junos-srxsme-19.4R1.3.tgz no-copy no-validate
WARNING: Package junos-19.4R1.3 version 19.4R1.3 is not compatible with current loader
WARNING: Automatic recovering loader, please wait ...
Upgrading Loader...
#####################################
Verifying the loader image... OK
WARNING: The new boot firmware will take effect when the system is rebooted.
WARNING: Loader recover finish.
Formatting alternate root (/dev/ad0s1a)...
/dev/ad0s1a: 598.5MB (1225692 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 149.62MB, 9576 blks, 19200 inodes.
super-block backups (for fsck -b #) at:
32, 306464, 612896, 919328
Installing package '/altroot/cf/packages/install-tmp/junos-19.4R1.3' ...
Verified junos-boot-srxsme-19.4R1.3.tgz signed by PackageProductionEc_2019 method ECDSA256+SHA256
Verified junos-srxsme-19.4R1.3-domestic signed by PackageProductionEc_2019 method ECDSA256+SHA256
Verified junos-boot-srxsme-19.4R1.3.tgz signed by PackageProductionEc_2019 method ECDSA256+SHA256
Verified junos-srxsme-19.4R1.3-domestic signed by PackageProductionEc_2019 method ECDSA256+SHA256
JUNOS 19.4R1.3 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the 'request system reboot' command
WARNING: when software installation is complete
Saving state for rollback ...
- Use the request system software add /var/tmp/xxx command to check whether the Junos OS package is compatible for installation with the veriexec loader.
username@hostname> request system software add /var/tmp/junos-srxsme-19.4R2.3.tgz
WARNING: Package junos-19.4R2.3 version 19.4R2.3 is not compatible with this system.
WARNING: Please install a package with veloadr support, 20.3 or higher.
In this example, you see that the installation is terminated because the veriexec loader is not supported for Junos OS Releases before 20.3R1.