On Wed, Sep 1, 2010 at 4:14 PM, Milin <merlyn500@gmail.com> wrote:
it looks like an interesting idea, but I'm not sure what vulnerability it
protects you from. if you don't want users to replace system files, it
seems like a better idea to prevent them from being replaced, rather than
allowing replacement but then preventing access.

not that the 'preventing access' problem is much of an obstacle. the
article I found via google didn't have a lot of details, but it seems like
if you have rights to replace the files, you probably also have rights to
write an updated signature to /dev/veriexec. if you're not going to require
the signatures to themselves be signed I really don't see the point.

still, if some developer were interested enough to write a diff, there's
nothing stopping them.

-ken