Microsoft reveals new code stability feature for Linux

Microsoft has published details about a new project called Integrity Policy Enforcement (IPE) that it has been working on for the Linux kernel.

IPE is a Linux Security Module (LSM). LSMs are optional add-ons for the Linux kernel designed to enable additional security features. The module allows for a configurable policy to enforce integrity requirements on the whole system.
It attempts to solve the issue of code integrity: ensuring that any code being executed (or file being read) is identical to the version that was built by a trusted source.
Simply stated, IPE helps the owner of a system ensure that only code they have authorized is allowed to execute.

On Linux systems with IPE enabled, system administrators can create a list of binaries that are allowed to execute and add verification attributes which the kernel needs to check for each binary before allowing it to run.
If a binary has been altered by an attacker, IPE has the ability to block the execution of the malicious code.

According to Microsoft, IPE is not intended for general-purpose computing, as it was designed for very specific use cases where security is of the utmost importance and administrators need to be in full control of what code runs on their systems.

Some examples of systems that could benefit from using the software giant's new LSM include embedded systems such as network firewall devices running in a data center and Linux servers that are running strict and immutable configurations and applications.

Microsoft has published the specifications for the new IPE module, but it is currently in an RFC (request for comments) state.
It will likely be some time before IPE ships with the actual Linux kernel.

The Linux kernel already includes an LSM for code integrity called Integrity Measurement Architecture (IMA).