Microsoft Introduces New Code Integrity Feature for Linux


Microsoft has released details of a new project it has been working on for the Linux kernel, called Integrity Policy Enforcement (IPE). IPE is a Linux Security Module (LSM); LSMs are optional components built into the kernel that add security checks on top of the kernel's standard access controls. On its documentation page, Microsoft explained how IPE tries to solve the code integrity problem: "IPE is a Linux security module, which allows a configurable policy to enforce system-wide integrity requirements. It tries to solve the problem of code integrity: that whatever code is being executed (or files being read) is identical to the version created by a trusted source." In short, IPE lets a system owner ensure that only code he has authorized can run. On systems with IPE enabled, administrators write a policy describing which binaries are allowed to run, expressed as verification properties the kernel must check before it allows each binary to execute. A binary an attacker has modified no longer carries those properties, so IPE can block the malicious code from running.

Application of the integrity policy.

According to Microsoft, IPE is not intended for general purpose computing. It was designed for narrow use cases where security is of the utmost importance and administrators must have full control over the code that runs on their systems. Examples of systems that could benefit from the software giant's new LSM include embedded systems such as network firewall appliances in a data center, and Linux servers that run strict, immutable configurations and applications.

Microsoft has published the specification for the new IPE module, but it is currently an RFC (request for comments) on the kernel mailing lists, so it will probably take some time before IPE ships in the mainline Linux kernel. The kernel already includes a code integrity mechanism, the Integrity Measurement Architecture (IMA). Microsoft claims that IPE differs from IMA because it "does not depend on file system metadata" and because IPE attributes "are deterministic properties that exist only in the kernel." IMA stores per-file hashes or signatures as extended attributes (security.ima) on the file system itself, whereas the properties IPE evaluates, such as the root hash of the dm-verity volume a file lives on, are established by the kernel when the volume is set up. via ZDNet
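To make the policy model concrete, here is an example IPE policy. It is added by the editor and is not taken from the article or from Microsoft's documentation; the syntax follows the IPE policy language as documented upstream (Documentation/admin-guide/LSM/ipe.rst) for the version that was eventually merged, which may differ in details from the RFC discussed above. The policy name, the version number and the dm-verity root hash are placeholders, and the comments are the editor's.

```text
policy_name=example_appliance policy_version=0.0.1

# Deny every operation that no rule below explicitly allows.
DEFAULT action=DENY

# Executables on the boot volume the kernel itself verified at boot
# (the initramfs in the merged version) may run.
op=EXECUTE boot_verified=TRUE action=ALLOW

# Executables on a dm-verity volume whose root hash matches this value may
# run. The hash is a placeholder: use the root hash printed by veritysetup
# when the application image was built.
op=EXECUTE dmverity_roothash=<64-hex-digit root hash> action=ALLOW

# Kernel modules must likewise come from the verified boot volume.
op=KMODULE boot_verified=TRUE action=ALLOW
```

Note what the rules do not contain: no file names and no per-file hashes. The allowed set is defined by where a file lives, and the root hash of a dm-verity volume is computed and checked by the kernel when the volume is mapped, which is the "deterministic property that exists only in the kernel" Microsoft contrasts with IMA's extended attributes. An attacker who overwrites a binary on the dm-verity volume breaks the hash tree and the read fails; a binary copied onto a writable volume simply matches no rule and is denied. In the merged version the policy text must be signed and loaded through IPE's securityfs interface before it can be activated.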