13
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
Microsoft has published details about a new project called Integrity Policy Enforcement (IPE) that it has been working on for the Linux kernel.IPE is a Linux Security Module (LSM) which are optional add-ons for the Linux kernel designed to enable additional security features.
In its documentation page, Microsoft explained how IPE attempts to solve the issue of code integrity, saying:IPE is a Linux Security Module, which allows for a configurable policy to enforce integrity requirements on the whole system.
It attempts to solve the issue of code integrity: that any code being executed (or files being read), are identical to the version that was built by a trusted source.
Simply stated, IPE helps the owner of a system ensure that only code they have authorized is allowed to execute.On Linux systems with IPE enabled, system administrators can create a list of binaries that are allowed to execute and add verification attributes which the kernel needs to check for each binary before allowing it to run.
If a binary has been altered by an attacker, IPE has the ability to block the execution of the malicious code.According to Microsoft, IPE is not intended for general-purpose computing as it was designed for very specific use cases when security is of the utmost importance and administrators need to be in full control of what code runs on their systems.Some examples of systems that could benefit from using the software giant's new LSM include embedded systems such as network firewall devices running in a data center and Linux servers that are running strict and immutable configurations and applications.Microsoft has published the specifications for the new IPE module but it is currently in a RFC or request for comments state.
It will likely be some time before IPE ships with the actual Linux kernel.The Linux kernel already includes a LSM for code integrity called Integrity Measurement Architecture (IMA).
However, Microsoft says that IPE differs from IMA because it has no dependency on the filesystem metadata and because IPE attributes are deterministic properties that exist solely in the kernel.Via ZDNet
