Microsoft not only loves Linux (or so the company wants us to believe) but also wants to contribute pieces that let the open-source kernel serve Microsoft's own needs better. To that end it has developed Integrity Policy Enforcement (IPE), a Linux Security Module (LSM) that enforces code-integrity requirements across the whole system.
The Redmond-based corporation, which at the turn of the century was Linux's biggest foe, has built IPE as an optional security module that addresses code integrity on Linux. It is not aimed at general-purpose desktops; its intended users are servers, embedded systems, and other appliance-like devices running Linux.
Microsoft explains that “there are already multiple implementations within the Linux kernel that solve some measure of integrity verification. For example, device-mapper verity, which guarantees the integrity of a block device, and fs-verity, which is a system that guarantees the integrity of a file system. What those implementations lack is a runtime verification measure that the binaries come from these locations. IPE aims to address this gap. IPE is separated into two main components: a configurable policy, provided by the LSM ("IPE Core"), and the deterministic attributes provided by the kernel to evaluate files ("IPE Properties").”
When enabled, IPE lets a system administrator write a policy describing which properties a file must have before the kernel will let it execute: for example, that it lives on a dm-verity protected volume with a known root hash, or that it came from the verified boot image. The kernel supplies those properties at execution time and checks the policy against them. A binary an attacker has replaced or copied elsewhere no longer carries the properties of its trusted origin, so it fails the policy and IPE denies its execution; there is no heuristic "suspicion" involved, only a deterministic match against the administrator's rules.
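To make the property-based model concrete, the following Python script is an added example, not code from IPE, Microsoft, or the kernel. It parses a small policy written in the rule syntax from the kernel's IPE documentation (one rule per line, `op=... <properties> action=...`, with `DEFAULT` fallbacks, first matching rule wins) and evaluates it against constructed per-file property sets of the kind the kernel would supply. The policy text, the dm-verity root hash, and the file paths are all made up for illustration.

```python
"""Illustrative model of IPE policy evaluation (added example, not kernel code).

It mimics the documented policy syntax and first-match semantics so the effect of
a deny-by-default policy on a tampered or relocated binary can be seen offline.
"""

# Constructed example policy: deny everything except executables from the
# verified initramfs or from one specific dm-verity volume. The root hash is a
# placeholder, not that of any real volume.
POLICY_TEXT = """\
policy_name=example_policy policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_roothash=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef action=ALLOW
"""


def _tokens(line):
    """Split 'key=value key=value ...' into an ordered list of (key, value)."""
    pairs = []
    for tok in line.split():
        key, sep, value = tok.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed token {tok!r}")
        pairs.append((key, value))
    return pairs


def parse_policy(text):
    """Parse policy text into a dict with name, version, defaults and rules."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    header = dict(_tokens(lines[0]))
    policy = {"name": header["policy_name"], "version": header["policy_version"],
              "default": None, "op_default": {}, "rules": []}
    for line in lines[1:]:
        if line.startswith("DEFAULT"):
            # Either a global default or an operation-specific one.
            fields = dict(_tokens(line[len("DEFAULT"):]))
            if "op" in fields:
                policy["op_default"][fields["op"]] = fields["action"]
            else:
                policy["default"] = fields["action"]
            continue
        pairs = _tokens(line)
        if pairs[0][0] != "op" or pairs[-1][0] != "action":
            raise ValueError(f"rule must start with op= and end with action=: {line!r}")
        # Every property listed in a rule must match for the rule to apply.
        policy["rules"].append({"op": pairs[0][1], "props": dict(pairs[1:-1]),
                                "action": pairs[-1][1]})
    if policy["default"] is None:
        raise ValueError("policy has no global DEFAULT")
    return policy


def evaluate(policy, op, file_props):
    """Return ALLOW/DENY for `op` on a file with the kernel-supplied properties.

    Rules are checked in order and the first full match decides. A property the
    kernel did not supply for this file (e.g. no dm-verity root hash because the
    file is on tmpfs) can never satisfy a rule that requires it.
    """
    for rule in policy["rules"]:
        if rule["op"] != op:
            continue
        if all(file_props.get(k) == v for k, v in rule["props"].items()):
            return rule["action"]
    return policy["op_default"].get(op, policy["default"])


# Constructed property sets standing in for what the kernel would report.
KNOWN_ROOTHASH = "0123456789abcdef" * 4
FILES = {
    "/init (initramfs)": {"boot_verified": "TRUE"},
    "/usr/bin/app (known verity volume)": {"boot_verified": "FALSE",
                                           "dmverity_roothash": KNOWN_ROOTHASH},
    # An attacker's modified copy cannot live on the read-only verity volume,
    # so it carries none of the trusted-origin properties.
    "/tmp/app (attacker's copy)": {"boot_verified": "FALSE"},
    "/mnt/other/app (unknown verity volume)": {"boot_verified": "FALSE",
                                               "dmverity_roothash": "ff" * 32},
}


def decisions(policy_text=POLICY_TEXT):
    """Evaluate EXECUTE for every constructed file under the given policy."""
    policy = parse_policy(policy_text)
    return {path: evaluate(policy, "EXECUTE", props) for path, props in FILES.items()}


if __name__ == "__main__":
    for path, verdict in decisions().items():
        print(f"{verdict:5} {path}")
```

The point the model makes is the one in the paragraph above: the policy never names individual binaries, it names origins. Tampering with a file means it can no longer come from the verity-protected volume, so the copy in `/tmp` falls through to `DEFAULT action=DENY` even though nothing about IPE ever "inspected" the file's contents.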
The obvious beneficiaries are Microsoft's own platforms: Azure, where Linux workloads are common, and perhaps Azure Sphere, the company's Linux-based system for IoT devices. The module is currently at the RFC (request for comments) stage, so it will be a while before it lands in the mainline kernel.
As Linus Torvalds told the BBC in a 2012 interview, Linux has succeeded thanks to selfishness, so Microsoft contributing a component that initially serves only its own interests should come as no surprise at this point.