Microsoft Announces IPE, an Attempt to Solve Linux’s Code Integrity Problem

Microsoft's IPE looks to fill the gaps in Linux kernel security with a code integrity solution that includes run-time verification and a configurable policy.

Microsoft LOVES Linux

Ten years ago, offering solutions to competing OSes would have felt alien. Today, the company is a significant contributor to Linux, owing to its multi-OS infrastructure. With those customers in mind, it has this week announced a method to solve Linux's code integrity issues.

Integrity Policy Enforcement, or IPE, is a Linux module that will optionally enhance users' safety. According to documentation on GitHub, the module lets admins configure a policy that allows only code they have previously authorized to execute.

While the Linux kernel has several existing methods for integrity verification, Microsoft says these lack “a measure of run-time verification that binaries are sourced from these locations”.

With IPE, server admins should be able to prevent attacks like binary rewriting, malicious binary execution, and linker hijacking. These are all scary as they require little effort but can have a huge impact. Still, it's worth noting that this isn't for your average user.

“IPE is designed for use in devices with a specific purpose like embedded systems (e.g. network firewall device in a data center), where all software and configuration is built and provisioned by the owner,” it explains. “Ideally, a system which leverages IPE is not intended for general purpose computing and does not utilize any software or configuration built by a third party.”

Even so, it could be many weeks before IPE becomes widely available. The module is currently in a Request for Comments (RFC) state and will have to wait on feedback before anyone can utilize it.