Integrity Policy Enforcement, or IPE, is a Linux security module that will optionally enhance user’s safety. According to documentation on GitHub, the module lets admins configure a policy that allows only code they have previously authorized to execute. While the Linux kernel has several existing methods for integrity verification, Microsoft says these lack “a measure of run-time verification that binaries are sourced from these locations”. With IPE, server admins should be able to prevent attacks like binary rewriting, malicious binary execution, and linker hijacking. These are all scary as they require little effort but can have a huge impact. Still, it’s worth noting that this isn’t for your average user. “IPE is designed for use in devices with a specific purpose like embedded systems (e.g. network firewall device in a data center), where all software and configuration is built and provisioned by the owner,” it explains. “Ideally, a system which leverages IPE is not intended for general purpose computing and does not utilize any software or configuration built by a third party.” Even so, it could be many weeks before IPE becomes widely available. The module is currently in a Request for Comments (RFC) state and will have to wait on feedback before anyone can utilize it.
