Discussion about policy-integrity integration on Windows

[rdwaite]

Hi,

A while back we presented a prototype of Node’s Policy integrity integration with Window’s code integrity system. As quick refresher (it’s been a while 😃), we discussed integrity verification using a detached pkcs7 signature that’s then verified by the platform. We’ve done the work to light this feature up, and it’s currently in Windows insider builds. I’d like to take some time to discuss how this would integrate with Node, and brainstorm other platform features that would make using code integrity features easier for devs and sys admins.

I won't be able to attend the upcoming Jan 5th meeting. Do you have time on the agenda during the following security wg meeting to discuss this?

Thanks,
Robert

[RafaelGSS]

Hi Robert,

I'll include it o the agenda, so you can join the next one (Jan 19th)

[rdwaite]

Thanks!

[rdwaite]

@mhdawson , sorry I missed this notification and didn't realize there was a security WG meeting today. Could we get on the agenda for the next security WG meeting? Looking at the meeting notes history, it seems like the next meeting will be on Feb 16. If that's the case I'll put it in my calendar now.

[RafaelGSS]

It will be discussed in the next meeting (Feb 16).

[bmeck]

nodejs/node#47609 is made for --policy-required, now working on single binary bits since it stabilized in version 20. Will need some help w/ exact design for the 2 follow on required bits:

• --windows-policy-integration or w/e we want to call the flag. This flag will perform the detection of and integration of the signed signature based upon policy location? @rdwaite just verifying this detached signature is not per .js file?
• --implicit-policy-location or w/e we want to call the flag. This flag would find a relevant policy for a given application somewhere. We have some old docs on this, https://docs.google.com/document/d/1y_o9WjagX-TYUcxqfvecYi4x65v9bsSd6Sb-P3Cc4F4/edit but that suffers from a mutability and fallthrough attack on package.json. A sidecar file for application entry points might make more sense but require altering policy.json files to allow indirection and add filesystem noise ontop of these detached signatures.