If someone adds a layer to OS's file system such as only the know good white list app, exe, .so, .dll, .sys files with complete crypto-hash signatures are allowed to run in "lockdown" mode.
Everything else are reported and blocked.
Would it be enough to prevent such worm?
It would be interesting exercise to take an old exploitable OS (Win XP, or 10 years old Linux with known issue) add such layer to it. Put it on internet as honeypot and see what other kind of inflections it might get.
Depending on the hash, an attacker would look for collisions to get something running that could then change settings or launch other things. Failing that, you would look for flaws in the system or vulnerabilities in the OS in order to bypass it. Going deeper you run into trusted computing issues, of how do you know the verification firmware hasn't been tampered with?
The simplest approach though is if you're running Chrome, and I exploit Chrome, I'm now running as Chrome and could persist in memory at least until you shut down.
Everything else are reported and blocked.
Would it be enough to prevent such worm?
It would be interesting exercise to take an old exploitable OS (Win XP, or 10 years old Linux with known issue) add such layer to it. Put it on internet as honeypot and see what other kind of inflections it might get.