Mr. Mack,
The problem you are trying to solve is addressed in the computer security
business by a concept called Mandatory Access Control, or MAC. In a MAC
system, each piece of data (typically a file) and each process has a label
which determines its security classification. The system imposes rules that
prevent data from flowing across security boundaries. In a MAC system, there
are both levels and categories. Information can’t travel to a less secure
level, and information can’t travel across category boundaries.
Without a MAC security model, what you are trying to do simply cannot be
done. In the explorer, for example, copy/paste of files are two very
distinct operations, and no code in the kernel has any clue about the
relationship between the reading side and the writing.
I cannot remember if the Win32 security model has provisions for MAC. The
presence of security descriptors on all the objects is certainly part of the
required picture, but I don’t know if the descriptors have a place for the
right information.
Since processes (like the explorer) read data into memory, the granularity
of many MAC decisions is at the process. If a process has permission to read
any ‘high security’ data then it can’t have permission to write any ‘low
security’ data, except via special system calls that ensure that the source
data is low security.
Essentially, it boils down to this.
Step 1: prevent all writes outside ‘your system’.
Step 2: provide a special driver that allows writes outside your system only
of carefully identified materials.
–
Benson Margulies