RE: Re[2]: [ntdev] best method/approach to secure my driver?

Basically, one paranoid approach is you have the driver generate a block of data which is returned to the application which encrypts it with an approach of your choice and returns it to the driver which verifies it by decrypting it. If the results are not what is expected you reject all communication until the application closes the driver, and another app opens it.

Like everything else in security this is one of these competitions, where the attacker and the defender each have challenges.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
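The challenge/response handshake described above, as an added illustration (not Don's code and not anything from the list): the driver hands the application a block on open, the application transforms it with a shared secret, the driver decrypts the answer and compares it with what it issued, and a wrong answer locks that handle out until it is closed and reopened. The block size, the state names and the toy XOR-and-rotate transform are assumptions for this example; a real driver would draw the nonce from a kernel RNG and use a proper cipher.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_LEN 8   /* size of the challenge block (assumed for this example) */

/* Per-handle state a driver would keep in its file-object context. */
typedef enum { AUTH_PENDING, AUTH_TRUSTED, AUTH_REJECTED } AuthState;
typedef struct { uint8_t challenge[BLOCK_LEN]; AuthState state; } HandleCtx;

/* Shared secret: a placeholder value standing in for whatever key material the
 * driver and application really agree on. */
static const uint8_t SECRET[BLOCK_LEN] = {0x5a, 0x13, 0xc7, 0x0e, 0x91, 0x6b, 0x2d, 0xf8};

/* Toy invertible transform (XOR with key, then rotate left by 3) used only so the
 * example is self-contained; the real "approach of your choice" would be a cipher. */
static void app_encrypt(const uint8_t in[BLOCK_LEN], uint8_t out[BLOCK_LEN]) {
    for (int i = 0; i < BLOCK_LEN; i++) {
        uint8_t x = in[i] ^ SECRET[i];
        out[i] = (uint8_t)((x << 3) | (x >> 5));
    }
}
static void drv_decrypt(const uint8_t in[BLOCK_LEN], uint8_t out[BLOCK_LEN]) {
    for (int i = 0; i < BLOCK_LEN; i++) {
        uint8_t x = (uint8_t)((in[i] >> 3) | (in[i] << 5));
        out[i] = x ^ SECRET[i];
    }
}

/* Driver side, on open: fresh session, new challenge, nothing trusted yet.
 * The nonce is passed in here; a driver would draw it from a kernel RNG. */
void drv_open(HandleCtx *c, const uint8_t nonce[BLOCK_LEN]) {
    memcpy(c->challenge, nonce, BLOCK_LEN);
    c->state = AUTH_PENDING;
}

/* Driver side: decrypt the application's answer and compare it with the issued
 * challenge in constant time. Only one attempt is allowed per open; any failure
 * (or a second attempt) poisons the handle until it is closed. */
bool drv_verify(HandleCtx *c, const uint8_t response[BLOCK_LEN]) {
    uint8_t plain[BLOCK_LEN];
    uint8_t diff = 0;
    if (c->state != AUTH_PENDING) { c->state = AUTH_REJECTED; return false; }
    drv_decrypt(response, plain);
    for (int i = 0; i < BLOCK_LEN; i++) diff |= (uint8_t)(plain[i] ^ c->challenge[i]);
    c->state = (diff == 0) ? AUTH_TRUSTED : AUTH_REJECTED;
    return c->state == AUTH_TRUSTED;
}

/* Driver side: gate every other IOCTL on this handle behind the handshake. */
bool drv_allow_ioctl(const HandleCtx *c) { return c->state == AUTH_TRUSTED; }
```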

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Alex don
Sent: Saturday, June 24, 2017 7:01 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re[2]: [ntdev] best method/approach to secure my driver?

Saturday, June 24, 2017 10:25 PM UTC from "Don Burn":

Well you can make the device exclusive so only one application can access it.

Okay, but what if someone takes my driver and loads it into an environment where my application is not running?

You obviously should set the SDDL string for the device to be very restrictive, assuming your service runs with a secure account.

Even if I set the security descriptor of the device, it can still be accessed with enough privileges. Nowadays getting administrator privileges is not a problem for hackers. UAC doesn’t help at all…

Beyond that you are getting into the paranoid zone, things like passing some sort of security block between the driver and the application with an appropriate transformation by the application to make it harder for another application to fake it.

Do you know of some way? For every idea I thought of, I found a way to bypass it:
- checking PID
- checking file integrity
- checking process address

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@mail.ru
Sent: Saturday, June 24, 2017 5:53 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] best method/approach to secure my driver?

If my service communicates with my driver via DeviceIoControl, what is the best way to secure my driver and prevent it from being used by unauthorized applications? For example, random apps sending fake IOCTLs.


NTDEV is sponsored by OSR

Visit the list online at:
http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:
