Verifying a service caller to a driver

Avalon Member Posts: 20
edited November 1 in NTDEV

Hello. Any ideas on how a driver can determine only its associated service should be the one to communicate with the driver?

I've had a look and there is no cert check API in the DDK. MS code is able to do it via the Code Integrity module, but how is a 3rd party driver then supposed to ensure only his service can communicate with his driver? Every scenario I thought of, from filepath verification, image name, etc., all have the potential of being spoofed by an actor. Cert verification is the best way to ensure the service talking to my driver is truly mine, but I don't see any obvious way of invoking it.

Comments

  • Tim_Roberts Member - All Emails Posts: 13,131

    There is one little terminology issue: "associated service" is the term for the driver assigned to a PnP device. I assume you're just asking how to restrict your driver to one user-mode application.

    Frankly, there's nothing you can do that is bulletproof, just like everything in user mode. Any clever lock you create can be picked by a hacker. Like all security issues, there's a serious cost/benefit analysis to be done. You can keep spending more money on security schemes, but you hit diminishing returns very quickly. Really, who's going to want to use your driver?

    If your service starts at startup, you can make your driver "exclusive" so only one app at a time can open it. That will certainly protect against casual users. A sufficiently motivated hacker could write their own service app and force it to start before yours, but why would they do that?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,467

    I suspect you want to use a Service SID. Look up service isolation... you can lock down your device object and only allow access to the service with the specific SID.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
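
The Service SID approach from the last comment, as an added example that is not part of the thread and not OSR's code: it derives the per-service SID from a service name, builds an SDDL string that grants the device object only to SYSTEM and that service, and checks a descriptor for any other allowed trustee. The service name `MyDriverSvc`, the choice of `GA` rights and the helper names are assumptions made for illustration.

```python
import hashlib
import re

def service_sid(service_name: str) -> str:
    """Derive the per-service SID (S-1-5-80-...) for a Windows service name."""
    if not service_name.strip():
        raise ValueError("service name must not be empty")
    # SHA-1 over the upper-cased name encoded as UTF-16LE; the 20-byte digest
    # is read as five little-endian 32-bit sub-authorities.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subs = [int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4)]
    return "S-1-5-80-" + "-".join(str(s) for s in subs)

def device_sddl(service_name: str) -> str:
    """SDDL for the device object: protected DACL, SYSTEM and the service only."""
    return f"D:P(A;;GA;;;SY)(A;;GA;;;{service_sid(service_name)})"

def unexpected_trustees(sddl: str, allowed: set) -> list:
    """Return trustees of allow ACEs that are not in the allowed set."""
    found = []
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        if len(fields) >= 6 and fields[0] == "A" and fields[5] not in allowed:
            found.append(fields[5])
    return found

if __name__ == "__main__":
    name = "MyDriverSvc"  # hypothetical service name (assumption)
    sddl = device_sddl(name)
    print(sddl)
    print(unexpected_trustees(sddl, {"SY", service_sid(name)}))
    # Constructed example of an over-broad descriptor: WD is Everyone
    print(unexpected_trustees("D:P(A;;GA;;;SY)(A;;GRGW;;;WD)", {"SY"}))
```

The resulting string is the kind of SDDL a driver passes to `IoCreateDeviceSecure` or `WdfDeviceInitAssignSDDLString`. The service's token only carries this SID when the service has a SID type configured, for example with `sc.exe sidtype <name> unrestricted`.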
