Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Verifying a service caller to a driver

AvalonAvalon Member Posts: 27
edited November 2019 in NTDEV

Hello. Any ideas on how a driver can determine only it's associated service should be the one to communicate with the driver?

I've had a look and there are no cert checks API in DDK. MS code is able to do it via Code Integrity module, but how is a 3rd party driver then supposed to ensure only his service can communicate with his driver. Every scenario I thought of from filepath verification, image name, etc all have the potential of being spoofed by an actor. Cert verification is the best way to ensure the service talking to my driver is truly mine, but I don't see any obvious way of invoking it.

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,446

    There is one little terminology issue: "associated service" is the term for the driver assigned to a PnP device. i assume you're just asking how to restrict your driver to one user-mode application.

    Frankly, there's nothing you can do that is bulletproof, just like everything in user mode. Any clever lock you create can be picked by a hacker. Like all security issues, there's a serious cost/benefit analysis to be done. You can keep spending more money on security schemes, but you hit diminishing returns very quickly. Really, who's going to want to use your driver?

    If your service starts at startup, you can make your driver "exclusive" so only one app at a time can open it. That will certainly protect against casual users. A sufficiently motivated hacker could write their own service app and force it to start before yours, but why would they do that?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,847

    I suspect you want to use a Service SID. Look up service isolation... you can lock-down your device object and only allow access to the service with the specific SID.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA