How to clear cache of files in a volume?

Flanker · October 5, 2006, 12:05am

Hi all friends:

I’m writing a FS filter driver to decrypt files from CDROM. When the filter driver is unloaded or CDROM is ejected, I want to clear all the file cache belong to this CD volume, because some decrypted file content still resides in cache.

According to the IFS documentation, CcUninitializeCacheMap is able to clear the cache for a specific file, providing the FILE_OBJECT pointer. But how can I get all the FILE_OBJECTs corresponding to the cached files in one specific volume? I haven’t found the enumerate routines yet.

Or it there any better alternative solution?

Thanks,

Cheng

OSR_Community_User · October 5, 2006, 1:04am

Why do you care? Are you concerned someone will retrieve the unencrypted contents by compromising the OS? What’s your threat model justifying this level of paranoia (particularly in the presence of far simpler compromise mechanisms…)

Bottom line: the ONLY way to do this reliably is to reboot the computer. Otherwise, memory mappings will remain resident, and any data read by an application will remain in memory and/or in the paging file.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Flanker · October 5, 2006, 2:20am

Hi Tony:
Thanks for your reply.
I’m not concerning someone will get the decrypted content by compromising the OS. My point is: I want to prevent other to obtain the decrypted content at any time my filter is not being loaded. However, the current problem is that some content of the decrypted file is still in the cache, even after my filter driver is unloaded or the CDROM is ejected, and later unauthorized user can access the cached decrypted content without loading the filter driver.

A specific troublesome scenario is:
I have accessed several files my filter driver. Then I unload the filter and eject the encrypted CD, and then insert this CD again WITHOUT loading filter driver. When browsing the CD, I am still able to read some of the previously accessed decrypted content (i.e. the whole content for small files, and partial for large file). These contents apparently are stored in the cache.
I have also noticed that if i insert a different CD in the second time and then insert the previous CD again, these caches seems to be cleared. Or alternatively, I wait for a long time (e.g. 10 min) before insert the CD, these caches seems to be cleared too.

Regards,

Cheng

OSR_Community_User · October 5, 2006, 2:32am

Unloading a data modified filter is, in my oppinion,
a very serious failure which can lead to data corruption.

Consider this:

CreateFile(AnEncryptedFile.ext)
ReadFile(100000 bytes) // Unencrypted data in cache
WriteFile(100000 bytes) // Data in cache until flush
UnloadYourFilter();
CloseHandle();
// Flushing cache, the file will be overwritten by unencrypted data
// and thus corrupted

I think you should not allow to unload your filter.
This also, as side effect, clears your problem with encrypted data
in the cache.

L.

Slava_Imameyev · October 5, 2006, 5:43am

>I want to clear all the file cache belong to this CD volume

This is impossible, because a file may be mapped in memory and have valid
physical page frames. You can’t purge virtual pages associated with these
physical page frames and applications will read data from memory mapping the
file.

According to the IFS documentation, CcUninitializeCacheMap is able to clear
the cache for a specific file

You can’t call this function in a filter. This function clears the data that
describes the cache but doesn’t purge the virtual pages if the file has been
mapped by a user’s application.

–
Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> Hi all friends:
>
> I’m writing a FS filter driver to decrypt files from CDROM. When the
> filter driver is unloaded or CDROM is ejected, I want to clear all the
> file cache belong to this CD volume, because some decrypted file content
> still resides in cache.
>
> According to the IFS documentation, CcUninitializeCacheMap is able to
> clear the cache for a specific file, providing the FILE_OBJECT pointer.
> But how can I get all the FILE_OBJECTs corresponding to the cached files
> in one specific volume? I haven’t found the enumerate routines yet.
>
> Or it there any better alternative solution?
>
> Thanks,
>
> Cheng
>

OSR_Community_User · October 5, 2006, 8:32am

Simple demonstration of the fundamental problem of unloading. Try the following experiment:

Load your filter.
Load FileMon.
Perform I/O.
Unload your filter.

Slava’s point is that the other complexity here: someone opens the file, maps it, closes the file but continues to use the mapping. Another fiendish sub-example:

- Open the file, marked DELETE_ON_CLOSE (alternative: set disposition later)
- Memory map the file
- Close the file (not the mapping)
- Keep the mapping, and continue performing changes through the mapping

This path creates some wonderful activities in the FSD because it tries to do precisely what you asked about - it wants to purge the cache but cannot do so. An FSD (and filter) must be able to handle this case.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

OSR_Community_User · October 5, 2006, 11:31am

>>According to the IFS documentation, CcUninitializeCacheMap is able to

>clear the cache for a specific file

You can’t call this function in a filter. This function clears the data
that describes the cache but doesn’t purge the virtual pages if the file
has been mapped by a user’s application.

I take it that there would there be similar problems with
CcPurgeCacheSection, then? If you knew the file object and pulled the
SectionObjectPointer out of it, could you clear it out of the cache this
way? I guess I’m assuming that you couldn’t, but I don’t know why, and I’m
curious.

OSR_Community_User · October 11, 2006, 5:29pm

Try CcPurgeCacheSection

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From:
To: “Windows File Systems Devs Interest List”
Sent: Thursday, October 05, 2006 8:06 AM
Subject: [ntfsd] How to clear cache of files in a volume?

> Hi all friends:
>
> I’m writing a FS filter driver to decrypt files from CDROM. When the
filter driver is unloaded or CDROM is ejected, I want to clear all the file
cache belong to this CD volume, because some decrypted file content still
resides in cache.
>
> According to the IFS documentation, CcUninitializeCacheMap is able to
clear the cache for a specific file, providing the FILE_OBJECT pointer. But how
can I get all the FILE_OBJECTs corresponding to the cached files in one
specific volume? I haven’t found the enumerate routines yet.
>
> Or it there any better alternative solution?
>
> Thanks,
>
> Cheng
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com