How to erase cache after closing file ?

I am writing an encryption filter driver and I have the following problem:
after unloading the filter driver I can see the unencrypted content of
the encrypted files because the cache has not been cleared. I tried a
workaround by using CcPurgeCacheSection or CcUninitializeCache after
closing the encrypted file but the data still remains in cache. After
resetting the computer I see the file correctly, as being encrypted.
Any ideas?

Daniel

Daniel,

First, let me note that it is *not* safe to construct filter drivers that
unload for several reasons, particularly when the file is still in cache
(which implies it is still not closed). Yes, you can get away with it
during development, but it cannot be done safely in production.

If the data is still in cache, the file is not closed. You may have
received an IRP_MJ_CLEANUP, but you have not received an IRP_MJ_CLOSE
against that file - something is still using it. Maybe that something is
the memory manager caching the file, but it might also be an application
memory mapping the file.

Calling CcPurgeCacheSection is unsafe if it is not *your* file object and
section object pointers structure. This is because you cannot ensure the
file locks are acquired in the correct order. Remember: lock the FSD locks,
then the Cache Manager locks, then the Memory Manager locks. Thus, if you
are calling CcPurgeCacheSection and this causes a call back INTO the file
system it could deadlock.

If you do own the sections, then you can always call MmForceSectionClosed.
This will only fail when someone really is using the section.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


Thank you, Tony.
But this is not quite the answer I was expecting. Of course I will not
unload the driver, but the user can activate and deactivate it freely.
When the user ends a secured session and logs out then his files must
not be readable by other users. This is the goal and I need some
solutions. CcPurgeCacheSection is the only function I saw to be
closer to what I need although I don’t own that SectionPointer. I am
calling this function when opening a file, and it seems to have a good
effect, but when closing the file (last MJ_CLOSE that has a related
MJ_CREATE) it has no effect. Maybe adding a
FILE_NO_INTERMEDIATE_BUFFERING flag when sending lower a MJ_CREATE will
eliminate the cache but this will be an ugly solution because all the
reads and writes will need to be aligned to 4096, plus I can decide
if a file is encrypted only after I open it, so all files will be opened
without cache. Also I don’t know how memory mapped files will be affected.
Maybe user mode is more suited for purging cache? I have also an
application, a close friend of the driver, maybe I can ask it to do the job.
Anyone?


> When the user ends a secured session and logs out then his files must
> not be readable by other users. This is the goal and I need some
> solutions. CcPurgeCacheSection is the only function I saw to be
> closer to what I need although I don’t own that SectionPointer

You should not use purging the cache as an indirect way of denying access to the
file. You need to deny access to an encrypted file when the file is being
opened.

Alexei.

Benson Margulies wrote:

It is very hard to make Windows work for use as a multi-user, secure,
system, if you don’t trust the basic access control model or the wrong
people have admin access. Data in the cache is only accessible to people
who either (a) have privilege access, or (b) have ACL access to the
files that contain it.

If (a) is compromised, then you have this scenario:

  1. Bob logs in, and uses admin access to install a service that spies on
    memory.
  2. Alice logs in, supplies her keys, and decrypts files.
  3. Bob’s service grabs all the data and shovels it down a socket or into
    a file.
  4. Alice logs out. Even if you do flush all her data from the cache, …
  5. Bob collects.

If the machine is secure enough to prevent this scenario, then leftover
cleartext in the cache is not very much of a worry.


Encryption IS supposed to protect Users from Administrators. It’s a
must.
While NTFS permissions CANNOT save Users from Administrators (Admin can
take Ownership), an encryption driver that is Users aware can.

Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Keep in mind that ultimately you simply cannot protect user data from
administrators if that user data is capable of being accessed (at least,
not with the current hardware). At the end of the day, if you define an
administrator as one who has physical access to the machine, an
administrator can just use a debugger to peek at the data the way the
user sees it.

jr tipton
This posting is provided “AS IS” with no warranties, and confers no
rights.


Maybe that’s what encryption is supposed to do, but I don’t think that a
filter-driver encryption scheme can possibly do it.

An admin can, for example, make arrangements to splice your filter
driver back out of the system.

Even if you avoid a driver and just have a user-mode program to decrypt, a
service installed by an admin can spy on memory and catch your data.

You can make it more difficult, but you can’t make it impossible.

Don’t store embarrassing things on computers which you don’t control.

About CcFlushCache/CcPurgeCacheSection… I believe it is safe to call
from a filter provided both of the following are true:

  1. You are calling at top level, which means that Cc and Mm have not
    taken any locks before you. IRP_MJ_CLEANUP is always called at top
    level, as far as I know.

  2. You acquire both FCB locks before you call
    CcFlushCache/CcPurgeCacheSection. There IS a safe algorithm to do this
    that has been posted on this list (and that I’ve used with success).
    Simply take one lock exclusive, then try to take the other with the Wait
    parameter set to FALSE. If it can’t be acquired, then release the FIRST
    lock, wait for a very short period of time, then try again.

There is nothing to say that non-standard filesystems won’t acquire
additional resources in their acquire callback routines (that you won’t
be acquiring here), but this technique is rock-solid with Microsoft’s
filesystems as far as I can tell.

- Nicholas Ryan
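The acquisition algorithm in point 2 above, modelled in user-mode C as an added example; this is not code from the thread or from any of the posters, and it is not kernel code. Two pthread mutexes stand in for the FCB's MainResource and PagingIoResource (ERESOURCEs in a real filter), pthread_mutex_trylock stands in for ExAcquireResourceExclusiveLite with Wait=FALSE, and sched_yield stands in for the short wait. The two worker threads and the guarded counter are constructed for the demonstration: they take the pair in opposite orders, which is exactly the situation in which two plain blocking acquires would deadlock.

```c
/*
 * Added example (not code from the thread): a user-mode model of the
 * "take one lock, try the other with Wait=FALSE, back off, retry" pattern.
 * pthread mutexes stand in for the FCB's MainResource/PagingIoResource
 * ERESOURCEs; pthread_mutex_trylock stands in for ExAcquireResourceExclusiveLite
 * with Wait=FALSE. Threads and the counter are constructed for the demo.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <sched.h>
#include <stdio.h>

#define ITERATIONS 20000u

typedef struct {
    pthread_mutex_t main_resource;      /* models the FCB's MainResource */
    pthread_mutex_t paging_io_resource; /* models the FCB's PagingIoResource */
} model_fcb_t;

/* Lock 'first' (Wait=TRUE), then try 'second' (Wait=FALSE). If the second is
 * busy, release the first, yield, and start over: this thread never blocks
 * while holding one of the pair, which is what prevents the deadlock. */
static void acquire_both(pthread_mutex_t *first, pthread_mutex_t *second,
                         unsigned *retries)
{
    for (;;) {
        pthread_mutex_lock(first);
        if (pthread_mutex_trylock(second) == 0)
            return;                      /* holding both */
        pthread_mutex_unlock(first);
        (*retries)++;
        sched_yield();                   /* "wait a very short period" */
    }
}

static void release_both(pthread_mutex_t *first, pthread_mutex_t *second)
{
    pthread_mutex_unlock(second);
    pthread_mutex_unlock(first);
}

typedef struct {
    model_fcb_t *fcb;
    int main_first;      /* 1: Main then PagingIo, 0: PagingIo then Main */
    unsigned retries;    /* back-offs taken by this thread */
    unsigned completed;  /* iterations finished */
} worker_t;

/* Incremented only while both locks are held; a lost update would show that
 * the model's mutual exclusion is broken. */
static unsigned long g_guarded_counter;

static void *worker(void *arg)
{
    worker_t *w = arg;
    pthread_mutex_t *a = w->main_first ? &w->fcb->main_resource
                                       : &w->fcb->paging_io_resource;
    pthread_mutex_t *b = w->main_first ? &w->fcb->paging_io_resource
                                       : &w->fcb->main_resource;

    for (unsigned i = 0; i < ITERATIONS; i++) {
        acquire_both(a, b, &w->retries);
        g_guarded_counter++;   /* where CcFlushCache/CcPurgeCacheSection would go */
        w->completed++;
        release_both(a, b);
    }
    return NULL;
}

/* Run two workers that take the pair in opposite orders. Returns 1 when both
 * finish every iteration with no lost update, 0 otherwise. *retries_out, if
 * not NULL, receives the total number of back-offs that were needed. */
int run_opposite_order_demo(unsigned *retries_out)
{
    model_fcb_t fcb;
    worker_t w1 = { &fcb, 1, 0, 0 };
    worker_t w2 = { &fcb, 0, 0, 0 };
    pthread_t t1, t2;

    pthread_mutex_init(&fcb.main_resource, NULL);
    pthread_mutex_init(&fcb.paging_io_resource, NULL);
    g_guarded_counter = 0;

    if (pthread_create(&t1, NULL, worker, &w1) != 0)
        return 0;
    if (pthread_create(&t2, NULL, worker, &w2) != 0) {
        pthread_join(t1, NULL);
        return 0;
    }
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    pthread_mutex_destroy(&fcb.main_resource);
    pthread_mutex_destroy(&fcb.paging_io_resource);

    if (retries_out)
        *retries_out = w1.retries + w2.retries;
    return w1.completed == ITERATIONS && w2.completed == ITERATIONS &&
           g_guarded_counter == 2UL * ITERATIONS;
}

int main(void)
{
    unsigned retries = 0;
    int ok = run_opposite_order_demo(&retries);
    printf("%s: %u iterations per thread, %u back-offs\n",
           ok ? "ok" : "FAILED", ITERATIONS, retries);
    return ok ? 0 : 1;
}
```

In a real filter the same shape is ExAcquireResourceExclusiveLite(first, TRUE), ExAcquireResourceExclusiveLite(second, FALSE), ExReleaseResourceLite(first) on failure and KeDelayExecutionThread for the back-off, inside KeEnterCriticalRegion/KeLeaveCriticalRegion at or below APC_LEVEL. The model covers exclusive acquires only; it does nothing about the top-level requirement in point 1, and the caveat above about a filesystem that takes extra resources in its acquire callbacks still applies.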

Dejan Maksimovic wrote:

If the data is encrypted, that’s enough so that he cannot see it on
different hardware.


I don’t understand what you mean by that statement – ultimately, an
administrator can attach a kernel debugger to the machine and just look
at what the decrypted user view of the data is while the user is
accessing it. The cache is irrelevant here.

jr tipton
This posting is provided “AS IS” with no warranties, and confers no
rights.


Sure, but the administrator cannot force the user to access the file,
right? He could ultimately look at a file the user accesses, but he
can’t choose when/which files the user accesses and are therefore
decrypted. This is slightly different than an attack which would let
the administrator have free rein over any file he wishes to view at any
time.

Matt


Matthew,

Unless you are using per-file keys (that the user has to enter for EACH
file), as an administrator I can decrypt *anything* that another user on the
system can decrypt. This isn’t even particularly difficult to accomplish.

Once I can run something within the TCB, I can do or access anything that
any user on the system can do or access. That is why it is the “Trusted
Computing Base”. So anyone who has “load driver” privilege can compromise
system security (not just “Administrator”).

If you really want to flush all information from the system, the safest
thing to do is to reboot the system, scrub the paging file and physical
memory. Otherwise, it is possible that the *application* used to access the
data employed the ReadFile API - and read the (unencrypted) data into a
buffer within its address space. Of course, such buffers are subject to
normal paging (remember - this is a private buffer, not a memory mapped
file) and hence cleartext data could be written into the paging file and be
present even after the *cache* is cleared. In fact, I can probably
encourage this type of behavior (as a different user on the system) without
any special privileges so when the original user leaves later I can access
the data he left around in the paging file.

Cleartext data is also present in the physical memory that was used by the
application during its execution. It is quite possible that some/all of
that data could be obtained after the application exits merely by using a
“large ping packet” attack so that the network drivers will send partially
unscrubbed data packets back to the caller. This is a little more
speculative, but it is something I can try while he is using/running his
application - and I can do so from a different computer on the network.

My point is that focusing on the cleartext data in the cache doesn’t make
sense unless you are going through a thorough threat analysis and
determining all of the potential sources for this data to remain in memory
and eliminate all of them - focusing on those that do not require being
inside the TCB first.

So my vote is that when the user disables encryption or logs out, you should
reboot the machine after scrubbing the paging file and all of physical
memory. That way there’s no data available to be compromised - in the
cache, the paging file, or physical memory that has not yet been scrubbed.

There is a reason that hardened secure systems are slow…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
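Tony's ReadFile point, made concrete as an added example that is not from this thread: portable C that reads a constructed sample "file" into a private application buffer, closes the file, and counts how many plaintext bytes are still sitting in that buffer, with and without the application scrubbing it. The sample data, the temporary file and the helper names are all made up for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: stands in for the decrypted content that the
 * filter driver hands to an application reading it with ReadFile. */
static const char SAMPLE_PLAINTEXT[] = "ACCOUNT=4111-1111-1111-1111;PIN=0420";
#define SAMPLE_LEN (sizeof SAMPLE_PLAINTEXT - 1)

/* Erase through a volatile function pointer so the compiler cannot drop
 * the memset as a dead store (the buffer is never read again afterwards,
 * which is exactly when a plain memset gets optimized away). On Windows
 * the same job is done by SecureZeroMemory(). */
static void *(*volatile secure_memset_fn)(void *, int, size_t) = memset;
static void secure_zero(void *p, size_t n) { secure_memset_fn(p, 0, n); }

/* Reads the "file" into a private application buffer, closes the file,
 * then reports how many plaintext bytes remain readable in that buffer.
 * Closing the handle (and any cache purge the filter does behind it)
 * never touches this memory; only the application's own scrub does. */
size_t plaintext_bytes_after_close(int scrub)
{
    unsigned char buf[SAMPLE_LEN];
    size_t i, remaining = 0;

    FILE *f = tmpfile();               /* constructed stand-in for the encrypted file */
    if (!f)
        return (size_t)-1;
    fwrite(SAMPLE_PLAINTEXT, 1, SAMPLE_LEN, f);
    rewind(f);
    if (fread(buf, 1, SAMPLE_LEN, f) != SAMPLE_LEN) {
        fclose(f);
        return (size_t)-1;
    }
    fclose(f);                         /* cleanup/close happen here; buf is untouched */

    if (scrub)
        secure_zero(buf, sizeof buf);  /* what the application itself has to do */

    for (i = 0; i < SAMPLE_LEN; i++)
        if (buf[i] == (unsigned char)SAMPLE_PLAINTEXT[i])
            remaining++;
    return remaining;                  /* SAMPLE_LEN unscrubbed, 0 scrubbed */
}
```

On Windows, pairing the scrub with VirtualLock on the buffer keeps those pages out of the paging file while the process runs, which is the second exposure Tony describes above.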

-----Original Message-----
From: Matthew White [mailto:xxxxx@fsnnet.net]
Sent: Friday, April 25, 2003 2:06 PM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?

Sure, but the administrator cannot force the user to access the file,
right? He could ultimately look at a file the user accesses, but he
can’t choose when/which files the user accesses and are therefore
decrypted. This is slightly different than an attack which would let
the administrator have free rein over any file he wishes to view at any
time.

Matt

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of J.R. Tipton
Sent: Friday, April 25, 2003 1:28 PM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?

I don’t understand what you mean by that statement – ultimately, an
administrator can attach a kernel debugger to the machine and just look
at what the decrypted user view of the data is while the user is
accessing it. The cache is irrelevant here.

jr tipton
This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Friday, April 25, 2003 8:45 AM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?

If the data is encrypted, that’s enough if so that he cannot see it
on different hardware.

“J.R. Tipton” wrote:

Keep in mind that ultimately you simply cannot protect user data from
administrators if that user data is capable of being accessed (at least,
not with the current hardware). At the end of the day, if you define an
administrator as one who has physical access to the machine, an
administrator can just use a debugger to peek at the data the way the
user sees it.

jr tipton
This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Thursday, April 24, 2003 9:42 AM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?

Encryption IS supposed to protect Users from Administrators. It’s a must.
While NTFS permissions CANNOT save Users from Administrators (Admin can
take Ownership), an encryption driver that is Users aware can.

Benson Margulies wrote:

> It is very hard to make Windows work for use as a multi-user, secure,
> system, if you don’t trust the basic access control model or the wrong
> people have admin access. Data in the cache is only accessible to people
> who either (a) have privilege access, or (b) have ACL access to the
> files that contain it.
>
> If (a) is compromised, then you have this scenario:
>
> 1) Bob logs in, and uses admin access to install a service that spies on
> memory.
> 2) Alice logs in, supplies her keys, and decrypts files.
> 3) Bob’s service grabs all the data and shovels it down a socket or into
> a file.
> 4) Alice logs out. Even if you do flush all her data from the cache,
> 5) Bob collects.
>
> If the machine is secure enough to prevent this scenario, then leftover
> cleartext in the cache is not very much of a worry.
>
> -----Original Message-----
> From: Alexei Jelvis [mailto:xxxxx@rogers.com]
> Sent: Thursday, April 24, 2003 10:18 AM
> To: File Systems Developers
> Subject: [ntfsd] RE: How to erase cache after closing file ?
>
> >When the user ends a secured session and logs out then his files must
> >not be readable by other users. This is the goal and I need some
> >solutions. CcPurgeCacheSection is the only function I saw to be more
> >close to what I need although I don’t own that SectionPointer
>
> You should not use purging cache as indirect way of denying access to
> the file. You need to deny access to an encrypted file when the file is
> being opened.
>
> Alexei.
>


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption
services.
Alfa File Protector - File protection and hiding library for Win32
developers. Alfa File Monitor - File monitoring library for Win32
developers.

Tony,
I wholeheartedly agree with your statement concerning per-file
keys. Yes, you would have to be using per-file keys that are not
available to the administrator in order for my previous reply to make
much sense. The main point I was trying to make was that an attack that
gives you full, no holds barred access to every encrypted file is
different from one in which you use remnants of plaintext left in
memory, pagefile, etc. How much better security such a scenario would
provide is an arguable point, to be sure.

Matt

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Friday, April 25, 2003 2:43 PM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?

Matthew,

Unless you are using per-file keys (that the user has to enter for EACH
file), as an administrator I can decrypt *anything* that another user on
the system can decrypt. This isn’t even particularly difficult to
accomplish.

Once I can run something within the TCB, I can do or access anything
that any user on the system can do or access. That is why it is the
“Trusted Computing Base”. So anyone who has “load driver” privilege can
compromise system security (not just “Administrator”).

If you really want to flush all information from the system, the safest
thing to do is to reboot the system, scrub the paging file and physical
memory. Otherwise, it is possible that the *application* used to access
the data employed the ReadFile API - and read the (unencrypted) data
into a buffer within its address space. Of course, such buffers are
subject to normal paging (remember - this is a private buffer, not a
memory mapped file) and hence cleartext data could be written into the
paging file and be present even after the *cache* is cleared. In fact, I
can probably encourage this type of behavior (as a different user on the
system) without any special privileges so when the original user leaves
later I can access the data he left around in the paging file.

Cleartext data is also present in the physical memory that was used by
the application during its execution. It is quite possible that
some/all of that data could be obtained after the application exits
merely by using a “large ping packet” attack so that the network drivers
will send partially unscrubbed data packets back to the caller. This is
a little more speculative, but it is something I can try while he is
using/running his application - and I can do so from a different
computer on the network.

My point is that focusing on the cleartext data in the cache doesn’t
make sense unless you are going through a thorough threat analysis and
determining all of the potential sources for this data to remain in
memory and eliminate all of them - focusing on those that do not require
being inside the TCB first.

So my vote is that when the user disables encryption or logs out, you
should reboot the machine after scrubbing the paging file and all of
physical memory. That way there’s no data available to be compromised -
in the cache, the paging file, or physical memory that has not yet been
scrubbed.

There is a reason that hardened secure systems are slow…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
