Tony,
I wholeheartedly agree with your statement concerning per-file
keys. Yes, you would have to be using per-file keys that are not
available to the administrator in order for my previous reply to make
much sense. The main point I was trying to make was that an attack that
gives you full, no holds barred access to every encrypted file is
different from one in which you use remnants of plaintext left in
memory, pagefile, etc. How much better security such a scenario would
provide is an arguable point, to be sure.
Matt
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Friday, April 25, 2003 2:43 PM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?
Matthew,
Unless you are using per-file keys (that the user has to enter for EACH
file), as an administrator I can decrypt *anything* that another user on
the system can decrypt. This isn’t even particularly difficult to
accomplish.
Once I can run something within the TCB, I can do or access anything
that any user on the system can do or access. That is why it is the
“Trusted Computing Base”. So anyone who has “load driver” privilege can
compromise system security (not just “Administrator”).
If you really want to flush all information from the system, the safest
thing to do is to reboot the system, scrub the paging file and physical
memory. Otherwise, it is possible that the *application* used to access
the data employed the ReadFile API - and read the (unencrypted) data
into a buffer within its address space. Of course, such buffers are
subject to normal paging (remember - this is a private buffer, not a
memory mapped file) and hence cleartext data could be written into the
paging file and
be present even after the *cache* is cleared. In fact, I can probably
encourage this type of behavior (as a different user on the system)
without any special privileges so when the original user leaves later I
can access the data he left around in the paging file.
Cleartext data is also present in the physical memory that was used by
the application during its execution. It is quite possible that
some/all of that data could be obtained after the application exits
merely by using a “large ping packet” attack so that the network drivers
will send partially unscrubbed data packets back to the caller. This is
a little more speculative, but it is something I can try while he is
using/running his application - and I can do so from a different
computer on the network.
My point is that focusing on the cleartext data in the cache doesn’t
make sense unless you are going through a thorough threat analysis and
determining all of the potential sources for this data to remain in
memory and eliminate all of them - focusing on those that do not require
being inside the TCB first.
So my vote is that when the user disables encryption or logs out, you
should reboot the machine after scrubbing the paging file and all of
physical memory. That way there’s no data available to be compromised -
in the cache, the paging file, or physical memory that has not yet been
scrubbed.
There is a reason that hardened secure systems are slow…
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
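Tony's point about the *application* side is the one a user-mode developer can actually act on: plaintext read into a private buffer is pageable, and it stays in RAM after the buffer is freed unless something overwrites it. The following is an added example, not code from this thread or from OSR, showing the two mitigations for that layer: lock the buffer's pages in RAM so the pager never copies them to the paging file (VirtualLock on Windows, mlock elsewhere), and wipe the buffer with a store the compiler cannot optimize away (SecureZeroMemory on Windows, a volatile write loop elsewhere) before releasing it. The `secure_buf` type and its function names are this example's own. It does nothing against anyone already inside the TCB, which is the thread's larger point; it only removes the paging-file and stale-memory copies that Tony describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Wipe a buffer so the compiler cannot drop the stores as "dead":
 * Windows exposes SecureZeroMemory for this; elsewhere we write
 * through a volatile pointer, which has the same effect. */
static void scrub(void *p, size_t n)
{
#ifdef _WIN32
    SecureZeroMemory(p, n);
#else
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
#endif
}

/* Ask the OS to keep the buffer's pages resident so the pager never
 * copies them to the paging file. Returns 1 on success, 0 on failure
 * (for example when the process is over its locked-memory limit). */
static int pin_pages(void *p, size_t n)
{
#ifdef _WIN32
    return VirtualLock(p, (SIZE_T)n) ? 1 : 0;
#else
    return mlock(p, n) == 0 ? 1 : 0;
#endif
}

static void unpin_pages(void *p, size_t n)
{
#ifdef _WIN32
    VirtualUnlock(p, (SIZE_T)n);
#else
    munlock(p, n);
#endif
}

/* Plaintext holding buffer with an explicit lifecycle (hypothetical type):
 * allocate + pin, use, wipe, unpin + free. */
typedef struct {
    unsigned char *data;
    size_t len;
    int pinned; /* 1 if the pages are locked in RAM */
} secure_buf;

int secure_buf_alloc(secure_buf *b, size_t len)
{
    b->data = (unsigned char *)calloc(len, 1);
    if (b->data == NULL)
        return 0;
    b->len = len;
    /* Pinning can fail; the caller decides whether pageable memory is
     * acceptable for its threat model, so record it rather than abort. */
    b->pinned = pin_pages(b->data, len);
    return 1;
}

/* Wipe the plaintext; returns 1 if every byte reads back as zero. */
int secure_buf_wipe(secure_buf *b)
{
    size_t i;
    scrub(b->data, b->len);
    for (i = 0; i < b->len; i++)
        if (b->data[i] != 0)
            return 0;
    return 1;
}

/* Wipe, unlock and release; the struct is left empty so a double free
 * or a use after free has nothing to read. */
void secure_buf_free(secure_buf *b)
{
    if (b->data == NULL)
        return;
    secure_buf_wipe(b);
    if (b->pinned)
        unpin_pages(b->data, b->len);
    free(b->data);
    b->data = NULL;
    b->len = 0;
    b->pinned = 0;
}

/* Run the lifecycle on a constructed sample plaintext. Returns 1 when the
 * buffer held the data while in use and was fully zeroed afterwards. */
int demo_lifecycle(void)
{
    static const char plaintext[] = "constructed sample plaintext";
    secure_buf b;
    int ok = 1;

    if (!secure_buf_alloc(&b, sizeof plaintext))
        return 0;
    memcpy(b.data, plaintext, sizeof plaintext);   /* stand-in for ReadFile */
    if (memcmp(b.data, plaintext, sizeof plaintext) != 0)
        ok = 0;
    if (!secure_buf_wipe(&b))
        ok = 0;
    secure_buf_free(&b);
    return ok;
}

int main(void)
{
    secure_buf b;
    if (!secure_buf_alloc(&b, 4096))
        return 1;
    printf("pages pinned in RAM: %s\n", b.pinned ? "yes" : "no (pageable)");
    secure_buf_free(&b);
    printf("lifecycle demo: %s\n", demo_lifecycle() ? "ok" : "FAILED");
    return 0;
}
```

The check in `secure_buf_wipe` is there because a plain `memset` before `free` is exactly the store an optimizing compiler is allowed to delete; reading the bytes back after the volatile wipe confirms they were really written. Locked memory is a limited resource, so `pinned` is reported rather than enforced, and a caller handling keys or decrypted file contents should treat a pin failure as a reason to stop rather than to continue in pageable memory.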
-----Original Message-----
From: Matthew White [mailto:xxxxx@fsnnet.net]
Sent: Friday, April 25, 2003 2:06 PM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?
Sure, but the administrator cannot force the user to access the file,
right? He could ultimately look at a file the user accesses, but he
can’t choose when/which files the user accesses and are therefore
decrypted. This is slightly different than an attack which would let
the administrator have free reign over any file he wishes to view at any
time.
Matt
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of J.R. Tipton
Sent: Friday, April 25, 2003 1:28 PM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?
I don’t understand what you mean by that statement – ultimately, an
administrator can attach a kernel debugger to the machine and just look
at what the decrypted user view of the data is while the user is
accessing it. The cache is irrelevant here.
jr tipton
This posting is provided “AS IS” with no warranties, and confers no
rights.
-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Friday, April 25, 2003 8:45 AM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?
If the data is encrypted, that’s enough so that he cannot see it on
different hardware.
“J.R. Tipton” wrote:
Keep in mind that ultimately you simply cannot protect user data from
administrators if that user data is capable of being accessed (at least,
not with the current hardware). At the end of the day, if you define an
administrator as one who has physical access to the machine, an
administrator can just use a debugger to peek at the data the way the
user sees it.
jr tipton
This posting is provided “AS IS” with no warranties, and confers no
rights.
-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Thursday, April 24, 2003 9:42 AM
To: File Systems Developers
Subject: [ntfsd] RE: How to erase cache after closing file ?
Encryption IS supposed to protect Users from Administrators. It’s a must.
While NTFS permissions CANNOT save Users from Administrators (Admin can
take Ownership), an encryption driver that is Users aware can.
Benson Margulies wrote:
> It is very hard to make Windows work for use as a multi-user, secure,
> system, if you don’t trust the basic access control model or the wrong
> people have admin access. Data in the cache is only accessible to people
> who either (a) have privilege access, or (b) have ACL access to the
> files that contain it.
>
> If (a) is compromised, then you have this scenario:
>
> 1) Bob logs in, and uses admin access to install a service that spies on
> memory.
> 2) Alice logs in, supplies her keys, and decrypts files.
> 3) Bob’s service grabs all the data and shovels it down a socket or into
> a file.
> 4) Alice logs out. Even if you do flush all her data from the cache, …
> 5) Bob collects.
>
> If the machine is secure enough to prevent this scenario, then leftover
> cleartext in the cache is not very much of a worry.
>
> -----Original Message-----
> From: Alexei Jelvis [mailto:xxxxx@rogers.com]
> Sent: Thursday, April 24, 2003 10:18 AM
> To: File Systems Developers
> Subject: [ntfsd] RE: How to erase cache after closing file ?
>
> >When the user ends a secured session and logs out then his files must
> >not be readable by other users. This is the goal and I need some
> >solutions. CcPurgeCacheSection is the only function I saw to be closer
> >to what I need although I don’t own that SectionPointer
>
> You should not use purging cache as an indirect way of denying access to
> the file. You need to deny access to an encrypted file when the file is
> being opened.
>
> Alexei.
>
> --
> You are currently subscribed to ntfsd as: xxxxx@basistech.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>
--
Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption
services.
Alfa File Protector - File protection and hiding library for Win32
developers. Alfa File Monitor - File monitoring library for Win32
developers.