How to prevent a readable file from being copied out?

> But the x86 doesn’t extend this to registers. So if I mov al, <<address>>, then how do you mark al as “tainted”? If I store al somewhere,
> 10,000 instructions later (carefully crafted to not disturb al) how do I
> find the target of mov <<address>>, al, without doing a
> complete instruction-set simulation? Perhaps this is the source of the
> “inefficiency”, which means even legitimate users using approved apps
> suffer.

You’ve got the right idea. People have explored many clever optimizations,
but as far as I’ve seen the performance is quite poor.

> In addition, is a “display driver” not a driver? And if I spoof
> a display driver with one that has a “send to network” module built in…?

Depends on your application of course, but one could allow writing to the
display driver, and use a TPM-based attested boot process to ensure that
only signed drivers are loaded, or if you’re doing all this at the
hypervisor level then the drivers in your Windows VM are all virtualized
and you’d recognize the network traffic for what it is as it exits
the VM, regardless of what driver did it.

Anyway, it ends up being a bit off-topic for this list, but hey… he asked.

> joe
> > Not sure I follow - it’s really not an encryption thing. The idea with
> > taint tracking is that you track memory movement in the system. When the
> > application opens a file in the protected folder, the buffer that you read
> > into becomes tainted. Anytime any process or the OS reads that tainted
> > memory into a register or copies it into RAM, those locations become
> > tainted too until they are overwritten. You do that by marking the tainted
> > memory unreadable in the OS (or lower) and then trapping when they are
> > accessed and running binary analysis on the code accessing your tainted
> > buffer. When your binary analysis tells you that tainted data is about to
> > be sent to a driver (particularly the disk or the network), you fail the
> > memory access or kill the application. If all that doesn’t sound scary
> > enough, the nasty bit is that if the process takes a branch based on data
> > in the tainted buffer you have to then taint everything the application
> > does within the branching code block.
> >
> > I think you’d have to run Windows in a VM to have any hope of getting it
> > to work, but I think this is basically what the OP is asking for.
> >
> > I won’t argue that it’s practical, but if you’re willing to sacrifice
> > performance, possibly stability, a tremendous developer effort, and
> > portability, the result is that you probably can prevent a system from
> > making any digital copies of select data. If you are also worried about
> > someone copying the screen with a camera or a notepad, then you need
> > security cameras.
> >
> > --Dutch
> >
> > On Sun, Jun 30, 2013 at 10:03 PM, wrote:
> >
> >> Keeping the data encrypted, and protecting the private decryption keys,
> >> solves one set of problems. It doesn’t keep the file from being “copied
> >> out” but it makes sure the contents are not easily usable if they are
> >> copied. But this requires a LOT more effort, and at the moment, lacking
> >> the “secure core”, there is no way to guarantee the private keys are
> >> adequately protected. And it still doesn’t protect the record against
> >> having its contents photographed from the screen.
> >> joe
> >>
> >>
> >> > There is an area of systems research called “taint tracking” that has
> >> > been used to allow data to be read but not digitally copied (e.g.
> >> > http://static.usenix.org/event/osdi10/tech/full_papers/Enck.pdf) and
> >> > would seem to address your needs. Generally speaking Taint Tracking is
> >> > extremely expensive to enforce and requires considerably more hooks into
> >> > the OS than a minifilter can provide.
> >> >
> >> > --Dutch
> >> >
> >> > On Sun, Jun 30, 2013 at 8:20 PM, wrote:
> >> >
> >> >> Joseph,
> >> >>
> >> >> Thanks for the feedback :slight_smile:
> >> >>
> >> >> I have a minifilter driver that monitors files within a folder so that
> >> >> files cannot be copied out from the protected folder. This can be done
> >> >> with the non-readable files method.
> >> >>
> >> >> Problem is, users (nurses in a hospital) want to read files within that
> >> >> protected folder, so in this case I have to set these files to
> >> >> READ-ONLY, and at the same time they are not protected from being
> >> >> copied out.
> >> >>
> >> >> I can understand the concern: in the first place, why should we allow
> >> >> a file to be opened for READ and open chances for it to be copied into
> >> >> other locations? I really find it hard to explain to non-technical
> >> >> people, as this is one of the requirements.
> >> >>
> >> >> I am aware that “COPY” means to open for reading, which actually allows
> >> >> files to be copied out, and this is the reason that I place the
> >> >> question here.
> >> >>
> >> >> Please advise.
> >> >> —
> >> >> NTFSD is sponsored by OSR
> >> >>
> >> >> OSR is hiring!! Info at http://www.osr.com/careers
> >> >>
> >> >> For our schedule of debugging and file system seminars visit:
> >> >> http://www.osr.com/seminars
> >> >>
> >> >> To unsubscribe, visit the List Server section of OSR Online at
> >> >> http://www.osronline.com/page.cfm?name=ListServer


-=-Dutch
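Dutch’s description of taint tracking above (taint that follows the data through registers and memory, a check at the driver boundary, and tainting everything written inside a branch block decided on tainted data), as an added toy simulator that is not part of the thread. The tiny instruction set, the register names and the PROTECTED source name are constructed assumptions, not x86 or Windows specifics.

```python
# Added toy dynamic taint tracker for a tiny register machine (not code from the
# thread); instruction set, registers and PROTECTED are constructed, not x86/Windows.

PROTECTED = "protected_file"   # a read from here taints the destination register

class TaintMachine:
    def __init__(self):
        self.regs = {"al": 0, "bl": 0, "cl": 0}
        self.mem = {}
        self.treg = set()        # tainted registers
        self.tmem = set()        # tainted memory addresses
        self.joins = []          # join points of branches decided by tainted data; non-empty = inside such a block
        self.violations = []     # (pc, sink, register, reason)

    def set_reg(self, dst, value, tainted):
        # overwriting with clean data clears the taint; every write made inside
        # a tainted branch block is tainted (implicit flow)
        self.regs[dst] = value
        if tainted or self.joins:
            self.treg.add(dst)
        else:
            self.treg.discard(dst)

    def step(self, pc, ins):
        op, args = ins[0], ins[1:]
        while self.joins and pc >= self.joins[-1]:
            self.joins.pop()               # reached the join point: block is over
        if op == "read":                   # read dst, source, value
            self.set_reg(args[0], args[2], args[1] == PROTECTED)
        elif op == "imm":                  # imm dst, constant
            self.set_reg(args[0], args[1], False)
        elif op == "mov":                  # mov dst, src: taint follows the data
            self.set_reg(args[0], self.regs[args[1]], args[1] in self.treg)
        elif op == "store":                # store addr, src: taint follows the data
            addr, src = args
            self.mem[addr] = self.regs[src]
            tainted = src in self.treg or bool(self.joins)
            (self.tmem.add if tainted else self.tmem.discard)(addr)
        elif op == "load":                 # load dst, addr
            self.set_reg(args[0], self.mem.get(args[1], 0), args[1] in self.tmem)
        elif op == "jz":                   # jz reg, target (forward jumps only)
            reg, target = args
            if reg in self.treg:           # the branch outcome now encodes tainted data
                self.joins.append(target)
            if self.regs[reg] == 0:
                return target
        elif op == "send":                 # send sink, src: the driver boundary
            sink, src = args
            if src in self.treg:
                self.violations.append((pc, sink, src, "tainted register"))
            elif self.joins:
                self.violations.append((pc, sink, src, "inside tainted branch"))
        return pc + 1

def check(program):
    """Run a program up to 'halt' and return the sink violations it triggers."""
    m, pc = TaintMachine(), 0
    while program[pc][0] != "halt":
        pc = m.step(pc, program[pc])
    return m.violations

# Constructed sample 1: the byte detours through memory and two more registers
# before reaching the network driver; the overwritten al may legitimately go to disk.
PROG_COPY_OUT = [
    ("read", "al", PROTECTED, 0x41), ("store", 0x1000, "al"), ("imm", "al", 0),
    ("send", "disk", "al"), ("load", "bl", 0x1000), ("mov", "cl", "bl"),
    ("send", "network", "cl"), ("halt",),
]
# Constructed sample 2: a branch decided by tainted al; a send inside the block and
# a register written inside it are both flagged although cl and bl hold constants.
PROG_BRANCH_LEAK = [
    ("read", "al", PROTECTED, 0x41), ("imm", "cl", 0), ("jz", "al", 5),
    ("send", "network", "cl"), ("imm", "bl", 7), ("send", "disk", "bl"), ("halt",),
]
```

When the tainted byte is zero the branch is taken, the block is skipped and nothing is flagged, which is exactly the limitation Dutch points at: the scheme only sees what happens inside the branch block, so the cost of tracking every branch on tainted data is where the “inefficiency” comes from.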

> Of course, that would require him to actually be in Russia, which we KNOW isn’t true :slight_smile:

IIRC he’s stuck in Moscow/SVO airport, being officially not allowed into Russia beyond the border control.

Nevertheless, this can be a lie and he can be telling NSA secrets to Russian agents just now.

How funny. DriveCrypt already uses the name “Snowden” in their ads :slight_smile:


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

If you need to limit access to high-level verbs like “copy” - then you need to do high-level things and not low-level.

You need to create a system where low-level verbs like RW are just plain not exposed to the user.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com


my .2$,

using your filter driver what you can do is,
- restrict what gets installed or executed on the machine.
- restrict access to removable media and network shares.
- only let opens from your ‘privileged’ app happen on the ‘privileged’ file.

Also, do lots and lots of architectural analysis around your driver
and the privileged app.

As wise ppl on this forum already pointed out best case you will be
able to provide a solution that makes it really expensive for files to
be copied and perhaps prevent accidental disclosure.

The question about security though is moot :slight_smile:

On Tue, Jul 2, 2013 at 4:35 AM, Maxim S. Shatskih
wrote:
> If you need to limit access to high-level verbs like “copy” - then you need to do high-level things and not low-level.
>
> You need to create a system where low-level verbs like RW are just plain not exposed to the user.
>

As already pointed out, there is no such thing as copyfile at the kernel level, so you cannot intercept it. The place to do it is user mode, using some hooking technique, though that still leaves many other holes, as Scott pointed out: print screen, clipboard, etc.

Maxim, is x64 PatchGuard preventing DLL hooking mechanism under Windows environment ?

> Maxim, is x64 PatchGuard preventing DLL hooking mechanism under Windows environment ?



Well, the problem is how to actually hook a DLL in every possible process.
This can be done by DLL injection, but the “integrity level” mechanism of
Vista+ means that you can’t do this hooking into higher-integrity
processes, which is the inverse of the typical problem, which is exactly
to prevent DLL injection or hooking of processes by malware. So I go
back to my previous statement: you can’t prevent copying a file. As
pointed out, you CAN manage removable media, although social engineering
goes a long way in circumventing this. But managing removable media is
only one dimension of the problem; I can still steal information as long
as I can get some code to run under a legitimate account.

This is why you won’t find Windows, Unix, or linux in actual secure
environments. If they ARE used, they are “sandboxed” with no external
access. I’ve taught courses in secure environments, and physical security
is one of the powerful techniques used. I once taught a course in a hotel
near a secure facility, and at the end of the course, I raffled off a
flash drive. The person who won it asked me to pick another card, because
she had to stop at work, and possession of a removable media device, even
if it was left in her car, was not just a firable offense, but a felony.

joe

>> is x64 PatchGuard preventing DLL hooking mechanism under Windows environment ?

I am not sure I got your point. PatchGuard is to protect the SSDT and other kernel structures. DLL hooking is done in user mode by overwriting some bytes in the process address space.

What do you mean here?

Aditya

> I am not sure I got your point. PatchGuard is to protect the SSDT and other kernel structures. DLL hooking is done in user mode by overwriting some bytes in the process address space.

Yes, and AppInit_DLLs is the registry key to enforce the hooker DLL load to all processes (actually to all processes which use user32.dll)

Anyway this is all dirty.

The solution is to strip the nurse’s machine from all standard Windows stuff and only show the special nursing app to her. The nursing app will just have no ability to write to flash drives, or to copy the files, it will only be able to view them.

If you will use Python+Qt bindings for the nursing app, then it will be automatically 100% portable across Windows and Linux, and, for a task when you need to strip the OS down, Linux is better.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

> Well, the problem is how to actually hook a DLL in every possible process.

AppInit_DLLs

> This is why you won’t find Windows, Unix, or linux in actual secure
> environments.

  1. Tell this to Iranian nuclear guys :slight_smile:
  2. Stripped-down OS is OK, and Linux is easy to be stripped down.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Think about the era of MULTICS, mid-1960s. The informal description of
their security model was “The Americans and Russians can run their War
Game simulations on the same mainframe with perfect confidence that the
other side cannot spy on them”. Fine. Now talk to the guys really
concerned about military security. They absolutely HATE the concept of
unclassified, confidential, secret, top secret, and burn-before-reading
security classifications sharing a single machine, or a mixed set of
clients sharing a single server, or even a single network.

Their major concern is that someone who has access to documents at one
security level being able to “downcast” (in the C++ sense) the information
somehow. For example, an unclassified report created on Tuesday whose
title is “On the endochronic properties of resublimated thiotimoline” or
“On the exochronic properties of resublimated thiotimoline”. One means
“Another aircraft carrier will be deployed in the mideast” and the other
means “The existing aircraft carriers will be withdrawn from the mideast”.
Or, as they characterize it, “a one-time pad leaking a single bit”.

The danger is in either introducing a corrupted human into the mix (MICE -
Money, Ideology, Conscience, Ego; ref: from Tom Clancy), or a digital
agent.

How’s this for a scenario for Windows: corrupt digital agent is programmed
to spin off a thread at 3pm, in an infinite loop, reading the system time.
This digital agent runs only as “unclassified” and has no access to
higher-level documents. The other digital agent, running from a
burn-before-reading security context, at 3pm, will take one of two
actions: go to sleep for five minutes, or place its thread in priority 15
and do a loop for five minutes. Guess what: we have leaked our one bit.
And this is one of the simplest scenarios for leaking. I’m not sure about
the NDA I signed, so I can’t talk about the sophisticated ones. (I know I
can talk about this one because I just invented it)

StuxNet got in because they were not running a secure environment.
Sloppy, sloppy. In a secure environment, there would have been
protections against this sort of thing.

Most security exploits I know would not be blocked by using a “stripped”
OS. I could spend a whole day talking about exploits like this. Wait a
minute–I DO have a whole-day talk on this. Which I’ve taught several
times.
joe


My answer is that this requirement could change to protecting the target folder.
What does “copied out” mean? Does it mean the file cannot be copied to another folder on the same local machine, or that it cannot be copied to a mobile device or USB drive?

So, I guess this requirement could change to: all USB drives should be read-only, all CD burning should be disabled …