Problem: PID-based authorization in driver

Please forgive my nub-ness…

I would like to implement PID-based access control in a file system device driver. The driver stores its data in a file on a “real” file system, creates a device, and adds a logical drive that maps to this device.

The authorization code works somewhat. For example, it rejects IRP_MJ_CREATE/CLOSE/READ/WRITE from “explorer.exe”. But as soon as “notepad.exe” accesses a file, “explorer.exe” starts to “see” it as well.

Is my problem related to caching? If so, how can I fix this?

Is what I am trying to do even possible?

Thanks in advance for any help.

First, the concept of authentication based on process names has been
discussed many times on NTFSD, all showing how easy it is to spoof this.
Second, this is a question for NTFSD, not NTDEV. Third, we need more data
than this to have a chance of answering it.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


I thought the OP meant process ID by PID, which would not be name-based
but instead PID-based. However, it is a mystery as to how one decides
which PID has the right security credentials and which doesn’t, other
than by using the security credentials, which would make the security
‘security credentials’ based, or the process name, which would make it
broken.

Mark Roddy

On Sat, Dec 5, 2009 at 1:51 PM, Don Burn wrote:
> First, the concept of authentication based on process names has been
> discussed many times on NTFSD, all showing how easy it is to spoof this.
> Second, this is a question for NTFSD, not NTDEV. Third, we need more data
> than this to have a chance of answering it.

> However it is a mystery as to how one decides which PID has the right security credentials

Actually, I am more mystified by a filesystem driver that "creates a device, and adds a logical drive that maps to this device" without any underlying block device in sight, emulated or otherwise. I just wonder what this file system is mounted on and how it makes itself available to the UM apps - judging from his description, a logical drive gets added by the FSD itself…

I think what he actually tries to do here is just to port some Linux code to Windows. Apparently, he tries to port some feature that is implemented as a special file system under Linux. Such a file system never gets mounted directly by a user - it gets mounted by the kernel right upon FS registration, and, hence, does not have an underlying block device. Furthermore, it may be made inaccessible to the standard open() call with its content being hidden (sockfs and pipefs are just two examples), which fully explains the OP’s willingness to hide his filesystem from explorer.exe.

Anton Bassov

> I would like to implement PID-based access control in a file system device driver.

Bad idea; PIDs are too volatile.

The proper way is to create a user account for your “special” process, and keep the password for this account (generated by CryptGenRandom) in the system-wide store of the Data Protection API.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
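The account-plus-DPAPI approach Maxim describes, written out as an added PowerShell example. This is not code from the thread or from any of the posters. It assumes an account name of svc-specialfs and a secret file under %ProgramData%\SpecialFs, both chosen only for illustration, and it uses the .NET RandomNumberGenerator and ProtectedData wrappers over the system CSPRNG and DPAPI instead of calling CryptGenRandom and CryptProtectData directly. Run it from an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example (not from the thread): provision a dedicated account for the privileged
# helper process with a random password, and keep that password in the machine-scope
# DPAPI store. Account name and secret path are assumptions chosen for illustration.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData on PS 5.1

$AccountName = 'svc-specialfs'                                     # assumption
$SecretPath  = "$env:ProgramData\SpecialFs\svc-password.dpapi"    # assumption

function New-RandomPassword {
    param([int]$Bytes = 32)
    # RandomNumberGenerator is the .NET wrapper over the system CSPRNG that
    # CryptGenRandom also fronts; 32 bytes gives 256 bits of entropy.
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    # Base64 keeps it printable and satisfies the usual complexity policy.
    [Convert]::ToBase64String($buf)
}

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Identity for the privileged helper process' | Out-Null
} else {
    Set-LocalUser -Name $AccountName -Password $secure
}

# LocalMachine scope: any process on this machine that can read the file can unprotect
# it, so the file ACL is the real gate. Drop inherited ACEs and allow only SYSTEM and
# Administrators.
$protected = [System.Security.Cryptography.ProtectedData]::Protect(
    [Text.Encoding]::UTF8.GetBytes($plain), $null,
    [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
New-Item -ItemType Directory -Force -Path (Split-Path $SecretPath) | Out-Null
[IO.File]::WriteAllBytes($SecretPath, $protected)

$acl = Get-Acl $SecretPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl $SecretPath $acl

# The service that later starts the helper under this account recovers the password so:
$recovered = [Text.Encoding]::UTF8.GetString(
    [System.Security.Cryptography.ProtectedData]::Unprotect(
        [IO.File]::ReadAllBytes($SecretPath), $null,
        [System.Security.Cryptography.DataProtectionScope]::LocalMachine))
if ($recovered -ne $plain) { throw 'DPAPI round-trip failed' }
```

With the helper running as svc-specialfs, the driver no longer needs to reason about PIDs or image names at all: it can read the caller's token (the SID of the requesting thread's security context) on IRP_MJ_CREATE and grant or deny on that, which is the "security credentials" basis Mark points at above. Nothing in the example stops a local administrator from reading the DPAPI blob; it is meant to keep the password out of configuration files and out of reach of ordinary users, not out of reach of the machine's owners.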

Sorry for the confusion guys. Like I said, I’m new to this… Nevertheless, thank you for trying.

The solution was to use a minifilter.

As for how it tells which PIDs are authorized and which are not… That’s done by asking another driver via an IOCTL. That other driver communicates with a privileged process in user space. I’m not sure how that privileged process tells which PID is authorized and which is not (don’t know, don’t really care) but I suppose that one way to do it would be by checking the signature of the EXE file from which the process was spawned.

Again, thanks to those who were kind enough to try to provide an answer and did not beat up too much on a newbie.
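What the privileged user-space process could actually do with a PID if it went the "check the signature of the EXE" route, as an added PowerShell example. This is not the OP's code or anything posted in the thread; the signer thumbprint is a placeholder assumption and the function name is invented for illustration.

```powershell
# Added example (not from the thread): decide whether a PID is "authorized" by checking
# the Authenticode signature of the image it was started from, pinned to one signer.
$TrustedSignerThumbprint = '0000000000000000000000000000000000000000'   # assumption: your signer's leaf cert

function Test-AuthorizedProcess {
    param([Parameter(Mandatory)][int]$ProcessId,
          [Parameter(Mandatory)][string]$SignerThumbprint)

    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) {
        return [pscustomobject]@{ Authorized = $false; Reason = 'no such process' }
    }
    try {
        $path  = $proc.Path        # null for a 64-bit target from a 32-bit host, or without access
        $start = $proc.StartTime   # throws Access denied for processes we cannot query
    } catch {
        return [pscustomobject]@{ Authorized = $false; Reason = "cannot query process: $($_.Exception.Message)" }
    }
    if (-not $path) {
        return [pscustomobject]@{ Authorized = $false; Reason = 'image path not readable' }
    }
    # PIDs are reused once a process exits (the "volatile" point raised above). Pair the PID
    # with the start time so a later caller can notice the PID now names a different process.
    $identity = '{0}:{1:o}' -f $proc.Id, $start

    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Authorized = $false; Identity = $identity; Reason = "signature status $($sig.Status)" }
    }
    # A valid signature alone proves only that someone signed it; any vendor can sign a
    # file named notepad.exe. Pin the leaf certificate of the signer you trust.
    if ($sig.SignerCertificate.Thumbprint -ne $SignerThumbprint) {
        return [pscustomobject]@{ Authorized = $false; Identity = $identity
                                  Reason = "unexpected signer $($sig.SignerCertificate.Subject)" }
    }
    [pscustomobject]@{ Authorized = $true; Identity = $identity; Reason = 'signed by pinned certificate' }
}

# Usage: evaluate every running notepad.exe against the pinned signer.
Get-Process -Name notepad -ErrorAction SilentlyContinue |
    ForEach-Object { Test-AuthorizedProcess -ProcessId $_.Id -SignerThumbprint $TrustedSignerThumbprint }
```

Two caveats a practitioner would want stated: the check verifies the file on disk, not the code currently mapped in the process, so a signed image that has had a DLL injected into it, or that is replaced on disk after the check, still passes; and the PID-plus-start-time identity only detects reuse, it does not prevent a later request from a different process arriving under the same PID between the check and the use. Those gaps are why the last reply below calls this kind of scheme an illusion of protection rather than a substitute for running the privileged helper under its own identity.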

It’s not clear what “bigger problem” it’s all trying to solve. I’m afraid it is another ill-conceived attempt to replace proper security practices and secure system configuration (for example, limiting user privileges) with an illusion of protection.