> ----------
> From: xxxxx@osr.com [SMTP:xxxxx@osr.com]
> Reply To: xxxxx@lists.osr.com
> Sent: Thursday, September 05, 2002 12:04 AM
> To: xxxxx@lists.osr.com
> Subject: [ntdev] Re: Passing event notification from driver to application

> I always believed you don’t need admin rights to open event for SYNCHRONIZE access. Is it correct?

>Never tried it for an event… it’d make for a quick and interesting experiment, though.
Well, I’m almost sure it worked on NT and w2k, don’t know about XP.
> If it is possible and driver is dependent on this state, it seems a security hole because any app could change event state and control driver.
>It wouldn’t be a security hole… it’d be by design. As I said in a (torturously long and boring) previous post, named events are global to the system.
Exactly. So they have to be used with care.
>You can change the SD on the event (using various documented and undocumented functions) thereby restricting access, but that’s only going to go so far (the finest level of granularity being the SID).

>Yes, I agree that signalling in only 1 direction would be secure – it shifts the security problem to focus on whatever’s being signalled (does the event being set mean that data’s available in a shared buffer? Can that buffer be accessed from another process?).

>The whole issue makes “hanging IOCTLs” look attractive, doesn’t it. Then again, even with that method, one has to be sure one is actually talking to the right process. That probably means protecting a device object with an SD. Which means that granularity is the SID, again.
Yes, trying to make things secure isn’t easy and, as you showed, solving one problem raises another one. Changing SDs to restrict access seems like a good method to me; SID granularity isn’t a problem because it is the way the OS offers and uses itself. There is only one problem with changing SDs: the necessary kernel APIs aren’t documented enough. Though I’m not quite sure; it is some time since I’ve used them and I haven’t examined how the XP DDK was improved in this area.

As for the device object SD, isn’t the default security “admin only”? Again, I’m not sure and remember it was changed in the past. Once I had to change it to allow everyone’s access (and probably created a security hole :).

I guess most readers don’t care about security issues now if things work. Once most buffer overflow holes are fixed (hey, I’m an optimist) and hackers try to find another target, maybe they will find there are many drivers to attack.
Best regards,
Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]
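The thread's two recommendations, a restrictive SD on the named event and one-way signalling, can be seen from user mode without a driver. The following is an added example, not code from the thread or from either poster; it assumes Windows PowerShell 5.1 or later on Windows, and the event name and the DACL layout (Everyone may only wait, the creating account and Administrators get full control) are choices made for this demonstration, not anything the thread specifies. A driver would normally create the event itself in kernel mode; creating it here from user mode shows the same DACL effect.

```powershell
# Added example, not code from the ntdev thread: create a named event whose DACL
# lets every user wait on it (SYNCHRONIZE) but lets only the creating account and
# Administrators set or reset it. The event name is constructed for this demo.
$eventName = 'Global\ExampleNotifyEvent'

# Principals: Everyone, BUILTIN\Administrators and the current user's SID.
# The DACL can only distinguish SIDs, which is the granularity limit the thread discusses.
$everyone = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$admins = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

$sync  = [System.Security.AccessControl.EventWaitHandleRights]::Synchronize
$full  = [System.Security.AccessControl.EventWaitHandleRights]::FullControl
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Build the DACL: Everyone -> Synchronize only; creator and Administrators -> full control.
$sec = [System.Security.AccessControl.EventWaitHandleSecurity]::new()
$sec.AddAccessRule([System.Security.AccessControl.EventWaitHandleAccessRule]::new($everyone, $sync, $allow))
$sec.AddAccessRule([System.Security.AccessControl.EventWaitHandleAccessRule]::new($me, $full, $allow))
$sec.AddAccessRule([System.Security.AccessControl.EventWaitHandleAccessRule]::new($admins, $full, $allow))

# Create the event with that security descriptor. This is the one-way arrangement:
# the owner signals, everybody else can only observe.
$createdNew = $false
$evt = [System.Threading.EventWaitHandle]::new($false,
    [System.Threading.EventResetMode]::AutoReset, $eventName, [ref]$createdNew, $sec)
"Created new event: $createdNew"

# Print the DACL in SDDL form; SDDL is also the notation IoCreateDeviceSecure takes
# for a device object's default security descriptor on the XP DDK and later.
$sec.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)

# A least-privilege client opens the event asking for SYNCHRONIZE only. This open
# succeeds for any account. An open that asks for Modify from an account the DACL
# does not grant it to is refused with UnauthorizedAccessException.
$waiter = [System.Threading.EventWaitHandle]::OpenExisting($eventName, $sync)
"Opened for wait only: $($null -ne $waiter)"

# Exercise the signal path: the owner handle sets the event, the wait-only handle sees it.
[void]$evt.Set()
"Waiter saw signal: $($waiter.WaitOne(1000))"

$waiter.Close()
$evt.Close()
```

Run it from an ordinary user session and then, from a second session under a different non-administrative account, call `OpenExisting` with `Modify` instead of `Synchronize`: the second open fails while a `Synchronize` open still succeeds, which is the property the thread describes as making one-direction signalling safe. It does not, as the quoted poster notes, say anything about the data the signal refers to; protecting a shared buffer is a separate decision.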