Secure communication between Kernel and User modes

Hi!
I’m currently developing a minifilter, and I need to SECURELY transmit
small amounts of data (500-1000 bytes) to the User mode. As I understand,
“FltSendMessage” is not exactly secure, right? Are there alternatives? I read
about “FltCreateNamedPipeFile”, but I can’t find any good documentation
and/or examples of how and
where to use them.

Can anyone please help with using named pipes, or suggest a secure way for
kernel to user communication?

Regards,
George.

How are you coming to the conclusion that it is not “secure”?

  • S (Msft)

From: George Gauci
Sent: 11/17/2011 5:19
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Secure communication between Kernel and User modes

Hi!
I’m currently developing a minifilter, and I need to SECURELY transmit small amounts of data (500-1000 bytes) to the User mode. As I understand, “FltSendMessage” is not exactly secure, right? Are there alternatives? I read about “FltCreateNamedPipeFile”, but I can’t find any good documentation and/or examples of how and where to use them.

Can anyone please help with using named pipes, or suggest a secure way for kernel to user communication?

Regards,
George.
—
NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit: http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

>>I need to SECURELY transmit small amounts of data (500-1000 bytes) to the User mode. As I understand, FltSendMessage is not exactly secure

Define secure? You have some bytes, you put them in memory, the API ensures that they reach the target process. You can specify who can open this port (only admin/system).

Now if you are worried about some admin-level code being able to intercept it and read it, then I doubt you can do anything about it, because if it can intercept FltSendMessage it can intercept your driver as well. The actual question in such a case should be: what is such an interceptor doing on that machine, or how did it get there?

If you could tell us what exactly this software is (encryption, for example) and why you need this, someone might be able to help you.

Thx for your replies!
What I’m doing is encrypting data in Kernel mode; I need to send an AES
password to be encrypted in RSA using a 3rd party COM object which in turn
‘calls’ a smartcard reader. So my real question is: how can I do this? My
idea is to send the password to a user mode application which will in turn
encrypt it using RSA. My fear is undesired interception of the data. So,
is FltSendMessage safe enough? And if not, could anyone please suggest an
alternative method?

Thank you in advance for your help!

On 18 November 2011 06:23, wrote:

> >>I need to SECURELY transmit small amounts of data (500-1000 bytes) to
> the User mode. As I understand, FltSendMessage is not exactly secure
>
> Define secure? You have some bytes, you put them in memory, the API
> ensures that they reach the target process. You can specify who can open
> this port (only admin/system).
>
> Now if you are worried about some admin-level code being able to intercept
> it and read it, then I doubt you can do anything about it, because if it
> can intercept FltSendMessage it can intercept your driver as well. The
> actual question in such a case should be: what is such an interceptor doing
> on that machine, or how did it get there?
>
> If you could tell us what exactly this software is (encryption, for
> example) and why you need this, someone might be able to help you.

Could you please elaborate on the type of attack you are trying to protect against? What does the attacker look like? Is he an admin on the machine? And so on…

Thanks,
Alex.

Create the password in user mode using CryptoAPI, then send it down to kernel mode.

Or: there is kernel-mode CryptoAPI in Vista up.

Or: try using KSecDD.sys to ask the auth provider to do your crypto.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


Much of this ultimately relates to your threat model. If you put it in user mode memory there is the risk that it will be paged out (and thus passwords can appear in the paging file.) There are a couple of options here:

  • Ignore the problem because it is outside your threat model (e.g., you don’t count “groveling through the paging file for passwords” to be a realistic threat)
  • Encrypt the paging file
  • Only write the passwords into pages locked by the driver (so they cannot be written out to the paging file.) There are a number of ways to do this, and you MUST handle the errors (e.g., process exit with those pages locked - you ARE responsible for cleaning them up or the system will give you a blue screen, or in Windows 8 the new frowning face.)

Filter Manager pipes are as reliable as any other mechanism that the OS provides. Again, what “reliable” means in this context relates to your threat model. So, what’s your threat model?

Tony
OSR

>screen, or in Windows 8 the new frowning face.)

Wow! Win8 has remade the bugcheck screen?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com