Hi all,
In my FSFD, I need to add directory protection so that only certain
processes can access these folders. The client requirement is a non-ACL
solution, as it needs to work on all FSDs Windows supports.
The problem is that for a path with n levels, the number of name
combinations is 2n! And the applications can use any format (short and long
and a mixture of both) to get into the directory.
The only solution I know of to stop this is to query the file system about
the long file name, but this is going to be expensive in terms of CPU
cycles.
Is there any other way out? How are these types of protections designed?
–
If you will pass the protected information into the driver,
pass both full path name and short path name.
Like:
\Device\HarddiskVolume1\Progra~1\Common~1\Microso~1\Data
\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Data
Then, in IRP_MJ_CREATE, compare the path element by element
with the corresponding element in both the short path and the long path.
Also use native NT name ONLY, so you will not have to deal
with DOS drive letters.
This should work.
L.
----- Original Message -----
From: amitr0
To: Windows File Systems Devs Interest List
Sent: Tuesday, July 25, 2006 12:29 PM
Subject: [ntfsd] Security In Obscurity
Hi all,
In my FSFD, I need to add directory protection so that only certain processes can access these folders. The client requirement is a non-ACL solution, as it needs to work on all FSDs Windows supports.
The problem is that for a path with n levels, the number of name combinations is 2n! And the applications can use any format (short and long and a mixture of both) to get into the directory.
The only solution I know of to stop this is to query the file system about the long file name, but this is going to be expensive in terms of CPU cycles.
Is there any other way out? How are these types of protections designed?
–
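The element-by-element comparison suggested above, as an added example that is not part of the original thread: a user-mode C sketch that accepts either name form at each level, so a path with n levels costs at most 2n component comparisons instead of one per name combination. The names `struct level` and `path_is_protected` are hypothetical, and plain `char` strings stand in for the UNICODE_STRING a driver would see in the create request.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One directory level of a protected path, stored in both name forms. */
struct level { const char *long_name; const char *short_name; };

/* Case-insensitive compare of a component of length n against a full name. */
static int component_equals(const char *comp, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)comp[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/*
 * Returns 1 if `opened` names the protected directory or anything below it.
 * `opened` is a native NT path such as \Device\HarddiskVolume1\...
 */
int path_is_protected(const char *opened, const struct level *levels, size_t count)
{
    const char *p = opened;
    for (size_t i = 0; i < count; i++) {
        while (*p == '\\') p++;          /* skip separator(s) */
        size_t n = strcspn(p, "\\");     /* length of this component */
        if (n == 0) return 0;            /* opened path ends above the target */
        if (!component_equals(p, n, levels[i].long_name) &&
            !component_equals(p, n, levels[i].short_name))
            return 0;                    /* neither name form matches */
        p += n;
    }
    return 1;  /* every protected level matched; any remainder is a descendant */
}

/* Constructed sample: the protected directory from the message above. */
static const struct level SAMPLE[] = {
    { "Device", "Device" },
    { "HarddiskVolume1", "HarddiskVolume1" },
    { "Program Files", "Progra~1" },
    { "Common Files", "Common~1" },
    { "Microsoft Shared", "Microso~1" },
    { "Data", "Data" },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])
```
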
Yes, I believe it should, and I did consider doing so; my only apprehension
is that this is going to make the CREATE call very slow? Though someone on
this list had pointed out previously, “till you get an actual degrade in
performance, don't assume it will happen”.
Hi,
Use: FilterGetDosName(lpVolumeName, lpDosName, dwDosNameBufferSize);
Parameters
lpVolumeName : Pointer to a NULL-terminated wide-character string containing the volume name. This parameter is required and cannot be NULL.
lpDosName : Pointer to a caller-allocated buffer that receives the MS-DOS device name as a NULL-terminated wide-character string.
dwDosNameBufferSize : Size, in wide characters, of the buffer that lpDosName points to.
I hope this is of use to you.
Samuel Raya
Where is this function documented? I cannot find it in IFS 3790.
On 7/27/06, xxxxx@yahoo.es wrote:
>
> Hi,
> Use: FilterGetDosName(lpVolumeName, lpDosName , dwDosNameBufferSize );
> Parameters
> lpVolumeName : Pointer to a NULL-terminated wide-character string
> containing the volume name. This parameter is required and cannot be NULL.
> lpDosName : Pointer to a caller-allocated buffer that receives the
> MS-DOS device name as a NULL-terminated wide-character string.
> dwDosNameBufferSize : Size, in wide characters, of the buffer that
> lpDosName points to.
>
> I hope that it serves to you;
>
> Samuel Raya
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
–
- amitr0
Hi again,
This function is documented in WINDDK 3790.1830.
Development kit>Windows IFS Kit and DDK 3790.1830>Help>IFS Kit Documentation.
I have used it in my projects.
Regards.
Samuel Raya
S2F ENTERTAINMENT
(511) 2214772 / 2745102
Lima - 27
Perú
Thanks for the tip, but the documentation of this function (which I
checked up with IFS 3790.1830) tells me it is for getting the volume name
of the device; my problem is with short and long file names. Can you please
explain how to solve that issue with this function?
You are aware that function is a fltmgr user-mode API, right?
I figure you're still working with the legacy model; if you're using a minifilter now, then use FltGetFileNameInformation. That will give you short and long names for the file or dir.
m.
----- Original Message -----
From: amitr0
To: Windows File Systems Devs Interest List
Sent: Friday, July 28, 2006 2:03 AM
Subject: Re: [ntfsd] Security In Obscurity
Thanks for the tip, but the documentation of this function (which I checked up with IFS 3790.1830) tells me it is for getting the volume name of the device; my problem is with short and long file names. Can you please explain how to solve that issue with this function?
Hi Matt,
I am still with legacy. And I know that it is a filter manager API; still, I
asked the guy.