Where is the best place to encrypt in an FSD?

Hi all,
In my minifilter encryption driver, files are encrypted in the POS_CLOSE
routine and decrypted in the POS_READ routine. It works fine with most apps. But when
it works with MS Word/Excel, it causes them to report errors irregularly.

I have tried all the places below:
1. Encrypting the file in PRE_CLEANUP, reading/writing the file using
FltReadFile/FltWriteFile with the original File Object.
2. Encrypting the file in POS_CLEANUP, reading/writing the file using
FltReadFile/FltWriteFile with the original File Object.
3. Encrypting the file in POS_CLOSE, reading/writing the file using
FltReadFile/FltWriteFile with my own File Object (I get the full file name in
Pos_Create and use FltCreateFile to open the file).

If the encrypt routine can’t get the original File Object (after close), it will open
the file itself (with the file name obtained from Pos_Create), then pend the
IRP and encrypt the file (using FltQueueDeferredIoWorkItem).
All reads/writes are done without lock operations, and the open file parameters (in
Pos_Close, self open) are:
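    status = FltCreateFile( MyDriver.Filter,                  /* Filter */
                            p2pCtx->SCtx->Instance,           /* Instance */
                            &FHandle,                         /* FileHandle */
                            GENERIC_READ | GENERIC_WRITE,     /* DesiredAccess */
                            &OAtt,                            /* ObjectAttributes */
                            &IOSB,                            /* IoStatusBlock */
                            NULL,                             /* AllocationSize */
                            FILE_ATTRIBUTE_NORMAL,            /* FileAttributes */
                            0,                                /* ShareAccess: 0 = no sharing */
                            FILE_OPEN,                        /* CreateDisposition */
                            FILE_NO_INTERMEDIATE_BUFFERING,   /* CreateOptions */
                            NULL,                             /* EaBuffer */
                            0,                                /* EaLength */
                            IO_FORCE_ACCESS_CHECK);           /* Flags */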

Encryption uses cached reads and NON_CACHED writes.

All of these approaches cause Word/Excel to report errors irregularly, and work
fine with most other apps (such as AutoCAD, ACDSee, etc.).

Where is the best place to encrypt? Or is my encryption operation wrong?

Thanks!

=============================
Murphy W.(CHN)

I have observed this behaviour with MS Word 2003.

Word creates & uses temporary files for reading & writing; when you open an existing doc file it creates a temp file & writes all data to that. And it happens at IRP_MJ_WRITE, which is generally the most obvious place to do so.

If you check this operation in FileSpy you’ll find that there is no IRP_MJ_CLOSE for the temporary file until you close the original file, so your filter will never actually encrypt data for the temporary file, as Word will delete it immediately after use. That is probably causing the problem.

You may have some reason for not doing encryption in write IRP but we did encryption in WRITE routine, and it is the place meant for doing such things.

Hi,

First of all, thanks for your reply.

In fact, some apps do not write files in order; encrypting in the write routine will
cause my driver to encrypt the data incorrectly.

My driver can catch the tmp file's close operation while MS Word is saving
the file.
This is also proved by FileSpy.

The problem is:
When MS Word saves a file, it reports the error "File permission error,word
can't save file [the file name]"; this error appears irregularly.

When MS Excel saves a file, it reports the error "File saved,but can't
reopen"; this error appears every time.

I think maybe the driver should lock the file when encrypting it; in other
words, the driver should have exclusive access to the file, shouldn't it?

If so, how do I lock the file or get exclusive access? Use the EXCLUSIVE
flag with FltCreateFile?

Need your help!

Thanks!

--

Murphy W.(CHN)

Murphy.W wrote:

Hi,

First of all, thanks for your reply.

In fact, some apps do not write files in order; encrypting in the write routine will
cause my driver to encrypt the data incorrectly.

There’s no requirement for the file to be completely written at all -
sparse files are not too common but where they are used there is a good
reason for it.

Your encryption algorithm should not care where or in what order the
data is written.

Tony

A filter-based encryption technique that depends upon the order in which
the data is written is broken. Files need not be written (or read)
sequentially and many applications rely upon random access to use their
files (think of Outlook, or any file using structured storage, such as
Word, etc.) I might write my own copy routine that copies things from
the end to the beginning, and your scheme would break in the face of
that type of implementation.

The goal is to build a filter that is robust in the face of all allowed
usage models. Restricting the usage models to those supported by the
filter is not going to work unless you can restrict the machine to only
the supported usage models (e.g., an embedded device or other highly
controlled environment.)

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
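
The point made in the replies above, that the encryption must not care where or in what order data is written, as an added example (not code from any poster or from OSR). It is a user-mode C model, not minifilter code; the names prf, crypt_at and filtered_write are hypothetical, and the keystream function is a non-cryptographic stand-in for a real cipher.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Stand-in PRF (splitmix64 finalizer), NOT a secure cipher: a real filter
   would use a vetted cipher such as AES here. */
static uint64_t prf(uint64_t key, uint64_t block) {
    uint64_t z = key ^ (block * 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Encrypt or decrypt (XOR is its own inverse) len bytes located at absolute
   file offset `offset`. Only the offset selects the keystream, so the result
   does not depend on the order or size of the I/O requests. */
void crypt_at(uint64_t key, uint64_t offset, uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint64_t pos = offset + i;
        buf[i] ^= (uint8_t)(prf(key, pos / 8) >> (8 * (pos % 8)));
    }
}

/* Model of a write passing through the filter: store the data at its
   offset in the "file" buffer, encrypted for that offset. */
void filtered_write(uint8_t *file, uint64_t key, uint64_t offset,
                    const uint8_t *data, size_t len) {
    memcpy(file + offset, data, len);
    crypt_at(key, offset, file + offset, len);
}

/* Returns 1 if front-to-back and back-to-front writes in unaligned chunks
   give identical ciphertext that decrypts back to the plaintext. */
int order_independent(void) {
    static const uint8_t plain[] = "constructed sample: written out of order";
    const size_t n = sizeof plain - 1;
    const uint64_t key = 0x0123456789ABCDEFULL;   /* constructed key */
    uint8_t a[64] = {0}, b[64] = {0};
    for (size_t off = 0; off < n; off += 7)       /* 7-byte chunks, forward */
        filtered_write(a, key, off, plain + off, n - off < 7 ? n - off : 7);
    for (size_t off = n; off > 0; ) {             /* 5-byte chunks, backward */
        size_t len = off >= 5 ? 5 : off;
        off -= len;
        filtered_write(b, key, off, plain + off, len);
    }
    if (memcmp(a, b, n) != 0 || memcmp(a, plain, n) == 0) return 0;
    crypt_at(key, 0, b, n);                       /* a read decrypts in place */
    return memcmp(b, plain, n) == 0;
}
int main(void) { return order_independent() ? 0 : 1; }
```

With a plain XOR keystream, rewriting the same offset reuses the keystream, so the old and new ciphertext XOR to the XOR of the two plaintexts; a per-sector tweakable mode such as AES-XTS keeps the same offset-only dependence without that weakness.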

Hi, Wang Murphy,
I have the same question as you, but I encrypt in the write routine.
Small files are fine with Word, but large ones fail some of the time.