Hi all,
I am write an encyrption driver by minifilter, Can I just intercept cached io and encrypt/decrypt? And if the encrypted/decrypted data length is not blocked, I can extend the buffer and buffer length in IRP structure.
Maybe MMF will have some problem under this situation, but I think this can be considered separately. In terms of MMF, I just encrypt/decrypt under paging io.
So is this method feasible ? Need your help!
The answer for generic encryption/decryption filter driver based on my experience is No. try with notepad and it should fail. check for windows prefatching. IIRC if you have read some file in notepad once and trying to open it again simultaneously with another notepad process, there will be no read IRPs generated for second notepad process, so you’ll not get any chance to decrypt the data and hence notepad will show encrypted data, which is of no use for user. This is how all applications using memory mapped IO will behave and the list is big.
>Maybe MMF will have some problem under this situation, but I think this can be considered separately. In terms of MMF, I just encrypt/decrypt under paging io.
And how you will decide whether a paging IO is generated for a MMF or normal file. I feel that you are unnecessary complicating your architecture.
Wait till some encryption driver expert provide you some concrete explanation.
Thanks
Aditya
> Maybe MMF will have some problem under this situation, but I think this can be considered
separately. In terms of MMF, I just encrypt/decrypt under paging io.
MMFs reuse the same data pages as the cache, so, if the cache is cleartext, then MMFs are cleartext too.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
Thanks for reminding me of this important point.
So as to Word document, MMF will have no effect, isn’t it ? Since a word doc can only be opened once by winword process.
penjiu@163.com wrote:
Thanks for reminding me of this important point.
So as to Word document, MMF will have no effect, isn’t it ? Since a word doc can only be opened once by winword process.
So users cannot copy a Word document?
What will happen if another tool wishes to read the data? For example,
there is an AV product on the machine calling
FsRtlCreateSectionForDataScan and attempting to scan the data via a
memory mapped section?
That is to say, encryption/decryption can not be done in cached io path, I can only pay more attention on Noncached write/read when refering to encryption/decryption, is it right?
And therein lies the problem when it comes to sitting on top of redirectors - you won’t know when they are performing cached or non-cached I/O. That is ultimately why we decided to move to a model in which we controlled the cache; we don’t care what the underlying cache state is.
Interestingly enough, we found that using cached I/O, even with the overhead of double buffering, yields substantially better performance than non-cached I/O.
I know this is not what you want to hear, but you are on the very early part of the learning curve about building an encryption filter. I’ve been working on this problem for a dozen years now and solving the general problem is surprisingly complex.
Best of luck on your project!
Tony
OSR
Looking forward to seeing everyone at our next File Systems seminar in Vancouver, BC, October 20-23, 2009.