best method/approach to secure my driver?

If my service communicates with my driver via DeviceIoControl, what is the best way to secure my driver to prevent it from being used by unauthorized applications? For example, random apps sending fake IOCTLs.

Well, you can make the device exclusive so only one application can access it. You obviously should set the SDDL string for the device to be very restrictive, assuming your service runs with a secure account. Beyond that you are getting into the paranoid zone, things like passing some sort of security block between the driver and the application with an appropriate transformation by the application to make it harder for another application to fake it.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@mail.ru
Sent: Saturday, June 24, 2017 5:53 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] best method/approach to secure my driver?

If my service communicates with my driver via DeviceIoControl, what is the best way to secure my driver to prevent it from being used by unauthorized applications? For example, random apps sending fake IOCTLs.


NTDEV is sponsored by OSR

Visit the list online at:
http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:

Don’t forget that a security boundary, as far as any Windows kernel object is concerned, is a user account. Therefore, the closest solution that you can get is to set up a dedicated account for an app that is authorised to use your driver. However, all apps that run under this account are potentially capable of opening a handle to your device and sending IOCTLs to it. There is nothing that you can do about it without turning the entire system security model upside down and inside out by means of really tricky hackery…

Anton Bassov

An easy thing you can do in a day or three is configure a user mode service to run in a unique special service security account (which has a security identifier based on a hash of the service name, so can be predetermined at development time, and can’t be faked by a non-service process or another service with a different name). You then set the security descriptor for your device to only allow access from that specific security descriptor (and not general high privilege accounts like administrator). A slight detail is if you want your secure service to access any files, you will need to set the security descriptor on the files/directories too (like at product install time). You also can set network filters on that service to restrict who can talk to it over a network, this is called service hardening, and applies even if you disable the normal network firewall.

The page at https://blogs.technet.microsoft.com/askperf/2008/02/03/ws2008-windows-service-hardening/ talks about all this.

Jan

On 6/24/17, 2:52 PM, “xxxxx@lists.osr.com on behalf of xxxxx@mail.ru” wrote:

If my service communicates with my driver via DeviceIoControl, what is the best way to secure my driver to prevent it from being used by unauthorized applications? For example, random apps sending fake IOCTLs.

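As an added example (not code from this thread), assuming a hypothetical service named MyDrvSvc: this derives the per-service SID Jan describes, builds the restrictive SDDL string Don recommends (SYSTEM and the service SID only, no Administrators), and checks that no broad group is granted. Applying the string to the device object (e.g. from the INF or at device creation) is left to the driver and is not shown here.

```python
import hashlib
import re
import struct

# Well-known SDDL abbreviations that grant access far wider than one service:
# Administrators, Users, Everyone, Authenticated Users, Interactive.
BROAD_TRUSTEES = {"BA", "BU", "WD", "AU", "IU"}


def service_sid(service_name: str) -> str:
    """Per-service SID (NT SERVICE\\<name>) Windows assigns to a service whose
    SID type is unrestricted or restricted: S-1-5-80- followed by the five
    32-bit little-endian words of SHA-1(UTF-16LE(uppercased service name))."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(w) for w in struct.unpack("<5I", digest))


def device_sddl(service_name: str) -> str:
    """Protected DACL (D:P, so nothing looser is inherited) granting GENERIC_ALL
    only to SYSTEM and to the service's own SID; Administrators are not listed."""
    return f"D:P(A;;GA;;;SY)(A;;GA;;;{service_sid(service_name)})"


def allowed_trustees(sddl: str) -> list[str]:
    """Trustee field of every access-allowed ACE in the DACL part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # ignore a trailing SACL
    trustees = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if fields[0] == "A":
            trustees.append(fields[5])
    return trustees


def is_locked_to_service(sddl: str, service_name: str) -> bool:
    """True when the DACL allows nobody except SYSTEM and the named service."""
    allowed = set(allowed_trustees(sddl))
    return not (allowed & BROAD_TRUSTEES) and allowed <= {"SY", service_sid(service_name)}


if __name__ == "__main__":
    name = "MyDrvSvc"  # hypothetical service name, not from the thread
    print(service_sid(name))
    print(device_sddl(name))
    print(is_locked_to_service(device_sddl(name), name))
```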