IOCTLs with access bits mask FILE_ANY_ACCESS

  • Question

  • In general, IOCTLs defined with FILE_ANY_ACCESS access pose a security risk, since the I/O Manager will let them through for any calling user-mode thread, regardless of its granted access rights.

    I have a couple of questions on this topic and hope someone can shed some light on them:

    1/ For the old WDM driver, the driver would use IoValidateDeviceIoControlAccess() to check the required access to the device object that the user-mode thread must have. Does anyone here know the WDF counterpart API for IoValidateDeviceIoControlAccess?

    2/ There are a lot of standard system IOCTLs defined with FILE_ANY_ACCESS, for example the IOCTL_SERIAL_XXX_XXX. Are these safe and checked somewhere in the OS? If not, and they are not checked in the OS, I do not see the serial function driver (i.e. serial.sys) handle these anywhere.

    I have a custom function driver that must process these standard system IOCTLs and want to know if I should tighten the security in my driver for these standard system IOCTLs.

    thanks,

    Kiet


    KAL

    Tuesday, June 17, 2014 7:41 PM

Answers

  • I think you are reading into this too much. The caller still needs to be able to open a handle and that is where the security checks should be made. Typically you assign a DACL to the device object and let the I/O manager do the check for you. You can then assign DACLs specifically for read and write access (separately if you want) and then use FILE_READ/WRITE_ACCESS in the IOCTL definition to let the I/O manager perform the access checks for you before allowing the IOCTL through.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, June 17, 2014 8:56 PM
  • Well, in general FILE_ANY_ACCESS should be used for requests where, as long as the driver can access the device at all, the request should be OK.

    There isn't an equivalent of IoValidateDeviceIoControlAccess(), but you can certainly use:

    IoValidateDeviceIoControlAccess( WdfRequestWdmGetIrp( Request ), Access );
      

    In general, the best article on security checking is OSR's 3-part article at http://www.osronline.com/article.cfm?article=56. While it is WDM, the principles all apply.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Tuesday, June 17, 2014 7:54 PM
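
Added example (not part of the thread and not code from any driver): a user-mode C model of the two checks the answers above describe, the access bits the I/O manager reads from the control code and a driver-side check in the role of IoValidateDeviceIoControlAccess. The EX_ names and the helper functions are assumptions made for this example; function number 20 is the ntddser.h value for IOCTL_SERIAL_GET_BAUD_RATE.

```c
#include <stdint.h>
#include <stdio.h>

/* Control-code layout produced by CTL_CODE:
 * DeviceType[31:16] | RequiredAccess[15:14] | Function[13:2] | Method[1:0].
 * EX_ names are local to this example so it builds without the WDK. */
#define EX_CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))
#define EX_FILE_ANY_ACCESS   0u
#define EX_FILE_READ_ACCESS  1u
#define EX_FILE_WRITE_ACCESS 2u
#define EX_FILE_READ_DATA    0x0001u  /* bits in the handle's granted access */
#define EX_FILE_WRITE_DATA   0x0002u
#define EX_SERIAL_PORT       0x1Bu    /* FILE_DEVICE_SERIAL_PORT */
#define EX_METHOD_BUFFERED   0u

/* Access bits carried inside the control code itself. */
static unsigned ioctl_required_access(uint32_t code) { return (code >> 14) & 3u; }

/* 1 if every requested access bit is present in the handle's granted access. */
static int access_allows(unsigned required, uint32_t granted)
{
    if ((required & EX_FILE_READ_ACCESS) && !(granted & EX_FILE_READ_DATA)) return 0;
    if ((required & EX_FILE_WRITE_ACCESS) && !(granted & EX_FILE_WRITE_DATA)) return 0;
    return 1;
}

/* Model of the I/O manager gate: it only knows the bits encoded in the code. */
static int io_manager_allows(uint32_t code, uint32_t granted)
{
    return access_allows(ioctl_required_access(code), granted);
}

/* Model of a driver-side check: the driver names the access it requires,
 * whatever the code's own bits say. */
static int driver_allows(unsigned driver_required, uint32_t granted)
{
    return access_allows(driver_required, granted);
}

int main(void)
{
    uint32_t get_baud = EX_CTL_CODE(EX_SERIAL_PORT, 20, EX_METHOD_BUFFERED, EX_FILE_ANY_ACCESS);
    uint32_t granted = 0; /* constructed: handle with no read/write data access */
    printf("code=0x%08X io_manager=%d driver(read)=%d\n", (unsigned)get_baud,
           io_manager_allows(get_baud, granted), driver_allows(EX_FILE_READ_ACCESS, granted));
    return 0;
}
```

In a KMDF driver the driver-side check is the call quoted in the answer above, IoValidateDeviceIoControlAccess( WdfRequestWdmGetIrp( Request ), Access ), made at the top of the IOCTL handler before the request is processed.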

All replies

  • Thanks for the OSR article. With regard to FILE_ANY_ACCESS, I do not understand the reason in your comment for supporting the usage of FILE_ANY_ACCESS.

    An example here:

    IOCTL_SERIAL_GET_BAUD_RATE is defined with the FILE_ANY_ACCESS access mask, where it should be defined with FILE_READ_DATA since this is a read-only operation.

    Here is an article on this topic:

    http://msdn.microsoft.com/en-us/library/windows/hardware/dn613909(v=vs.85).aspx



    KAL

    Tuesday, June 17, 2014 9:05 PM
  • Either I am reading into this too much, or I do not understand the argument which the article below talks about with regard to precautions when defining an IOCTL:

    http://msdn.microsoft.com/en-us/library/windows/hardware/dn613909(v=vs.85).aspx

    I thought that this article is talking about the case where the app has already obtained the open handle to the device object. At this point, an IOCTL defined with FILE_ANY_ACCESS will bypass the additional checking that the I/O manager would normally do for you, and you will have to do this check in the driver yourself.



    KAL

    Tuesday, June 17, 2014 10:00 PM
  • You are reading too much into this, but the article is a little overzealous too. Like I said, the typical security gate is opening the handle, and once allowed, all I/O is OK. If you want a deeper model, you can implement it, but it is typically not necessary.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, June 18, 2014 2:04 AM
  • Okay, thanks. If so, I will not bother.

    KAL

    Wednesday, June 18, 2014 1:09 PM