Namespace and security

  • Question

  • When I wrote my driver I decided to follow Walter Oney's advice not to name my device object.
    According to Oney, there are security issues that make this approach less secure. I admit that I never understood this point.
    So I decided not to name my device but rather to take the "device interface" approach (WdfDeviceCreateDeviceInterface).
    Now I need to extend my driver to support many (250) virtual devices and I was advised to use a "namespace" instead of creating 250 device interfaces.

    1. What makes named object less secure? An example please.
    2. Is it possible to use a namespace with an unnamed device object?

    Thank you
    Wednesday, April 22, 2015 5:59 AM

All replies

  • Most of the security concern that Walter described was due to the problem of using a file name with IoCreateDevice which bypassed the security.  At the time the book was written IoCreateDeviceSecure was new and was not well understood.  This call (which is used by WDF) takes care of the problems that the book was concerned about, see http://www.osronline.com/article.cfm?article=507 for a detailed discussion.

    While the article is old, you may want to consider using more protection; take a look at http://www.osronline.com/article.cfm?id=100 and the articles it references.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, April 22, 2015 11:28 AM
  • Given that ISO C++ uses namespaces, I use them to carve up larger code blocks 

    The basic kernel mode uses C but calling up a driver can be with C++ rather than the old way.

    within a namespace you can a stream to anything and the identifier will remain within the namespace

    as such you can then use a qualified call to namespace::phile etc

    time for another tranche of 40 books



    MSFT Signature

    Place your rig specifics into your signature like I have, makes it 100x easier!

    Hardcore Games Legendary is the Only Way to Play!
    Vegan Advocate How can you be an environmentalist and still eat meat?

    Wednesday, April 22, 2015 11:37 AM
  • > 1. What makes named object less secure?

    Basically this is the deal, IIRC:

    a device stack consists of several device objects managed by different drivers. At the bottom there's the physical DO created by the bus, then go the FDO and various filters. Nevertheless all these DOs are distinct and can have different names and conflicting security. Therefore it is very important that a device [stack] can be opened only via one DO, and there you apply the security. So MS has decided to assign the PDO as the dev object that has both the name (that ugly long name created by PnP) and security settings of the whole stack. All other DOs in the stack should remain unnamed so they cannot be opened from usermode and circumvent the settings applied to the PDO. This eliminates possible confusion of several entry points in the stack.

    > 2. Is it possible to use a namespace with an unnamed device object?

    Obviously not: unnamed DO has no name :) so no namespaces. Just create a namespace based on the (long ugly auto-generated) name of your instance. Your driver above the PDO will properly see the requests even though its own DOs are unnamed.

    > Now I need to extend my driver to support many (250) virtual devices

    250 joysticks?!  that's insane ...

    -- pa



    • Edited by Pavel A Wednesday, April 22, 2015 12:24 PM
    • Marked as answer by shaul_ei Thursday, April 23, 2015 2:08 PM
    Wednesday, April 22, 2015 12:20 PM
  • You should be aware that device namespaces have nothing to do with C++ namespaces; they are totally different concepts.  Driver namespaces can be implemented in C and, if you go back through operating system design, predate the C++ language.

        

    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, April 22, 2015 12:36 PM
  • > You should be aware that device namespaces have nothing to do with C++ namespaces; they are totally different concepts.  Driver namespaces can be implemented in C and, if you go back through operating system design, predate the C++ language.
    >
    > Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    That is true, which is why I suggested another 40 books

    I have some older books on WDM which dates back to Windows 98 but it never really gained any adoption until Windows XP was released.

    Windows 95 used the old VXD which is now obsolete.

    The modern BIOS/UEFI is now very complex which does a lot of the work for driver developers today.

    One book, by Walter Oney is the primary reference I use.

    Programming the Microsoft Windows Driver Model (2nd Edition) (Developer Reference)



    MSFT Signature

    Place your rig specifics into your signature like I have, makes it 100x easier!

    Hardcore Games Legendary is the Only Way to Play!
    Vegan Advocate How can you be an environmentalist and still eat meat?

    Wednesday, April 22, 2015 12:47 PM
  • Actually, WDM was pretty active before Windows 2000, in fact as someone who interviewed a lot of developers one of the big problems was that people learned WDM in Win98 and did not understand the locking models needed for Windows 2000 or later OS'es.

    Walter's book is, like all the Windows device driver books, getting obsolete.  The closest to a current book is Developing Drivers with the Windows Driver Foundation, since using WDM as described in Walter's book has been pretty much replaced by WDF.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Wednesday, April 22, 2015 1:06 PM
  • I have one other reference that came from MSDN which I found on an old Windows 7 WDK DVD

    It's called the Windows Driver Kit documentation: This release of the Microsoft Windows Driver Kit (WDK) documentation provides information about driver development for Windows 7 and earlier versions of the Windows operating system. The content in this documentation targets build 7600, and later, of the WDK.

    Stuff with this DVD is still viable for Windows 8 and 10

    Developing Drivers with the Windows Driver Foundation 1st (first) Edition by Penny Orwick, Guy Smith published by Microsoft Press (2007)



    MSFT Signature

    Place your rig specifics into your signature like I have, makes it 100x easier!

    Hardcore Games Legendary is the Only Way to Play!
    Vegan Advocate How can you be an environmentalist and still eat meat?


    Wednesday, April 22, 2015 1:19 PM
  • Not true, Pavel. Whether or not the device object has a name, or not, is not relevant to whether it can have a namespace. Remember, the I/O manager at the level of opening a handle treats everything as if it were a file system. When it parses the name string passed to CreateFile, it starts walking the string from left to right, looking for a symbolic link name that translates to a device name. As soon as it finds a translation, it basically stops parsing, creates the file object, and the entire string that was passed to CreateFile is placed in the file object. Whether the symbolic link name is a device interface class name or a driver-created name is irrelevant.

    Of course, like a file system driver, a driver managing its own namespace must parse and verify the namespace and implement appropriate security.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Marked as answer by shaul_ei Thursday, April 23, 2015 2:08 PM
    Wednesday, April 22, 2015 5:57 PM
    Moderator

  • Thank you for the excellent replies.

    I now understand that not naming my DO was not a wise decision but this will not be reversed. However, I can still name the DO so that its devices will be interfaced either by the new namespace or by the old interfaces.


    > 250 joysticks?!  that's insane ...

    Not Exactly. One of my users wants to use it for over-the-net gaming server where many players play simultaneously. Anyhow, the current 16 device limitation was relevant for the old WINMM interface and should be removed.

     

    > Whether or not the device object has a name, or not, is not relevant to whether it can have a namespace.

    Good news then? Suppose the driver creates this name for my driver interface:
    \\?\{d6e55ca0-1a2e-4234-aaf3-3852170b492f}#vjoyrawpdo#1&2d595ca7&147&vjoyinstance00#{781ef630-72b2-11d2-b852-00c04fad5101}\device_001

    Can I assume that the string followed by device_001 is my namespace? If so, what is the use of creating an interface? What happens if I try to create file (CreateFile()) with an arbitrary sub-name such as
    \\?\{d6e55ca0-1a2e-4234-aaf3-3852170b492f}#vjoyrawpdo#1&2d595ca7&147&vjoyinstance00#{781ef630-72b2-11d2-b852-00c04fad5101}\device_BlaBla?


    • Edited by shaul_ei Thursday, April 23, 2015 2:30 PM typos
    Thursday, April 23, 2015 2:28 PM
  • You don't need to give your device a name. The PDO has a name and when you create a device interface, the interface symbolic link will always point to the PDO's name, never the FDO.  Yes, anything after the base interface string will be passed to you as a file name, so device_BlaBla will be passed to your driver. See

    http://blogs.msdn.com/b/doronh/archive/2007/10/03/devices-and-namespaces.aspx

    http://blogs.msdn.com/b/doronh/archive/2006/08/18/706717.aspx


    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by shaul_ei Saturday, April 25, 2015 3:15 PM
    Thursday, April 23, 2015 4:40 PM
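
The validation that Brian's and Doron's replies call for, as an added example (not code from any poster or from the driver discussed in the thread): a portable C function that checks the counted file-name suffix a driver receives on open. The `counted_wstr` type, the function name and the exact-match, three-digit policy are assumptions; `device_NNN` and the 250 limit are taken from the thread.

```c
#include <stddef.h>
#include <stdint.h>

/* The 250-device limit and "device_NNN" naming come from the thread;
 * all identifiers below are hypothetical. */
#define MAX_VIRTUAL_DEVICES 250u

/* Counted UTF-16 string modelled on the kernel's UNICODE_STRING:
 * length is in BYTES and the buffer need not be NUL-terminated. */
typedef struct {
    uint16_t        length;   /* bytes, not characters */
    const uint16_t *buffer;
} counted_wstr;

/* Returns the device index 1..250 for exactly "\device_NNN" (three decimal
 * digits), or 0 for anything else. An empty name (an open of the interface
 * root itself) also yields 0, so the caller decides that policy. */
unsigned parse_device_suffix(const counted_wstr *name)
{
    static const char prefix[] = "\\device_";
    const size_t prefix_len = sizeof(prefix) - 1;   /* 8 characters */
    const size_t expected   = prefix_len + 3;       /* prefix plus NNN */
    unsigned index = 0;
    size_t i;

    if (name == NULL || name->buffer == NULL)
        return 0;
    if (name->length % 2 != 0 || (size_t)(name->length / 2) != expected)
        return 0;   /* odd byte count, too short, or trailing characters */

    for (i = 0; i < prefix_len; i++)
        if (name->buffer[i] != (uint16_t)prefix[i])
            return 0;   /* assumed policy: one exact spelling per device */

    for (i = prefix_len; i < expected; i++) {
        uint16_t c = name->buffer[i];
        if (c < '0' || c > '9')
            return 0;   /* rejects "device_BlaBla", signs, spaces */
        index = index * 10 + (unsigned)(c - '0');
    }
    return (index >= 1 && index <= MAX_VIRTUAL_DEVICES) ? index : 0;
}
```

In a KMDF driver the counted string would come from `WdfFileObjectGetFileName` in the file-create callback, and a result of 0 would fail the create request rather than hand out a handle.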
  • Much clearer, thank you.

    From what I experimented with my code I found out that you can indeed CreateFile and get a valid handle to any name in the namespace without defining an interface (WdfDeviceCreateDeviceInterface) to it. You can also send an IOCTL using this handle and it is treated correctly.

    So, if you know what are the names in the namespace - you don't really need to create interfaces. You need the interfaces only if you wish to enumerate them. Correct?

    Actually, you need one interface. Otherwise there's no way to get the driver-created namespace. Or is there?

    Let's put it this way: Why create Device Interfaces if I mean to use the namespace?

    P.S.: "A Hole In My Head" is a gem. I wish Doron had resumed it.

    Saturday, April 25, 2015 3:14 PM
  • You need a device interface for enumeration and discovery of the root of the name space. This is why the recommendation for you is to have one interface and use the name space for additional "things". If I had time to write, I would, but I don't ... and I don't write drivers or wdf code full time anymore so the list of ideas has ebbed.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by shaul_ei Sunday, April 26, 2015 5:13 AM
    Saturday, April 25, 2015 7:05 PM
  • > Much clearer, thank you.
    >
    > From what I experimented with my code I found out that you can indeed CreateFile and get a valid handle to any name in the namespace without defining an interface (WdfDeviceCreateDeviceInterface) to it. You can also send an IOCTL using this handle and it is treated correctly.
    >
    > So, if you know what are the names in the namespace - you don't really need to create interfaces. You need the interfaces only if you wish to enumerate them. Correct?
    >
    > Actually, you need one interface. Otherwise there's no way to get the driver-created namespace. Or is there?
    >
    > Let's put it this way: Why create Device Interfaces if I mean to use the namespace?
    >
    > P.S.: "A Hole In My Head" is a gem. I wish Doron had resumed it.

    That is what I was saying originally. I have lots of experience with game engines and servers.



    MSFT Signature

    Place your rig specifics into your signature like I have, makes it 100x easier!

    Hardcore Games Legendary is the Only Way to Play!
    Vegan Advocate How can you be an environmentalist and still eat meat?

    Saturday, April 25, 2015 7:23 PM