How do you add protection to your device's IOCTLs?

  • Question

  • Hello experts!

    Has anyone implemented any secure-IOCTL mechanism?

    I know this question has been asked before, and the suggestion was made that this is a sure losing battle, since if a hacker has enough time he can disassemble the code and figure out the mechanism. We can only add hacking complexity to prevent unauthorized IOCTLs, and this is what I intend to do (without creating too much overhead).

    From what I read, the supported way is to use account-based ACLs, but this method easily fails if the malware also runs as admin (I feel this is quite normal). If we add a special user account for this, then that account can be manipulated outside our control, which is not good either.

    Any real-world experiences and suggestions are appreciated.


    Best regards,

    Peter.





    Wednesday, June 22, 2011 8:48 AM

Answers

  • I've known of clients who used an encryption or hash key of a unique design which is added to the block passed in for the IOCTL.  Most secure IOCTL mechanisms just use Windows security, either for the device or on a specific IOCTL.



    Don Burn (MVP, Windows DKD) Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr
    Wednesday, June 22, 2011 3:32 PM
  • But once the malware runs as admin, you have lost. They can do any number of things to circumvent your measures. Just use Windows security mechanisms and you will be fine for what you want to do. Typically you do this by specifying your ACL for restricting read or write access and then, in your IOCTL definition, specifying that read or write access is required.
    d -- This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, June 22, 2011 5:17 PM
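The two-layer scheme the answer above describes (a device ACL that decides who can open a handle with read or write access, plus per-IOCTL access bits that the I/O manager checks against that handle before the driver ever sees the request) can be modelled in plain C. The following is an added example, not code from the thread or from any real driver: the `CTL_CODE` macro and the `FILE_*_ACCESS` constants are reproduced as the DDK headers define them, the SDDL string is the value of the DDK's `SDDL_DEVOBJ_SYS_ALL_ADM_ALL`, and the driver name `mydrv`, its three IOCTLs and the `handle_t` struct are hypothetical stand-ins for the kernel's `FILE_OBJECT` access flags.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as defined in the Windows DDK headers (ntddk.h / winioctl.h). */
#define FILE_DEVICE_UNKNOWN  0x00000022
#define METHOD_BUFFERED      0
#define FILE_ANY_ACCESS      0
#define FILE_READ_ACCESS     0x0001
#define FILE_WRITE_ACCESS    0x0002

/* CTL_CODE packs the required access into bits 14-15 of the control code. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

/* Hypothetical IOCTLs for an imaginary driver "mydrv" (constructed for this example).
 * SET_POLICY changes state, so it demands a handle opened for write;
 * GET_STATUS only reads; PING is open to any handle. */
#define IOCTL_MYDRV_GET_STATUS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_MYDRV_SET_POLICY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_MYDRV_PING       CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Device-object ACL in SDDL: SYSTEM (SY) and Administrators (BA) get generic all
 * access (GA); the DACL is protected (P) so no inherited ACE widens it. This is the
 * DDK's SDDL_DEVOBJ_SYS_ALL_ADM_ALL; a real driver passes it to IoCreateDeviceSecure. */
#define MYDRV_DEVICE_SDDL "D:P(A;;GA;;;SY)(A;;GA;;;BA)"

/* Model of the two access flags the I/O manager records on a FILE_OBJECT when a
 * handle is opened (FileObject->ReadAccess / FileObject->WriteAccess). Whether an
 * opener can obtain them at all is decided by the device ACL above. */
typedef struct {
    bool read_access;
    bool write_access;
} handle_t;

/* Extract the access requirement and function number encoded by CTL_CODE. */
static unsigned ioctl_required_access(uint32_t code) { return (code >> 14) & 0x3; }
static unsigned ioctl_function(uint32_t code)        { return (code >> 2) & 0xFFF; }

/* Mirrors the check the I/O manager performs before the IRP reaches the driver:
 * a code that requires FILE_READ_ACCESS needs a handle opened for read, a code
 * that requires FILE_WRITE_ACCESS needs one opened for write, FILE_ANY_ACCESS
 * passes with either. The driver itself never has to repeat this check. */
static bool handle_allows_ioctl(handle_t h, uint32_t code) {
    unsigned req = ioctl_required_access(code);
    if ((req & FILE_READ_ACCESS) && !h.read_access) return false;
    if ((req & FILE_WRITE_ACCESS) && !h.write_access) return false;
    return true;
}

static void report(const char *who, handle_t h, const char *name, uint32_t code) {
    printf("%-12s %-22s func=0x%03x req=%u -> %s\n", who, name,
           ioctl_function(code), ioctl_required_access(code),
           handle_allows_ioctl(h, code) ? "allowed" : "STATUS_ACCESS_DENIED");
}

int main(void) {
    /* Three handles as the I/O manager would see them after CreateFile with
     * GENERIC_READ, GENERIC_WRITE, or both (assuming the device ACL admitted the caller). */
    handle_t read_only  = { true,  false };
    handle_t write_only = { false, true  };
    handle_t read_write = { true,  true  };

    printf("device SDDL: %s\n", MYDRV_DEVICE_SDDL);
    report("read-only",  read_only,  "IOCTL_MYDRV_GET_STATUS", IOCTL_MYDRV_GET_STATUS);
    report("read-only",  read_only,  "IOCTL_MYDRV_SET_POLICY", IOCTL_MYDRV_SET_POLICY);
    report("write-only", write_only, "IOCTL_MYDRV_GET_STATUS", IOCTL_MYDRV_GET_STATUS);
    report("write-only", write_only, "IOCTL_MYDRV_SET_POLICY", IOCTL_MYDRV_SET_POLICY);
    report("read-write", read_write, "IOCTL_MYDRV_SET_POLICY", IOCTL_MYDRV_SET_POLICY);
    report("read-only",  read_only,  "IOCTL_MYDRV_PING",       IOCTL_MYDRV_PING);
    return 0;
}
```

The point the model makes concrete: the access bits in `CTL_CODE` are enforced on the handle, not on the caller's identity, so they only help once the device ACL has already restricted who can open a read or write handle. A code defined with `FILE_ANY_ACCESS` (the default many sample drivers use) is reachable from any handle the ACL lets through, which is why state-changing IOCTLs should be defined with `FILE_WRITE_ACCESS` and the device created with a restrictive SDDL rather than a world-accessible one.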
