EldoS | Feel safer!

Preventing rule modification \ driver unload by other application

#17340
Posted: 08/20/2011 15:32:17
by Ophir Yoktan (Basic support level)
Joined: 08/20/2011
Posts: 1

I'm considering the use of CallbackFilter for a security-related application.

One of the issues I encountered is that it appears that there's no way to protect the API of the driver.

So if I define some filters, an attacker (assuming he knows I'm using this product) may just issue the relevant API calls to disable the filters or unload the driver.

Is this correct? Is there some way to protect the product from such attacks?
#17341
Posted: 08/21/2011 07:03:54
by Vladimir Cherniga (EldoS Corp.)

Only users with administrative rights may install or uninstall the driver. Unloading is not supported by legacy file system filter drivers.
To protect the user API we may add a process restriction mechanism to our future releases.
#17342
Posted: 08/21/2011 09:02:17
by Eugene Mayevski (EldoS Corp.)

Addition: currently any application can modify or delete rules set by another application; however, it needs to know what rules have been set.

We will add a function to the next version to track the process that added the rule and prevent other applications from changing this rule. The function will be optional.


Sincerely yours
Eugene Mayevski
#17343
Posted: 08/21/2011 13:44:04
by Ophir Yoktan (Basic support level)
Joined: 08/21/2011
Posts: 7

Thanks.

What do you mean by "it needs to know what rules have been set"?

Wouldn't a call to CallbackFilter.DeleteAllFilterRules clear all filters?

Is there a timeline for the new version?

Ophir
#17344
Posted: 08/21/2011 15:10:41
by Vladimir Cherniga (EldoS Corp.)

Each CallbackFilter instance has a unique identifier. It is assigned internally during filter initialization (CallbackFilter::AttachFilter()). The CallbackFilter API applies to the rules that belong to a specific filter instance, and has no effect on rules assigned with another filter instance.
The new version will be available within a month.