EldoS | Feel safer!

Software components for data protection, secure storage and transfer

EncryptwithHeader Sample

Also by EldoS: Rethync
The cross-platform framework that simplifies synchronizing data between mobile and desktop applications and servers and cloud storages
#24278
Posted: 03/25/2013 08:41:26
by Vladimir Cherniga (EldoS Corp.)

Quote
I think with EaName I can filter all system files or allow only user files

EA - Extended Attributes, the way to add an additional file stream for the existent file. This doesn't help in your case. It could be useful when you tag a selected files with EA data and want to filter them based on "filter mask" + EA. Here is a link to some information about additional file streams
http://msdn.microsoft.com/en-us/libra...s.85).aspx

EA are not supported by FAT32.
#24279
Posted: 03/25/2013 08:44:37
by Vladimir Cherniga (EldoS Corp.)

Quote
One more thing ... I am working on NTFS win 7 system

Here is a bug in current implementation that may cause hang in SetEOFAsync call on Windows Vista or later. The fix is on the way to the next build of CallbackFilter.
#24280
Posted: 03/25/2013 08:51:17
by Vladimir Cherniga (EldoS Corp.)

#24287
Posted: 03/25/2013 10:09:33
by Manoj Jain (Standard support level)
Joined: 02/28/2013
Posts: 94

Can I set priority in two instances of callbackfilter

I have declared two callback filter, g_CbFlt and g_CbFlt2

G_CbFlt with all callback procedures and g_CbFlt2 with only FileOpenCallback

I have set following filter

Code
  g_CbFlt2.AddPassThroughCallbackRule (FolderName, (CallbackFilter::CbFltCallbackFlags)(
      CallbackFilter::OpenCallback ));

       g_CbFlt2.AddFilterCallbackRule(L"*.*", (CallbackFilter::CbFltCallbackFlags)(
      CallbackFilter::OpenCallback ));

       g_CbFlt.AddFilterCallbackRule(FolderName, (CallbackFilter::CbFltCallbackFlags)(
      CallbackFilter::ReadCallback |
      CallbackFilter::WriteCallback |
      CallbackFilter::CreateCallback |
      CallbackFilter::RenameCallback |
      CallbackFilter::SetSizesCallback |
      CallbackFilter::EnumerateDirectoryCallback |
      CallbackFilter::OpenCallback |
      CallbackFilter::CloseCallback |
      CallbackFilter::GetSizesCallback
      ));



This effectively blocks all the folder from being accessed and allows only FolderName folder. [which I require]

But I am expecting all the files saved in FolderName to be encrypted as per setting of g_CbFlt but files saved in FolderName all not encrypted.

How can I ensure that call back events of g_CbFlt fires first and then g_CbFlt2.

I have tried various options like activating g_CbFlt first and than g_CbFlt2 and vise versa but result is same.

[I have tested this on XP after your comments below:

Quote
Here is a bug in current implementation that may cause hang in SetEOFAsync call on Windows Vista or later. The fix is on the way to the next build of CallbackFilter.


If we can make fire write call back of g_CbFlt in the FolderName [Folder mask] my problem would be solved.
#24288
Posted: 03/25/2013 10:50:55
by Vladimir Cherniga (EldoS Corp.)

If you specified rule with exact folder mask, without wildcard symbols (*, ?), the resulting callbacks fired only for the folder request, excluding the files resides in folder. To filter files in particular folder you should specify "folder_full_path\*.*"
You cannot rely on callback filter order, because they work in different worker threads, that scheduled by the system.
I am not sure what is your FolderName exactly, mask or absolute folder path, but in order to make encryption works you should use a "folder_full_path\*.*" in g_CbFlt. g_CbFlt2 rule will give you open callback for the all files in system, except for FolderName (but this may deadlock in opening some of the system dlls)
#24291
Posted: 03/25/2013 11:51:29
by Manoj Jain (Standard support level)
Joined: 02/28/2013
Posts: 94

My FolderName is "folder_full_path\*.*"

This is what I want to achieve

User should be able to save files only in a specified folder and no where else on the computer, not even network. g_CbFlt2 can achieve that [I have test for system dlls] but it was working on XP when I tested.

All files in that specified folder should be encrypted [as per EncryptwithHeader sample as set in g_CbFlt]

I will set "My documents" folder for folder name which is defualt for windows.

As per the code above, All files in the specified folders are normal files .... that means g_CbFlt is not firing any call back.

In OpenFileCallback of g_CbFlt2, I have given RequestAccepted=FALSE.

All the callbacks of g_CbFlt as exactly same as EncryptwithHeader sample

Why I want to achieve that:
For example, we open a text file in notepad, we can save it in any format because save as option in notepad allows "*.*" as type of file. So I have to protect all the file formats by encrypting them at any possible location.

Please guide me how to achieve that.
#24292
Posted: 03/25/2013 12:26:22
by Manoj Jain (Standard support level)
Joined: 02/28/2013
Posts: 94

Quote
but this may deadlock in opening some of the system dlls

I will add sysytem and system32 folder to bypass ....
This is safe because normal user cannot write to these folder.

I hope this will solve dll deadlock issue
#24294
Posted: 03/25/2013 13:53:39
by Vladimir Cherniga (EldoS Corp.)

Quote
As per the code above, All files in the specified folders are normal files .... that means g_CbFlt is not firing any call back

It's not clear for me. g_Cbflt is set to trigger withing filtered path. g_Cbflt2 is set to not trigger within filtered path. What is your final goal ? To keep all files encrypted within target folder and forbid copy any file out of that folder ? Or do not allow to save any opened(from anywhere) file to other location than filtered path, or protect any file within special folder from being copied out of that folder, encrypting them ? Sorry for the misunderstanding.
#24296
Posted: 03/25/2013 20:00:01
by Manoj Jain (Standard support level)
Joined: 02/28/2013
Posts: 94

My Final Goal is this:

1. Encrypted Text files will be in a specified folder [say c:\text\*.*]. These Text files will be encrypted before giving to customer using a program exactly same as Encryptwithheader. Program given to customer will have code as given below [or earlier]

2. Customer should be able to open these encrypted text files but not be able to save in a decrypted form [or normal files]

3. As you know, In notepad, if we select "*.*" as file type during save as, we can save with any extension and later change the extension as desired. And hence protecting any specific file format does not make sense.

4. I am trying to prevent user from accessing all the folders except one folder [say c:\text\*.*] using g_CbFlt and gCbFlt2 combination plus allowing setting bypass for system and system32 folders.

5. Yesterday when I posted this message, files saved by user in c:\text\*.* folder were non-encrypted that means normal files. My understanding was that they will be encrypted.

6. As per set rules this should not have happened.

So please guide me what should me my filter setting in code below: VC++ EncryptwithHeader sample


Code
  g_CbFlt2.AddPassThroughCallbackRule (L"C:\Test\*.*", (CallbackFilter::CbFltCallbackFlags)(
      CallbackFilter::OpenCallback ));

       g_CbFlt2.AddFilterCallbackRule(L"*.*", (CallbackFilter::CbFltCallbackFlags)(
      CallbackFilter::OpenCallback ));

       g_CbFlt.AddFilterCallbackRule(L"C:\Test\*.*", (CallbackFilter::CbFltCallbackFlags)(
      CallbackFilter::ReadCallback |
      CallbackFilter::WriteCallback |
      CallbackFilter::CreateCallback |
      CallbackFilter::RenameCallback |
      CallbackFilter::SetSizesCallback |
      CallbackFilter::EnumerateDirectoryCallback |
      CallbackFilter::OpenCallback |
      CallbackFilter::CloseCallback |
      CallbackFilter::GetSizesCallback
      ));


As the user will not be able to open any folder. We will instruct the user to open the program [notepad] first and than open files. we will set My_Documents as the folder so that user is not required to browse.

My Question is : Is my rules correct as per my requirement?

I will test again today when I reach office in few hours. I needed more guidance on this issue.

Thanks for your support ....
#24299
Posted: 03/26/2013 04:09:50
by Vladimir Cherniga (EldoS Corp.)

You should keep in mind, that in the case of more than one filter active, they will callback in a cycle. If any filter callback returns FALSE or raise exception from callback, this cycle will break and return immediately from request handling. In your case, if g_CbFlt2 filter get control on OpenFile callback and return FALSE, it will break handle creation and you will not get PosOpenFile callback for g_CbFlt filter.
Quote
2. Customer should be able to open these encrypted text files but not be able to save in a decrypted form [or normal files]

3. As you know, In notepad, if we select "*.*" as file type during save as, we can save with any extension and later change the extension as desired. And hence protecting any specific file format does not make sense.


I think this is not possible, if you allow some application to open and read file, then nothing to prevent it open an arbitrary file and save it somewhere else. Also should note, that notepad works with a memory mapped files, and it could close a file handle as soon as using a handle for memory mapped section. This is not break a filter rules, because all non-paging read/write requests going through the filesystem and filter, but if the file changed outside from the notepad, this changes will not affect on memory mapping representation.
Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.

Reply

Statistics

Topic viewed 14271 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!