EldoS | Feel safer!

Software components for data protection, secure storage and transfer

CallbackFilter permissions and security

Posted: 07/10/2014 21:22:28
by Daryl van den Brink (Basic support level)
Joined: 07/10/2014
Posts: 1

I was concerned about whether CallbackFilter honours access restrictions on the file system when a process tells the kernel driver to place a filter on part of the file system. Because the kernel driver is in the kernel, it has unrestricted access to the entire system, so it is up to the kernel driver to check that the calling process has permission to access the part of the file system on which it is trying to place a filter.

So I created a small test program, based on one of the standard test programs, which tries to place a filter on a file in the "Program Files" directory, then I tried running it as a restricted user. I confirmed that this user doesn't have permission to modify or delete this file by trying to do those things in Windows Explorer. Yet the test program seemed to be able to place a filter on that file which it isn't supposed to be able to modify.

I must have got something wrong in my test program because it didn't seem to work as I intended. I wanted to override its contents, but instead made the file appear to not exist when someone tried to open it (this happened regardless of which user ran it, so had nothing to do with permissions but was rather a bug in my program). Nevertheless, the fact that it was able to do that much was concerning, and shows that it probably would have been able to override the contents if I'd got it right.

Is this the way CallbackFilter is supposed to behave? Is it supposed to let users place filters on files they don't have write access to?

Posted: 07/10/2014 22:52:03
by Eugene Mayevski (Team)

Thank you for your interest in our products.

The filter driver knows nothing about user permissions. Indeed it can be used on files otherwise inaccessible to the user and can be used by the application to circumvent security restrictions set for NTFS files and folders. This behavior is by design - the developer should be careful to follow whatever limitations are needed to prevent information leaks, and administrators (you need admin rights to install the driver on the computer) should be careful not to install unknown applications which could try to steal information.

If you'd like the driver to check security permissions for you when filtering the directory, you are welcome to add an idea to the WishList and possibly we will implement it in future versions of the product. There's a small problem with such an option though - if it's an option, it should be turned on and off from the application (either via registry or in code). This means that it can be turned off by the user unless the permissions are set right not to allow restricted accounts to modify the registry and/or application code.

Sincerely yours
Eugene Mayevski
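
One way an application could apply such a limitation itself before asking the driver for a rule, shown as an added example that is not part of the thread and not EldoS code: it proceeds only if the current user can already open the target file for writing. `addRule` is a hypothetical stand-in for the application's real CallbackFilter call, and the path is a constructed sample.

```csharp
using System;
using System.IO;

static class FilterRuleGuard
{
    // True only if the current security context can open the existing file for writing.
    public static bool CallerCanWrite(string path)
    {
        try
        {
            // FileMode.Open never creates or truncates; the handle is closed at once.
            using (new FileStream(path, FileMode.Open, FileAccess.Write,
                                  FileShare.ReadWrite | FileShare.Delete))
            {
                return true;
            }
        }
        catch (UnauthorizedAccessException) { return false; } // denied by ACL, or read-only
        catch (IOException) { return false; }                 // missing file, sharing violation: fail closed
    }

    // addRule is a hypothetical stand-in for the call that registers the filter rule.
    public static bool TryAddRule(string path, Action<string> addRule)
    {
        string full = Path.GetFullPath(path); // resolve relative and ".." segments first
        if (!CallerCanWrite(full))
        {
            Console.Error.WriteLine("Refusing filter rule, no write access: " + full);
            return false;
        }
        addRule(full);
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample path, not taken from the thread.
        string target = @"C:\Program Files\ExampleApp\config.dat";
        bool added = FilterRuleGuard.TryAddRule(
            target, p => Console.WriteLine("rule added for " + p));
        Console.WriteLine(added ? "filter requested" : "filter refused");
    }
}
```

The check runs in the security context of the process that performs it, so a service acting for another user would need to run it under that user's identity. Permissions can also change after the check, so it narrows the gap the thread describes rather than replacing enforcement in the driver.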


