Best Practices for More Secure and Reliable Device Drivers
Other versions of this page are also available for the following:
.gif "A hyphen indicates that the information in this topic is not relevant for this platform, or that the platform does not support the API that is listed.")
.gif "A checkmark indicates that the information in this topic is relevant for this platform, and that any API listed is also supported on this platform.")
8/28/2008
Device drivers should not unexpectedly crash or unexpectedly elevate privilege.
The following list shows best practices for security and reliability:
Use structured exception handling (SEH) only as needed. SEH is also known as __try/__except blocks.
Check access permissions on nested pointers in IOCTL calls.
Check access permissions on nested pointers in non-stream interface driver entry points, such as the GWES keyboard functions.
Use the Ceddk.dll functions to access hardware.
Do not use the macros in Wdm.h.Check return values for any function calls that can fail or return unexpected results.
Use DEBUGCHK or a related macro to check assumptions, but appropriately handle the error circumstances that can occur.
Perform thorough threat modeling and mitigation.
Use CeAllocAsynchronousBuffer and SEH when an internal thread accesses an externally provided buffer. This function marshals the buffer of the caller into the virtual memory of the kernel. In Windows Embedded CE 6.0, you do not need to change the permission of the thread to access the externally provided buffer.
Verify that any applications that call into a device driver are trusted.
Check the trust of the calling application with the CeGetCallerTrust function. Then, if necessary, enforce access to trusted callers only with the DEVFLAGS_TRUSTEDCALLERONLY Flags registry value.
Use the C/C++ Code Analysis.
See Also
Reference
Concepts
CEDDK Dynamic-Link Library
Device Manager Security
Windows Embedded CE Drivers