How safe is your device namespace?

The I/O Manager can protect your device's namespace from unprivileged access if you set the FILE_DEVICE_SECURE_OPEN device characteristic.

The I/O Manager can protect your device's namespace from unprivileged access if you allow it to. Setting the FILE_DEVICE_SECURE_OPEN device characteristic directs the I/O Manager to apply the security descriptor of the device object to all open requests, including file-open requests into the device's namespace. Essentially, the I/O Manager performs access checks and fails requests that don't have the privileges you established for the device object. FILE_DEVICE_SECURE_OPEN is supported on Microsoft Windows NT 4.0 SP5 and later versions of Windows.

A client usually opens a driver's named device objects ("\Device\MyDevice") in order to access the device. However, a client can also attempt to open files on a device by appending a file path to the device object name ("\Device\MyDevice\Some\Arbitrary\Path\To\A\File"). When this happens, the file object has a FileName equal to the trailing portion of the name ("\Some\Arbitrary\Path\To\A\File"). Unless the device driver watches for this case and either fails the create request or applies a security check, this can create a security hole in the system, because an unprivileged user could bypass security and obtain handles with read and write access simply by opening a file in the device's namespace.

Your driver is always responsible for managing its namespace, and using FILE_DEVICE_SECURE_OPEN makes that easier by having the I/O Manager perform security checks for your driver. Setting FILE_DEVICE_SECURE_OPEN closes potential security holes because the security descriptor for the device is applied to all open attempts, including those with trailing names, no matter how deep into the namespace they go. (To be absolutely sure of preventing a caller from opening files, make sure that IrpSp->FileObject->FileName.Length is 0 in every create IRP your driver receives.)

What should you do?

Almost all drivers that create device objects should set FILE_DEVICE_SECURE_OPEN when the device object is created. The only drivers that shouldn't are those that implement their own security checking, such as file systems.

  • Set FILE_DEVICE_SECURE_OPEN when calling IoCreateDevice or IoCreateDeviceSecure to create a device object.
  • For Plug and Play drivers for Microsoft Windows 2000 and later, use the INF file to assign FILE_DEVICE_SECURE_OPEN to the DeviceCharacteristics value name in the registry.
  • If your driver cannot use FILE_DEVICE_SECURE_OPEN for some reason, perform your own access checks or reject I/O requests from unprivileged callers.
  • If your driver does not support opening files or supports exclusive opens, fail any IRP_MJ_CREATE requests that specify an IrpSp->FileObject->FileName parameter with a nonzero length.
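
The C model below is an added example, not code from the original page or from Microsoft. It puts the open path described above into code so that the effect of FILE_DEVICE_SECURE_OPEN and of the FileName.Length check can be compared side by side. The struct and function names are hypothetical, the I/O Manager logic is simplified to the behaviour this page describes, and STATUS_INVALID_PARAMETER is an assumed choice of failure status.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the WDK headers, repeated so this builds without them. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED     ((NTSTATUS)0xC0000022)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define FILE_DEVICE_SECURE_OPEN  0x00000100u

/* Hypothetical model types, not WDK structures. */
struct device {
    uint32_t characteristics;   /* models DeviceObject->Characteristics */
    bool rejects_file_names;    /* driver checks FileName.Length in create */
};
struct open_request {
    bool passes_device_acl;     /* would the caller pass the device's security descriptor? */
    uint16_t file_name_length;  /* models IrpSp->FileObject->FileName.Length, in bytes */
};

/* Driver side: the check the page recommends for IRP_MJ_CREATE. */
static NTSTATUS driver_create(const struct device *dev, const struct open_request *req)
{
    if (dev->rejects_file_names && req->file_name_length != 0)
        return STATUS_INVALID_PARAMETER;   /* status code assumed for this example */
    return STATUS_SUCCESS;
}

/* I/O Manager side, simplified: the device's security descriptor is applied
   to a trailing-name open only when FILE_DEVICE_SECURE_OPEN is set. */
static NTSTATUS open_device(const struct device *dev, const struct open_request *req)
{
    bool has_trailing_name = req->file_name_length != 0;
    bool secure_open = (dev->characteristics & FILE_DEVICE_SECURE_OPEN) != 0;

    if ((!has_trailing_name || secure_open) && !req->passes_device_acl)
        return STATUS_ACCESS_DENIED;
    return driver_create(dev, req);
}

int main(void)
{
    struct device legacy = { 0, false };
    struct device hardened = { FILE_DEVICE_SECURE_OPEN, true };
    struct open_request unpriv_path = { false, 30 };  /* constructed: L"\\Some\\Path\\File" */
    printf("legacy:   0x%08X\n", (unsigned)open_device(&legacy, &unpriv_path));
    printf("hardened: 0x%08X\n", (unsigned)open_device(&hardened, &unpriv_path));
    return 0;
}
```

In the model, only the device without the flag lets the caller who fails the device's security descriptor through, and only when a trailing name is present.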

Kernel-Mode Drivers: Fixing Common Driver Reliability Issues

Controlling Device Namespace Access

 

 
