[18784] in bugtraq
Re: win32/memory locking (Re: Reply to EFS note on Bugtraq)
daemon@ATHENA.MIT.EDU (John Wiltshire)
Wed Jan 24 12:44:22 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Class: urn:content-classes:message
Message-Id: <0A3BB0EB963F2240A6A417216D2CDC3C0382C4@tsd2.qits.net.au>
Date: Wed, 24 Jan 2001 14:07:19 +1000
Reply-To: John Wiltshire <jw@QITS.NET.AU>
From: John Wiltshire <jw@QITS.NET.AU>
X-To: Peter W <peterw@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
From: Peter W [mailto:peterw@USA.NET]

> Bits _never_ get written to the disk? Guaranteed never to use
> swap space?
>
> The GnuPG FAQ (http://www.gnupg.org/faq.html#q6.1) suggests that it is
> not possible to make a Windows program insist on physical RAM the way a
> program can in Open Systems. Does EFS really use only physical RAM? If
> so, is there some win32 API that can be used by other application
> designers who want to guarantee that certain blocks of allocated memory
> are *never* swapped out to disk? The most likely candidate I've come
> across is VirtualLock() which, unfortunately, "does not mean that the
> page will not be paged to disk"
> (http://msdn.microsoft.com/library/techart/msdn_virtmm.htm).

This is certainly possible, as EFS is a kernel mode device driver and not
a Win32 application. Non-pageable memory can be easily allocated from
the non-paged pool by a device driver (and is one of the fundamental
concepts in writing a Win2000 driver).

The EFS driver communicates with the local security authority (lsass) to
allow the use of CryptoAPI for encryption of the data, but as lsass is a
Native application (not Win32) it may have access to other
(undocumented) functions, or simply pass a pointer to the non-paged
memory it has allocated for the encryption buffers.

Note that the PGP implementation uses a device driver (PGPmemlock.sys)
to lock pages into memory and prevent them from being swapped out. I am
unsure as to the motives of the GPG team if they have not implemented a
similar feature, but it smells like FUD to me.

John Wiltshire