trunk/Src/wptSecmem.cpp

/* wptSecmem.cpp - W32 ``Secure`` memory handling
 *      Copyright (C) 2001, 2002 Timo Schulz <[email protected]>
 *
 * This file is part of WinPT.
 *
 * WinPT is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version.
 *  
 * WinPT is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License 
 * along with WinPT; if not, write to the Free Software Foundation, 
 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 *
 * This is the notice from the original author:
 *
 * win32vmSafe - a 'no write to disk' volatile buffer
 * implemented via standard win32 api calls.
 *
 * Copyright (C) 2001 John J. Kane <[email protected]>
 * Brief notice: This code is released under the terms of
 * the GNU Lesser General Public License (LGPL) Version 2.1;
 * refer to www.gnu.org if you're clueless.
 *
 * WARNING:
 * This is win32vmSafe ALPHA v0.2.1. No security analysis has
 * been done on this version; do not use in production code.
 * It demonstrates basic functionality only.
 * This version should be considered deprecated after 2001-09-01.
 * Contact John Kane for information on the current status
 * of this package.
 *
 * Heavily modified for the use with WinPT by Timo Schulz.
 */

#if 0
#include <windows.h>

/*  CONTEXT:
  Under Windows, a user process cannot lock pages in memory.
Normally, critical data will be flushed to the system VMM swap
file at unpredictable intervals.  Only a kernel-level VXD/DLL
can lock physical pages, and we do not have a GPL page-locker.
*HOWEVER:
Please note the following distinction:
  (1) A page can be locked IN memory to guarantee that it is
always accessible and never triggers a page fault.
  (2) A page can be protected to ensure that its contents
are never copied OUT of memory into permanent storage.
  It turns out that there is a way to implement (2) without
the work required to ensure (1).  Win32 memory-mapped files
allow you to map the first N bytes of any file into a page.
The remaining 4096-N bytes of that page become a VOLATILE
BUFFER area which is not written back to the mapped file even
if the process is swapped out.  The data is DISCARDED without
being written; when the process is swapped back in, the former
contents of the unmapped area are not preserved.
  A 'magic number', sentinel, or any other integrity check
scheme can be used to detect the loss of the contents of
the volatile buffer.
  The application can respond by aborting the interrupted
action with an error message, or by retrying.
*SUMMARY:
  This approach DOES satisfy a security constraint of not
allowing critical key data to be written to disk.  It does
not attempt to prevent the process from being swapped, and
does not preserve the volatile buffer across swap-outs.
This behavior (although safe) is non-intuitive; it may be
best to make it a non-default option if implemented.
*COMPLEXITY IMPLICATIONS FOR NON-WINDOWS PORTS:
  None.
*COMPLEXITY IMPLICATIONS FOR WINDOWS PORTS:
  The code footprint is small.  No VXD; it's compiled
right into the main executable.  No end-user installation
step.  Data in excess of 4k requires multiple buffers.
May allow the elimination of certain previously-implemented
win32 security workarounds.  The parent routine must detect
and handle the (rare) loss-of-data event.
*PORTABILITY:
  There are reasons why this method is likely to be portable
across all flavors of win32 systems, even in environments
where the user lacks NT Administrator rights.  It relies
only on core win32 primitives which are supported on
everything since Win95 (possibly Win3.1).
*/

struct secmem_s {
    HANDLE fh;
    HANDLE mh;
    char *ptr;
    int mapsize;
};

static secmem_s mem;
static char fname[128];
static int fname_set = 0;

int
vm_safe_init(int mapsize)
{
    if ( !fname_set )
        return 1;
    
    mem.fh = CreateFile(
        fname,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_ALWAYS,
        FILE_ATTRIBUTE_TEMPORARY, 
        NULL );
    if ( mem.fh == INVALID_HANDLE_VALUE )
        return 1;
    
    mem.mh = CreateFileMapping( mem.fh, NULL, PAGE_READWRITE, 0, mapsize, 
                                NULL );
    mem.ptr = (char *)MapViewOfFile( mem.mh, FILE_MAP_READ | FILE_MAP_WRITE,
                                     0, 0, 0 );
    if ( mem.ptr == NULL ) {
        CloseHandle( mem.fh );
        CloseHandle( mem.mh );
        return 1;
    }
    
    VirtualLock( mem.ptr, mapsize );
    mem.mapsize = mapsize;
    
    return 0;
} /* vm_safe_init */

int
vm_safe_init_noswap(void)
{
    int rc;
    
    rc = vm_safe_init( 512 );
    if ( rc )
        return 1;
    mem.ptr += 512;
    return 0;
} /* vm_safe_init_noswap */

void
vm_safe_free( void )
{
    memset( mem.ptr, 0, mem.mapsize );
    mem.ptr = NULL;
    mem.mapsize = 0;
    
    CloseHandle( mem.mh );
    mem.mh = NULL;
    CloseHandle( mem.fh );
    mem.fh = INVALID_HANDLE_VALUE;
} /* vm_safe_init */

void*
vm_safe_get( void )
{
        return mem.ptr;
} /* vm_safe_get */

void
vm_safe_set_swapfile( const char *swapname )
{
    if ( swapname ) {
        strcpy( fname, swapname );
        fname_set = 1;
    }
} /* vm_safe_set_swapfile */

int
vm_safe_create_swapfile( const char *swapname, int size )
{
    HANDLE fd;
    char *buf = NULL;
    DWORD nwritten;
    
    if ( !size )
        return 1;
    
    fd = CreateFile( swapname, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, 
                     CREATE_ALWAYS,     0, NULL );
    if ( fd == INVALID_HANDLE_VALUE )
        return 1;
    
    buf = new char[size+1];
    if( !buf )
        BUG( NULL );
    memset( buf, 0, size );
    WriteFile( fd, buf, size, &nwritten, NULL );
    
    CloseHandle( fd );
    free_if_alloc( buf );
    return 0;
} /* vm_safe_create_swapfile */
#endif
1	twoaday	2	/* wptSecmem.cpp - W32 ``Secure`` memory handling
2			* Copyright (C) 2001, 2002 Timo Schulz <[email protected]>
3			*
4			* This file is part of WinPT.
5			*
6			* WinPT is free software; you can redistribute it and/or
7			* modify it under the terms of the GNU General Public License
8			* as published by the Free Software Foundation; either version 2
9			* of the License, or (at your option) any later version.
10			*
11			* WinPT is distributed in the hope that it will be useful,
12			* but WITHOUT ANY WARRANTY; without even the implied warranty of
13			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14			* General Public License for more details.
15			*
16			* You should have received a copy of the GNU General Public License
17			* along with WinPT; if not, write to the Free Software Foundation,
18			* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19			*
20			* This is the notice from the original author:
21			*
22			* win32vmSafe - a 'no write to disk' volatile buffer
23			* implemented via standard win32 api calls.
24			*
25			* Copyright (C) 2001 John J. Kane <[email protected]>
26			* Brief notice: This code is released under the terms of
27			* the GNU Lesser General Public License (LGPL) Version 2.1;
28			* refer to www.gnu.org if you're clueless.
29			*
30			* WARNING:
31			* This is win32vmSafe ALPHA v0.2.1. No security analysis has
32			* been done on this version; do not use in production code.
33			* It demonstrates basic functionality only.
34			* This version should be considered deprecated after 2001-09-01.
35			* Contact John Kane for information on the current status
36			* of this package.
37			*
38			* Heavily modified for the use with WinPT by Timo Schulz.
39			*/
40
41			#if 0
42			#include <windows.h>
43
44			/* CONTEXT:
45			Under Windows, a user process cannot lock pages in memory.
46			Normally, critical data will be flushed to the system VMM swap
47			file at unpredictable intervals. Only a kernel-level VXD/DLL
48			can lock physical pages, and we do not have a GPL page-locker.
49			*HOWEVER:
50			Please note the following distinction:
51			(1) A page can be locked IN memory to guarantee that it is
52			always accessible and never triggers a page fault.
53			(2) A page can be protected to ensure that its contents
54			are never copied OUT of memory into permanent storage.
55			It turns out that there is a way to implement (2) without
56			the work required to ensure (1). Win32 memory-mapped files
57			allow you to map the first N bytes of any file into a page.
58			The remaining 4096-N bytes of that page become a VOLATILE
59			BUFFER area which is not written back to the mapped file even
60			if the process is swapped out. The data is DISCARDED without
61			being written; when the process is swapped back in, the former
62			contents of the unmapped area are not preserved.
63			A 'magic number', sentinel, or any other integrity check
64			scheme can be used to detect the loss of the contents of
65			the volatile buffer.
66			The application can respond by aborting the interrupted
67			action with an error message, or by retrying.
68			*SUMMARY:
69			This approach DOES satisfy a security constraint of not
70			allowing critical key data to be written to disk. It does
71			not attempt to prevent the process from being swapped, and
72			does not preserve the volatile buffer across swap-outs.
73			This behavior (although safe) is non-intuitive; it may be
74			best to make it a non-default option if implemented.
75			*COMPLEXITY IMPLICATIONS FOR NON-WINDOWS PORTS:
76			None.
77			*COMPLEXITY IMPLICATIONS FOR WINDOWS PORTS:
78			The code footprint is small. No VXD; it's compiled
79			right into the main executable. No end-user installation
80			step. Data in excess of 4k requires multiple buffers.
81			May allow the elimination of certain previously-implemented
82			win32 security workarounds. The parent routine must detect
83			and handle the (rare) loss-of-data event.
84			*PORTABILITY:
85			There are reasons why this method is likely to be portable
86			across all flavors of win32 systems, even in environments
87			where the user lacks NT Administrator rights. It relies
88			only on core win32 primitives which are supported on
89			everything since Win95 (possibly Win3.1).
90			*/
91
92			struct secmem_s {
93			HANDLE fh;
94			HANDLE mh;
95			char *ptr;
96			int mapsize;
97			};
98
99			static secmem_s mem;
100			static char fname[128];
101			static int fname_set = 0;
102
103			int
104			vm_safe_init(int mapsize)
105			{
106			if ( !fname_set )
107			return 1;
108
109			mem.fh = CreateFile(
110			fname,
111			GENERIC_READ \| GENERIC_WRITE,
112			FILE_SHARE_READ \| FILE_SHARE_WRITE,
113			NULL,
114			OPEN_ALWAYS,
115			FILE_ATTRIBUTE_TEMPORARY,
116			NULL );
117			if ( mem.fh == INVALID_HANDLE_VALUE )
118			return 1;
119
120			mem.mh = CreateFileMapping( mem.fh, NULL, PAGE_READWRITE, 0, mapsize,
121			NULL );
122			mem.ptr = (char *)MapViewOfFile( mem.mh, FILE_MAP_READ \| FILE_MAP_WRITE,
123			0, 0, 0 );
124			if ( mem.ptr == NULL ) {
125			CloseHandle( mem.fh );
126			CloseHandle( mem.mh );
127			return 1;
128			}
129
130			VirtualLock( mem.ptr, mapsize );
131			mem.mapsize = mapsize;
132
133			return 0;
134			} /* vm_safe_init */
135
136			int
137			vm_safe_init_noswap(void)
138			{
139			int rc;
140
141			rc = vm_safe_init( 512 );
142			if ( rc )
143			return 1;
144			mem.ptr += 512;
145			return 0;
146			} /* vm_safe_init_noswap */
147
148			void
149			vm_safe_free( void )
150			{
151			memset( mem.ptr, 0, mem.mapsize );
152			mem.ptr = NULL;
153			mem.mapsize = 0;
154
155			CloseHandle( mem.mh );
156			mem.mh = NULL;
157			CloseHandle( mem.fh );
158			mem.fh = INVALID_HANDLE_VALUE;
159			} /* vm_safe_init */
160
161			void*
162			vm_safe_get( void )
163			{
164			return mem.ptr;
165			} /* vm_safe_get */
166
167			void
168			vm_safe_set_swapfile( const char *swapname )
169			{
170			if ( swapname ) {
171			strcpy( fname, swapname );
172			fname_set = 1;
173			}
174			} /* vm_safe_set_swapfile */
175
176			int
177			vm_safe_create_swapfile( const char *swapname, int size )
178			{
179			HANDLE fd;
180			char *buf = NULL;
181			DWORD nwritten;
182
183			if ( !size )
184			return 1;
185
186			fd = CreateFile( swapname, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
187			CREATE_ALWAYS, 0, NULL );
188			if ( fd == INVALID_HANDLE_VALUE )
189			return 1;
190
191			buf = new char[size+1];
192			if( !buf )
193			BUG( NULL );
194			memset( buf, 0, size );
195			WriteFile( fd, buf, size, &nwritten, NULL );
196
197			CloseHandle( fd );
198			free_if_alloc( buf );
199			return 0;
200			} /* vm_safe_create_swapfile */
201			#endif