trunk/Src/wptSecmem.cpp

/* wptSecmem.cpp - W32 ``Secure`` memory handling
 *      Copyright (C) 2001, 2002 Timo Schulz <[email protected]>
 *
 * This file is part of WinPT.
 *
 * WinPT is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version.
 *  
 * WinPT is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License 
 * along with WinPT; if not, write to the Free Software Foundation, 
 * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 *
 * This is the notice from the original author:
 *
 * win32vmSafe - a 'no write to disk' volatile buffer
 * implemented via standard win32 api calls.
 *
 * Copyright (C) 2001 John J. Kane <[email protected]>
 * Brief notice: This code is released under the terms of
 * the GNU Lesser General Public License (LGPL) Version 2.1;
 * refer to www.gnu.org if you're clueless.
 *
 * WARNING:
 * This is win32vmSafe ALPHA v0.2.1. No security analysis has
 * been done on this version; do not use in production code.
 * It demonstrates basic functionality only.
 * This version should be considered deprecated after 2001-09-01.
 * Contact John Kane for information on the current status
 * of this package.
 *
 * Heavily modified for the use with WinPT by Timo Schulz.
 */

#if 0
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <windows.h>
#include <windows.h>

/*  CONTEXT:
  Under Windows, a user process cannot lock pages in memory.
Normally, critical data will be flushed to the system VMM swap
file at unpredictable intervals.  Only a kernel-level VXD/DLL
can lock physical pages, and we do not have a GPL page-locker.
*HOWEVER:
Please note the following distinction:
  (1) A page can be locked IN memory to guarantee that it is
always accessible and never triggers a page fault.
  (2) A page can be protected to ensure that its contents
are never copied OUT of memory into permanent storage.
  It turns out that there is a way to implement (2) without
the work required to ensure (1).  Win32 memory-mapped files
allow you to map the first N bytes of any file into a page.
The remaining 4096-N bytes of that page become a VOLATILE
BUFFER area which is not written back to the mapped file even
if the process is swapped out.  The data is DISCARDED without
being written; when the process is swapped back in, the former
contents of the unmapped area are not preserved.
  A 'magic number', sentinel, or any other integrity check
scheme can be used to detect the loss of the contents of
the volatile buffer.
  The application can respond by aborting the interrupted
action with an error message, or by retrying.
*SUMMARY:
  This approach DOES satisfy a security constraint of not
allowing critical key data to be written to disk.  It does
not attempt to prevent the process from being swapped, and
does not preserve the volatile buffer across swap-outs.
This behavior (although safe) is non-intuitive; it may be
best to make it a non-default option if implemented.
*COMPLEXITY IMPLICATIONS FOR NON-WINDOWS PORTS:
  None.
*COMPLEXITY IMPLICATIONS FOR WINDOWS PORTS:
  The code footprint is small.  No VXD; it's compiled
right into the main executable.  No end-user installation
step.  Data in excess of 4k requires multiple buffers.
May allow the elimination of certain previously-implemented
win32 security workarounds.  The parent routine must detect
and handle the (rare) loss-of-data event.
*PORTABILITY:
  There are reasons why this method is likely to be portable
across all flavors of win32 systems, even in environments
where the user lacks NT Administrator rights.  It relies
only on core win32 primitives which are supported on
everything since Win95 (possibly Win3.1).
*/

struct secmem_s {
    HANDLE fh;
    HANDLE mh;
    char *ptr;
    int mapsize;
};

static secmem_s mem;
static char fname[128];
static int fname_set = 0;

int
vm_safe_init(int mapsize)
{
    if ( !fname_set )
        return 1;
    
    mem.fh = CreateFile(
        fname,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_ALWAYS,
        FILE_ATTRIBUTE_TEMPORARY, 
        NULL );
    if ( mem.fh == INVALID_HANDLE_VALUE )
        return 1;
    
    mem.mh = CreateFileMapping( mem.fh, NULL, PAGE_READWRITE, 0, mapsize, 
                                NULL );
    mem.ptr = (char *)MapViewOfFile( mem.mh, FILE_MAP_READ | FILE_MAP_WRITE,
                                     0, 0, 0 );
    if ( mem.ptr == NULL ) {
        CloseHandle( mem.fh );
        CloseHandle( mem.mh );
        return 1;
    }
    
    VirtualLock( mem.ptr, mapsize );
    mem.mapsize = mapsize;
    
    return 0;
} /* vm_safe_init */

int
vm_safe_init_noswap(void)
{
    int rc;
    
    rc = vm_safe_init( 512 );
    if ( rc )
        return 1;
    mem.ptr += 512;
    return 0;
} /* vm_safe_init_noswap */

void
vm_safe_free( void )
{
    memset( mem.ptr, 0, mem.mapsize );
    mem.ptr = NULL;
    mem.mapsize = 0;
    
    CloseHandle( mem.mh );
    mem.mh = NULL;
    CloseHandle( mem.fh );
    mem.fh = INVALID_HANDLE_VALUE;
} /* vm_safe_init */

void*
vm_safe_get( void )
{
        return mem.ptr;
} /* vm_safe_get */

void
vm_safe_set_swapfile( const char *swapname )
{
    if ( swapname ) {
        strcpy( fname, swapname );
        fname_set = 1;
    }
} /* vm_safe_set_swapfile */

int
vm_safe_create_swapfile( const char *swapname, int size )
{
    HANDLE fd;
    char *buf = NULL;
    DWORD nwritten;
    
    if ( !size )
        return 1;
    
    fd = CreateFile( swapname, GENERIC_WRITE, FILE_SHARE_WRITE, NULL, 
                     CREATE_ALWAYS,     0, NULL );
    if ( fd == INVALID_HANDLE_VALUE )
        return 1;
    
    buf = new char[size+1];
    if( !buf )
        BUG( NULL );
    memset( buf, 0, size );
    WriteFile( fd, buf, size, &nwritten, NULL );
    
    CloseHandle( fd );
    free_if_alloc( buf );
    return 0;
} /* vm_safe_create_swapfile */
#endif
1	werner	36	/* wptSecmem.cpp - W32 ``Secure`` memory handling
2			* Copyright (C) 2001, 2002 Timo Schulz <[email protected]>
3			*
4			* This file is part of WinPT.
5			*
6			* WinPT is free software; you can redistribute it and/or
7			* modify it under the terms of the GNU General Public License
8			* as published by the Free Software Foundation; either version 2
9			* of the License, or (at your option) any later version.
10			*
11			* WinPT is distributed in the hope that it will be useful,
12			* but WITHOUT ANY WARRANTY; without even the implied warranty of
13			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14			* General Public License for more details.
15			*
16			* You should have received a copy of the GNU General Public License
17			* along with WinPT; if not, write to the Free Software Foundation,
18			* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19			*
20			* This is the notice from the original author:
21			*
22			* win32vmSafe - a 'no write to disk' volatile buffer
23			* implemented via standard win32 api calls.
24			*
25			* Copyright (C) 2001 John J. Kane <[email protected]>
26			* Brief notice: This code is released under the terms of
27			* the GNU Lesser General Public License (LGPL) Version 2.1;
28			* refer to www.gnu.org if you're clueless.
29			*
30			* WARNING:
31			* This is win32vmSafe ALPHA v0.2.1. No security analysis has
32			* been done on this version; do not use in production code.
33			* It demonstrates basic functionality only.
34			* This version should be considered deprecated after 2001-09-01.
35			* Contact John Kane for information on the current status
36			* of this package.
37			*
38			* Heavily modified for the use with WinPT by Timo Schulz.
39			*/
40
41			#if 0
42			#ifdef HAVE_CONFIG_H
43			#include <config.h>
44	twoaday	2	#endif
45	werner	36
46			#include <windows.h>
47			#include <windows.h>
48
49			/* CONTEXT:
50			Under Windows, a user process cannot lock pages in memory.
51			Normally, critical data will be flushed to the system VMM swap
52			file at unpredictable intervals. Only a kernel-level VXD/DLL
53			can lock physical pages, and we do not have a GPL page-locker.
54			*HOWEVER:
55			Please note the following distinction:
56			(1) A page can be locked IN memory to guarantee that it is
57			always accessible and never triggers a page fault.
58			(2) A page can be protected to ensure that its contents
59			are never copied OUT of memory into permanent storage.
60			It turns out that there is a way to implement (2) without
61			the work required to ensure (1). Win32 memory-mapped files
62			allow you to map the first N bytes of any file into a page.
63			The remaining 4096-N bytes of that page become a VOLATILE
64			BUFFER area which is not written back to the mapped file even
65			if the process is swapped out. The data is DISCARDED without
66			being written; when the process is swapped back in, the former
67			contents of the unmapped area are not preserved.
68			A 'magic number', sentinel, or any other integrity check
69			scheme can be used to detect the loss of the contents of
70			the volatile buffer.
71			The application can respond by aborting the interrupted
72			action with an error message, or by retrying.
73			*SUMMARY:
74			This approach DOES satisfy a security constraint of not
75			allowing critical key data to be written to disk. It does
76			not attempt to prevent the process from being swapped, and
77			does not preserve the volatile buffer across swap-outs.
78			This behavior (although safe) is non-intuitive; it may be
79			best to make it a non-default option if implemented.
80			*COMPLEXITY IMPLICATIONS FOR NON-WINDOWS PORTS:
81			None.
82			*COMPLEXITY IMPLICATIONS FOR WINDOWS PORTS:
83			The code footprint is small. No VXD; it's compiled
84			right into the main executable. No end-user installation
85			step. Data in excess of 4k requires multiple buffers.
86			May allow the elimination of certain previously-implemented
87			win32 security workarounds. The parent routine must detect
88			and handle the (rare) loss-of-data event.
89			*PORTABILITY:
90			There are reasons why this method is likely to be portable
91			across all flavors of win32 systems, even in environments
92			where the user lacks NT Administrator rights. It relies
93			only on core win32 primitives which are supported on
94			everything since Win95 (possibly Win3.1).
95			*/
96
97			struct secmem_s {
98			HANDLE fh;
99			HANDLE mh;
100			char *ptr;
101			int mapsize;
102			};
103
104			static secmem_s mem;
105			static char fname[128];
106			static int fname_set = 0;
107
108			int
109			vm_safe_init(int mapsize)
110			{
111			if ( !fname_set )
112			return 1;
113
114			mem.fh = CreateFile(
115			fname,
116			GENERIC_READ \| GENERIC_WRITE,
117			FILE_SHARE_READ \| FILE_SHARE_WRITE,
118			NULL,
119			OPEN_ALWAYS,
120			FILE_ATTRIBUTE_TEMPORARY,
121			NULL );
122			if ( mem.fh == INVALID_HANDLE_VALUE )
123			return 1;
124
125			mem.mh = CreateFileMapping( mem.fh, NULL, PAGE_READWRITE, 0, mapsize,
126			NULL );
127			mem.ptr = (char *)MapViewOfFile( mem.mh, FILE_MAP_READ \| FILE_MAP_WRITE,
128			0, 0, 0 );
129			if ( mem.ptr == NULL ) {
130			CloseHandle( mem.fh );
131			CloseHandle( mem.mh );
132			return 1;
133			}
134
135			VirtualLock( mem.ptr, mapsize );
136			mem.mapsize = mapsize;
137
138			return 0;
139			} /* vm_safe_init */
140
141			int
142			vm_safe_init_noswap(void)
143			{
144			int rc;
145
146			rc = vm_safe_init( 512 );
147			if ( rc )
148			return 1;
149			mem.ptr += 512;
150			return 0;
151			} /* vm_safe_init_noswap */
152
153			void
154			vm_safe_free( void )
155			{
156			memset( mem.ptr, 0, mem.mapsize );
157			mem.ptr = NULL;
158			mem.mapsize = 0;
159
160			CloseHandle( mem.mh );
161			mem.mh = NULL;
162			CloseHandle( mem.fh );
163			mem.fh = INVALID_HANDLE_VALUE;
164			} /* vm_safe_init */
165
166			void*
167			vm_safe_get( void )
168			{
169			return mem.ptr;
170			} /* vm_safe_get */
171
172			void
173			vm_safe_set_swapfile( const char *swapname )
174			{
175			if ( swapname ) {
176			strcpy( fname, swapname );
177			fname_set = 1;
178			}
179			} /* vm_safe_set_swapfile */
180
181			int
182			vm_safe_create_swapfile( const char *swapname, int size )
183			{
184			HANDLE fd;
185			char *buf = NULL;
186			DWORD nwritten;
187
188			if ( !size )
189			return 1;
190
191			fd = CreateFile( swapname, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
192			CREATE_ALWAYS, 0, NULL );
193			if ( fd == INVALID_HANDLE_VALUE )
194			return 1;
195
196			buf = new char[size+1];
197			if( !buf )
198			BUG( NULL );
199			memset( buf, 0, size );
200			WriteFile( fd, buf, size, &nwritten, NULL );
201
202			CloseHandle( fd );
203			free_if_alloc( buf );
204			return 0;
205			} /* vm_safe_create_swapfile */
206			#endif