Re: win32/memory locking (Re: Reply to EFS note on Bugtraq)

[John Wiltshire <jw () QITS NET AU>]

From: Peter W [mailto:peterw () USA NET]

> Bits _never_ get written to the disk? Guaranteed never to use 
> swap space?
>
> The GnuPG FAQ (http://www.gnupg.org/faq.html#q6.1) suggests that it is
> not possible to make a Windows program insist on physical RAM 
> the way a
> program can in Open Systems. Does EFS really use only physical RAM? If
> so, is there some win32 API that can be used by other 
> application designers
> who want to guarantee that certain blocks of allocated memory 
> are *never*
> swapped out to disk? The most likely candidate I've come across is
> VirtualLock() which, unfortunately, "does not mean that the 
> page will not be
> paged to disk" 
(http://msdn.microsoft.com/library/techart/msdn_virtmm.htm).


This is certainly possible as EFS is a kernel mode device driver and not
a Win32 application.  Non pageable memory can be easily allocated from
the non-paged pool by a device driver (and is one of the fundamental
concepts in writing a Win2000 driver).  

The EFS driver communicates with the local security authority (lsass) to
allow the use of CryptoAPI for encryption of the data, but as lsass is a
Native applciation (not Win32) then it may have access to other
(undocumented) functions, or simply pass a pointer to the non-paged
memory it has allocated for the encryption buffers.

Note that the PGP implementation uses a device driver (PGPmemlock.sys)
to lock pages into memory and prevent them from being swapped out.  I am
unsure as to the motives of the GPG team if they have not implemented a
similar feature, but smells like FUD to me.

John Wiltshire