How safe is your device namespace?
Updated: May 27, 2007
The I/O Manager can protect your device's namespace from unprivileged access if you let it. Setting the FILE_DEVICE_SECURE_OPEN device characteristic (in the DeviceCharacteristics parameter of IoCreateDevice) directs the I/O Manager to apply the security descriptor of the device object to all open requests, including file-open requests that name a path inside the device's namespace. The I/O Manager performs the access check against that descriptor and fails any request whose caller lacks the access you granted on the device object. FILE_DEVICE_SECURE_OPEN is supported on Microsoft Windows NT 4.0 SP5 and later versions of Windows.
A client usually opens a driver's named device object ("\Device\MyDevice") in order to access the device. However, a client can also attempt to open a file on the device by appending a path to the device object's name ("\Device\MyDevice\Some\Arbitrary\Path\To\A\File"). When this happens, the FILE_OBJECT passed to your driver's IRP_MJ_CREATE dispatch routine has a FileName equal to the trailing portion of the name ("\Some\Arbitrary\Path\To\A\File"). Without FILE_DEVICE_SECURE_OPEN, the I/O Manager checks the device object's security descriptor only for opens that name the device object itself; for an open with a trailing name it assumes, as it does for a file system, that the driver owns the namespace and will check access on its own. Unless the driver watches for this case and either fails the create request or applies its own security check, an unprivileged user can bypass the device's security and obtain a handle with read and write access simply by opening a "file" in the device's namespace.
Your driver is always responsible for managing its namespace; FILE_DEVICE_SECURE_OPEN makes that easier by having the I/O Manager perform the security check for you. Setting it closes this hole because the device's security descriptor is applied to every open attempt, including those with trailing names, no matter how deep into the namespace they go. Two caveats apply. First, the flag enforces whatever descriptor the device object carries, so it is only as strong as that descriptor; a permissive DACL is enforced just as faithfully as a restrictive one. Second, an access check is not the same as rejecting the open: a caller who does have access to the device object can still open arbitrary trailing names unless your driver refuses them. To be absolutely sure that no caller can open files, check that IrpSp->FileObject->FileName.Length is 0 in every IRP_MJ_CREATE request your driver receives and fail the request otherwise (STATUS_OBJECT_NAME_NOT_FOUND is a reasonable status to return).
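The quickest way to find out whether a device has this hole is to try both kinds of open from a standard, non-administrator session. The PowerShell probe below is an added example, not code from the original article: it calls CreateFileW on the device's DOS name with and without a trailing path and reports which opens succeed. "MyDevice" is an assumed symbolic-link name (\\.\MyDevice resolving to \Device\MyDevice); substitute the name your driver creates with IoCreateSymbolicLink.

```powershell
# Added example, not from the original article. Probes a device's namespace
# from user mode by opening its DOS name with and without a trailing path.
# "MyDevice" is an assumed symbolic-link name (\\.\MyDevice -> \Device\MyDevice);
# substitute the name your driver creates with IoCreateSymbolicLink.

Add-Type -Namespace Probe -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Test-DeviceOpen {
    # Attempts a read/write open of $Path (the access the article warns about)
    # and reports whether it succeeded and, if not, the Win32 error code.
    param([Parameter(Mandatory)][string]$Path)

    $GENERIC_READ  = [uint32]0x80000000
    $GENERIC_WRITE = [uint32]0x40000000
    $OPEN_EXISTING = [uint32]3

    $handle = [Probe.NativeMethods]::CreateFileW(
        $Path, [uint32]($GENERIC_READ -bor $GENERIC_WRITE), 0,
        [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err    = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $opened = ($handle.ToInt64() -ne -1)          # INVALID_HANDLE_VALUE is -1
    if ($opened) { [void][Probe.NativeMethods]::CloseHandle($handle) }
    $code = if ($opened) { 0 } else { $err }

    [pscustomobject]@{
        Path       = $Path
        Opened     = $opened
        Win32Error = $code
    }
}

function Test-DeviceNamespace {
    # Opens the bare device, then a made-up path inside its namespace. Run as
    # a standard user: a device whose bare open is denied but whose
    # trailing-name open succeeds has the hole described in the article.
    param([string]$DosName = 'MyDevice')          # assumed name, see above

    $bare     = Test-DeviceOpen -Path "\\.\$DosName"
    $trailing = Test-DeviceOpen -Path "\\.\$DosName\Some\Arbitrary\Path\To\A\File"

    [pscustomobject]@{
        Bare            = $bare
        Trailing        = $trailing
        # True when the trailing name bypasses a check the bare open enforces.
        NamespaceBypass = (-not $bare.Opened) -and $trailing.Opened
    }
}

Test-DeviceNamespace -DosName 'MyDevice' | Format-List
```

Read the result together with the error codes: a device protected by FILE_DEVICE_SECURE_OPEN returns Win32 error 5 (ERROR_ACCESS_DENIED, from STATUS_ACCESS_DENIED) for both opens from an unprivileged caller, while a driver that refuses trailing names itself typically returns error 2 (ERROR_FILE_NOT_FOUND, from STATUS_OBJECT_NAME_NOT_FOUND) for the second open. If the bare open also succeeds, the device's DACL already grants the caller access and the probe says nothing about the trailing-name path; repeat it from an account that the device object's security descriptor is meant to exclude.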
What should you do?
For more information: