From: Peter W [mailto:peterwUSA.NET]

> Bits _never_ get written to the disk? Guaranteed never to use
> swap space?
>
> The GnuPG FAQ (http://www.gnupg.org/faq.html#q6.1) suggests that it is
> not possible to make a Windows program insist on physical RAM
> the way a
> program can in Open Systems. Does EFS really use only physical RAM? If
> so, is there some win32 API that can be used by other
> application designers
> who want to guarantee that certain blocks of allocated memory
> are *never*
> swapped out to disk? The most likely candidate I've come across is
> VirtualLock() which, unfortunately, "does not mean that the
> page will not be
> paged to disk"
(http://msdn.microsoft.com/library/techart/msdn_virtmm.htm).

This is certainly possible as EFS is a kernel mode device driver and not
a Win32 application. Non pageable memory can be easily allocated from
the non-paged pool by a device driver (and is one of the fundamental
concepts in writing a Win2000 driver).

The EFS driver communicates with the local security authority (lsass) to
allow the use of CryptoAPI for encryption of the data, but as lsass is a
Native applciation (not Win32) then it may have access to other
(undocumented) functions, or simply pass a pointer to the non-paged
memory it has allocated for the encryption buffers.

Note that the PGP implementation uses a device driver (PGPmemlock.sys)
to lock pages into memory and prevent them from being swapped out. I am
unsure as to the motives of the GPG team if they have not implemented a
similar feature, but smells like FUD to me.

John Wiltshire

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]