Computer systems typically include one or more local or networked data storage devices. A typical application program executing on such a computer system accesses such data storage devices by calling standard file system services provided by an operating system, such as services for creating, reading, and writing files on the data storage devices.
A device driver is a set of computer-implemented instructions that implements the device-specific aspects of generic input/output operations. In typical operating systems, software applications such as device drivers run in either “kernel mode” or “user mode.” A virtual device driver is a type of device driver that has direct access to an operating system kernel, such as by running in kernel mode. “Kernel mode” is a highly privileged memory access mode of the processor. “User mode” is a less privileged memory access mode of the processor. The memory access mode is a part of the hardware state of the processor. The kernel mode privilege level is also known as “Ring 0,” and the user mode privilege level is also known as “Ring 3.” Kernel mode access allows the virtual device driver to interact with system and hardware resources at a very low level.
In conventional operating systems, device drivers may be represented as layered on top of one another. The layered architecture is also sometimes referred to as a stack or a calling chain. It is the lowest-level device driver that typically controls a hardware device. If there is only a single device driver above the hardware device, the driver is called a monolithic driver. However, a plurality of drivers may be placed above the lowest-level driver. Input and output requests (“I/O requests”) to the hardware device or devices controlled by a lowest-level driver are handled first by the highest-level driver, then seriatim by any lower-level intermediate drivers, and finally by the lowest-level driver.
A file system driver is generally a highest-level driver, layered above a device driver for a data storage device such as a hard disk drive. The file system driver implements high-level aspects of I/O requests directed to the file system, such as requests to create, open, extend, and delete files and directories. A plurality of file system drivers may exist in a single computer, and file system drivers may be specific to different types of file systems, such as the FAT and NTFS file systems.
It is known in the art to monitor file I/O requests in operating systems having an installable file system manager and layered device drivers, such as the Windows 95®, Windows 98®, and Windows Me® operating systems available from Microsoft Corporation of Redmond, Wash., and collectively referred to herein as “Windows 9x”. In Windows 9x operating systems, file system monitoring may be accomplished by registering a file system applications programming interface hook with the installable file system manager. Windows 9x provides a function called IFSMGR_InstallFileSystemApiHook which is designed to be used for monitoring I/O requests to a file system. This service allows virtual device drivers to monitor all file system activity by hooking into the file system calls. By means of a call during system initialization to IFSMGR_InstallFileSystemApiHook, a virtual device driver may insert itself onto the stack of all file system requests.
A somewhat different approach has been used to monitor file systems on object-oriented operating systems, such as the Windows NT® operating system and successor operating systems such as Windows 2000®, available from Microsoft Corporation of Redmond, Wash., and collectively referred to herein as “Windows NT.” In Windows NT, I/O requests are described by data structures known as I/O Request Packets (“IRPs”), which are used for communication between software applications and drivers. All IRPs to hardware devices are handled by device drivers operating in kernel mode. High-level, intermediate, and low-level drivers exchange IRPs to complete a given I/O request. The lowest-level driver calls an NT layer known as the Hardware Access Layer (HAL) to gain direct control of the hardware. It is known on a Windows NT system to implement a file system monitor as a device driver object that creates filter device objects and attaches those objects to target file system device objects, so that the file system monitor will see all IRPs directed to the monitored data storage devices.
There is a need in the field of file systems in electronic computers to prevent unauthorized activity. Unauthorized activity includes, without limitation, the release of data from a secured file or a secured file system to an insecure file system device driver, and the malicious, unauthorized, or accidental modification or corruption of data, such as by computer viruses. Conventional file system drivers, such as file system monitors that are used to detect and monitor activity in file systems, have not typically included effective security measures to prevent unauthorized activity by a software application or device driver that is layered, or attempts to layer itself, at a higher level than the highest-level device driver above the targeted data storage device.