Impersonation in a File System Filter Driver
Another operation a file system filter driver might attempt to use is impersonation. While impersonation is a very powerful technique for handling security on behalf of other threads, it also requires care whenever it is used on behalf of any component. For a file system filter driver, it is important to identify the operations that need to be done using impersonation, and then to ensure that the driver's other operations are not performed while impersonating. The risk with impersonation is typically that the caller has fewer privileges than the driver making the call: a call made while impersonating might fail where the same call would succeed without impersonation.
Impersonation is needed for any operation that creates a new handle, because the handle represents the reference to the object and is the point at which the security check is performed. For example, impersonation is necessary when opening a file or other object (using ZwCreateSection, ZwCreateEvent, or ZwCreateFile, for example). In these calls, the filter driver must ensure that the parameters being passed are valid, because the rest of the operating system assumes that calls originating from kernel mode carry valid parameters. Thus, a filter driver cannot safely pass a user buffer address to any of these functions, even when impersonating.
In the case of ZwCreateFile, there is a corresponding I/O manager call, IoCreateFile, that should be used with impersonation because it allows the filter driver to specify IO_FORCE_ACCESS_CHECK. Absent this option, the I/O manager will not enforce proper user-level access checks.
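The following added example (not code from the original page and not ntifs.h code) is a constructed, user-mode C model of the pattern described above: the access check is made only where a handle is created, a forced check evaluates the caller's effective identity rather than trusting kernel mode, and the filter impersonates the client only around that handle-creating call, reverting on every path. The stand-in routines correspond to real kernel routines as follows, with the mapping being the author's assumption about how a driver would wire this up: impersonate_client stands for SeCreateClientSecurity followed by SeImpersonateClientEx, revert_to_self for PsRevertToSelf, and create_handle with force_check set for IoCreateFile called with IO_FORCE_ACCESS_CHECK. The SIDs, access masks, objects and paths are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the kernel security pattern; not ntifs.h code.
 * impersonate_client  ~ SeCreateClientSecurity + SeImpersonateClientEx
 * revert_to_self      ~ PsRevertToSelf
 * create_handle       ~ IoCreateFile, force_check == IO_FORCE_ACCESS_CHECK */

typedef enum { SID_SYSTEM = 1, SID_USER = 2 } Sid;
typedef enum { ST_SUCCESS = 0, ST_ACCESS_DENIED = -1 } Status;

#define ACCESS_READ  0x1u
#define ACCESS_WRITE 0x2u

/* One access-control entry: which SID is granted which access mask. */
typedef struct { Sid grantee; unsigned granted; } Ace;

/* A securable object with a small DACL. */
typedef struct { const char *name; Ace dacl[2]; size_t ace_count; } Object;

/* A thread's security context: its primary (driver) identity and, while
 * impersonating, the client's identity. Access checks use the effective one. */
typedef struct { Sid primary; Sid client; bool impersonating; } Thread;

static Sid effective_sid(const Thread *t) {
    return t->impersonating ? t->client : t->primary;
}

static void impersonate_client(Thread *t, Sid client) {
    t->client = client;
    t->impersonating = true;
}

static void revert_to_self(Thread *t) { t->impersonating = false; }

/* Handle creation is where the security check lives. With force_check the
 * object's DACL is evaluated against the caller's effective identity; without
 * it the kernel-mode caller is trusted and no check is made, which is the gap
 * the page describes for IoCreateFile without IO_FORCE_ACCESS_CHECK. */
static Status create_handle(const Thread *t, const Object *o, unsigned desired,
                            bool force_check, int *handle_out) {
    *handle_out = 0;
    if (force_check) {
        Sid who = effective_sid(t);
        bool granted = false;
        for (size_t i = 0; i < o->ace_count; i++) {
            if (o->dacl[i].grantee == who &&
                (o->dacl[i].granted & desired) == desired) {
                granted = true;
                break;
            }
        }
        if (!granted) return ST_ACCESS_DENIED;
    }
    *handle_out = 1; /* non-zero value standing in for a real HANDLE */
    return ST_SUCCESS;
}

/* The prescribed shape: impersonate only around the handle-creating call,
 * force the access check so the client's rights decide, revert on every path. */
static Status open_on_behalf_of_client(Thread *t, Sid client, const Object *o,
                                       unsigned desired, int *handle_out) {
    impersonate_client(t, client);
    Status st = create_handle(t, o, desired, true, handle_out);
    revert_to_self(t); /* runs whether the open succeeded or failed */
    return st;
}

/* A driver-internal operation (opening the driver's own log object) that must
 * run under the driver's identity. Done while still impersonating, it fails for
 * a low-privilege client even though the driver itself is allowed. */
static Status open_driver_private_object(Thread *t, const Object *o,
                                         int *handle_out) {
    return create_handle(t, o, ACCESS_WRITE, true, handle_out);
}

/* Constructed sample objects: a user file the client may only read, and a
 * driver log that only the driver's own identity may write. */
static const Object USER_FILE = { "\\??\\C:\\Users\\alice\\doc.txt",
    { { SID_USER, ACCESS_READ }, { SID_SYSTEM, ACCESS_READ | ACCESS_WRITE } }, 2 };
static const Object DRIVER_LOG = { "\\??\\C:\\Windows\\filter.log",
    { { SID_SYSTEM, ACCESS_READ | ACCESS_WRITE } }, 1 };
```

In the model, a write open of USER_FILE on behalf of SID_USER is denied when the check is forced but "succeeds" when it is not, which is the gap the page attributes to omitting IO_FORCE_ACCESS_CHECK; and opening DRIVER_LOG while still impersonating SID_USER is denied even though the driver's own identity is allowed, which is the "fewer privileges than the driver" failure the page warns about. In a real driver, the handle-creating call would additionally use OBJ_KERNEL_HANDLE in its OBJECT_ATTRIBUTES so the resulting handle is not visible to the impersonated process.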