CBFS Filter File Isolation
CBFS Filter provides functionality to monitor and control file access. The library can be used to prevent unwanted access to specific files or directories, monitor access, and event modify the contents of file data on the fly.
The File Isolation functionality in CBFS Filter provides a way to present different file content to different processes. For instance one process may see decrypted data, while all other processes see encrypted data. This functionality allows for additional security controls around your data. Enable file isolation on-demand, at any time, to present different content to a specific process.
This article covers some example use cases of when you would want file isolation, along with a few basic code snippets and references to our setup guides and documentation to implement file isolation.
Encrypt and Decrypt Files On-Demand
When a user opens a file, they will typically see the same file content as any other user would see. For security, it may be desirable that the file remain encrypted on disk, yet still be available when working with specific approved processes. For instance when opening the file in a text editor only the encrypted data would be visible, but opening the file in a company approved application would allow the user to work with the decrypted file data.
File Isolation allows one process to work with decrypted data, while other processes see only the encrypted data, thus further protecting the file data itself.
View the GitHub Sample on this topic.
Example Use Cases
File Isolation allows indepenent views of the same file on disk. Different data can be provided to different processes. The use cases described below are only some of the potential uses for this functionality.
Isolate User Changes & Prevent File Conflicts
You may wish to isolate changes by users so that each user has their own, separate working copy of a file. That way, even if one user changes a file, the other users can still work with the original. File Isolation in CBFS Filter enables you to keep an unmodified version of files, no matter what users have changed.
For instance it is possibel to implement the following flow. When a user accesses (reads) a file for the first time, the original data is provided to them. If the user modifies the data, the modifications may be written to another location, and when the file is read again, the modified data are provided to the user. Once the user logs out, these modified data may be written to a central store, discarded, or simply kept in a cache.
This way, the original state of the local file is preserved, and the user does not modify the original file.
Secure Sensitive Data with Diskless Client-Server Synchronization
Many synchronization services, such as OneDrive, keep data on secured servers. However, when users access data stored in popular cloud storage solutions, they often want to download those files onto their local disk so they can work with and change them. But in scenarios such as managing sensitive data, that data would ideally never touch the disk. You can use CBFS Filter file isolation to keep empty placeholders on disk while requesting and sending data only to the server. Your users can safely access data without exposing it to the vulnerabilities of keeping it stored locally on their own disks.
Enabling File Isolation
To isolate a file for a specific process handle the BeforeCreateFile and BeforeOpenFile events, then set the Isolate parameter to true and BackendFileName parameter to a custom path where file content for that specific process is held. Inside the event check to see which process is attempting the operation. The example below simply checks the name of the process.
void BeforeCreateFile(object sender, CBFilterBeforeCreateFileEventArgs e)
{
string procName = mFilter.GetOriginatorProcessName();
if (procName == "MyAuthorizedProcess")
{
e.Isolate = true;
//redirect requests for this file to a different file on disk.
e.BackendFileName = "C:\\path\\to\\user\\cache\\mycachedfile.user";
e.ProcessRequest = true;
}
}
Isolation also supports handling requests without a separate file on disk. When BackendFileName is set to "" (empty string) the file data can be provided entirely through events instead.
Most real scenarios would require additional logic, the above simplified code is only meant to demonstrate the concept.
For more details please refer to the documentation or explore the samples hosted on GitHub.
Try File Isolation with CBFS Filter
To get started, download CBFS Filter 2024.
Download Filter 2024We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@callback.com.