Best practices for developing secure and reliable device drivers using WinCE

 * ****************************** Loongembedded ******* *************************

Author: loongembedded (Kandi)

Time: 2011.10.04

Category: Wince-driven development

* ****************************** Loongembedded ******* *************************

Microsoft summarized the best practices for developing safer and more reliable device drivers in wince, as shown below:

1. use the Exception Processing Structure (seh) as needed to handle exceptions. The _ Try/_ others T model is a well-known C ++ she processing model. The following is based on the wav_iocontrol () to further learn about the she processing mechanism. The _ partition t keyword is followed by a variety of expressions. In a function, there can be multiple _ Try/_ partition t statements, which can be a linear structure of a plane, it can be a layered nested structure or a mix of the two structures.

Figure 1

The execution process of the Code is as follows:

1) The monitored code is executed first.

2) If no exception occurs during the execution of the monitored code, the control flow is transferred to the end of the exception handling code module defined by _ mongot, that is, false is returned directly.

3) If an execution exception occurs in the monitored code, the control flow enters the expression after _ T, that is, the expression that is calculated first, then, the corresponding processing is made based on this value.

The following describes the knowledge in this expression.

 

1) getexceptioncode ()

The getexceptioncode () function is used to obtain the type of an exception that has occurred. This function can only be used to block Exception Handling (exception-handler block) in a filter expression or try-retry t exception handling) and its return value is the following value:

Prediction_access_violation

An exception occurs when the program that calls this function attempts to access a virtual address that does not have proper access permissions.

Prediction_array_bounds_exceeded

The program that calls this function tries to access an array element that is out of bounds and the underlying hardware supports out-of-bounds checks.

Prediction_breakpoint

Exception that occurs when a breakpoint is triggered.

Prediction_datatype_misalignment

Exceptions that occur when the program attempts to read or write data without alignment.

Prediction_flt_denormal_operand

If the value of the operand in the floating-point operation is too small to use the standard floating-point expression, an exception occurs.

Prediction_flt_divide_by_zero

An exception occurs when the program attempts to calculate the division of a floating point number by a division of 0.

Prediction_flt_inexact_result

An exception occurs when the result of a floating point operation cannot be accurately expressed as a decimal number.

Prediction_flt_invalid_operation

This exception indicates a floating point number exception that is not included in the list.

Prediction_flt_overflow

An exception occurs when the exponent of a floating point operation exceeds the maximum value.

Prediction_flt_stack_check

An exception that occurs when the floating point operation stack overflow or underflow occurs.

Prediction_flt_underflow

An exception occurs when the exponent of a floating point operation exceeds the minimum value that can be expressed.

Prediction_int_divide_by_zero

An exception occurs when the division of integers is 0.

Prediction_int_overflow

Exception caused by integer overflow.

Prediction_noncontinuable_exception

If the program continues to execute an exception that cannot be executed, this exception is thrown.

Prediction_priv_instruction

This exception is thrown when the program attempts to execute a command not supported by the current CPU mode.

Prediction_single_step

This exception is thrown when each trap trace or single command is executed during one-step debugging.

 

To call the getexceptioncode () function, you need to include the excpt. h header file. The status_access_violation = prediction_access_violation mentioned in the above Code is equivalent to the macro definition in WINBASE. h.

 

2) The valid value of excpt. h for exception handling within T () is defined as follows:

# Define exception_execute_handler 1

Indicates that the system recognizes this exception and transfers control to the exception handling code to continue execution.

# Define prediction_continue_search 0

The current _ abnormal T module is not the correct Exception Handling Module for this exception. The system will continue to find the appropriate Exception Handling Module to handle this exception.

# Define prediction_continue_execution-1

The system stops searching for exception handling and returns to the place where the exception control flow is located to continue execution. However, if this exception is an exception that cannot be continued, an exception_noncontinuable_exception will be thrown.

.

 

Exceptions are classified into system exceptions and software exceptions. The system exceptions are listed above, and software exceptions are thrown through the raiseexception () function.

3) raiseexception ()

In the called thread, you can call this function to raise an exception. The declaration of this function is as follows:

Void winapi raiseexception (

DWORD dwexceptioncode,

DWORD dwexceptionflags,

DWORD nnumberofarguments,

Const DWORD * lparguments

);

The following describes the parameters and functions.

Dwexceptioncode

An Exception Code defined by the application when an exception is thrown. You can call getexceptioncode () to filter the expressions (that is, the expressions in _ 0000t () and the exception handling blocking of the exception handler () function to obtain the Exception Code. Note that the system clears the 28th bits of the dwexceptioncode parameter before displaying information. This bits are reserved by the system and are only used by the system. For example, when calling the raiseexception () function with an exception code 0xffffffff, the system displays the Exception Code 0xefffffff.

 

Dwexceptionflags

Exception flag, which can be assigned to zero, indicates a sustainable exception, or uses the prediction_noncontinuable flag to indicate an unsustainable exception. When an unsustainable exception occurs, any attempt to continue the execution will cause an exception that triggers prediction_noncontinuable_exception.

Lparguments

Nnumberofarguments

The number of parameters in the parameter array of lparguments. The value cannot exceed prediction_maximum_parameters. If lparguments is null, this parameter is ignored.

 

Lparguments

A long pointer to an array of 32-bit parameters. This parameter can be null and can contain data defined by any application, the data needs to be passed to the filter expression of the exception handling program. You can call the getexceptioninformation () function in the filter expression to obtain the data transmitted by the application.

 

A process can call the raiseexception () function and use an exception handling structure to handle private, software-caused, or application-defined exceptions. The following describes how the scheduler finds an appropriate exception handler to handle the exception when an exception is thrown:

(1) If a debugger exists, the system will attempt to notify the process of the debugger.

(2) if the process is not debugged or the relevant debugger does not handle this exception, the system will try to locate a frame-based exception handler by searching the stack frame of the thread that raises the exception. The system first looks for the current stack frame, and then continues to look for the previous stack frame.

(3) If the frame-based exception handler is not found or the frame-based exception handler is used to handle the exception, the system will attempt to notify the debugger of the process for the second time.

(4) if the process is not debugged, or the relevant debugger cannot handle the exception, the system provides the default program based on the exception type. For most exceptions, the default action is to call the exitprocess function to exit the process.

 

2. Check the access permissions of the nested pointers in The IOCTL call ).

3. Check the access permission for nested pointers in non-streaming interface entry functions, such as the entry functions of GWES keyboard functions.

4. Use the ceddk. dll function to access the hardware. Do not use the macro definition in WDM. H. This is not only conducive to standardization, but also easier to transplant.

5. Check the return values of any function call to identify call failures or return unexpected results, so that we can perform more reasonable processing.

6. Use the debugchk macro or related macro to check some assumptions (assumptions), but handle the errors accordingly.

A debugchk macro maintenance (assert) expression. If this expression is false, the debugbreak function is called. The debugbreak function causes a breakpoint exception to the current process, in this way, the called thread can notify the debugger and force it to take action. However, if the thread that calls the debugbreak function does not have a secondary debugger, The debugbreak function will be ignored. If there are no other exceptions or the debugbreak function is called, the thread will continue to execute. Debugchk macro usage example:

Debugchk (dwcurrentnumberofitems <dwmaxnumberofitems );

If dwcurrentnumberofitems is greater than or equal to dwmaxnumberofitems, the following information will be output for the debug system.

Myprogram: debugchk failed in file c: \ wince500 \ Programs \ myprogram \. \ main. C at line 31

That is, the debug message prints out the wrong file name and number of lines.

7. When an internal thread accesses an external provided buffer, use the ceallocasynchronousbuffer function and she to sort the buffer of the caller into the virtual memory of the kernel. In wince6.0, you do not need to change the thread permission to access the buffer provided externally.

8. Verify that any application that calls the device driver and is trusted by the device driver is trusted ).

 

9. Check the trust value of the application being called. This trust value is obtained by calling the cegetcallertrust function. Then, if necessary, the flags value is devflags_trustedcalleronly (0x00010000) and the driver has the right to force only trusted callers to use it, that is to say, the driver with this flag value is only opened by the application it trusts. This is a concept relative to wince5.0 and earlier versions of the operating system, and it is somewhat different after wince6.0.

10. Use C/C ++ code analysis for programming. See the help documentation.