Thank you for sharing this great signed driver and sources with community!
I'm very concerned about safety of InpOut32 diver.
After driver installation any process can have unrestricted access to all physical memory and all ports, which is a high risk security vulnerability.
Could it be done in a more secure way and still be convenient for programming and use?
I see two options here.
- Option 1: load driver at application start, create and open device in exclusive mode, automatically unload driver after use.
pros: very safe
cons: require admin privileges for each run, only one process in system can work with driver. -
Option 2: During driver installation optionally create some kind of secret and store it as device extension. Allow access to the device only to programs/libraries that know this secret. It could be public/private keys pair in sophisticated case or just some token.
pros: trusted unpriviledged processes can access port I/O, can be made in backward compatible way for those who don't need security.
cons: more complicated in realization, third-party programs that use the library will not work out of the box with driver installed in secure mode.