Chromium Code Reviews Chromium Code Reviews
Issue 1363613004:
Implement anonymous, opt-in, collection of OS X binary integrity incidents. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/safe_browsing/signature_evaluator_mac.h" | |
| 6 | |
| 7 #include <CoreFoundation/CoreFoundation.h> | |
| 8 #include <Foundation/Foundation.h> | |
| 9 #include <Security/Security.h> | |
| 10 #include <sys/xattr.h> | |
| 11 | |
| 12 #include "base/mac/foundation_util.h" | |
| 13 #include "base/mac/mac_util.h" | |
| 14 #include "base/mac/scoped_cftyperef.h" | |
| 15 #include "base/mac/scoped_nsobject.h" | |
| 16 #include "chrome/common/safe_browsing/binary_feature_extractor.h" | |
| 17 #include "chrome/common/safe_browsing/csd.pb.h" | |
| 18 #include "chrome/common/safe_browsing/mach_o_image_reader_mac.h" | |
| 19 | |
| 20 namespace safe_browsing { | |
| 21 | |
| 22 namespace { | |
|
Mark Mentovai
2015/10/05 15:02:12
Blank line after this.
Greg K
2015/10/07 22:54:30
Done.
| |
| 23 // OS X code signing data can be stored in extended attributes as well. This is | |
| 24 // a list of the extended attributes slots currently used in Security.framework | |
| 25 // currently. | |
|
Mark Mentovai
2015/10/05 15:02:11
Provide a reference to where in Security.framework
Greg K
2015/10/07 22:54:30
Done.
| |
| 26 const char* xattrs[] = { | |
|
Mark Mentovai
2015/10/05 15:02:11
Make this more const.
Greg K
2015/10/07 22:54:29
Done.
| |
| 27 "com.apple.cs.CodeDirectory", "com.apple.cs.CodeSignature", | |
|
Mark Mentovai
2015/10/05 15:02:11
One per line. Especially when everything looks so
Greg K
2015/10/07 22:54:29
Done.
| |
| 28 "com.apple.cs.CodeRequirements", "com.apple.cs.CodeResources", | |
| 29 "com.apple.cs.CodeApplication", "com.apple.cs.CodeEntitlements", | |
| 30 }; | |
| 31 | |
| 32 // Convenience function to get the appropriate path from a variety of NSObject | |
| 33 // types. | |
| 34 bool getPathFromNSObject(NSObject* obj, std::string* output) { | |
|
Mark Mentovai
2015/10/05 15:02:11
id for a generic Objective-C object?
Mark Mentovai
2015/10/05 15:02:11
Naming: GetPath, capital G.
Greg K
2015/10/07 22:54:29
Done.
Greg K
2015/10/07 22:54:30
Done.
| |
| 35 if ([obj isKindOfClass:[NSString class]]) { | |
|
Mark Mentovai
2015/10/05 15:02:11
Seems like a job for ObjCCast.
Greg K
2015/10/07 22:54:29
Done.
| |
| 36 output->assign([static_cast<NSString*>(obj) UTF8String]); | |
| 37 return true; | |
| 38 } else if ([obj isKindOfClass:[NSURL class]]) { | |
| 39 output->assign([[static_cast<NSURL*>(obj) path] UTF8String]); | |
| 40 return true; | |
| 41 } else if ([obj isKindOfClass:[NSBundle class]]) { | |
| 42 output->assign([[static_cast<NSBundle*>(obj) bundlePath] UTF8String]); | |
| 43 return true; | |
| 44 } | |
| 45 | |
| 46 return false; | |
| 47 } | |
| 48 | |
| 49 } // namespace | |
| 50 | |
| 51 MacSignatureEvaluator::MacSignatureEvaluator( | |
| 52 const base::FilePath& signed_object_path) | |
| 53 : path_(signed_object_path), | |
| 54 has_requirement_(false), | |
| 55 code_(nullptr), | |
| 56 requirement_(nullptr) {} | |
| 57 | |
| 58 MacSignatureEvaluator::MacSignatureEvaluator( | |
| 59 const base::FilePath& signed_object_path, | |
| 60 const std::string& requirement) | |
| 61 : path_(signed_object_path), | |
| 62 requirement_str_(requirement), | |
| 63 has_requirement_(true), | |
| 64 code_(nullptr), | |
| 65 requirement_(nullptr) {} | |
| 66 | |
| 67 MacSignatureEvaluator::~MacSignatureEvaluator() {} | |
| 68 | |
| 69 void MacSignatureEvaluator::report_altered_files( | |
| 70 NSObject* detail, | |
| 71 ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident* | |
| 72 main_incident) { | |
| 73 if ([detail isKindOfClass:[NSArray class]]) { | |
|
Mark Mentovai
2015/10/05 15:02:11
ObjCCast
Greg K
2015/10/07 22:54:29
Done.
| |
| 74 NSArray* arr = static_cast<NSArray*>(detail); | |
| 75 for (id obj in arr) | |
| 76 report_altered_files(obj, main_incident); | |
| 77 } else { | |
| 78 std::string path_str; | |
| 79 if (!getPathFromNSObject(detail, &path_str)) | |
| 80 return; | |
| 81 | |
| 82 base::FilePath path(path_str); | |
| 83 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* sub_incident = | |
| 84 main_incident->add_sub_incident(); | |
| 85 sub_incident->set_file_basename(path.BaseName().AsUTF8Unsafe()); | |
| 86 scoped_refptr<BinaryFeatureExtractor> bfe = new BinaryFeatureExtractor(); | |
| 87 // TODO(kerrnel): if Chrome ever opts into the OS X "kill" semantics, this | |
| 88 // call has to change. `ExtractImageFeatures` maps the file, which will | |
|
Mark Mentovai
2015/10/05 15:02:11
What if it maps it without making the pages execut
Greg K
2015/10/07 22:54:29
Sadly, it turns out not to matter. CS_KILL seems t
| |
| 89 // cause Chrome to be killed before it can report on the invalid file. | |
| 90 // This call will need to read(2) the binary into a buffer. | |
| 91 if (!bfe->ExtractImageFeatures( | |
| 92 path, BinaryFeatureExtractor::kDefaultOptions, | |
| 93 sub_incident->mutable_image_headers(), | |
| 94 sub_incident->mutable_signature()->mutable_signed_data())) { | |
| 95 // If this is not a mach-o file, search inside the extended attributes. | |
| 96 for (const char* attr : xattrs) { | |
| 97 ssize_t rc = getxattr(path.value().c_str(), attr, NULL, 0, 0, 0); | |
|
Mark Mentovai
2015/10/05 15:02:11
nullptr
Greg K
2015/10/07 22:54:30
Done.
| |
| 98 if (rc >= 0) { | |
| 99 std::vector<uint8_t> xattr_data(rc); | |
| 100 if (getxattr(path.value().c_str(), attr, &xattr_data[0], | |
| 101 xattr_data.size(), 0, 0) >= 0) { | |
| 102 ClientDownloadRequest_ExtendedAttr* xattr_msg = | |
| 103 sub_incident->mutable_signature()->add_xattr(); | |
| 104 xattr_msg->set_key(attr); | |
| 105 xattr_msg->set_value(xattr_data.data(), xattr_data.size()); | |
| 106 } | |
| 107 } | |
| 108 } | |
| 109 } | |
| 110 } | |
| 111 } | |
| 112 | |
| 113 bool MacSignatureEvaluator::Initialize() { | |
| 114 base::scoped_nsobject<NSString> url_str([[NSString alloc] | |
|
Mark Mentovai
2015/10/05 15:02:11
SysUTF8ToNSString()? Elsewhere too.
Greg K
2015/10/07 22:54:29
Done.
| |
| 115 initWithCString:path_.value().c_str() | |
| 116 encoding:NSUTF8StringEncoding]); | |
| 117 | |
| 118 base::scoped_nsobject<NSURL> code_url( | |
| 119 [[NSURL alloc] initFileURLWithPath:url_str]); | |
| 120 if (!code_url) | |
| 121 return false; | |
| 122 | |
| 123 if (SecStaticCodeCreateWithPath(base::mac::NSToCFCast(code_url.get()), | |
| 124 kSecCSDefaultFlags, | |
| 125 code_.InitializeInto()) != errSecSuccess) | |
| 126 return false; | |
| 127 | |
| 128 if (has_requirement_) { | |
| 129 base::scoped_nsobject<NSString> req_str([[NSString alloc] | |
| 130 initWithCString:requirement_str_.c_str() | |
| 131 encoding:NSUTF8StringEncoding]); | |
| 132 if (!req_str) | |
| 133 return false; | |
| 134 if (SecRequirementCreateWithString( | |
| 135 base::mac::NSToCFCast(req_str.get()), kSecCSDefaultFlags, | |
| 136 requirement_.InitializeInto()) != errSecSuccess) | |
| 137 return false; | |
| 138 } | |
| 139 | |
| 140 return true; | |
| 141 } | |
| 142 | |
| 143 bool MacSignatureEvaluator::PerformEvaluation( | |
| 144 ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident* incident) { | |
| 145 base::ScopedCFTypeRef<CFErrorRef> errors(nullptr); | |
| 146 OSStatus err = SecStaticCodeCheckValidityWithErrors( | |
| 147 code_, kSecCSCheckAllArchitectures, requirement_, | |
| 148 errors.InitializeInto()); | |
| 149 if (err != errSecSuccess) { | |
| 150 incident->set_file_basename(path_.BaseName().value()); | |
| 151 incident->set_sec_error(err); | |
| 152 // This adds the signature of the main binary to the sub incidents list. | |
| 153 base::scoped_nsobject<NSString> code_str([[NSString alloc] | |
| 154 initWithCString:path_.value().c_str() | |
| 155 encoding:NSUTF8StringEncoding]); | |
| 156 if (code_str) | |
| 157 report_altered_files(code_str, incident); | |
| 158 if (errors) { | |
|
Mark Mentovai
2015/10/05 15:02:11
Is there a more specific return value from SecStat
Greg K
2015/10/07 22:54:30
We report back all error code in the set_sec_error
| |
| 159 NSDictionary* info = [base::mac::CFToNSCast(errors.get()) userInfo]; | |
| 160 if (id detail = [info | |
| 161 objectForKey:base::mac::CFToNSCast(kSecCFErrorResourceAltered)]) | |
| 162 report_altered_files(detail, incident); | |
|
Mark Mentovai
2015/10/05 15:02:11
{} since the condition got long and wrapped weirdl
Greg K
2015/10/07 22:54:29
Done.
| |
| 163 if (id detail = [info | |
|
Mark Mentovai
2015/10/05 15:02:11
Loop over a list of interesting keys?
Greg K
2015/10/07 22:54:30
Done.
| |
| 164 objectForKey:base::mac::CFToNSCast(kSecCFErrorResourceMissing)]) | |
| 165 report_altered_files(detail, incident); | |
| 166 } | |
| 167 } | |
| 168 return err == errSecSuccess; | |
|
Mark Mentovai
2015/10/05 15:02:12
You can get rid of a level of indentation for the
Greg K
2015/10/07 22:54:29
Done.
| |
| 169 } | |
| 170 | |
| 171 } // namespace safe_browsing | |
| OLD | NEW |
