chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc - Issue 1363613004: Implement anonymous, opt-in, collection of OS X binary integrity incidents.

Side by Side Diff: chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc

Issue 1363613004: Implement anonymous, opt-in, collection of OS X binary integrity incidents. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer.h ('K') | « chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer.cc ('k') | chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac_unittest.cc » ('j') | chrome/browser/safe_browsing/signature_evaluator_mac.mm » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright 2015 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_analy zer.h"

	6

	7 #include "base/base_paths.h"

	8 #include "base/files/file_util.h"

	9 #include "base/path_service.h"

	10 #include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_incid ent.h"

	11 #include "chrome/browser/safe_browsing/incident_reporting/incident_receiver.h"

	12 #include "chrome/browser/safe_browsing/signature_evaluator_mac.h"

	13 #include "chrome/common/safe_browsing/csd.pb.h"

	14

	15 #define DEVELOPER_ID_APPLICATION_OID "field.1.2.840.113635.100.6.1.13"

	16 #define DEVELOPER_ID_INTERMEDIATE_OID "field.1.2.840.113635.100.6.2.6"

	17

	18 namespace safe_browsing {

	19

	20 namespace {

	21

	22 void VerifyBinaryIntegrityHelper(IncidentReceiver* incident_receiver,

	23 const base::FilePath& path,

	24 const std::string& requirement) {

	25 base::FilePath binary_path(path);

	26 if (!base::PathExists(binary_path))

	27 return;

	28

	29 MacSignatureEvaluator evaluator(binary_path, requirement);

	30 if (!evaluator.Initialize()) {

	31 LOG(ERROR) << "Could not initialize mac signature evaluator";

	32 return;

	33 }

	34

	35 std::vector<ClientIncidentReport_IncidentData_BinaryIntegrityIncident>

	36 results;

	37 if (!evaluator.PerformEvaluation(&results)) {

	38 VLOG(1) << "Signature verification failed: " << path.value();

	39 for (const auto& incident : results) {

	40 scoped_ptr<ClientIncidentReport_IncidentData_BinaryIntegrityIncident>

	41 incident_copy(

	42 new ClientIncidentReport_IncidentData_BinaryIntegrityIncident(inci dent));
	Robert Sesek 2015/10/15 00:11:20 nit: 80 cols nit: 80 cols Greg K 2015/10/16 19:17:58 Done. Show quoted text On 2015/10/15 00:11:20, Robert Sesek wrote: > nit: 80 cols Done. Mark Mentovai 2015/10/16 22:46:40 Greg Kerr wrote: Greg Kerr wrote: Show quoted text > On 2015/10/15 00:11:20, Robert Sesek wrote: > > nit: 80 cols > > Done. Can you re-upload?
	43 incident_receiver->AddIncidentForProcess(

	44 make_scoped_ptr(new BinaryIntegrityIncident(incident_copy.Pass())));

	45 }

	46 }

	47 }

	48

	49 } // namespace

	50

	51 std::vector<std::pair<base::FilePath, std::string>>

	52 GetCriticalPathsAndRequirements() {

	53 // Get the path to the main executable.

	54 std::vector<std::pair<base::FilePath, std::string>> critical_binaries;

	55 base::FilePath main_exe;

	56 if (!PathService::Get(base::FILE_EXE, &main_exe)) {

	57 NOTREACHED();

	58 return critical_binaries;

	59 }

	60

	61 // This requirement describes a developer ID signed application,

	62 // with Google's team identifier, and the com.Google.Chrome[.canary]

	63 // identifier.

	64 std::string requirement =

	65 "anchor apple generic and certificate 1[" DEVELOPER_ID_INTERMEDIATE_OID

	66 "] exists and certificate leaf[" DEVELOPER_ID_APPLICATION_OID

	67 "] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and "

	68 "(identifier=\"com.google.Chrome\" or "

	69 "identifier=\"com.google.Chrome.canary\")";

	70 critical_binaries.push_back(std::make_pair(main_exe, requirement));

	71 // TODO(kerrnel): eventually add Adobe Flash Player to this list.

	72 return critical_binaries;

	73 }

	74

	75 void VerifyBinaryIntegrityForTesting(IncidentReceiver* incident_receiver,

	76 const base::FilePath& path,

	77 const std::string& requirement) {

	78 VerifyBinaryIntegrityHelper(incident_receiver, path, requirement);

	79 }

	80

	81 void VerifyBinaryIntegrity(scoped_ptr<IncidentReceiver> incident_receiver) {

	82 std::vector<std::pair<base::FilePath, std::string>> bundles_and_requirements =

	83 GetCriticalPathsAndRequirements();

	84 int i = 0;
	Robert Sesek 2015/10/15 00:11:20 size_t size_t Greg K 2015/10/16 19:17:58 Done. Show quoted text On 2015/10/15 00:11:20, Robert Sesek wrote: > size_t Done.
	85 for (const auto& p : bundles_and_requirements) {

	86 const base::FilePath& path = p.first;

	87 const std::string& requirement = p.second;

	88 base::TimeTicks time_before = base::TimeTicks::Now();

	89 VerifyBinaryIntegrityHelper(incident_receiver.get(), path, requirement);

	90 RecordSignatureVerificationTime(i++, base::TimeTicks::Now() - time_before);

	91 }

	92 }

	93

	94 } // namespac

OLD	NEW