Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2061)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc

Issue 1363613004: Implement anonymous, opt-in, collection of OS X binary integrity incidents. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer.cc ('K') | « chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer.cc ('k') | chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac_unittest.cc » ('j') | chrome/browser/safe_browsing/signature_evaluator_mac.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc
diff --git a/chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc b/chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc
new file mode 100644
index 0000000000000000000000000000000000000000..965380e9a176c2fa04c4ceaaa901e0d52d9288b4
--- /dev/null
+++ b/chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac.cc
@@ -0,0 +1,92 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer.h"
+
+#include "base/base_paths.h"
+#include "base/files/file_util.h"
+#include "base/path_service.h"
+#include "chrome/browser/safe_browsing/incident_reporting/binary_integrity_incident.h"
+#include "chrome/browser/safe_browsing/incident_reporting/incident_receiver.h"
+#include "chrome/browser/safe_browsing/signature_evaluator_mac.h"
+#include "chrome/common/safe_browsing/csd.pb.h"
+
+#define DEVELOPER_ID_APPLICATION_OID "field.1.2.840.113635.100.6.1.13"
+#define DEVELOPER_ID_INTERMEDIATE_OID "field.1.2.840.113635.100.6.2.6"
+
+namespace safe_browsing {
+
+namespace {
+
+void VerifyBinaryIntegrityHelper(IncidentReceiver* incident_receiver,
+ const base::FilePath& path,
+ const std::string& requirement) {
+ base::FilePath binary_path(path);
+ if (!base::PathExists(binary_path))
+ return;
+
+ MacSignatureEvaluator evaluator(binary_path, requirement);
+ if (!evaluator.Initialize()) {
+ LOG(ERROR) << "Could not initialize mac signature evaluator";
+ return;
+ }
+
+ std::vector<ClientIncidentReport_IncidentData_BinaryIntegrityIncident>
+ results;
+ if (!evaluator.PerformEvaluation(&results)) {
+ VLOG(1) << "Signature verification failed: " << path.value();
+ for (const auto& incident : results) {
+ scoped_ptr<ClientIncidentReport_IncidentData_BinaryIntegrityIncident>
+ incident_copy(
+ new ClientIncidentReport_IncidentData_BinaryIntegrityIncident(
+ incident));
+ incident_receiver->AddIncidentForProcess(
+ make_scoped_ptr(new BinaryIntegrityIncident(incident_copy.Pass())));
+ }
+ }
+}
+
+} // namespace
+
+std::vector<PathAndRequirement> GetCriticalPathsAndRequirements() {
+ // Get the path to the main executable.
+ std::vector<PathAndRequirement> critical_binaries;
+ base::FilePath main_exe;
+ if (!PathService::Get(base::FILE_EXE, &main_exe)) {
+ NOTREACHED();
+ return critical_binaries;
+ }
+
+ // This requirement describes a developer ID signed application,
+ // with Google's team identifier, and the com.Google.Chrome[.canary]
+ // identifier.
+ std::string requirement =
+ "anchor apple generic and certificate 1[" DEVELOPER_ID_INTERMEDIATE_OID
+ "] exists and certificate leaf[" DEVELOPER_ID_APPLICATION_OID
+ "] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and "
+ "(identifier=\"com.google.Chrome\" or "
+ "identifier=\"com.google.Chrome.canary\")";
+ critical_binaries.push_back(PathAndRequirement(main_exe, requirement));
+ // TODO(kerrnel): eventually add Adobe Flash Player to this list.
+ return critical_binaries;
+}
+
+void VerifyBinaryIntegrityForTesting(IncidentReceiver* incident_receiver,
+ const base::FilePath& path,
+ const std::string& requirement) {
+ VerifyBinaryIntegrityHelper(incident_receiver, path, requirement);
+}
+
+void VerifyBinaryIntegrity(scoped_ptr<IncidentReceiver> incident_receiver) {
+ size_t i = 0;
+ for (const auto& p : GetCriticalPathsAndRequirements()) {
+ base::TimeTicks time_before = base::TimeTicks::Now();
+ VerifyBinaryIntegrityHelper(incident_receiver.get(),
+ p.path,
+ p.requirement);
+ RecordSignatureVerificationTime(i++, base::TimeTicks::Now() - time_before);
+ }
+}
+
+} // namespac
« chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer.cc ('K') | « chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer.cc ('k') | chrome/browser/safe_browsing/incident_reporting/binary_integrity_analyzer_mac_unittest.cc » ('j') | chrome/browser/safe_browsing/signature_evaluator_mac.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698