Chromium Code Reviews Chromium Code Reviews
Issue 1643573002:
Add a ModuleLoadAnalyzer which checks modules against a whitelist (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/safe_browsing/incident_reporting/module_load_analyzer.h " | |
| 6 | |
| 7 #include "base/file_version_info.h" | |
| 8 #include "base/files/file_path.h" | |
| 9 #include "base/logging.h" | |
| 10 #include "base/metrics/histogram.h" | |
| 11 #include "base/strings/string_number_conversions.h" | |
| 12 #include "base/strings/string_util.h" | |
| 13 #include "base/strings/utf_string_conversions.h" | |
| 14 #include "chrome/browser/browser_process.h" | |
| 15 #include "chrome/browser/install_verification/win/module_info.h" | |
| 16 #include "chrome/browser/install_verification/win/module_verification_common.h" | |
| 17 #include "chrome/browser/safe_browsing/incident_reporting/incident_receiver.h" | |
| 18 #include "chrome/browser/safe_browsing/incident_reporting/suspicious_module_inci dent.h" | |
| 19 #include "chrome/browser/safe_browsing/path_sanitizer.h" | |
| 20 #include "chrome/browser/safe_browsing/safe_browsing_service.h" | |
| 21 #include "chrome/common/safe_browsing/binary_feature_extractor.h" | |
| 22 #include "chrome/common/safe_browsing/csd.pb.h" | |
| 23 #include "crypto/sha2.h" | |
| 24 | |
| 25 #if defined(SAFE_BROWSING_DB_LOCAL) | |
| 26 #include "chrome/browser/safe_browsing/local_database_manager.h" | |
| 27 #elif defined(SAFE_BROWSING_DB_REMOTE) | |
| 28 #include "chrome/browser/safe_browsing/remote_database_manager.h" | |
| 29 #endif | |
| 30 | |
| 31 namespace safe_browsing { | |
| 32 | |
| 33 // Enables incident reporting when non-whitelisted modules are found. | |
| 34 const base::Feature kIncidentReportingModuleLoadAnalysis{ | |
| 35 "IncidentReportingModuleLoadAnalysis", base::FEATURE_DISABLED_BY_DEFAULT}; | |
| 36 | |
| 37 void ModuleLoadAnalyzer::Initialize() { | |
| 38 DCHECK(database_manager_); | |
| 39 #if defined(OS_WIN) | |
| 40 if (base::FeatureList::IsEnabled(kIncidentReportingModuleLoadAnalysis)) { | |
| 41 scoped_refptr<SafeBrowsingService> safe_browsing_service( | |
| 42 g_browser_process->safe_browsing_service()); | |
| 43 | |
| 44 if (safe_browsing_service) { | |
| 45 safe_browsing_service | |
| 46 ->RegisterExtendedReportingOnlyDelayedAnalysisCallback( | |
| 47 base::Bind(&ModuleLoadAnalyzer::VerifyModuleLoadState, | |
| 48 base::Unretained(this))); | |
| 49 } | |
| 50 } | |
| 51 #endif // defined(OS_WIN) | |
| 52 } | |
| 53 | |
| 54 // Retrieves the set of suspicious modules that are loaded in the process. | |
| 55 void ModuleLoadAnalyzer::GetLoadedSuspiciousModulesOnIOThread() { | |
| 56 std::set<ModuleInfo> module_info_set; | |
| 57 base::TimeTicks start_time = base::TimeTicks::Now(); | |
| 58 scoped_ptr<std::set<base::string16>> suspicious_names( | |
| 59 new std::set<base::string16>); | |
| 60 | |
| 61 if (!GetLoadedModules(&module_info_set)) | |
| 62 return; | |
| 63 | |
| 64 std::set<ModuleInfo>::const_iterator module_iter(module_info_set.begin()); | |
| 65 for (; module_iter != module_info_set.end(); ++module_iter) { | |
| 66 base::string16 module_file_name(base::ToLowerASCII( | |
| 67 base::FilePath(module_iter->name).BaseName().value())); | |
| 68 | |
| 69 // If not whitelisted. | |
| 70 if (!database_manager_->MatchModuleWhitelistString( | |
| 71 base::UTF16ToUTF8(module_file_name))) | |
| 72 suspicious_names->insert(module_iter->name); | |
| 73 } | |
| 74 | |
| 75 UMA_HISTOGRAM_TIMES("SBIRS.SuspiciousModuleDetectionTime", | |
| 76 base::TimeTicks::Now() - start_time); | |
| 77 | |
| 78 if (!suspicious_names->empty()) { | |
| 79 scoped_refptr<base::TaskRunner> task_runner = | |
| 80 content::BrowserThread::GetBlockingPool() | |
| 81 ->GetTaskRunnerWithShutdownBehavior( | |
| 82 base::SequencedWorkerPool::SKIP_ON_SHUTDOWN); | |
| 83 | |
| 84 task_runner->PostTask( | |
| 85 FROM_HERE, | |
| 86 base::Bind(&ModuleLoadAnalyzer::ReportIncidentsForSuspiciousModules, | |
| 87 base::Unretained(this), | |
| 88 base::Passed(std::move(suspicious_names)))); | |
| 89 } | |
| 90 } | |
| 91 | |
| 92 void ModuleLoadAnalyzer::ReportIncidentsForSuspiciousModules( | |
| 93 scoped_ptr<std::set<base::string16>> module_names) { | |
| 94 PathSanitizer path_sanitizer; | |
| 95 scoped_ptr<IncidentReceiver> incident_receiver = | |
| 96 std::move(incident_receiver_); | |
| 97 base::TimeTicks start_time = base::TimeTicks::Now(); | |
| 98 | |
| 99 UMA_HISTOGRAM_COUNTS("SBIRS.SuspiciousModuleReportCount", | |
| 100 module_names->size()); | |
| 101 | |
| 102 for (const auto& module_name : *module_names) { | |
| 103 if (abort_reporting_) | |
|
robertshield
2016/02/08 16:22:02
As discussed, if this is true, then this method is
proberge
2016/02/08 21:43:47
Done.
| |
| 104 return; | |
| 105 | |
| 106 // TODO(proberge): Skip over modules that have already been reported. | |
| 107 | |
| 108 scoped_ptr<ClientIncidentReport_IncidentData_SuspiciousModuleIncident> | |
| 109 suspicious_module( | |
| 110 new ClientIncidentReport_IncidentData_SuspiciousModuleIncident()); | |
| 111 | |
| 112 const base::FilePath module_path(module_name); | |
| 113 | |
| 114 // Sanitized path. | |
| 115 base::FilePath sanitized_path(module_path); | |
| 116 path_sanitizer.StripHomeDirectory(&sanitized_path); | |
| 117 suspicious_module->set_path(base::WideToUTF8(sanitized_path.value())); | |
| 118 | |
| 119 // Digest. | |
| 120 scoped_refptr<BinaryFeatureExtractor> binary_feature_extractor( | |
| 121 new BinaryFeatureExtractor()); | |
| 122 | |
| 123 binary_feature_extractor->ExtractDigest( | |
| 124 module_path, suspicious_module->mutable_digest()); | |
| 125 | |
| 126 // Version. | |
| 127 scoped_ptr<FileVersionInfo> version_info( | |
| 128 FileVersionInfo::CreateFileVersionInfo(module_path)); | |
| 129 if (version_info) { | |
| 130 std::wstring file_version = version_info->file_version(); | |
| 131 if (!file_version.empty()) | |
| 132 suspicious_module->set_version(base::WideToUTF8(file_version)); | |
| 133 } | |
| 134 | |
| 135 // Signature. | |
| 136 binary_feature_extractor->CheckSignature( | |
| 137 module_path, suspicious_module->mutable_signature()); | |
| 138 | |
| 139 // Image headers. | |
| 140 if (!binary_feature_extractor->ExtractImageFeatures( | |
| 141 module_path, BinaryFeatureExtractor::kDefaultOptions, | |
| 142 suspicious_module->mutable_image_headers(), | |
| 143 nullptr /* signed_data */)) { | |
| 144 suspicious_module->clear_image_headers(); | |
| 145 } | |
| 146 | |
| 147 // Send the report. | |
| 148 incident_receiver->AddIncidentForProcess(make_scoped_ptr( | |
| 149 new SuspiciousModuleIncident(std::move(suspicious_module)))); | |
| 150 } | |
| 151 | |
| 152 UMA_HISTOGRAM_TIMES("SBIRS.SuspiciousModuleReportingTime", | |
| 153 base::TimeTicks::Now() - start_time); | |
| 154 } | |
| 155 | |
| 156 void ModuleLoadAnalyzer::VerifyModuleLoadState( | |
| 157 scoped_ptr<IncidentReceiver> incident_receiver) { | |
| 158 // Shouldn't be called more than once. | |
| 159 DCHECK(!incident_receiver_); | |
| 160 incident_receiver_ = std::move(incident_receiver); | |
| 161 | |
| 162 // PostTaskAndReply doesn't work here because we're in a sequenced blocking | |
| 163 // thread pool. | |
| 164 content::BrowserThread::PostTask( | |
| 165 content::BrowserThread::IO, FROM_HERE, | |
| 166 base::Bind(&ModuleLoadAnalyzer::GetLoadedSuspiciousModulesOnIOThread, | |
| 167 base::Unretained(this))); | |
| 168 } | |
| 169 | |
| 170 } // namespace safe_browsing | |
| OLD | NEW |
