Add UMA stats to record when DLLs are successfully blocked in the Browser.

chrome/browser/chrome_elf_init_win.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/bind.h"
+#include "base/md5.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
+#include "base/metrics/sparse_histogram.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/win/registry.h"
 #include "chrome/browser/chrome_elf_init_win.h"
 #include "chrome_elf/blacklist/blacklist.h"
+#include "content/public/browser/browser_thread.h"
 #include "version.h"  // NOLINT
 
 namespace {
 
 const char kBrowserBlacklistTrialName[] = "BrowserBlacklist";
 const char kBrowserBlacklistTrialEnabledGroupName[] = "Enabled";
 
+// How long to wait, in seconds, before reporting for the second (and last
+// time), what dlls were blocked from the browser process.
+const int kBlacklistReportingDelaySec = 600;
+
 // This enum is used to define the buckets for an enumerated UMA histogram.
 // Hence,
 //   (a) existing enumerated constants should never be deleted or reordered, and
 //   (b) new constants should only be appended in front of
 //       BLACKLIST_SETUP_EVENT_MAX.
 enum BlacklistSetupEventType {
   // The blacklist beacon has placed to enable the browser blacklisting.
   BLACKLIST_SETUP_ENABLED = 0,
 
   // The blacklist was successfully enabled.
@@ skipping 11 matching lines @@
   // Always keep this at the end.
   BLACKLIST_SETUP_EVENT_MAX,
 };
 
 void RecordBlacklistSetupEvent(BlacklistSetupEventType blacklist_setup_event) {
   UMA_HISTOGRAM_ENUMERATION("Blacklist.Setup",
                             blacklist_setup_event,
                             BLACKLIST_SETUP_EVENT_MAX);
 }
 
+// Report which DLLs were prevented from being loaded.
+void ReportSuccessfulBlocks() {
+  typedef void (*SuccessfullyBlockedPtr)(const wchar_t**, int*);
+  SuccessfullyBlockedPtr successfully_blocked =
+      reinterpret_cast<SuccessfullyBlockedPtr>(GetProcAddress(
+          GetModuleHandle(L"chrome_elf.dll"), "SuccessfullyBlocked"));
+
+  if (!successfully_blocked)
+    return;
+
+  // Figure out how many dlls were blocked.
+  int num_blocked_dlls = 0;
+  successfully_blocked(NULL, &num_blocked_dlls);
+
+  if (num_blocked_dlls == 0)
+    return;
+
+  // Now retrieve the list of blocked dlls.
+  std::vector<const wchar_t*> blocked_dlls(num_blocked_dlls);
+  successfully_blocked(&blocked_dlls[0], &num_blocked_dlls);
+
+  // Send up the hashes of the blocked dlls via UMA.
+  for (size_t i = 0; i < blocked_dlls.size(); ++i) {
+    base::MD5Digest hash;

[csharp, 2014/02/25 15:20:50]

asvitkine@, any hints/tips on a better hash to use? I think this approach work,
but it doesn't seem as clean as I would like.

[Alexei Svitkine (slow), 2014/02/25 15:51:54]

Another histogram uses this one, which is indeed cleaner:

https://code.google.com/p/chromium/codesearch#chromium/src/ppapi/proxy/interf...

+    base::MD5Sum(blocked_dlls[i], wcslen(blocked_dlls[i]), &hash);
+
+    // Convert the md5 hash to an integer. Strip off the signed bit because
+    // UMA doesn't support negative values, but takes a signed int as input.
+    uint32 uma_hash =
+        static_cast<int>(hash.a[0] + (hash.a[1] << 8) + (hash.a[2] << 12) +
+                         ((hash.a[3] * 0x7f) << 16));
+
+    UMA_HISTOGRAM_SPARSE_SLOWLY("Blacklist.Blocked", uma_hash);
+  }
+}
+
 }  // namespace
 
 void InitializeChromeElf() {
   if (base::FieldTrialList::FindFullName(kBrowserBlacklistTrialName) ==
       kBrowserBlacklistTrialEnabledGroupName) {
     BrowserBlacklistBeaconSetup();
   } else {
     // Disable the blacklist for all future runs by removing the beacon.
     base::win::RegKey blacklist_registry_key(HKEY_CURRENT_USER);
     blacklist_registry_key.DeleteKey(blacklist::kRegistryBeaconPath);
   }
+
+  // Report all successful blacklist interceptions.
+  ReportSuccessfulBlocks();
+
+  // Schedule another task to report all sucessful interceptions later.
+  // This time delay should be long enough to catch any dlls that attempt to
+  // inject after Chrome has started up.
+  content::BrowserThread::PostDelayedTask(
+      content::BrowserThread::UI,
+      FROM_HERE,
+      base::Bind(&ReportSuccessfulBlocks),
+      base::TimeDelta::FromSeconds(kBlacklistReportingDelaySec));
 }
 
 void BrowserBlacklistBeaconSetup() {
   base::win::RegKey blacklist_registry_key(HKEY_CURRENT_USER,
                                            blacklist::kRegistryBeaconPath,
                                            KEY_QUERY_VALUE | KEY_SET_VALUE);
 
   // Find the last recorded blacklist version.
   base::string16 blacklist_version;
   blacklist_registry_key.ReadValue(blacklist::kBeaconVersion,
@@ skipping 42 matching lines @@
 
       // Since some part of the blacklist failed, ensure it is now disabled
       // for this version.
       if (blacklist_state != blacklist::BLACKLIST_DISABLED) {
         blacklist_registry_key.WriteValue(blacklist::kBeaconState,
                                           blacklist::BLACKLIST_DISABLED);
       }
     }
   }
 }