Chrome Participated Tamper Detect

components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detection.h

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// This file implements the tamper detection logic, which detects whether
+// there are middleboxes and whether they are tampering with the response
+// which may break correct communication and data transfer between the Chromium
+// client and the data reduction proxy.
+//
+// At a high level, the tamper detection process works in two steps:
+// 1. The data reduction proxy selects a fraction of responses to analyze,
+//    generates a series of fingerprints for each, and appends them to the
+//    Chrome-Proxy response headers;
+// 2. The client re-generate the fingerprints using the same method as the
+//    proxy, compares them to the fingerprints in the response, and generates
+//    UMA. A response is considered to have been tampered with if the
+//    fingerprints do not match.
+//
+// Four fingerprints are generated by the data reduction proxy:
+// 1. Fingerprint of the Chrome-Proxy header, which is designed to check
+//    whether the Chrome-Proxy header has been modified or not;
+// 2. Fingerprint of the Via header, which is designed to check whether there
+//    are middleboxes between the Chromium client and the data reduction proxy;
+// 3. Fingerprint of a list of headers, which is designed to check whether the
+//    values of a list of headers (list is defined by the data reduction proxy)
+//    have been modified or deleted;
+// 4. Fingerprint of the Content-Length header, which is designed to check
+//    whether the response body has been modified or not (the code assumes that
+//    different Content-Length values indicate different response bodies).
+//
+// On the client side, the fingerprint of the Chrome-Proxy header will be
+// checked first. If the fingerprint indicates that the Chrome-Proxy header has
+// not been modified, then the other fingerprints will be considered to be
+// reliable and will be checked next; if not, then it's possible that the other
+// fingerprints have been tampered with and thus they will not be checked.
+// If middlebox removes all the fingerprints then such tampering will not be
+// detected.
+//
+// Detected tampering information will be reported to UMA. In general, for each
+// fingerprint, the client reports the number of responses that have been
+// tampered with for different carriers. For the fingerprint of the
+// Content-Length header, which indicates whether the response body has been
+// modified or not, the reports of tampering are separated by MIME type of the
+// response body.
+
+#ifndef COMPONENTS_DATA_REDUCTION_PROXY_BROWSER_DATA_REDUCTION_PROXY_TAMPER_DETECTION_H_
+#define COMPONENTS_DATA_REDUCTION_PROXY_BROWSER_DATA_REDUCTION_PROXY_TAMPER_DETECTION_H_
+
+#include <map>
+#include <string>
+#include <vector>
+
+#include "net/proxy/proxy_service.h"
+
+namespace net {
+class HttpResponseHeaders;
+}
+
+namespace data_reduction_proxy {
+
+// Detects if the response sent by the data reduction proxy has been modified
+// by intermediaries on the Web.
+class DataReductionProxyTamperDetection {
+ public:
+  // Checks if the response contains tamper detection fingerprints added by the
+  // data reduction proxy, and determines if the response had been tampered
+  // with if so. Results are reported to UMA. HTTP and HTTPS traffic are
+  // reported separately, specified by |scheme_is_https|. Returns true if
+  // the response has been tampered with.
+  static bool DetectAndReport(const net::HttpResponseHeaders* headers,
+                              bool scheme_is_https);
+
+  // Tamper detection checks |response_headers|. Histogram events are reported
+  // by |carrier_id|; |scheme_is_https| determines which histogram to report
+  // (HTTP and HTTPS are reported separately).
+  DataReductionProxyTamperDetection(
+      const net::HttpResponseHeaders* response_headers,
+      bool scheme_is_https,
+      unsigned carrier_id);
+
+  virtual ~DataReductionProxyTamperDetection();
+
+ private:
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           TestFingerprintCommon);
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           ChromeProxy);
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           Via);
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           OtherHeaders);
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           ContentLength);
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           HeaderRemoving);
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           ValuesToSortedString);
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           GetHeaderValues);
+  FRIEND_TEST_ALL_PREFIXES(DataReductionProxyTamperDetectionTest,
+                           DetectAndReport);
+
+  // Returns the result of validating Chrome-Proxy header.
+  bool ValidateChromeProxyHeader(const std::string& fingerprint) const;
+
+  // Reports UMA for tampering of the Chrome-Proxy header.
+  void ReportUMAforChromeProxyHeaderValidation() const;
+
+  // Returns the result of validating the Via header. |has_chrome_proxy|
+  // indicates that the data reduction proxy's Via header occurs or not.
+  bool ValidateViaHeader(const std::string& fingerprint,
+                         bool* has_chrome_proxy_via_header) const;
+
+  // Reports UMA for tampering of the Via header.
+  void ReportUMAforViaHeaderValidation(bool has_chrome_proxy_via_header) const;
+
+  // Returns the result of validating a list of headers.
+  bool ValidateOtherHeaders(const std::string& fingerprint) const;
+
+  // Reports UMA for tampering of values of the list of headers.
+  void ReportUMAforOtherHeadersValidation() const;
+
+  // Returns the result of validating the Content-Length header.
+  bool ValidateContentLengthHeader(const std::string& fingerprint) const;
+
+  // Reports UMA for tampering of the Content-Length header.
+  void ReportUMAforContentLengthHeaderValidation() const;
+
+  // Returns a string representation of |values|.
+  static std::string ValuesToSortedString(std::vector<std::string>* values);
+
+  // Returns raw MD5 hash value for a given string |input|. It is different to
+  // base::MD5String which is base16 encoded.
+  static void GetMD5(const std::string& input, std::string* output);
+
+  // Returns all the values of |header_name| of the response |headers| as a
+  // vector. This function is used for values that need to be sorted later.
+  static std::vector<std::string> GetHeaderValues(
+      const net::HttpResponseHeaders* headers,
+      const std::string& header_name);
+
+  // Pointer to response headers.
+  const net::HttpResponseHeaders* response_headers_;
+
+  // If true, the connection to the data reduction proxy is over HTTPS;
+  const bool scheme_is_https_;
+
+  // Carrier ID: the numeric name of the current registered operator.
+  const unsigned carrier_id_;
+
+  DISALLOW_COPY_AND_ASSIGN(DataReductionProxyTamperDetection);
+};
+
+}  // namespace data_reduction_proxy
+#endif  // COMPONENTS_DATA_REDUCTION_PROXY_BROWSER_DATA_REDUCTION_PROXY_TAMPER_DETECTION_H_