chrome/browser/safe_browsing/signature_evaluator_mac_unittest.cc - Issue 1363613004: Implement anonymous, opt-in, collection of OS X binary integrity incidents.

Side by Side Diff: chrome/browser/safe_browsing/signature_evaluator_mac_unittest.cc

Issue 1363613004: Implement anonymous, opt-in, collection of OS X binary integrity incidents. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« chrome/browser/safe_browsing/signature_evaluator_mac.mm ('K') | « chrome/browser/safe_browsing/signature_evaluator_mac.mm ('k') | chrome/chrome_browser.gypi » ('j') | chrome/test/data/safe_browsing/mach_o/Makefile » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 // Copyright 2015 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "chrome/browser/safe_browsing/signature_evaluator_mac.h"

	6

	7 #include <CoreFoundation/CoreFoundation.h>

	8 #include <string>
	Mark Mentovai 2015/10/05 15:02:12 Separate C from C++ system headers. Separate C from C++ system headers. Greg K 2015/10/07 22:54:30 Done. Show quoted text On 2015/10/05 15:02:12, Mark Mentovai wrote: > Separate C from C++ system headers. Done.
	9 #include <sys/xattr.h>

	10 #include <vector>

	11

	12 #include "base/files/file_path.h"

	13 #include "base/files/file_util.h"

	14 #include "base/files/scoped_temp_dir.h"

	15 #include "base/mac/mac_util.h"

	16 #include "base/mac/scoped_cftyperef.h"

	17 #include "base/path_service.h"

	18 #include "base/test/scoped_path_override.h"

	19 #include "chrome/common/chrome_paths.h"

	20 #include "chrome/common/safe_browsing/csd.pb.h"

	21 #include "testing/gmock/include/gmock/gmock-matchers.h"

	22 #include "testing/gtest/include/gtest/gtest.h"

	23

	24 namespace {

	25 const char* xattrs[] = {
	Mark Mentovai 2015/10/05 15:02:12 It’s unfortunate that this isn’t sharing with the It’s unfortunate that this isn’t sharing with the identical list in the other file. Greg K 2015/10/07 22:54:30 I actually made these two separate lists on purpos Show quoted text On 2015/10/05 15:02:12, Mark Mentovai wrote: > It’s unfortunate that this isn’t sharing with the identical list in the other > file. I actually made these two separate lists on purpose because if someone messes up the list in the other file, the test becomes bogus. This is the "control case." But maybe that doesn't matter?
	26 "com.apple.cs.CodeDirectory", "com.apple.cs.CodeSignature",

	27 "com.apple.cs.CodeRequirements", "com.apple.cs.CodeResources",

	28 "com.apple.cs.CodeApplication", "com.apple.cs.CodeEntitlements",

	29 };

	30 }
	Mark Mentovai 2015/10/05 15:02:12 // namespace // namespace Greg K 2015/10/07 22:54:30 Done. Show quoted text On 2015/10/05 15:02:12, Mark Mentovai wrote: > // namespace Done.
	31

	32 class MacSignatureEvaluatorTest : public testing::Test {

	33 protected:

	34 void SetUp() override {

	35 base::FilePath source_path;

	36 ASSERT_TRUE(PathService::Get(chrome::DIR_TEST_DATA, &source_path));

	37 testdata_path_ =

	38 source_path.AppendASCII("safe_browsing").AppendASCII("mach_o");

	39

	40 base::FilePath dir_exe;

	41 ASSERT_TRUE(PathService::Get(base::DIR_EXE, &dir_exe));

	42 base::FilePath file_exe;

	43 ASSERT_TRUE(PathService::Get(base::FILE_EXE, &file_exe));

	44

	45 CHECK(temp_dir_.CreateUniqueTempDir());
	Robert Sesek 2015/10/05 22:19:07 No CHECK No CHECK Greg K 2015/10/07 22:54:30 Done. Show quoted text On 2015/10/05 22:19:07, Robert Sesek wrote: > No CHECK Done.
	46 }

	47

	48 bool GetExecPath(const base::FilePath& bundle_url, base::FilePath* result) {

	49 base::ScopedCFTypeRef<CFStringRef> path_str(CFStringCreateWithCString(

	50 kCFAllocatorDefault, bundle_url.value().c_str(),

	51 kCFStringEncodingUTF8));

	52 if (!path_str.get())

	53 return false;

	54 base::ScopedCFTypeRef<CFURLRef> path_url(CFURLCreateWithFileSystemPath(

	55 kCFAllocatorDefault, path_str, kCFURLPOSIXPathStyle, false));

	56 if (!path_url.get())

	57 return false;

	58 base::ScopedCFTypeRef<CFBundleRef> bundle(

	59 CFBundleCreate(kCFAllocatorDefault, path_url));

	60 if (!bundle.get())

	61 return false;

	62

	63 base::ScopedCFTypeRef<CFURLRef> exec_url(CFBundleCopyExecutableURL(bundle));

	64 UInt8 path_buf[PATH_MAX];

	65 if (!CFURLGetFileSystemRepresentation(exec_url, true, path_buf,

	66 sizeof(path_buf)))

	67 return false;

	68

	69 result = base::FilePath(reinterpret_cast<const char>(path_buf));

	70 return true;

	71 }

	72

	73 bool SetupXattrs(const base::FilePath& path) {

	74 char sentinel = 'A';

	75 for (const auto& xattr : xattrs) {

	76 std::vector<uint8_t> buf(10);

	77 memset(&buf[0], sentinel++, buf.size());

	78 if (setxattr(path.value().c_str(), xattr, &buf[0], buf.size(), 0, 0) != 0)

	79 return false;

	80 }

	81 return true;

	82 }

	83

	84 base::FilePath testdata_path_;

	85 base::ScopedTempDir temp_dir_;

	86 };

	87

	88 TEST_F(MacSignatureEvaluatorTest, SimpleTest) {

	89 // This is a simple test that checks the validity of a signed executable.

	90 // There is no designated requirement: we only check the embedded signature.

	91 base::FilePath path = testdata_path_.AppendASCII("signedexecutablefat");

	92 safe_browsing::MacSignatureEvaluator evaluator(path);

	93 ASSERT_TRUE(evaluator.Initialize());

	94

	95 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident

	96 result;

	97 ASSERT_TRUE(evaluator.PerformEvaluation(&result));

	98 ASSERT_EQ(0, result.sub_incident_size());

	99 ASSERT_FALSE(result.has_sec_error());

	100 ASSERT_FALSE(result.has_file_basename());

	101 }

	102

	103 TEST_F(MacSignatureEvaluatorTest, SimpleTestWithDR) {

	104 // This test checks the signer against a designated requirement description.

	105 base::FilePath path = testdata_path_.AppendASCII("signedexecutablefat");

	106 std::string requirement(

	107 "certificate leaf[subject.CN]=\"untrusted@goat.local\"");

	108 safe_browsing::MacSignatureEvaluator evaluator(path, requirement);

	109 ASSERT_TRUE(evaluator.Initialize());

	110

	111 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident

	112 result;

	113 ASSERT_TRUE(evaluator.PerformEvaluation(&result));

	114 ASSERT_EQ(0, result.sub_incident_size());

	115 ASSERT_FALSE(result.has_sec_error());

	116 ASSERT_FALSE(result.has_file_basename());

	117 }

	118

	119 TEST_F(MacSignatureEvaluatorTest, SimpleTestWithBadDR) {

	120 // Now test with a designated requirement that does not describe the signer.

	121 base::FilePath path = testdata_path_.AppendASCII("signedexecutablefat");

	122 safe_browsing::MacSignatureEvaluator evaluator(path, "anchor apple");

	123 ASSERT_TRUE(evaluator.Initialize());

	124

	125 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident

	126 result;

	127 ASSERT_FALSE(evaluator.PerformEvaluation(&result));

	128 ASSERT_EQ(1, result.sub_incident_size());

	129 ASSERT_EQ(-67050, result.sec_error());

	130

	131 const safe_browsing::

	132 ClientIncidentReport_IncidentData_BinaryIntegrityIncident& incident =

	133 result.sub_incident(0);

	134 ASSERT_TRUE(incident.has_file_basename());

	135 ASSERT_EQ("signedexecutablefat", incident.file_basename());

	136 ASSERT_TRUE(incident.has_signature());

	137 }

	138

	139 TEST_F(MacSignatureEvaluatorTest, SimpleBundleTest) {

	140 // Now test a simple, validly signed bundle.

	141 base::FilePath path = testdata_path_.AppendASCII("test-bundle.app");

	142 base::FilePath exec_path;

	143 ASSERT_TRUE(GetExecPath(path, &exec_path));

	144

	145 std::string requirement(

	146 "certificate leaf[subject.CN]=\"untrusted@goat.local\"");

	147 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement);

	148 ASSERT_TRUE(evaluator.Initialize());

	149

	150 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident

	151 result;

	152 ASSERT_TRUE(evaluator.PerformEvaluation(&result));

	153 ASSERT_EQ(0, result.sub_incident_size());

	154 ASSERT_FALSE(result.has_sec_error());

	155 ASSERT_FALSE(result.has_file_basename());

	156 }

	157

	158 TEST_F(MacSignatureEvaluatorTest, ModifiedMainExecTest32) {

	159 // Now to a test modified, signed bundle.

	160 base::FilePath path = testdata_path_.AppendASCII("modified-main-exec32.app");

	161 base::FilePath exec_path;

	162 ASSERT_TRUE(GetExecPath(path, &exec_path));

	163

	164 std::string requirement(

	165 "certificate leaf[subject.CN]=\"untrusted@goat.local\"");

	166 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement);

	167 ASSERT_TRUE(evaluator.Initialize());

	168

	169 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident

	170 incident;

	171 ASSERT_FALSE(evaluator.PerformEvaluation(&incident));

	172 ASSERT_EQ(1, incident.sub_incident_size());

	173 ASSERT_EQ(-67061, incident.sec_error());

	174

	175 ASSERT_EQ(exec_path.BaseName().value(), incident.file_basename());

	176 }

	177

	178 TEST_F(MacSignatureEvaluatorTest, ModifiedMainExecTest64) {

	179 // Snow Leopard does not know about the 64-bit slice so this test is

	180 // irrelevant.

	181 if (base::mac::IsOSLionOrLater()) {

	182 // Now to a test modified, signed bundle.

	183 base::FilePath path =

	184 testdata_path_.AppendASCII("modified-main-exec64.app");

	185 base::FilePath exec_path;

	186 ASSERT_TRUE(GetExecPath(path, &exec_path));

	187

	188 std::string requirement(

	189 "certificate leaf[subject.CN]=\"untrusted@goat.local\"");

	190 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement);

	191 ASSERT_TRUE(evaluator.Initialize());

	192

	193 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident

	194 incident;

	195 ASSERT_FALSE(evaluator.PerformEvaluation(&incident));

	196 ASSERT_EQ(1, incident.sub_incident_size());

	197 ASSERT_EQ(-67061, incident.sec_error());

	198

	199 ASSERT_EQ(exec_path.BaseName().value(), incident.file_basename());

	200 }

	201 }

	202

	203 TEST_F(MacSignatureEvaluatorTest, ModifiedBundleAndExecTest) {

	204 // Now test a modified, signed bundle with resources added and the main

	205 // executable modified.

	206 base::FilePath path =

	207 testdata_path_.AppendASCII("modified-bundle-and-exec.app");

	208 base::FilePath exec_path;

	209 ASSERT_TRUE(GetExecPath(path, &exec_path));

	210

	211 std::string requirement(

	212 "certificate leaf[subject.CN]=\"untrusted@goat.local\"");

	213 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement);

	214 ASSERT_TRUE(evaluator.Initialize());

	215

	216 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident

	217 result;

	218 ASSERT_FALSE(evaluator.PerformEvaluation(&result));

	219 ASSERT_EQ(-67061, result.sec_error());

	220

	221 ASSERT_EQ(exec_path.BaseName().value(), result.file_basename());

	222 ASSERT_EQ(1, result.sub_incident_size());

	223

	224 const safe_browsing::

	225 ClientIncidentReport_IncidentData_BinaryIntegrityIncident& sub_incident =

	226 result.sub_incident(0);

	227 ASSERT_TRUE(sub_incident.has_file_basename());

	228 ASSERT_EQ(sub_incident.file_basename(), exec_path.BaseName().value());

	229 ASSERT_TRUE(sub_incident.has_signature());

	230 }

	231

	232 TEST_F(MacSignatureEvaluatorTest, ModifiedBundleTest) {

	233 // Now test a modified, signed bundle. This bundle has

	234 // the following problems:

	235 // 1) A file was added (This should not be reported)

	236 // 2) libsigned64.dylib was modified

	237 // 3) executable32 was modified

	238

	239 base::FilePath orig_path = testdata_path_.AppendASCII("modified-bundle.app");

	240 base::FilePath copied_path =

	241 temp_dir_.path().AppendASCII("modified-bundle.app");

	242 CHECK(base::CopyDirectory(orig_path, copied_path, true));

	243

	244 base::FilePath exec_path;

	245 ASSERT_TRUE(GetExecPath(copied_path, &exec_path));

	246

	247 // Setup the extended attributes, which don't persist in the git repo.

	248 ASSERT_TRUE(SetupXattrs(

	249 copied_path.AppendASCII("Contents/Resources/Base.lproj/MainMenu.nib")));

	250

	251 std::string requirement(

	252 "certificate leaf[subject.CN]=\"untrusted@goat.local\"");

	253 safe_browsing::MacSignatureEvaluator evaluator(exec_path, requirement);

	254 ASSERT_TRUE(evaluator.Initialize());

	255

	256 safe_browsing::ClientIncidentReport_IncidentData_OSXBinaryIntegrityIncident

	257 result;

	258 ASSERT_FALSE(evaluator.PerformEvaluation(&result));

	259 ASSERT_EQ(-67054, result.sec_error());

	260 ASSERT_EQ(exec_path.BaseName().value(), result.file_basename());

	261 ASSERT_EQ(4, result.sub_incident_size());

	262

	263 const google::protobuf::RepeatedPtrField<

	264 safe_browsing::ClientIncidentReport_IncidentData_BinaryIntegrityIncident>&

	265 incidents = result.sub_incident();

	266 const safe_browsing::

	267 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* main_exec =

	268 nullptr;

	269 const safe_browsing::

	270 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* libsigned64 =

	271 nullptr;

	272 const safe_browsing::

	273 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* executable32 =

	274 nullptr;

	275 const safe_browsing::

	276 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* mainmenunib =

	277 nullptr;

	278 const safe_browsing::

	279 ClientIncidentReport_IncidentData_BinaryIntegrityIncident* codesign_cfg =

	280 nullptr;

	281

	282 for (const auto& incident : incidents) {

	283 if (incident.file_basename() == exec_path.BaseName().value())

	284 main_exec = &incident;

	285 else if (incident.file_basename() == "libsigned64.dylib")

	286 libsigned64 = &incident;

	287 else if (incident.file_basename() == "executable32")

	288 executable32 = &incident;

	289 else if (incident.file_basename() == "MainMenu.nib")

	290 mainmenunib = &incident;

	291 else if (incident.file_basename() == "codesign.cfg")

	292 codesign_cfg = &incident;

	293 }

	294 ASSERT_NE(main_exec, nullptr);

	295 ASSERT_NE(libsigned64, nullptr);

	296 ASSERT_NE(executable32, nullptr);

	297 // This is important. Do not collect information on extra files added.

	298 ASSERT_EQ(codesign_cfg, nullptr);

	299

	300 ASSERT_TRUE(main_exec->has_file_basename());

	301 ASSERT_EQ(exec_path.BaseName().value(), main_exec->file_basename());

	302 ASSERT_TRUE(main_exec->has_signature());

	303

	304 ASSERT_TRUE(libsigned64->has_file_basename());

	305 ASSERT_EQ("libsigned64.dylib", libsigned64->file_basename());

	306 ASSERT_TRUE(libsigned64->has_signature());

	307

	308 ASSERT_TRUE(executable32->has_file_basename());

	309 ASSERT_EQ("executable32", executable32->file_basename());

	310 ASSERT_TRUE(executable32->has_signature());

	311

	312 ASSERT_TRUE(mainmenunib->has_file_basename());

	313 ASSERT_EQ("MainMenu.nib", mainmenunib->file_basename());

	314 ASSERT_TRUE(mainmenunib->has_signature());

	315 ASSERT_EQ(6, mainmenunib->signature().xattr_size());

	316 // Manually convert the global xattrs array to a vector

	317 std::vector<std::string> xattrs_known;

	318 for (const auto& xattr : xattrs)

	319 xattrs_known.push_back(xattr);

	320

	321 std::vector<std::string> xattrs_seen;

	322 for (const auto& xattr : mainmenunib->signature().xattr()) {

	323 ASSERT_TRUE(xattr.has_key());

	324 ASSERT_TRUE(xattr.has_value());

	325 xattrs_seen.push_back(xattr.key());

	326 }

	327 ASSERT_THAT(xattrs_known, ::testing::ContainerEq(xattrs_seen));

	328 }

OLD	NEW