Security/Features/Application Reputation Design Doc: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Created page with "== Goal == Document application reputation implementation decisions so that other people than the author can debug it. == Background == Google has offered an application repu...")
 
Line 21: Line 21:


== Metadata extraction ==
== Metadata extraction ==
In Firefox, SHA-256 hash computation is performed in BackgroundFileSaver via DigestOutputStream as the temporary file is written to disk [http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/BackgroundFileSaver.cpp]. After the download is complete, BackgroundFileSaver computes the signature verification of the downloaded file in ExtractSignatureInfo on Windows only [http://mxr.mozilla.org/mozilla-central/ident?i=ExtractSignatureInfo]. Both of these operations happen on a worker thread.
Extraction of the redirect chain will hopefully happen via exposing mRedirectedCacheKeys from HttpBaseChannel.


== Local lists ==
== Local lists ==

Revision as of 18:39, 18 February 2014

Goal

Document application reputation implementation decisions so that other people than the author can debug it.

Background

Google has offered an application reputation feature to detect malicious downloads as part of Google Safe Browsing since 2012 [1]. Although this part of the Safe Browsing API is not documented, they have offered it to us for use in Firefox. Malicious download detection is separate from detection of phishing and malware pages, though both features use some of the same mechanisms.

This document attempts to document all of the things that Google Chrome does, so that even in the absence of official API documentation from Google, we collectively have a better chance of implementing this feature correctly.

High-level overview

The user-agent performs local lookups whenever a binary file is downloaded. If a local result is not found, the user-agent may perform a remote-lookup on Windows only. The bulk of Chrome's implementation is found in DownloadProtectionService [2].

When a binary file is downloaded, the user-agent extracts several pieces of metadata about the file, including:

  1. The target URL from which the file was downloaded, its referrer URL and any URLs in the redirect chain.
  2. The SHA-256 hash of the contents of the file.
  3. Any certificate verification information obtained through the Windows Authenticode APIs.
  4. The length of the file in bytes.
  5. The suggested filename for the download.

Using this metadata, the user-agent performs a local lookups against a blocklist, then an allowlist. If the binary is signed, then the code signing information is checked against the allowlist. If any blocklist matches are found, the user-agent must not save the file to disk. If any allowlist matches are found, the user-agent may treat the binary as trusted and skip the remote lookup.

Metadata extraction

In Firefox, SHA-256 hash computation is performed in BackgroundFileSaver via DigestOutputStream as the temporary file is written to disk [3]. After the download is complete, BackgroundFileSaver computes the signature verification of the downloaded file in ExtractSignatureInfo on Windows only [4]. Both of these operations happen on a worker thread.

Extraction of the redirect chain will hopefully happen via exposing mRedirectedCacheKeys from HttpBaseChannel.

Local lists

Local lookups

Remote lookup

Retrieved from "https://wiki.allizom.org/index.php?title=Security/Features/Application_Reputation_Design_Doc&oldid=931683"