Security/Features/Application Reputation Design Doc

From MozillaWiki
Revision as of 18:35, 18 February 2014 by Mmc

Goal

Document the application reputation implementation decisions so that people other than the author can debug it.

Background

Google has offered an application reputation feature to detect malicious downloads as part of Google Safe Browsing since 2012 [1]. Although this part of the Safe Browsing API is not documented, they have offered it to us for use in Firefox. Malicious download detection is separate from detection of phishing and malware pages, though both features use some of the same mechanisms.

This document attempts to document all of the things that Google Chrome does, so that even in the absence of official API documentation from Google, we collectively have a better chance of implementing this feature correctly.

High-level overview

The user-agent performs local lookups whenever a binary file is downloaded. If no local result is found, the user-agent may perform a remote lookup (on Windows only). The bulk of Chrome's implementation is found in DownloadProtectionService [2].

When a binary file is downloaded, the user-agent extracts several pieces of metadata about the file, including:

  1. The target URL from which the file was downloaded, its referrer URL and any URLs in the redirect chain.
  2. The SHA-256 hash of the contents of the file.
  3. Any certificate verification information obtained through the Windows Authenticode APIs.
  4. The length of the file in bytes.
  5. The suggested filename for the download.

Using this metadata, the user-agent performs local lookups against a blocklist, then an allowlist. If the binary is signed, the code signing information is also checked against the allowlist. If any blocklist match is found, the user-agent must not save the file to disk. If any allowlist match is found, the user-agent may treat the binary as trusted and skip the remote lookup.
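The local stage described above, as an added illustration that is not code from Firefox or Chrome: the metadata struct, the list types, the `LocalLookup` function and the sample list contents are all assumptions of this example, and it matches URLs and signer names by exact string rather than by hash prefix.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <vector>

// Metadata the user-agent extracts from a downloaded binary (the five items listed above).
struct DownloadMetadata {
  std::vector<std::string> urls;     // target URL, referrer URL and any redirect-chain URLs
  std::string sha256;                // hex digest of the file contents
  std::vector<std::string> signers;  // Authenticode signer names; empty when unsigned
  std::size_t length;                // file length in bytes
  std::string filename;              // suggested filename for the download
};

// Outcome of the local stage: Block (must not save), Trusted (allowlisted, remote lookup
// may be skipped) or Unknown (no local result; a remote lookup is allowed on Windows).
enum class Verdict { Block, Trusted, Unknown };

// Hypothetical local lists. Exact string matching is a simplification for this example;
// a real Safe Browsing client matches hash prefixes of canonicalised URLs.
struct LocalLists {
  std::set<std::string> blockUrls;
  std::set<std::string> allowUrls;
  std::set<std::string> allowSigners;
};

Verdict LocalLookup(const DownloadMetadata& md, const LocalLists& lists) {
  // Blocklist first: a hit on any URL in the chain wins over every allowlist entry.
  for (const auto& url : md.urls)
    if (lists.blockUrls.count(url)) return Verdict::Block;
  // Then the allowlist, by URL...
  for (const auto& url : md.urls)
    if (lists.allowUrls.count(url)) return Verdict::Trusted;
  // ...and, only for signed binaries, by code-signing identity.
  for (const auto& signer : md.signers)
    if (lists.allowSigners.count(signer)) return Verdict::Trusted;
  return Verdict::Unknown;
}

// Constructed sample lists for demonstration, not real list contents.
LocalLists SampleLists() {
  return {{"http://malware.example/dropper.exe"},
          {"http://downloads.example/"},
          {"Example Software Inc."}};
}
```

A blocklisted URL anywhere in the redirect chain blocks the download even when the binary carries an allowlisted signature, which is the ordering the text requires.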

Metadata extraction

Local lists

Local lookups

Remote lookup