1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_SAFE_BROWSING_SAFE_BROWSING_DATABASE_H_ 6 #define CHROME_BROWSER_SAFE_BROWSING_SAFE_BROWSING_DATABASE_H_ 7 8 #include <map> 9 #include <set> 10 #include <string> 11 #include <vector> 12 13 #include "base/containers/hash_tables.h" 14 #include "base/files/file_path.h" 15 #include "base/gtest_prod_util.h" 16 #include "base/memory/scoped_ptr.h" 17 #include "base/memory/weak_ptr.h" 18 #include "base/synchronization/lock.h" 19 #include "base/time/time.h" 20 #include "chrome/browser/safe_browsing/safe_browsing_store.h" 21 22 namespace base { 23 class MessageLoop; 24 } 25 26 namespace safe_browsing { 27 class PrefixSet; 28 } 29 30 class GURL; 31 class SafeBrowsingDatabase; 32 33 // Factory for creating SafeBrowsingDatabase. Tests implement this factory 34 // to create fake Databases for testing. 35 class SafeBrowsingDatabaseFactory { 36 public: SafeBrowsingDatabaseFactory()37 SafeBrowsingDatabaseFactory() { } ~SafeBrowsingDatabaseFactory()38 virtual ~SafeBrowsingDatabaseFactory() { } 39 virtual SafeBrowsingDatabase* CreateSafeBrowsingDatabase( 40 bool enable_download_protection, 41 bool enable_client_side_whitelist, 42 bool enable_download_whitelist, 43 bool enable_extension_blacklist, 44 bool enable_side_effect_free_whitelist, 45 bool enable_ip_blacklist) = 0; 46 private: 47 DISALLOW_COPY_AND_ASSIGN(SafeBrowsingDatabaseFactory); 48 }; 49 50 // Encapsulates on-disk databases that for safebrowsing. There are 51 // four databases: browse, download, download whitelist and 52 // client-side detection (csd) whitelist databases. The browse database contains 53 // information about phishing and malware urls. The download database contains 54 // URLs for bad binaries (e.g: those containing virus) and hash of 55 // these downloaded contents. The download whitelist contains whitelisted 56 // download hosting sites as well as whitelisted binary signing certificates 57 // etc. The csd whitelist database contains URLs that will never be considered 58 // as phishing by the client-side phishing detection. These on-disk databases 59 // are shared among all profiles, as it doesn't contain user-specific data. This 60 // object is not thread-safe, i.e. all its methods should be used on the same 61 // thread that it was created on. 62 class SafeBrowsingDatabase { 63 public: 64 // Factory method for obtaining a SafeBrowsingDatabase implementation. 65 // It is not thread safe. 66 // |enable_download_protection| is used to control the download database 67 // feature. 68 // |enable_client_side_whitelist| is used to control the csd whitelist 69 // database feature. 70 // |enable_download_whitelist| is used to control the download whitelist 71 // database feature. 72 // |enable_ip_blacklist| is used to control the csd malware IP blacklist 73 // database feature. 74 static SafeBrowsingDatabase* Create(bool enable_download_protection, 75 bool enable_client_side_whitelist, 76 bool enable_download_whitelist, 77 bool enable_extension_blacklist, 78 bool side_effect_free_whitelist, 79 bool enable_ip_blacklist); 80 81 // Makes the passed |factory| the factory used to instantiate 82 // a SafeBrowsingDatabase. This is used for tests. RegisterFactory(SafeBrowsingDatabaseFactory * factory)83 static void RegisterFactory(SafeBrowsingDatabaseFactory* factory) { 84 factory_ = factory; 85 } 86 87 virtual ~SafeBrowsingDatabase(); 88 89 // Initializes the database with the given filename. 90 virtual void Init(const base::FilePath& filename) = 0; 91 92 // Deletes the current database and creates a new one. 93 virtual bool ResetDatabase() = 0; 94 95 // Returns false if |url| is not in the browse database or already was cached 96 // as a miss. If it returns true, |prefix_hits| contains matching hash 97 // prefixes which had no cached results and |cache_hits| contains any matching 98 // cached gethash results. This function is safe to call from any thread. 99 virtual bool ContainsBrowseUrl( 100 const GURL& url, 101 std::vector<SBPrefix>* prefix_hits, 102 std::vector<SBFullHashResult>* cache_hits) = 0; 103 104 // Returns false if none of |urls| are in Download database. If it returns 105 // true, |prefix_hits| should contain the prefixes for the URLs that were in 106 // the database. This function could ONLY be accessed from creation thread. 107 virtual bool ContainsDownloadUrl(const std::vector<GURL>& urls, 108 std::vector<SBPrefix>* prefix_hits) = 0; 109 110 // Returns false if |url| is not on the client-side phishing detection 111 // whitelist. Otherwise, this function returns true. Note: the whitelist 112 // only contains full-length hashes so we don't return any prefix hit. 113 // This function should only be called from the IO thread. 114 virtual bool ContainsCsdWhitelistedUrl(const GURL& url) = 0; 115 116 // The download whitelist is used for two purposes: a white-domain list of 117 // sites that are considered to host only harmless binaries as well as a 118 // whitelist of arbitrary strings such as hashed certificate authorities that 119 // are considered to be trusted. The two methods below let you lookup 120 // the whitelist either for a URL or an arbitrary string. These methods will 121 // return false if no match is found and true otherwise. 122 // This function could ONLY be accessed from the IO thread. 123 virtual bool ContainsDownloadWhitelistedUrl(const GURL& url) = 0; 124 virtual bool ContainsDownloadWhitelistedString(const std::string& str) = 0; 125 126 // Populates |prefix_hits| with any prefixes in |prefixes| that have matches 127 // in the database. 128 // 129 // This function can ONLY be accessed from the creation thread. 130 virtual bool ContainsExtensionPrefixes( 131 const std::vector<SBPrefix>& prefixes, 132 std::vector<SBPrefix>* prefix_hits) = 0; 133 134 // Returns false unless the hash of |url| is on the side-effect free 135 // whitelist. 136 virtual bool ContainsSideEffectFreeWhitelistUrl(const GURL& url) = 0; 137 138 // Returns true iff the given IP is currently on the csd malware IP blacklist. 139 virtual bool ContainsMalwareIP(const std::string& ip_address) = 0; 140 141 // A database transaction should look like: 142 // 143 // std::vector<SBListChunkRanges> lists; 144 // if (db.UpdateStarted(&lists)) { 145 // // Do something with |lists|. 146 // 147 // // Process add/sub commands. 148 // db.InsertChunks(list_name, chunks); 149 // 150 // // Process adddel/subdel commands. 151 // db.DeleteChunks(chunks_deletes); 152 // 153 // // If passed true, processes the collected chunk info and 154 // // rebuilds the filter. If passed false, rolls everything 155 // // back. 156 // db.UpdateFinished(success); 157 // } 158 // 159 // If UpdateStarted() returns true, the caller MUST eventually call 160 // UpdateFinished(). If it returns false, the caller MUST NOT call 161 // the other functions. 162 virtual bool UpdateStarted(std::vector<SBListChunkRanges>* lists) = 0; 163 virtual void InsertChunks(const std::string& list_name, 164 const std::vector<SBChunkData*>& chunks) = 0; 165 virtual void DeleteChunks( 166 const std::vector<SBChunkDelete>& chunk_deletes) = 0; 167 virtual void UpdateFinished(bool update_succeeded) = 0; 168 169 // Store the results of a GetHash response. In the case of empty results, we 170 // cache the prefixes until the next update so that we don't have to issue 171 // further GetHash requests we know will be empty. 172 virtual void CacheHashResults( 173 const std::vector<SBPrefix>& prefixes, 174 const std::vector<SBFullHashResult>& full_hits, 175 const base::TimeDelta& cache_lifetime) = 0; 176 177 // Returns true if the malware IP blacklisting killswitch URL is present 178 // in the csd whitelist. 179 virtual bool IsMalwareIPMatchKillSwitchOn() = 0; 180 181 // Returns true if the whitelist killswitch URL is present in the csd 182 // whitelist. 183 virtual bool IsCsdWhitelistKillSwitchOn() = 0; 184 185 // The name of the bloom-filter file for the given database file. 186 // NOTE(shess): OBSOLETE. Present for deleting stale files. 187 static base::FilePath BloomFilterForFilename( 188 const base::FilePath& db_filename); 189 190 // The name of the prefix set file for the given database file. 191 static base::FilePath PrefixSetForFilename(const base::FilePath& db_filename); 192 193 // Filename for malware and phishing URL database. 194 static base::FilePath BrowseDBFilename( 195 const base::FilePath& db_base_filename); 196 197 // Filename for download URL and download binary hash database. 198 static base::FilePath DownloadDBFilename( 199 const base::FilePath& db_base_filename); 200 201 // Filename for client-side phishing detection whitelist databsae. 202 static base::FilePath CsdWhitelistDBFilename( 203 const base::FilePath& csd_whitelist_base_filename); 204 205 // Filename for download whitelist databsae. 206 static base::FilePath DownloadWhitelistDBFilename( 207 const base::FilePath& download_whitelist_base_filename); 208 209 // Filename for extension blacklist database. 210 static base::FilePath ExtensionBlacklistDBFilename( 211 const base::FilePath& extension_blacklist_base_filename); 212 213 // Filename for side-effect free whitelist database. 214 static base::FilePath SideEffectFreeWhitelistDBFilename( 215 const base::FilePath& side_effect_free_whitelist_base_filename); 216 217 // Filename for the csd malware IP blacklist database. 218 static base::FilePath IpBlacklistDBFilename( 219 const base::FilePath& ip_blacklist_base_filename); 220 221 // Enumerate failures for histogramming purposes. DO NOT CHANGE THE 222 // ORDERING OF THESE VALUES. 223 enum FailureType { 224 FAILURE_DATABASE_CORRUPT, 225 FAILURE_DATABASE_CORRUPT_HANDLER, 226 FAILURE_BROWSE_DATABASE_UPDATE_BEGIN, 227 FAILURE_BROWSE_DATABASE_UPDATE_FINISH, 228 FAILURE_DATABASE_FILTER_MISSING_OBSOLETE, 229 FAILURE_DATABASE_FILTER_READ_OBSOLETE, 230 FAILURE_DATABASE_FILTER_WRITE_OBSOLETE, 231 FAILURE_DATABASE_FILTER_DELETE, 232 FAILURE_DATABASE_STORE_MISSING, 233 FAILURE_DATABASE_STORE_DELETE, 234 FAILURE_DOWNLOAD_DATABASE_UPDATE_BEGIN, 235 FAILURE_DOWNLOAD_DATABASE_UPDATE_FINISH, 236 FAILURE_WHITELIST_DATABASE_UPDATE_BEGIN, 237 FAILURE_WHITELIST_DATABASE_UPDATE_FINISH, 238 FAILURE_BROWSE_PREFIX_SET_MISSING, 239 FAILURE_BROWSE_PREFIX_SET_READ, 240 FAILURE_BROWSE_PREFIX_SET_WRITE, 241 FAILURE_BROWSE_PREFIX_SET_DELETE, 242 FAILURE_EXTENSION_BLACKLIST_UPDATE_BEGIN, 243 FAILURE_EXTENSION_BLACKLIST_UPDATE_FINISH, 244 FAILURE_EXTENSION_BLACKLIST_DELETE, 245 FAILURE_SIDE_EFFECT_FREE_WHITELIST_UPDATE_BEGIN, 246 FAILURE_SIDE_EFFECT_FREE_WHITELIST_UPDATE_FINISH, 247 FAILURE_SIDE_EFFECT_FREE_WHITELIST_DELETE, 248 FAILURE_SIDE_EFFECT_FREE_WHITELIST_PREFIX_SET_READ, 249 FAILURE_SIDE_EFFECT_FREE_WHITELIST_PREFIX_SET_WRITE, 250 FAILURE_SIDE_EFFECT_FREE_WHITELIST_PREFIX_SET_DELETE, 251 FAILURE_IP_BLACKLIST_UPDATE_BEGIN, 252 FAILURE_IP_BLACKLIST_UPDATE_FINISH, 253 FAILURE_IP_BLACKLIST_UPDATE_INVALID, 254 FAILURE_IP_BLACKLIST_DELETE, 255 256 // Memory space for histograms is determined by the max. ALWAYS 257 // ADD NEW VALUES BEFORE THIS ONE. 258 FAILURE_DATABASE_MAX 259 }; 260 261 static void RecordFailure(FailureType failure_type); 262 263 private: 264 // The factory used to instantiate a SafeBrowsingDatabase object. 265 // Useful for tests, so they can provide their own implementation of 266 // SafeBrowsingDatabase. 267 static SafeBrowsingDatabaseFactory* factory_; 268 }; 269 270 class SafeBrowsingDatabaseNew : public SafeBrowsingDatabase { 271 public: 272 // Create a database with a browse, download, download whitelist and 273 // csd whitelist store objects. Takes ownership of all the store objects. 274 // When |download_store| is NULL, the database will ignore any operations 275 // related download (url hashes and binary hashes). The same is true for 276 // the |csd_whitelist_store|, |download_whitelist_store| and 277 // |ip_blacklist_store|. 278 SafeBrowsingDatabaseNew(SafeBrowsingStore* browse_store, 279 SafeBrowsingStore* download_store, 280 SafeBrowsingStore* csd_whitelist_store, 281 SafeBrowsingStore* download_whitelist_store, 282 SafeBrowsingStore* extension_blacklist_store, 283 SafeBrowsingStore* side_effect_free_whitelist_store, 284 SafeBrowsingStore* ip_blacklist_store); 285 286 // Create a database with a browse store. This is a legacy interface that 287 // useds Sqlite. 288 SafeBrowsingDatabaseNew(); 289 290 virtual ~SafeBrowsingDatabaseNew(); 291 292 // Implement SafeBrowsingDatabase interface. 293 virtual void Init(const base::FilePath& filename) OVERRIDE; 294 virtual bool ResetDatabase() OVERRIDE; 295 virtual bool ContainsBrowseUrl( 296 const GURL& url, 297 std::vector<SBPrefix>* prefix_hits, 298 std::vector<SBFullHashResult>* cache_hits) OVERRIDE; 299 virtual bool ContainsDownloadUrl(const std::vector<GURL>& urls, 300 std::vector<SBPrefix>* prefix_hits) OVERRIDE; 301 virtual bool ContainsCsdWhitelistedUrl(const GURL& url) OVERRIDE; 302 virtual bool ContainsDownloadWhitelistedUrl(const GURL& url) OVERRIDE; 303 virtual bool ContainsDownloadWhitelistedString( 304 const std::string& str) OVERRIDE; 305 virtual bool ContainsExtensionPrefixes( 306 const std::vector<SBPrefix>& prefixes, 307 std::vector<SBPrefix>* prefix_hits) OVERRIDE; 308 virtual bool ContainsSideEffectFreeWhitelistUrl(const GURL& url) OVERRIDE; 309 virtual bool ContainsMalwareIP(const std::string& ip_address) OVERRIDE; 310 virtual bool UpdateStarted(std::vector<SBListChunkRanges>* lists) OVERRIDE; 311 virtual void InsertChunks(const std::string& list_name, 312 const std::vector<SBChunkData*>& chunks) OVERRIDE; 313 virtual void DeleteChunks( 314 const std::vector<SBChunkDelete>& chunk_deletes) OVERRIDE; 315 virtual void UpdateFinished(bool update_succeeded) OVERRIDE; 316 virtual void CacheHashResults( 317 const std::vector<SBPrefix>& prefixes, 318 const std::vector<SBFullHashResult>& full_hits, 319 const base::TimeDelta& cache_lifetime) OVERRIDE; 320 321 // Returns the value of malware_kill_switch_; 322 virtual bool IsMalwareIPMatchKillSwitchOn() OVERRIDE; 323 324 // Returns true if the CSD whitelist has everything whitelisted. 325 virtual bool IsCsdWhitelistKillSwitchOn() OVERRIDE; 326 327 private: 328 friend class SafeBrowsingDatabaseTest; 329 FRIEND_TEST_ALL_PREFIXES(SafeBrowsingDatabaseTest, HashCaching); 330 FRIEND_TEST_ALL_PREFIXES(SafeBrowsingDatabaseTest, CachedFullMiss); 331 FRIEND_TEST_ALL_PREFIXES(SafeBrowsingDatabaseTest, CachedPrefixHitFullMiss); 332 FRIEND_TEST_ALL_PREFIXES(SafeBrowsingDatabaseTest, BrowseFullHashMatching); 333 FRIEND_TEST_ALL_PREFIXES(SafeBrowsingDatabaseTest, 334 BrowseFullHashAndPrefixMatching); 335 336 // A SafeBrowsing whitelist contains a list of whitelisted full-hashes (stored 337 // in a sorted vector) as well as a boolean flag indicating whether all 338 // lookups in the whitelist should be considered matches for safety. 339 typedef std::pair<std::vector<SBFullHash>, bool> SBWhitelist; 340 341 // This map holds a csd malware IP blacklist which maps a prefix mask 342 // to a set of hashed blacklisted IP prefixes. Each IP prefix is a hashed 343 // IPv6 IP prefix using SHA-1. 344 typedef std::map<std::string, base::hash_set<std::string> > IPBlacklist; 345 346 // Helper for ContainsBrowseUrl, exposed for testing. 347 bool ContainsBrowseUrlHashes(const std::vector<SBFullHash>& full_hashes, 348 std::vector<SBPrefix>* prefix_hits, 349 std::vector<SBFullHashResult>* cache_hits); 350 351 // Returns true if the whitelist is disabled or if any of the given hashes 352 // matches the whitelist. 353 bool ContainsWhitelistedHashes(const SBWhitelist& whitelist, 354 const std::vector<SBFullHash>& hashes); 355 356 // Return the browse_store_, download_store_, download_whitelist_store or 357 // csd_whitelist_store_ based on list_id. 358 SafeBrowsingStore* GetStore(int list_id); 359 360 // Deletes the files on disk. 361 bool Delete(); 362 363 // Load the prefix set off disk, if available. 364 void LoadPrefixSet(); 365 366 // Writes the current prefix set to disk. 367 void WritePrefixSet(); 368 369 // Loads the given full-length hashes to the given whitelist. If the number 370 // of hashes is too large or if the kill switch URL is on the whitelist 371 // we will whitelist everything. 372 void LoadWhitelist(const std::vector<SBAddFullHash>& full_hashes, 373 SBWhitelist* whitelist); 374 375 // Call this method if an error occured with the given whitelist. This will 376 // result in all lookups to the whitelist to return true. 377 void WhitelistEverything(SBWhitelist* whitelist); 378 379 // Parses the IP blacklist from the given full-length hashes. 380 void LoadIpBlacklist(const std::vector<SBAddFullHash>& full_hashes); 381 382 // Helpers for handling database corruption. 383 // |OnHandleCorruptDatabase()| runs |ResetDatabase()| and sets 384 // |corruption_detected_|, |HandleCorruptDatabase()| posts 385 // |OnHandleCorruptDatabase()| to the current thread, to be run 386 // after the current task completes. 387 // TODO(shess): Wire things up to entirely abort the update 388 // transaction when this happens. 389 void HandleCorruptDatabase(); 390 void OnHandleCorruptDatabase(); 391 392 // Helpers for InsertChunks(). 393 void InsertAddChunk(SafeBrowsingStore* store, 394 safe_browsing_util::ListType list_id, 395 const SBChunkData& chunk); 396 void InsertSubChunk(SafeBrowsingStore* store, 397 safe_browsing_util::ListType list_id, 398 const SBChunkData& chunk); 399 400 // Returns the size in bytes of the store after the update. 401 int64 UpdateHashPrefixStore(const base::FilePath& store_filename, 402 SafeBrowsingStore* store, 403 FailureType failure_type); 404 void UpdateBrowseStore(); 405 void UpdateSideEffectFreeWhitelistStore(); 406 void UpdateWhitelistStore(const base::FilePath& store_filename, 407 SafeBrowsingStore* store, 408 SBWhitelist* whitelist); 409 void UpdateIpBlacklistStore(); 410 411 // Used to verify that various calls are made from the thread the 412 // object was created on. 413 base::MessageLoop* creation_loop_; 414 415 // Lock for protecting access to variables that may be used on the IO thread. 416 // This includes |prefix_set_|, |browse_gethash_cache_|, |csd_whitelist_|. 417 base::Lock lookup_lock_; 418 419 // The base filename passed to Init(), used to generate the store and prefix 420 // set filenames used to store data on disk. 421 base::FilePath filename_base_; 422 423 // Underlying persistent store for chunk data. 424 // For browsing related (phishing and malware URLs) chunks and prefixes. 425 scoped_ptr<SafeBrowsingStore> browse_store_; 426 427 // For download related (download URL and binary hash) chunks and prefixes. 428 scoped_ptr<SafeBrowsingStore> download_store_; 429 430 // For the client-side phishing detection whitelist chunks and full-length 431 // hashes. This list only contains 256 bit hashes. 432 scoped_ptr<SafeBrowsingStore> csd_whitelist_store_; 433 434 // For the download whitelist chunks and full-length hashes. This list only 435 // contains 256 bit hashes. 436 scoped_ptr<SafeBrowsingStore> download_whitelist_store_; 437 438 // For extension IDs. 439 scoped_ptr<SafeBrowsingStore> extension_blacklist_store_; 440 441 // For side-effect free whitelist. 442 scoped_ptr<SafeBrowsingStore> side_effect_free_whitelist_store_; 443 444 // For IP blacklist. 445 scoped_ptr<SafeBrowsingStore> ip_blacklist_store_; 446 447 SBWhitelist csd_whitelist_; 448 SBWhitelist download_whitelist_; 449 SBWhitelist extension_blacklist_; 450 451 // The IP blacklist should be small. At most a couple hundred IPs. 452 IPBlacklist ip_blacklist_; 453 454 // Cache of gethash results for browse store. Entries should not be used if 455 // they are older than their expire_after field. Cached misses will have 456 // empty full_hashes field. Cleared on each update. 457 std::map<SBPrefix, SBCachedFullHashResult> browse_gethash_cache_; 458 459 // Set if corruption is detected during the course of an update. 460 // Causes the update functions to fail with no side effects, until 461 // the next call to |UpdateStarted()|. 462 bool corruption_detected_; 463 464 // Set to true if any chunks are added or deleted during an update. 465 // Used to optimize away database update. 466 bool change_detected_; 467 468 // Used to check if a prefix was in the browse database. 469 scoped_ptr<safe_browsing::PrefixSet> browse_prefix_set_; 470 471 // Used to check if a prefix was in the browse database. 472 scoped_ptr<safe_browsing::PrefixSet> side_effect_free_whitelist_prefix_set_; 473 474 // Used to schedule resetting the database because of corruption. 475 base::WeakPtrFactory<SafeBrowsingDatabaseNew> reset_factory_; 476 }; 477 478 #endif // CHROME_BROWSER_SAFE_BROWSING_SAFE_BROWSING_DATABASE_H_ 479