1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/safe_browsing/safe_browsing_api_handler_util.h"
#include <stddef.h>
#include <string>
#include "base/json/json_reader.h"
#include "base/memory/scoped_ptr.h"
#include "base/metrics/histogram_macros.h"
#include "base/strings/string_number_conversions.h"
#include "base/values.h"
#include "chrome/browser/safe_browsing/metadata.pb.h"
#include "chrome/browser/safe_browsing/safe_browsing_util.h"
namespace safe_browsing {
namespace {
// JSON metatdata keys. These are are fixed in the Java-side API.
const char kJsonKeyMatches[] = "matches";
const char kJsonKeyThreatType[] = "threat_type";
// Do not reorder or delete. Make sure changes are reflected in
// SB2RemoteCallThreatSubType.
enum UmaThreatSubType {
UMA_THREAT_SUB_TYPE_NOT_SET = 0,
UMA_THREAT_SUB_TYPE_LANDING = 1,
UMA_THREAT_SUB_TYPE_DISTRIBUTION = 2,
UMA_THREAT_SUB_TYPE_UNKNOWN = 3,
UMA_THREAT_SUB_TYPE_MAX_VALUE
};
void ReportUmaThreatSubType(SBThreatType threat_type,
UmaThreatSubType sub_type) {
if (threat_type == SB_THREAT_TYPE_URL_MALWARE) {
UMA_HISTOGRAM_ENUMERATION(
"SB2.RemoteCall.ThreatSubType.PotentiallyHarmfulApp", sub_type,
UMA_THREAT_SUB_TYPE_MAX_VALUE);
} else {
UMA_HISTOGRAM_ENUMERATION(
"SB2.RemoteCall.ThreatSubType.SocialEngineering", sub_type,
UMA_THREAT_SUB_TYPE_MAX_VALUE);
}
}
// Parse the extra key/value pair(s) added by Safe Browsing backend. To make
// it binary compatible with the Pver3 metadata that UIManager expects to
// deserialize, we convert it to a MalwarePatternType.
//
// TODO(nparker): When chrome desktop is converted to use Pver4, convert this
// to the new proto instead.
const std::string ParseExtraMetadataToPB(const base::DictionaryValue* match,
SBThreatType threat_type) {
std::string pattern_key;
if (threat_type == SB_THREAT_TYPE_URL_MALWARE) {
pattern_key = "pha_pattern_type";
} else {
DCHECK(threat_type == SB_THREAT_TYPE_URL_PHISHING);
pattern_key = "se_pattern_type";
}
std::string pattern_type;
if (!match->GetString(pattern_key, &pattern_type)) {
ReportUmaThreatSubType(threat_type, UMA_THREAT_SUB_TYPE_NOT_SET);
return std::string();
}
MalwarePatternType pb;
if (pattern_type == "LANDING") {
pb.set_pattern_type(MalwarePatternType::LANDING);
ReportUmaThreatSubType(threat_type, UMA_THREAT_SUB_TYPE_LANDING);
} else if (pattern_type == "DISTRIBUTION") {
pb.set_pattern_type(MalwarePatternType::DISTRIBUTION);
ReportUmaThreatSubType(threat_type, UMA_THREAT_SUB_TYPE_DISTRIBUTION);
} else {
ReportUmaThreatSubType(threat_type, UMA_THREAT_SUB_TYPE_UNKNOWN);
return std::string();
}
return pb.SerializeAsString();
}
int GetThreatSeverity(int java_threat_num) {
// Assign higher numbers to more severe threats.
switch (java_threat_num) {
case JAVA_THREAT_TYPE_POTENTIALLY_HARMFUL_APPLICATION:
return 2;
case JAVA_THREAT_TYPE_SOCIAL_ENGINEERING:
return 1;
default:
// Unknown threat type
return -1;
}
}
SBThreatType JavaToSBThreatType(int java_threat_num) {
switch (java_threat_num) {
case JAVA_THREAT_TYPE_POTENTIALLY_HARMFUL_APPLICATION:
return SB_THREAT_TYPE_URL_MALWARE;
case JAVA_THREAT_TYPE_SOCIAL_ENGINEERING:
return SB_THREAT_TYPE_URL_PHISHING;
default:
// Unknown threat type
return SB_THREAT_TYPE_SAFE;
}
}
} // namespace
// Valid examples:
// {"matches":[{"threat_type":"5"}]}
// or
// {"matches":[{"threat_type":"4"},
// {"threat_type":"5", "se_pattern_type":"LANDING"}]}
UmaRemoteCallResult ParseJsonToThreatAndPB(const std::string& metadata_str,
SBThreatType* worst_threat,
std::string* metadata_pb_str) {
*worst_threat = SB_THREAT_TYPE_SAFE; // Default to safe.
*metadata_pb_str = std::string();
if (metadata_str.empty())
return UMA_STATUS_JSON_EMPTY;
// Pick out the "matches" list.
scoped_ptr<base::Value> value = base::JSONReader::Read(metadata_str);
const base::ListValue* matches;
if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY) ||
!(static_cast<base::DictionaryValue*>(value.get()))
->GetList(kJsonKeyMatches, &matches)) {
return UMA_STATUS_JSON_FAILED_TO_PARSE;
}
// Go through each matched threat type and pick the most severe.
int worst_threat_num = -1;
const base::DictionaryValue* worst_match = nullptr;
for (size_t i = 0; i < matches->GetSize(); i++) {
// Get the threat number
const base::DictionaryValue* match;
std::string threat_num_str;
int java_threat_num = -1;
if (!matches->GetDictionary(i, &match) ||
!match->GetString(kJsonKeyThreatType, &threat_num_str) ||
!base::StringToInt(threat_num_str, &java_threat_num)) {
continue; // Skip malformed list entries
}
if (GetThreatSeverity(java_threat_num) >
GetThreatSeverity(worst_threat_num)) {
worst_threat_num = java_threat_num;
worst_match = match;
}
}
*worst_threat = JavaToSBThreatType(worst_threat_num);
if (*worst_threat == SB_THREAT_TYPE_SAFE || !worst_match)
return UMA_STATUS_JSON_UNKNOWN_THREAT;
*metadata_pb_str = ParseExtraMetadataToPB(worst_match, *worst_threat);
return UMA_STATUS_UNSAFE; // success
}
} // namespace safe_browsing
|
