Tracing to diagnose ContentScriptTracker-related bad message reports.
This CL adds new TRACE_EVENT directives that should help with diagnosing ContentScriptTracker-related bad message reports tracked in https://crbug.com/1212918. To allow correlating events associated with the same extension, the traced events contain pseudonymized extension id. This is calculated using simple //content/public/common/pseudonymization_util.h introduced by this CL. For more details, see the document below (Google-internal because parts of the Chrometto pipeline and privacy-review process are not public): https://docs.google.com/document/d/10SCwawcuURNo_D45lltM26hoCJ2V5f5cZwBMXKSBjPk/edit?usp=sharing This Chromium CL is related to the internal cl/389753453 which replicates the new pseudonymized_extension_id field into internal protos. Chrometto config is contained in the internal cl/387445308. Bug: 1212918 Change-Id: I4eb2340eba6f7a8b3dd978b616010c1d534ddddd Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3057922 Reviewed-by: Christian Dullweber <dullweber@chromium.org> Reviewed-by: Karan Bhatia <karandeepb@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: ssid <ssid@chromium.org> Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/main@{#913192}
1 parent
44b1cef
commit 2b8b862
Showing
33 changed files
with
530 additions
and
28 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
// Copyright 2021 The Chromium Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style license that can be | ||
// found in the LICENSE file. | ||
|
||
#include "content/common/pseudonymization_salt.h" | ||
|
||
#include <atomic> | ||
|
||
#include "base/check_op.h" | ||
#include "base/dcheck_is_on.h" | ||
#include "base/rand_util.h" | ||
|
||
#if DCHECK_IS_ON() | ||
#include "sandbox/policy/sandbox.h" | ||
#endif | ||
|
||
namespace content { | ||
|
||
namespace { | ||
|
||
std::atomic<uint32_t> g_salt(0); | ||
|
||
uint32_t InitializeSalt() { | ||
uint32_t salt; | ||
do { | ||
salt = base::RandUint64(); | ||
} while (salt == 0); | ||
|
||
// If `g_salt` is still uninitialized (has a value of 0), then put `salt` into | ||
// `g_salt`. Otherwise, use the current `value` of `g_salt`. | ||
uint32_t value = 0; | ||
if (!g_salt.compare_exchange_strong(value, salt)) | ||
salt = value; | ||
|
||
return salt; | ||
} | ||
|
||
} // namespace | ||
|
||
uint32_t GetPseudonymizationSalt() { | ||
uint32_t salt = g_salt.load(); | ||
|
||
if (salt == 0) { | ||
#if DCHECK_IS_ON() | ||
// Only the Browser process needs to initialize the `salt` on demand. | ||
// Other processes (identified via the IsProcessSandboxed heuristic) should | ||
// receive the salt from their parent processes. | ||
DCHECK(!sandbox::policy::Sandbox::IsProcessSandboxed()); | ||
#endif | ||
salt = InitializeSalt(); | ||
} | ||
|
||
return salt; | ||
} | ||
|
||
void SetPseudonymizationSalt(uint32_t salt) { | ||
DCHECK_NE(0u, salt); | ||
|
||
// TODO(lukasza): Ideally we would DCHECK that `g_salt` is not set twice (e.g. | ||
// that DCHECK_EQ(0u, g_salt.load(std::memory_order_acquire))), but this is | ||
// made rather difficult by tests that run in single-process-mode, or | ||
// construct ChildProcessHostImpl directly (e.g. RenderThreadImplBrowserTest). | ||
|
||
g_salt.store(salt); | ||
} | ||
|
||
} // namespace content |
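Review bot: The salt carries only 32 bits of entropy: in `InitializeSalt`, `salt = base::RandUint64();` silently narrows the 64-bit random value to `uint32_t`, and `g_salt` is a `std::atomic<uint32_t>`. The header in this commit states that whoever has the salt can de-anonymize the pseudonymized values, and a 2^32 search space looks too small to rely on once a trace holds pseudonyms of inputs that are publicly known. Consider a wider salt, for example 16 bytes filled by `base::RandBytes` and hashed in full, which would also change the `uint32_t` signatures of `GetPseudonymizationSalt` and `SetPseudonymizationSalt`. At minimum, make the narrowing explicit with `salt = static_cast<uint32_t>(base::RandUint64());` and add a comment stating the intended entropy.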
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
// Copyright 2021 The Chromium Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style license that can be | ||
// found in the LICENSE file. | ||
|
||
#ifndef CONTENT_COMMON_PSEUDONYMIZATION_SALT_H_ | ||
#define CONTENT_COMMON_PSEUDONYMIZATION_SALT_H_ | ||
|
||
#include <stdint.h> | ||
|
||
namespace content { | ||
|
||
// Gets the pseudonymization salt. | ||
// | ||
// Note that this function returns the same salt in all Chromium processes (e.g. | ||
// in the Browser process, the Renderer processes and other child processes), | ||
// because the propagation taking place via callers of SetPseudonymizationSalt | ||
// below. This behavior ensures that the | ||
// content::PseudonymizationUtil::PseudonymizeString method produces the same | ||
// results across all processes. | ||
// | ||
// This function is thread-safe - it can be called on any thread. | ||
// | ||
// PRIVACY NOTE: It is important that the returned value is never persisted | ||
// anywhere or sent to a server. Whoever has access to the salt can | ||
// de-anonymize results of the content::PseudonymizationUtil::PseudonymizeString | ||
// method. | ||
uint32_t GetPseudonymizationSalt(); | ||
|
||
// Called in child processes, for setting the pseudonymization `salt` received | ||
// in an IPC from a parent process. | ||
// | ||
// This function is thread-safe - it can be called on any thread. | ||
void SetPseudonymizationSalt(uint32_t salt); | ||
|
||
} // namespace content | ||
|
||
#endif // CONTENT_COMMON_PSEUDONYMIZATION_SALT_H_ |
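Review bot: The comment on `SetPseudonymizationSalt` does not state the call ordering that the "same salt in all Chromium processes" guarantee depends on. In the implementation file of this commit, `GetPseudonymizationSalt` generates a fresh salt when none is set, and the sandbox check guarding that path sits inside `#if DCHECK_IS_ON()`. In builds without DCHECKs, a child process that calls Get before Set would therefore presumably compute pseudonyms with its own salt and then switch once Set runs. I would add to the Set comment: `// Must be called before the first GetPseudonymizationSalt() call in this process; pseudonyms computed earlier will not match those of other processes.` The Get comment also has a small slip: `because the propagation taking place` should read `because of the propagation taking place`.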
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
// Copyright 2021 The Chromium Authors. All rights reserved. | ||
// Use of this source code is governed by a BSD-style license that can be | ||
// found in the LICENSE file. | ||
|
||
#include "content/public/common/pseudonymization_util.h" | ||
|
||
#include <string.h> | ||
|
||
#include "base/hash/sha1.h" | ||
#include "base/strings/string_piece.h" | ||
#include "content/common/pseudonymization_salt.h" | ||
|
||
namespace content { | ||
|
||
// static | ||
uint32_t PseudonymizationUtil::PseudonymizeString(base::StringPiece string) { | ||
// Include `string` in the SHA1 hash. | ||
base::SHA1Context sha1_context; | ||
base::SHA1Init(sha1_context); | ||
base::SHA1Update(string, sha1_context); | ||
|
||
// When `string` comes from a small set of possible strings (or when it is | ||
// possible to compare a hash with results of hashing the 100 most common | ||
// input strings), then its hash can be deanonymized. To protect against this | ||
// threat, we include a random `salt` in the SHA1 hash (the salt is never | ||
// retained or sent anywhere). | ||
uint32_t salt = GetPseudonymizationSalt(); | ||
base::SHA1Update( | ||
base::StringPiece(reinterpret_cast<const char*>(&salt), sizeof(salt)), | ||
sha1_context); | ||
|
||
// Compute the SHA1 hash. | ||
base::SHA1Digest sha1_hash_bytes; | ||
base::SHA1Final(sha1_context, sha1_hash_bytes); | ||
|
||
// Taking just the first 4 bytes is okay, because SHA1 should uniformly | ||
// distribute all possible results over all of the `sha1_hash_bytes`. | ||
uint32_t hash; | ||
static_assert( | ||
sizeof(hash) < | ||
sizeof(base::SHA1Digest::value_type) * sha1_hash_bytes.size(), | ||
"Is `memcpy` safely within the bounds of `hash` and `sha1_hash_bytes`?"); | ||
memcpy(&hash, sha1_hash_bytes.data(), sizeof(hash)); | ||
|
||
return hash; | ||
} | ||
|
||
} // namespace content |
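Review bot: The comment above the `GetPseudonymizationSalt()` call in `PseudonymizeString` says the salt `is never retained or sent anywhere`, which does not match the rest of this commit. The salt header describes it as `received in an IPC from a parent process`, and the salt implementation keeps it in the namespace-scope `g_salt`. I would reword the parenthesis to `(the salt is kept only in memory, is shared with child processes over IPC, and must never be persisted or sent to a server)`. It would also help to document on the function that the return value is the first 4 bytes of the SHA1 digest, so distinct inputs can collide; the value suits correlating events within a trace but is not a unique identifier.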