-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy patharchitecture.html
104 lines (99 loc) · 10.9 KB
/
architecture.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<title>Blockade by 9b+</title>
<link rel="stylesheet" href="/assets/css/style.css?v=22de4d21d950689343a7ad9ace7bc40371f32b2c">
<meta name="viewport" content="width=device-width">
<!--[if lt IE 9]>
<script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<link rel="shortcut icon" type="image/png" href="/assets/img/favicon.png">
<script async defer src="https://buttons.github.io/buttons.js"></script>
<script>
(function(i, s, o, g, r, a, m) {
i['GoogleAnalyticsObject'] = r;
i[r] = i[r] || function() {
(i[r].q = i[r].q || []).push(arguments)
}, i[r].l = 1 * new Date();
a = s.createElement(o),
m = s.getElementsByTagName(o)[0];
a.async = 1;
a.src = g;
m.parentNode.insertBefore(a, m)
})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-89853823-1', 'auto');
ga('send', 'pageview');
</script>
</head>
<body>
<a href="https://github.com/blockadeio/chrome_extension"><img style="position: absolute; top: 0; right: 0; border: 0;" src="https://camo.githubusercontent.com/38ef81f8aca64bb9a64448d0d70f1308ef5341ab/68747470733a2f2f73332e616d617a6f6e6177732e636f6d2f6769746875622f726962626f6e732f666f726b6d655f72696768745f6461726b626c75655f3132313632312e706e67" alt="Fork me on GitHub" data-canonical-src="https://s3.amazonaws.com/github/ribbons/forkme_right_darkblue_121621.png"></a>
<div class="wrapper">
<header>
<a href="/"><img src="/assets/img/blockade.png" width="25%"></a>
<p></p>
<h1>Blockade</h1>
<p>Blockade brings antivirus-like capabilities to users who run <a href="https://github.com/blockadeio/chrome_extension">Chrome</a> and <a href="https://github.com/blockadeio/firefox_extension">Firefox</a> browsers. Built as an extension, Blockade blocks malicious resources from being viewed or loaded inside of the browser.</p>
<a class="github-button" href="https://github.com/blockadeio/chrome_extension/archive/master.zip" data-icon="octicon-cloud-download" data-style="mega" aria-label="Download 9b/blockade on GitHub">Download</a>
<a class="github-button" href="https://github.com/blockadeio/chrome_extension" data-icon="octicon-star" data-style="mega" data-count-href="/9b/blockade/stargazers" data-count-api="/repos/9b/blockade#stargazers_count" data-count-aria-label="# stargazers on GitHub" aria-label="Star 9b/blockade on GitHub">Star</a>
<a class="github-button" href="https://github.com/blockadeio/chrome_extension/fork" data-icon="octicon-repo-forked" data-style="mega" data-count-href="/9b/blockade/network" data-count-api="/repos/9b/blockade#forks_count" data-count-aria-label="# forks on GitHub" aria-label="Fork 9b/blockade on GitHub">Fork</a>
<p></p>
<h2>Blockade Suite</h2>
<p>The <strong><a href="https://github.com/blockadeio/cloud_node">Blockade Cloud Node</a></strong> lets you or anyone else host their own indicator source.</p>
<p>The <strong><a href="https://github.com/blockadeio/analyst_toolbench">Blockade Analyst Toolbench</a></strong> is a simple command line tool to speed up indicator submissions Blockade cloud nodes.</p>
<h2>Support</h2>
<p>For bugs and other problems, please file a message in the repositories <a href="https://github.com/blockadeio/chrome_extension/issues">issues</a> area. For private questions or comments, contact Brandon at [email protected] or find us on social media.</p>
<a href="https://blockade-io.slack.com" target="_blank"><img src="https://simpleicons.org/icons/slack.svg" width="25"></a>
<a href="https://plus.google.com/110664280382964770977" target="_blank"><img src="https://simpleicons.org/icons/googleplus.svg" width="25"></a>
<a href="https://www.facebook.com/blockade.io/" target="_blank"><img src="https://simpleicons.org/icons/facebook.svg" width="25"></a>
<a href="https://twitter.com/blockadeio" target="_blank"><img src="https://simpleicons.org/icons/twitter.svg" width="25"></a>
</header>
<section>
<h1 id="overviewoverview"><a href="#overview"></a>Overview</h1>
<p>
<a href="https://raw.githubusercontent.com/blockadeio/chrome_extension/master/screenshots/blockade-architecture.png"><img src="https://raw.githubusercontent.com/blockadeio/chrome_extension/master/screenshots/blockade-architecture.png" /></a>
</p>
<p>Blockade is split into two pieces, cloud infrastructure and the local Extension. Intelligence is passed from the cloud infrastructure directly into the browser’s local storage. Using special APIs available to extensions, Blockade will look for any web request matching a known indicator and block it from being loaded. Malicious events from Blockade are passed to the cloud infrastructure where analysts can review the findings and surface more attacks.</p>
<h1 id="cloud-nodecloud-node"><a href="#cloud-node"></a>Cloud Node</h1>
<p>
<a href="https://raw.githubusercontent.com/blockadeio/chrome_extension/master/screenshots/aws-architecture.png"><img src="https://raw.githubusercontent.com/blockadeio/chrome_extension/master/screenshots/aws-architecture.png" /></a>
</p>
<p>Blockade makes use of a <a href="https://aws.amazon.com/lambda/serverless-architectures-learn-more/">“severless architecture”</a> provided by Amazone Web Services. In order to power the Extension, the cloud node exposes two endpoints, one for getting intelligence and the other for processing events generated from malicious content. Each of these APIs map to a stateless function that either reads or writes to a NoSQL database. For events in particular, a copy of the content is also sent to S3 for long-term storage.</p>
<h2 id="indicator-formatindicator-format"><a href="#indicator-format"></a>Indicator Format</h2>
<p>Data sent to each end-user browser is in a simple array format of hashed details and uses the following structure.</p>
<h2 id="event-formatevent-format"><a href="#event-format"></a>Event Format</h2>
<p>For analysts, it’s important to understand as much as possible about a given attack. Blockade events retain the web request context generated by the browser and include some additional properties about the environment. This data allows analysts to potentially surface more intelligence that can then be sent back to Blockade.</p>
<div class="language-json highlighter-rouge"><pre class="highlight"><code><span class="p">{</span><span class="w">
</span><span class="nt">"analysisTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2016-12-29T19:24:30.414Z"</span><span class="p">,</span><span class="w">
</span><span class="nt">"event"</span><span class="p">:</span><span class="w"> </span><span class="s2">"e37d427c5b29b9af9dd3d762f4342307da61837fe9f946e20219c2a2af7c1196"</span><span class="p">,</span><span class="w">
</span><span class="nt">"indicatorMatch"</span><span class="p">:</span><span class="w"> </span><span class="s2">"evil.com"</span><span class="p">,</span><span class="w">
</span><span class="nt">"metadata"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="nt">"frameId"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w">
</span><span class="nt">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w">
</span><span class="nt">"parentFrameId"</span><span class="p">:</span><span class="w"> </span><span class="mi">-1</span><span class="p">,</span><span class="w">
</span><span class="nt">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"238024"</span><span class="p">,</span><span class="w">
</span><span class="nt">"tabId"</span><span class="p">:</span><span class="w"> </span><span class="mi">3613</span><span class="p">,</span><span class="w">
</span><span class="nt">"timeStamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.48303947041e+12"</span><span class="p">,</span><span class="w">
</span><span class="nt">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"main_frame"</span><span class="p">,</span><span class="w">
</span><span class="nt">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://www.evil.com/install.html"</span><span class="w">
</span><span class="p">},</span><span class="w">
</span><span class="nt">"sourceIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"108.56.78.203"</span><span class="p">,</span><span class="w">
</span><span class="nt">"userAgent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre>
</div>
<h1 id="chrome-extensionchrome-extension"><a href="#chrome-extension"></a>Browser Extension</h1>
<p>Blockade uses a browser Extension in order to perform blocking inside of the browser. Hashed intelligence* from the cloud node is sent down to the browser and stored inside of local storage. In order to inspect web traffic, Blockade uses the <a href="https://developer.chrome.com/extensions/webRequest"><code class="highlighter-rouge">browser.webRequest</code></a> APIs and places a hook on <a href="https://developer.chrome.com/extensions/webRequest#event-onBeforeRequest"><code class="highlighter-rouge">onBeforeRequest</code></a>, so that all web requests are analyzed prior to leaving the browser.</p>
<p>If Blockade identifies a malicious web request, an event will be generated and stored inside of a <code class="highlighter-rouge">events</code> section within local storage. Events contain all the details of the request with some additional properties about the browser itself. On a regular schedule, events will get synced to the cloud node in order for analysts to process the events.</p>
<p><sub>
<em>* Indicators are hashed using MD5. While not secure, this algorithm greatly reduces the key size and allows us to store well over a million indicators inside of local storage.</em>
</sub></p>
</section>
<footer>
<p>This project is maintained by <a href="https://github.com/9b">9b</a></p>
</footer>
</div>
<script src="/assets/js/scale.fix.js"></script>
</body>
</html>