Selfrando: Securing the Tor Browser against De-anonymization Exploits

Mauro Conti; Stephen Crane; Tommaso Frassetto; Andrei Homescu; Georg Koppen; Per Larsen; Christopher Liebchen; Mike Perry; Ahmad-Reza Sadeghi

Selfrando: Securing the Tor Browser against De-anonymization Exploits

Authors: Mauro Conti (Università degli Studi di Padova), Stephen Crane (Immunant, Inc.), Tommaso Frassetto (CASED/Technische Universität Darmstadt, Germany), Andrei Homescu (Immunant, Inc.), Georg Koppen (The Tor Project), Per Larsen (Immunant, Inc.), Christopher Liebchen (CASED/Technische Universität Darmstadt, Germany), Mike Perry (The Tor Project), Ahmad-Reza Sadeghi (CASED/Technische Universität Darmstadt, Germany)

Volume: 2016
Issue: 4
Pages: 454–469
DOI: https://doi.org/10.1515/popets-2016-0050

Download PDF

Abstract: Tor is a well-known anonymous communication system used by millions of users, including journalists and civil rights activists all over the world. The Tor Browser gives non-technical users an easy way to access the Tor Network. However, many government organizations are actively trying to compromise Tor not only in regions with repressive regimes but also in the free world, as the recent FBI incidents clearly demonstrate. Exploiting software vulnerabilities in general, and browser vulnerabilities in particular, constitutes a clear and present threat to the Tor software. The Tor Browser shares a large part of its attack surface with the Firefox browser. Therefore, Firefox vulnerabilities (even patched ones) are highly valuable to attackers trying to monitor users of the Tor Browser. In this paper, we present selfrando—an enhanced and practical load-time randomization technique for the Tor Browser that defends against exploits, such as the one FBI allegedly used against Tor users. Our solution significantly improves security over standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers. Moreover, we collaborated closely with the Tor Project to ensure that selfrando is fully compatible with AddressSanitizer (ASan), a compiler feature to detect memory corruption. ASan is used in a hardened version of Tor Browser for test purposes. The Tor Project decided to include our solution in the hardened releases of the Tor Browser, which is currently undergoing field testing.

Keywords: De-anonymization exploits, coderandomization, privacy-oriented software, Tor Browser.

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.