
Proceedings on Privacy Enhancing Technologies

Open Access, 4 issues per year
Online ISSN: 2299-0984

Selfrando: Securing the Tor Browser against De-anonymization Exploits

Mauro Conti / Stephen Crane / Tommaso Frassetto / Andrei Homescu / Georg Koppen / Per Larsen / Christopher Liebchen / Mike Perry / Ahmad-Reza Sadeghi
Published Online: 2016-07-14 | DOI: https://doi.org/10.1515/popets-2016-0050

Abstract

Tor is a well-known anonymous communication system used by millions of users, including journalists and civil rights activists all over the world. The Tor Browser gives non-technical users an easy way to access the Tor Network. However, many government organizations are actively trying to compromise Tor not only in regions with repressive regimes but also in the free world, as the recent FBI incidents clearly demonstrate. Exploiting software vulnerabilities in general, and browser vulnerabilities in particular, constitutes a clear and present threat to the Tor software. The Tor Browser shares a large part of its attack surface with the Firefox browser. Therefore, Firefox vulnerabilities (even patched ones) are highly valuable to attackers trying to monitor users of the Tor Browser.

In this paper, we present selfrando, an enhanced and practical load-time randomization technique for the Tor Browser that defends against exploits such as the one the FBI allegedly used against Tor users. Our solution significantly improves security over the standard address space layout randomization (ASLR) currently used by Firefox and other mainstream browsers. Moreover, we collaborated closely with the Tor Project to ensure that selfrando is fully compatible with AddressSanitizer (ASan), a compiler feature that detects memory corruption; ASan is used in a hardened version of the Tor Browser for test purposes. The Tor Project decided to include our solution in the hardened releases of the Tor Browser, where it is currently undergoing field testing.

Keywords: De-anonymization exploits; code-randomization; privacy-oriented software; Tor Browser
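The abstract's claim that load-time randomization improves on module-level ASLR rests on how each scheme behaves once a single code address leaks. The toy model below is an added example, not code from the paper or from selfrando: it assumes the attacker knows the binary's link-order layout (true for any published build), obtains one leaked function address, and extrapolates the rest. `FUNCTIONS`, `DEMO_ORDER` and `BASE` are constructed values; the randomized case uses per-function permutation, the granularity selfrando works at, although the abstract itself does not spell that out.

```python
import random

# Constructed toy program: (function name, size in bytes) in link order.
FUNCTIONS = [("main", 0x120), ("parse_url", 0x340), ("alloc_buf", 0x80),
             ("js_eval", 0x900), ("free_buf", 0x60), ("render", 0x500)]

# One hypothetical load-time order; a real loader draws a fresh one per run.
DEMO_ORDER = ["js_eval", "main", "render", "alloc_buf", "parse_url", "free_buf"]

BASE = 0x7F0000000000  # constructed randomized module base


def contiguous_offsets(functions):
    """Offset of each function when the given list is laid out back to back."""
    offsets, cursor = {}, 0
    for name, size in functions:
        offsets[name] = cursor
        cursor += size
    return offsets


def layout_aslr(base, functions=FUNCTIONS):
    """Module-level ASLR: one random base; every relative offset stays as linked."""
    return {n: base + off for n, off in contiguous_offsets(functions).items()}


def layout_permuted(base, order, functions=FUNCTIONS):
    """Load-time function permutation: whole functions relocated in a new order."""
    sizes = dict(functions)
    reordered = [(n, sizes[n]) for n in order]
    return {n: base + off for n, off in contiguous_offsets(reordered).items()}


def random_order(seed, functions=FUNCTIONS):
    """Draw a permutation the way a randomizing loader would (seeded for reproducibility)."""
    names = [n for n, _ in functions]
    random.Random(seed).shuffle(names)
    return names


def locate_from_leak(actual_layout, leaked_name, functions=FUNCTIONS):
    """Addresses an attacker who knows the link-order offsets can derive from one leak.

    The attacker infers a module base from the leaked address and extrapolates
    every other function from the public link-order offsets; only guesses that
    match the real layout are returned.
    """
    link = contiguous_offsets(functions)
    inferred_base = actual_layout[leaked_name] - link[leaked_name]
    guesses = {n: inferred_base + off for n, off in link.items()}
    return {n: a for n, a in guesses.items() if actual_layout[n] == a}


def functions_exposed(actual_layout, leaked_name):
    """Number of functions whose address the single leak reveals."""
    return len(locate_from_leak(actual_layout, leaked_name))


if __name__ == "__main__":
    aslr = layout_aslr(BASE)
    permuted = layout_permuted(BASE, DEMO_ORDER)
    for name in ("parse_url", "main"):
        print(f"leak of {name}: ASLR exposes {functions_exposed(aslr, name)} "
              f"of {len(FUNCTIONS)} functions, permuted layout exposes "
              f"{functions_exposed(permuted, name)}")
    # A fresh draw on every load: knowledge of one layout does not carry over.
    print("order on another load:", random_order(seed=7))
```

Under module-level ASLR the leak of any one function pins down all six, because the attacker only has to recover a single base; under the permuted layout the same leak pins down exactly the leaked function, and the remaining order has to be learned separately for every process. This is the disclosure-resistance argument behind fine-grained randomization, and it is why the abstract treats the Firefox ASLR baseline as insufficient against exploits that begin with an information leak.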


About the article

Received: 2016-02-29

Revised: 2016-06-02

Accepted: 2016-06-02

Published Online: 2016-07-14

Published in Print: 2016-10-01


Citation Information: Proceedings on Privacy Enhancing Technologies, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2016-0050.


© 2016. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. BY-NC-ND 4.0
