The tool, called Selfrando, is specifically aimed at protecting the Tor Browser, the customised Firefox-based browser provided as an easy way to access the Tor network, which anonymises traffic passing between a computer and an Internet server.
FBI infiltration
In a paper presenting the project, the researchers pointed out that the Tor Browser is targeted not only by governments seeking to crack down on activists, but also by law enforcement agencies such as the US FBI.
“Exploiting software vulnerabilities in general, and browser vulnerabilities in particular, constitutes a clear and present threat to the Tor software,” they wrote.
The network and browser are widely used by journalists and civil rights activists, the researchers pointed out.
Compromising the browser is a relatively easy way of bypassing the Tor network’s anonymisation altogether, they said: code running on the user’s own machine can simply report identifying details directly, without ever going through Tor. In 2013 the FBI used malware planted on a number of servers hosting Tor hidden services to exploit a bug in the Firefox browser, upon which the Tor Browser is based, and install a program that collected the details of users’ systems, they said.
“The attacker then knew the public IP address, MAC address and host name of every user that visited the booby-trapped page,” the researchers wrote.
Next-generation security
It’s next to impossible to ensure that a program as complex as Firefox has no security flaws, and as a result most operating systems now use a technique called address space layout randomisation (ASLR): because code and data are loaded at unpredictable addresses, an attacker who has found a memory-corruption bug still has to learn where the code they want to abuse lives before they can turn the bug into code execution, the researchers said. The FBI’s attack demonstrated ASLR’s limits, however, they pointed out.
Selfrando applies the same idea at a much finer granularity, making attacks such as those reportedly used by the FBI considerably harder to pull off, the researchers said.
“Our solution significantly improves security over standard ASLR techniques currently used by Firefox and other mainstream browsers,” they wrote, adding that it is compatible with other security techniques, including AddressSanitizer, a compiler-based memory-error detector that the Tor Project already uses.
Randomisation
ASLR works by loading a program and each of its libraries at a different base address each time they run, but it is limited in two ways. There are relatively few possible base addresses, so on some systems an attacker can simply guess one, and everything inside a module keeps the same relative position, so an attacker who learns a single address, for instance through a memory-disclosure bug, can add fixed offsets to locate every other function in that module.
Selfrando is finer-grained: it randomises the order of all the individual machine-code functions in the protected program every time it loads, so that even a leaked address reveals the location of only that one function rather than the whole layout, making it much harder for attackers to predict where the code fragments will be, the researchers said.
ASLR is like changing the order of the books on a shelf once a month or so, but Selfrando is “more like reordering the individual chapters in every book, every time you open it to read it”, said Sophos security expert Paul Ducklin in an advisory.
“Of course, if you shuffle around the pages in a book, there’s a lot of additional housekeeping you need to do as well, such as updating the table of contents and the index, as well as adding a note at the end of each chapter to say where to go next, and so forth,” he wrote.
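The following is an added example, not code from the Selfrando project or from the paper. It is a toy model in C of the two layouts described above and of the “housekeeping” Ducklin mentions: a constructed module of eight functions with six calls between them is laid out either with ASLR alone (random base, fixed internal order) or with a fresh per-load permutation of its functions, after which each call’s x86-style rel32 displacement is recomputed so it still reaches its intended target. An attacker who leaks one function’s address and assumes the link-time layout is then simulated against both. The function sizes, call sites, seed and PRNG are all assumptions made for the illustration.

```c
/* Toy model of ASLR versus function-level (Selfrando-style) reordering.
 * Added example, not code from the Selfrando project. Function sizes,
 * call sites and addresses below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define NFUNCS 8
#define NCALLS 6
#define REL32  4   /* size of a rel32 call displacement, as on x86 */

/* Constructed module: function sizes in bytes and the calls between them. */
static const uint32_t fn_size[NFUNCS] = { 64, 128, 32, 256, 96, 48, 160, 80 };
struct call { int from; uint32_t off; int to; };   /* call at from+off targets `to` */
static const struct call calls[NCALLS] = {
    { 0, 10, 3 }, { 1, 40, 2 }, { 3, 100, 7 }, { 4, 8, 0 }, { 6, 120, 5 }, { 7, 30, 1 }
};

struct layout {
    int order[NFUNCS];        /* order[i] = which function sits in slot i */
    uint64_t addr[NFUNCS];    /* addr[f] = load address of function f */
    int32_t rel[NCALLS];      /* patched rel32 displacement for each call */
};

/* Small deterministic PRNG (constructed) so the simulation is reproducible. */
static uint64_t rng_state;
static uint32_t rng_next(void) {
    rng_state = rng_state * 6364136223846793005ULL + 1442695040888963407ULL;
    return (uint32_t)(rng_state >> 33);
}

/* Place functions contiguously from `base` in the given order, then do the
 * housekeeping: recompute every call's displacement so it still reaches its
 * intended target (the "table of contents" fix-up in Ducklin's analogy). */
static void place_and_patch(struct layout *l, uint64_t base) {
    uint64_t cur = base;
    for (int i = 0; i < NFUNCS; i++) { l->addr[l->order[i]] = cur; cur += fn_size[l->order[i]]; }
    for (int c = 0; c < NCALLS; c++) {
        uint64_t site = l->addr[calls[c].from] + calls[c].off;
        l->rel[c] = (int32_t)(l->addr[calls[c].to] - (site + REL32));
    }
}

/* ASLR only: whole module shifted to a random base, internal order fixed. */
static void layout_aslr(struct layout *l, uint64_t base) {
    for (int i = 0; i < NFUNCS; i++) l->order[i] = i;
    place_and_patch(l, base);
}

/* Fine-grained: random base AND a fresh Fisher-Yates permutation of functions. */
static void layout_fine(struct layout *l, uint64_t base) {
    for (int i = 0; i < NFUNCS; i++) l->order[i] = i;
    for (int i = NFUNCS - 1; i > 0; i--) {
        int j = (int)(rng_next() % (uint32_t)(i + 1));
        int t = l->order[i]; l->order[i] = l->order[j]; l->order[j] = t;
    }
    place_and_patch(l, base);
}

/* Check that every patched call lands exactly on its intended function. */
static int calls_resolve(const struct layout *l) {
    for (int c = 0; c < NCALLS; c++) {
        uint64_t site = l->addr[calls[c].from] + calls[c].off;
        uint64_t target = site + REL32 + (int64_t)l->rel[c];
        if (target != l->addr[calls[c].to]) return 0;
    }
    return 1;
}

/* Attacker model: leaks the address of one function (e.g. via an info leak)
 * and assumes the link-time layout, so predicts target = leak + fixed delta. */
static uint64_t attacker_predict(int leaked_fn, uint64_t leaked_addr, int target_fn) {
    uint64_t fixed_off[NFUNCS], cur = 0;
    for (int i = 0; i < NFUNCS; i++) { fixed_off[i] = cur; cur += fn_size[i]; }
    return leaked_addr + fixed_off[target_fn] - fixed_off[leaked_fn];
}

/* Run `trials` loads with a random base each; return how often the attacker's
 * prediction of target_fn from a leak of leaked_fn is right (-1 if a fix-up broke). */
static int simulate(int fine_grained, int trials, int leaked_fn, int target_fn) {
    int hits = 0;
    rng_state = 0x5e1f7a4d0ULL;   /* fixed seed: reproducible run */
    for (int t = 0; t < trials; t++) {
        struct layout l;
        uint64_t base = 0x7f0000000000ULL + ((uint64_t)rng_next() << 12);  /* page-aligned */
        if (fine_grained) layout_fine(&l, base); else layout_aslr(&l, base);
        if (!calls_resolve(&l)) return -1;
        if (attacker_predict(leaked_fn, l.addr[leaked_fn], target_fn) == l.addr[target_fn]) hits++;
    }
    return hits;
}

int main(void) {
    int n = 1000;
    printf("ASLR only : attacker right %d/%d times\n", simulate(0, n, 0, 3), n);
    printf("fine-grain: attacker right %d/%d times\n", simulate(1, n, 0, 3), n);
    return 0;
}
```

Under ASLR alone the attacker’s offset arithmetic is right on every load, because one leaked address pins down the whole module; under per-load function reordering it is right only when the shuffle happens to put the same total size between the two functions, and every call still resolves because the displacements were re-patched at load time. A real implementation has to do the same fix-up for every reference that the linker resolved to a fixed offset, which is the overhead the article refers to.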
Low overhead
The researchers said they have successfully used Selfrando with the Tor Browser as well as a range of other programs including the GNU Bash command shell, Google’s Chromium browser and the popular Nginx web server.
The tool has a low run-time overhead, adds little delay to program start-up, and protects the Tor Browser without requiring changes to its source code, they said.
“Selfrando can be combined with integrity techniques such as execute-only memory to further secure the Tor Browser and virtually any other C/C++ application,” they wrote.
Mauro Conti of the Università degli Studi di Padova, Tommaso Frassetto, Christopher Liebchen and Ahmad-Reza Sadeghi of the Technische Universität Darmstadt, Stephen Crane, Andrei Homescu and Per Larsen of Immunant and Georg Koppen and Mike Perry of the Tor Project contributed to the research, which is to be presented at the Privacy Enhancing Technologies Symposium in Darmstadt next month.