The FBI’s apparent capability to unmask users of the Tor Network has caused hand-wringing among those concerned with privacy and civil liberties, many of whom are busy trying to win legal battles to get law enforcement to confess as to how they’re doing it.
A team of academics and researchers, however, have come up with a technique called selfrando they believe defends against such attacks.
The technique will be presented next month at the Privacy Enhancing Technologies Symposium (PETS) in Darmstadt, Germany, but according to the researchers, the Tor Project is already conducting field tests in hardened versions of the Tor Browser used for testing purposes.
The team of nine includes; Mauro Conti of the University of Padua, Stephen Crane and Andrei Homescu of Immunant, Tommaso Frassetto, Christopher Liebchen and Ahmad-Reza Sadeghi of the Technische Universität Darmstadt, Mike Perry and Georg Koppen of The Tor Project, and Per Larsen of the University of California, Irvine. They have already published a paper explaining their work titled “Selfrando: Securing the Tor Browser against De-anonymization Exploits.”
Selfrando is intended to work alongside existing mitigations in the Tor Browser that protect against memory-corruption attacks. Technologies such as Address Space Layout Randomization (ASLR), however, are getting long in the tooth. Numerous exploits exist that bypass ASLR, which the researchers said was implemented more for its compatibility with compilers and operating systems than security. ASLR randomizes where executables will loaded into memory, in theory making it difficult for attackers determine where to point attacks.
Selfrando, the researchers wrote, is a load-time randomization technique that makes it impossible for attackers to observe binaries during download or after they’re on the disk. It improves security in comparison to ASLR while preserving the same features that make ASLR attractive as a mitigation, the researchers wrote.
“While technically challenging, our use of load-time function layout permutation ensures that the attack surface changes from one run to another,” the researchers describe. “Load-time randomization also ensures compatibility with code signing and distribution mechanisms that use caching to efficiently serve millions of users.”
The selfrando framework can be applied to software such as Tor without requiring changes to the Tor Browser source code, for example. The researchers wrote that an implementation would not require a reworking of binaries or the need for a custom compiler. They also point out that it increases entropy relative to ASLR, making it resilient to guessing attacks.
“Our main objective is to substantially raise the costs for attackers to exploit memory-corruption vulnerabilities,” the researchers wrote.
In a section of the paper describing the security afforded by selfrando, the researchers compare its resistance to brute-force attacks against ASLR. The introduction of more entropy into selfrando lessens the chances that existing bypass mitigations against ASLR would work against selfrando.
“Selfrando, on the other hand, applies more fine-grained function permutation,” the researchers wrote. “This means the randomization entropy does not depend on the size of the address space, as it is the case for ASLR, but on the number of functions in the randomized binary.”
The researchers also studied real-world attacks against the Tor Browser, most of which attempt exploits against vulnerable heaps or buffers, resulting in code execution, information leakage or mitigation bypasses. The paper goes into detail how selfrando denies attackers the ability to disclose an entire heap. For example, this leads the team to conclude that selfrando can defend against the FBI’s attack, unless an attacker can successfully disclose the complete heap and data section.
The FBI’s attack was at the center of a court case in Seattle where a Vancouver teacher was facing child pornography possession charges. The FBI refused to share details about what it calls a network investigative technique used to de-anonymize Tor Browser users visiting a dark web child porn site. The judge in the case was forced to exclude evidence gathered by the FBI’s exploit from the trial.
The defense argued that without an understanding of how the FBI’s exploit works, it would be impossible to determine whether the illegal images found on the defendant’s computer were put there by him. The exploit, court documents show, bypassed the Tor Browser’s anonymity protections and gathered IP and MAC addresses and other system data from visitors to the site over a 13-day period.
Mozilla had previously filed a motion related to the case asking the FBI to share its exploit with the company so that the vulnerability being exploited could be patched in the Firefox browser. The Tor Browser is partially built on Firefox code.