Tor Browser Hardening Features Under Scrutiny

An iSEC Partners report examining hardening features of the Tor Browser recommends moving off Firefox to Chrome, but budget and feature constraints make that unlikely.

Tor is a target like never before. The NSA has made no bones about its disdain for the anonymity network, and someone, allegedly researchers from Carnegie Mellon University, was recently on the network trying to de-anonymize users of its hidden services.

All of this has prompted the keepers of Tor to commission a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The news is a bit eye-opening since the report’s recommendations don’t favor Firefox as a baseline for Tor, but rather Google Chrome. But Tor’s handlers concede that budget constraints and Chrome’s limitations on proxy support make a switch or a fork impossible.

“Unfortunately, our budget for the browser project is still very constrained compared to the amount of work that is required to provide the privacy properties we feel are important, and Firefox remains a far more cost-effective platform for us for several reasons,” wrote Mike Perry, lead developer of the Tor Browser. “In particular, Firefox’s flexible extension system, fully scriptable UI, solid proxy support, and its long Extended Support Release cycle all allow us to accomplish far more with fewer resources than we could with any other web browser.”

The Open Technology Fund, which funds all Tor Browser development, commissioned iSEC Partners to look at hardening options for the Tor Browser and provide recommendations for an upcoming feature called the Security Slider.

Six areas of concern were raised by report authors Tom Ritter and Andy Grant, principal security engineers with iSEC Partners. First, the report points out that key memory corruption mitigations such as Address Space Layout Randomization (ASLR) are disabled on Windows and Mac OS X versions of the Tor Browser. A Windows fix is in development, but the lack of ASLR on Mac OS X was a revelation and likely requires development of 64-bit versions of the Tor Browser in order to support ASLR, Perry wrote.

The report recommends closely following the developments and advancements in Chrome and considering those for the Tor Browser. Specifically, the report suggests replacing the Firefox memory allocator with ctmalloc/PartitionAlloc, a mitigation tool native to Chrome that fends off heap-based vulnerabilities and deploys other memory-based defenses currently missing in the Firefox allocator.

Furthermore, the report recommends making use of advanced PartitionAlloc features that reduce the risk of use-after-free vulnerabilities. The report’s findings also were built upon a historical dissection of vulnerabilities in Firefox that determined most were use-after-free memory bugs, in addition to heap-based overflows.

“In order to mitigate these vulnerabilities, we would need to make use of the heap partitioning features of PartitionAlloc to actually ensure that allocations are partitioned (for example, by using the existing tags from Firefox’s about:memory),” Perry wrote. “We will also investigate enabling assertions in limited areas of the codebase, such as the refcounting system, the JIT and the Javascript engine.”
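As an added illustration of the heap partitioning Perry refers to (this is example code, not Tor Browser or PartitionAlloc source), the toy C allocator below gives each partition its own slab and free list. It contrasts a shared heap, where a freed object's slot is immediately handed to an unrelated buffer allocation, with a type-partitioned heap, where that cannot happen. Slot sizes and partition names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SLOT_SIZE 32
#define SLOTS 8

/* One partition: a fixed-size slab with its own LIFO free list. */
typedef struct {
    uint8_t slab[SLOTS][SLOT_SIZE];
    int free_stack[SLOTS];
    int free_top;
} partition_t;

static void partition_init(partition_t *p) {
    p->free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) p->free_stack[p->free_top++] = i;
}
static void *partition_alloc(partition_t *p) {
    if (p->free_top == 0) return NULL;          /* partition exhausted */
    return p->slab[p->free_stack[--p->free_top]];
}
static void partition_free(partition_t *p, void *ptr) {
    ptrdiff_t idx = ((uint8_t *)ptr - &p->slab[0][0]) / SLOT_SIZE;
    p->free_stack[p->free_top++] = (int)idx;   /* most recent free is reused first */
}

/* Unpartitioned heap: objects and byte buffers share one pool, so the slot of a
   just-freed object is handed to the next buffer allocation (returns 1). A stale
   pointer to the object would then alias attacker-influenced buffer contents. */
int shared_heap_reuses_freed_slot(void) {
    partition_t heap; partition_init(&heap);
    void *obj = partition_alloc(&heap);
    partition_free(&heap, obj);
    void *buf = partition_alloc(&heap);
    return buf == obj;
}

/* Partitioned heap (the PartitionAlloc idea): buffers come from their own pool,
   so they can never land on memory the object partition released (returns 0). */
int partitioned_heap_reuses_freed_slot(void) {
    partition_t objects, buffers;
    partition_init(&objects); partition_init(&buffers);
    void *obj = partition_alloc(&objects);
    partition_free(&objects, obj);
    void *buf = partition_alloc(&buffers);
    return buf == obj;
}

int main(void) {
    printf("shared heap reuses freed slot:      %d\n", shared_heap_reuses_freed_slot());
    printf("partitioned heap reuses freed slot: %d\n", partitioned_heap_reuses_freed_slot());
    return 0;
}
```

Partitioning does not fix the dangling pointer itself; it limits what a stale pointer can reach, which is the risk reduction the report describes.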

iSEC also suggested Tor Browser test Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) for Windows systems, as well as find a sponsor and start a Pwn2Own reward at the 2015 contest held simultaneously with the CanSecWest event in Vancouver.

As for the Security Slider, a new UI for the Tor Browser, there will be four settings of rising severity, each enabling a different set of security features by default. The lowest level is the current default Tor Browser configuration; the highest disables JavaScript fully, blocks remote fonts via NoScript, and disables all media codecs, Perry said.

Perry added that the project will keep adding hardening features to the Tor Browser until Firefox is ready with its multiprocess sandbox architecture, similar to what Chrome currently provides. Mozilla assigned a 10-engineer team to this task in the spring.

“It is no secret that in many ways, both we and Mozilla are playing catch-up to reach the level of code execution security provided by Google Chrome, and in fact closely following the Google Chrome security team was one of the recommendations of the iSEC report,” Perry wrote. However, citing budget constraints and several technological impediments around proxy support and certificate validation happening outside the browser, it’s likely Tor will stay on the Firefox road map for the time being.

“Unless either our funding situation or Google’s attitude towards the features we require changes, Mozilla Firefox will remain the best platform for us to demonstrate that it is in fact possible to provide true privacy by design for the web for those who want it,” Perry wrote. “It is very distressing that this means playing catch-up and forcing our users to make usability tradeoffs in exchange for improved browser security, but we will continue to do what we can to improve that situation, both with Mozilla and with our own independent efforts.”
