Upcoming hardened releases of the Tor Browser will use a new technique aimed at preventing deanonymization efforts by anyone who might want to mount them.
Created by a group of researchers from the University of California, Irvine, and dubbed “selfrando,” the technique allows for enhanced and practical load-time randomization.
Selfrando is significantly more effective than standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers, the researchers say.
The technique is meant to prevent code reuse attacks, i.e. attacks that use code that already exists in the app (browser, in this case). This type of attack can be executed only if the attacker can locate the needed functions, and selfrando randomizes their location (ASLR just randomizes the location of code libraries that contain the functions).
It makes it more difficult for attackers to exploit memory-corruption vulnerabilities to hijack control flow and achieve remote code execution.
Here is how an app runs without and with selfrando:
“A linker wrapper intercepts calls to the linker and calls selfrando to gather information on the executable file (1). Then, it embeds TRaP (Translation and Protection) information and a load-time randomization library, RandoLib, into the binary file (2),” the researchers explained the flow.
“When the loader loads the application, it will invoke RandoLib instead of the entry point of the application. RandoLib will randomize the order of the functions in memory and then transfer control to the original program entry point.”
“Attackers can only succeed in rare cases where they can disclose the complete heap and data section,” they noted.
In the hardened version of the Tor Browser, selfrando works in conjunction with AddressSanitizer (ASan), a compiler feature that detects memory corruption bugs.
According to the researchers, this defense technique is just one of several that the Tor project is trying out, and could ultimately end up being implemented in the non-hardened version of the browser.
Selfrando can be integrated in other real-world applications.