The Tor Project is working with researchers to harden the anonymising Tor network and prevent law enforcement or cyberattackers from being able to snoop on users.
The Tor network, also known as the onion router, is used by the privacy-conscious as well as activists, journalists and those seeking to avoid censorship restrictions worldwide. The network operates through nodes and relays which disguise the true IP addresses of users, and is one of the most stable ways out there to hide your digital footprint.
However, no solution is foolproof — as US law enforcement showed when the FBI was able to compromise the network in order to track down Silk Road marketplace operators and users (despite evidence being thrown out of court for refusing to reveal how).
In order to prevent such a scenario happening again and maintaining the privacy of users, Tor is working with researchers from the University of California, Irvine, to create a hardened version of the Tor browser, used to access the onion router network.
In the paper “Securing the Tor Browser against De-anonymization Exploits” (.PDF), the team notes that “Selfrando” acts as an alternative to address space layout randomization (ASLR).
As noted by IBM’s Security Intelligence, ASLR takes code and shifts the memory location to limit user exposure, but Selfrando improves on this system by increasing the granularity of code execution by separating each function and then randomizing the memory address.
This could potentially ramp up Tor’s security dramatically and make it that much harder to break Tor. If cyberattackers and spies cannot predict where code will execute in memory, then memory corruption bugs — which could compromise the network — are rendered useless.
Selfrando’s GitHub page states:
“Software written in C and C++ is exposed to exploitation of memory corruption. Inspired by biodiversity in nature and existing randomizing defenses, Selfrando varies the attack surface, i.e., the code layout, by randomizing each function separately.
This makes exploit writing harder and increases resilience to information leakage relative to traditional address space layout randomization (ASLR) techniques.”
The latest alpha release of the Tor browser, 6.5a1, has been released with hardened elements and a range of fixes and improvements.