Software engineers create new defense to protect Tor users

June 24, 2016, Technische Universitat Darmstadt
Common ASLR moves the whole code of the application as a single block to a different region of memory. Selfrando randomly rearranges the code in a fine-grained fashion every time the application is launched. Credit: Technische Universitat Darmstadt

Researchers from TU Darmstadt developed successfully in collaboration with the University of California Irvine a new protection for Tor users. "Selfrando" strengthens the Tor Browser against attempts to hack and de-anonymize Tor users.

CYSEC researchers Tommaso Frassetto, Christopher Liebchen and Ahmad-Reza Sadeghi have collaborated with Immunant, Inc., University of California Irvine, and the Tor Project to integrate new software security research into the hardened version of the Tor Browser. Their defense, called "selfrando," strengthens the Tor Browser against attempts to hack and de-anonymize Tor users.

Tor users, such as activists, journalists, and whistleblowers, use the Tor Browser to preserve their anonymity online. Obviously the Tor Browser is an enticing target for hackers, including nation-states, attempting to de-anonymize and track Tor users. In the hardened Tor Browser series, the Tor Project is testing new defenses to proactively protect Tor users from attacks on their browser.

Randomizing the internals of the software

The most powerful attacks against browsers such as the Tor Browser aim to remotely exploit a victim using state-of-the-art techniques known as "code reuse". Essentially, an attacker pieces together bits of the target program into malware that controls the victim's computer meaning that the attacker does not need to inject code to the victim's machine at first place.

Selfrando defends modern software against this class of exploits by randomizing the internals of the software. Without knowing these randomized details, an attacker has a much harder time constructing a reliable (code-reuse) attack.

Selfrando significantly increases security without sacrificing performance or compatibility. It does not require changes to build tools or processes and adds less than 1% performance overhead. In practice, selfrando is completely unnoticeable to users while significantly increasing .

Explore further: Computer scientists present guarantees for online anonymity

More information: Advance copy of the research paper is available online: … ando-Tor-Browser.pdf

Selfrando is available for use in other open-source projects at GitHub:

Related Stories

Computer scientists present guarantees for online anonymity

March 11, 2015

Anonymity on the Internet is possible only up to a certain degree. Therefore, it is possible that others may see who is visiting an online advice site on sexual abuse, or who frequently looks up information about a certain ...

Judge's ruling confirms CMU engineers hacked TOR network

February 26, 2016

A recent ruling by U.S. District Court Judge Richard Jones reveals what many in the Internet business have known for some time—namely that the U.S. Department of Defense paid researchers at Carnegie Mellon University's ...

Tor and Bitcoin promise online stealth

October 2, 2013

The Silk Road website that was shut down by US authorities, who branded it a black market for drugs and other illicit wares, relied on Tor and Bitcoins to protect the anonymity of users.

Instant messaging will get Tor treatment in TIMB

March 3, 2014

The Tor Foundation which has made it possible for privacy-bent Tor users to anonymously browse the web is now turning to enabling people to autonomously do instant messaging with a Tor-enabled service, dubbed Tor Instant ...

What is the dark web?

August 13, 2015

The "dark web" is a part of the world wide web that requires special software to access. Once inside, web sites and other services can be accessed through a browser in much the same way as the normal web.

Facebook has URL for users running Tor-enabled browsers

November 1, 2014

A reassuring message on Friday from Facebook: "It's important to us at Facebook to provide methods for people to use our site securely." That is why Facebook implemented HTTPS across the service and Perfect Forward Secrecy, ...

Recommended for you

Technology near for real-time TV political fact checks

January 18, 2019

A Duke University team expects to have a product available for election year that will allow television networks to offer real-time fact checks onscreen when a politician makes a questionable claim during a speech or debate.

Privacy becomes a selling point at tech show

January 7, 2019

Apple is not among the exhibitors at the 2019 Consumer Electronics Show, but that didn't prevent the iPhone maker from sending a message to attendees on a large billboard.

China's Huawei unveils chip for global big data market

January 7, 2019

Huawei Technologies Ltd. showed off a new processor chip for data centers and cloud computing Monday, expanding into new and growing markets despite Western warnings the company might be a security risk.


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.