Tor’s Selfrando pioneers load-time security protection
Fri 24 Jun 2016
A new technology is being trialled to bring more robust protection against compromise for what is by now one of the most famous pieces of software in the world – the Tor (‘The Onion Router’) browser.
Selfrando, presented in a paper led by Mauro Conti and Stephen Crane, is a load-time randomisation technique designed to bring the benefits of address space layout randomisation (ASLR) to software whose code-base is too large for existing ASLR approaches to be practical.
The fundamental principle of Selfrando is to create a unique code layout for each new session of the Tor browser, so that attackers cannot rely on guessing where particular code sits in the program's memory at runtime.
The authors suggest that later, more mature implementations of the system could be applied to other programs, particularly those with large and complex code-bases, such as open-source projects whose global, rotating teams of developers contribute to nightly builds.
Selfrando is an injection-based technique, chosen because ease of implementation was pivotal to its effectiveness and portability across platforms (it is currently being tested only in 64-bit Linux environments, but has also been partially ported, not without difficulty, to Chromium):
‘For practicality reasons, we choose to support complex C/C++ programs (e.g., a browser) without modifying their source code. Further, we retain full compatibility with current build systems, i.e., we should avoid any modification to compilers, linkers, and other operating system components. To be applicable for privacy-preserving open-source tools, we must not rely on any third-party proprietary software. Finally, our solution should not substantially increase the size of the program in memory or on disk.’
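To make the load-time principle concrete, here is an added illustration (not code from the Selfrando paper or the Tor project) of what per-session code layout randomisation does. It models a toy program as a handful of functions with sizes and symbolic call targets, shuffles their order at "load time", and then patches the call references for that layout, which is the information (function boundaries plus relocations) any such scheme needs. All function names, sizes and the base address are constructed for the example; real tooling works on compiled object code, not on a Python list.

```python
import random
import secrets
from dataclasses import dataclass

# Constructed toy "binary": each function has a size in bytes and a list of
# symbolic call targets. Names, sizes and BASE are hypothetical example values.
@dataclass
class Function:
    name: str
    size: int
    calls: list  # names of functions this function calls

TOY_PROGRAM = [
    Function("main", 0x40, ["parse_input", "render"]),
    Function("parse_input", 0x80, ["alloc"]),
    Function("render", 0x120, ["alloc", "free"]),
    Function("alloc", 0x30, []),
    Function("free", 0x20, []),
]

BASE = 0x400000  # hypothetical load address of the code section


def layout(functions, rng):
    """Place the functions in a random order starting at BASE and return a
    name -> start address table. `rng` is any object with shuffle(); a
    fresh secrets.SystemRandom() gives a new layout every session."""
    order = list(functions)
    rng.shuffle(order)
    table = {}
    addr = BASE
    for f in order:
        table[f.name] = addr
        addr += f.size
    return table


def relocate(functions, table):
    """Resolve each function's symbolic call targets to concrete addresses
    under the given layout. These are the fixups a loader must apply after
    shuffling, otherwise the shuffled code would call the wrong places."""
    return {f.name: [table[target] for target in f.calls] for f in functions}


def ranges_overlap(functions, table):
    """Sanity check: no two functions may occupy the same bytes."""
    spans = sorted((table[f.name], table[f.name] + f.size) for f in functions)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))


def function_at(table, addr):
    """Return the function starting at `addr` in this layout, or None.
    A hard-coded address valid in one session generally points at nothing
    useful (or something else entirely) in the next."""
    for name, start in table.items():
        if start == addr:
            return name
    return None


def distinct_layouts(functions, sessions):
    """Count how many different layouts `sessions` independent loads produce."""
    seen = set()
    for _ in range(sessions):
        table = layout(functions, secrets.SystemRandom())
        seen.add(tuple(sorted(table.items())))
    return len(seen)


if __name__ == "__main__":
    session = layout(TOY_PROGRAM, secrets.SystemRandom())
    fixups = relocate(TOY_PROGRAM, session)
    for f in TOY_PROGRAM:
        targets = ", ".join(hex(a) for a in fixups[f.name])
        print(f"{f.name:12s} @ {session[f.name]:#x}  calls -> [{targets}]")
    print("distinct layouts over 20 sessions:", distinct_layouts(TOY_PROGRAM, 20))
```

Running the block twice prints two different address tables while every call still lands on the start of the intended function, which is the property the randomisation has to preserve. With only five functions there are 120 possible layouts; a real browser has hundreds of thousands, which is what makes guessing impractical.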
The paper notes how the focus of attackers, including would-be interceptors such as the FBI, has shifted from the now largely closed loophole of code injection towards code reuse, where the program's own legitimate code is repurposed to the same end.
Speaking of when Selfrando might enter the mainstream Tor release flow, Tor developer Georg Koppen comments:
‘I think that Tor browser version 6.5 might be a bit too early for a stable release. However, if user testing shows this is okay, Selfrando will make it in. A more conservative approach is pointing to Tor browser version 7.0.’
The current version of Tor, at the time of writing, is 6.0.2.
ASLR and related schemes use several similar techniques to randomise where code sits in memory, but they are too sweeping to be practical for very large programs such as the Firefox code-base that underpins Tor Browser. The paper notes that such approaches risk unacceptable performance overheads, rely on unsafe binary rewriting that does not scale to larger code-bases, or randomise code only at compile time.
To prevent attackers from undermining Tor by recompiling it in its original environment with backdoors inserted, the Selfrando developers use the Gitian framework: a virtual machine plus build scripts that insulate the compilation process from the surrounding environment, so that multiple contributors can work on the project while build integrity is maintained.
‘As we have previously mentioned, any tactic that allows de-anonymization of Tor network users is likely to be attempted by law enforcement, intelligence agencies, and other resourceful adversaries. The ability to surreptitiously insert backdoors into the TB would be a particularly powerful attack.’
The reproducible build environment is essential to the trust Selfrando depends on, but until May of this year the team was forced to use a virtual machine based on Ubuntu 10.04, with various compatibility workarounds. They have since switched to Debian 7.
Tor was developed by the U.S. military in the 1990s to provide anonymity for intelligence services around the world, and although several branches of the U.S. government, such as the FBI and the CIA, have a continuing interest in breaking it, the Selfrando project is based on work partially supported by DARPA.