Tor is a well-known anonymous communication system used by millions of users, including journalists and civil rights activists all over the world. The Tor Browser gives non-technical users an easy way to access the Tor Network. However, many government organizations are actively trying to compromise Tor not only in regions with repressive regimes but also in the free world, as the recent FBI incidents clearly demonstrate. Exploiting software vulnerabilities in general, and browser vulnerabilities in particular, constitutes a clear and present threat to the Tor software. The Tor Browser shares a large part of its attack surface with the Firefox browser. Therefore, Firefox vulnerabilities (even patched ones) are highly valuable to attackers trying to monitor users of the Tor Browser.
In this paper, we present selfrando, an enhanced and practical load-time randomization technique for the Tor Browser that defends against exploits, such as the one the FBI allegedly used against Tor users. Our solution significantly improves security over standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers. Moreover, we collaborated closely with the Tor Project to ensure that selfrando is fully compatible with AddressSanitizer (ASan), a compiler feature to detect memory corruption. ASan is used in a hardened version of Tor Browser for test purposes. The Tor Project decided to include our solution in the hardened releases of the Tor Browser, which is currently undergoing field testing.