Tor is a well-known anonymous communication system used by millions of users, including journalists and civil rights activists all over the world. The Tor Browser gives non-technical users an easy way to access the Tor Network. However, many government organizations are actively trying to compromise Tor not only in regions with repressive regimes but also in the free world, as the recent FBI incidents clearly demonstrate. Exploiting software vulnerabilities in general, and browser vulnerabilities in particular, constitutes a clear and present threat to the Tor software. The Tor Browser shares a large part of its attack surface with the Firefox browser. Therefore, Firefox vulnerabilities (even patched ones) are highly valuable to attackers trying to monitor users of the Tor Browser.
In this paper, we present selfrando, an enhanced and practical load-time randomization technique for the Tor Browser that defends against exploits such as the one the FBI allegedly used against Tor users. Our solution significantly improves security over the standard address space layout randomization (ASLR) techniques currently used by Firefox and other mainstream browsers. Moreover, we collaborated closely with the Tor Project to ensure that selfrando is fully compatible with AddressSanitizer (ASan), a compiler feature that detects memory corruption. ASan is used in a hardened version of the Tor Browser for test purposes. The Tor Project decided to include our solution in the hardened releases of the Tor Browser, which is currently undergoing field testing.
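The abstract states that selfrando improves on standard ASLR; the following added example (written for this page, not code from the paper or the selfrando project) models why by comparing how much one leaked code address reveals under a single-base ASLR layout versus a load-time function-level permutation, the granularity selfrando works at. The four functions, their link-time offsets and sizes are constructed for the illustration.

```python
import itertools
import random

# Constructed sample image: function name -> (link-time offset, size in bytes).
# These values are made up for the illustration; they are not from the paper.
FUNCS = {
    "parse":    (0x000, 0x200),
    "render":   (0x200, 0x300),
    "dispatch": (0x500, 0x100),
    "free_buf": (0x600, 0x080),
}
PAGE = 0x1000

def aslr_layout(rng):
    """Standard ASLR: one random page-aligned base; every function keeps
    its link-time offset, so the whole image shifts as a rigid block."""
    base = rng.randrange(1 << 20) * PAGE
    return {name: base + off for name, (off, _) in FUNCS.items()}

def permuted_layout(rng, order=None):
    """Load-time function-level randomization: a random base plus a
    random order of the functions inside the image (offsets change too)."""
    base = rng.randrange(1 << 20) * PAGE
    if order is None:
        order = list(FUNCS)
        rng.shuffle(order)
    layout, cursor = {}, base
    for name in order:
        layout[name] = cursor
        cursor += FUNCS[name][1]
    return layout

def predict_from_leak(layout, leaked, target):
    """Disclosure model used to measure the defense: the link-time offsets
    are public (the binary ships to everyone) and one address has leaked."""
    base_guess = layout[leaked] - FUNCS[leaked][0]
    return base_guess + FUNCS[target][0]

def aslr_leak_success(trials=100):
    """Fraction of ASLR layouts in which one leak pins down another function."""
    rng, hits = random.Random(1), 0
    for _ in range(trials):
        layout = aslr_layout(rng)
        hits += predict_from_leak(layout, "parse", "free_buf") == layout["free_buf"]
    return hits / trials  # 1.0: a single leak defeats ASLR completely

def permuted_leak_success():
    """Exact fraction over all 24 function orders: the guess only holds when
    the functions between the leaked and target ones still span 0x600 bytes."""
    rng, hits, orders = random.Random(1), 0, list(itertools.permutations(FUNCS))
    for order in orders:
        layout = permuted_layout(rng, list(order))
        hits += predict_from_leak(layout, "parse", "free_buf") == layout["free_buf"]
    return hits / len(orders)  # 2/24: only two orders preserve the distance
```

With more functions the surviving fraction shrinks factorially, which is the property the paper relies on when it says a leak of one address no longer exposes the rest of the code.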