Conti, Mauro ; Crane, Stephen ; Frassetto, Tommaso ; Homescu, Andrei ; Koppen, Georg ; Larsen, Per ; Liebchen, Christopher ; Perry, Mike ; Sadeghi, Ahmad-Reza (2016)
Selfrando: Securing the Tor Browser against De-anonymization Exploits.
Konferenzveröffentlichung, Bibliographie
Kurzbeschreibung (Abstract)
Tor is a well-known anonymous communication system used by millions of users, including journalists and civil rights activists all over the world. The Tor Browser gives non-technical users an easy way to access the Tor Network. However, many government organizations are actively trying to compromise Tor not only in regions with repressive regimes but also in the free world, as the recent FBI incidents clearly demonstrate. Exploiting software vulnerabilities in general, and browser vulnerabilities in particular, constitutes a clear and present threat to the Tor software. The Tor Browser shares a large part of its attack surface with the Firefox browser. Therefore, Firefox vulnerabilities (even patched ones) are highly valuable to attackers trying to monitor users of the Tor Browser.
In this paper, we present selfrando — an enhanced and practical load-time randomization technique for the Tor Browser that defends against exploits, such as the one FBI allegedly used against Tor users. Our solution significantly improves security over standard ASLR techniques currently used by Firefox and other mainstream browsers.
Moreover, we collaborated closely with the Tor Project to ensure that selfrando is fully compatible with AddressSanitizer, a compiler feature to detect memory corruption. AddressSanitizer is used in a hardened version of Tor Browser for test purposes. The Tor Project decided to include our solution in the hardened releases of the Tor Browser, which is currently undergoing field testing.
| Typ des Eintrags: | Konferenzveröffentlichung |
|---|---|
| Erschienen: | 2016 |
| Autor(en): | Conti, Mauro ; Crane, Stephen ; Frassetto, Tommaso ; Homescu, Andrei ; Koppen, Georg ; Larsen, Per ; Liebchen, Christopher ; Perry, Mike ; Sadeghi, Ahmad-Reza |
| Art des Eintrags: | Bibliographie |
| Titel: | Selfrando: Securing the Tor Browser against De-anonymization Exploits |
| Sprache: | Englisch |
| Publikationsjahr: | Juli 2016 |
| Buchtitel: | The annual Privacy Enhancing Technologies Symposium (PETS) |
| Zugehörige Links: | |
| Kurzbeschreibung (Abstract): | Tor is a well-known anonymous communication system used by millions of users, including journalists and civil rights activists all over the world. The Tor Browser gives non-technical users an easy way to access the Tor Network. However, many government organizations are actively trying to compromise Tor not only in regions with repressive regimes but also in the free world, as the recent FBI incidents clearly demonstrate. Exploiting software vulnerabilities in general, and browser vulnerabilities in particular, constitutes a clear and present threat to the Tor software. The Tor Browser shares a large part of its attack surface with the Firefox browser. Therefore, Firefox vulnerabilities (even patched ones) are highly valuable to attackers trying to monitor users of the Tor Browser. In this paper, we present selfrando — an enhanced and practical load-time randomization technique for the Tor Browser that defends against exploits, such as the one FBI allegedly used against Tor users. Our solution significantly improves security over standard ASLR techniques currently used by Firefox and other mainstream browsers. Moreover, we collaborated closely with the Tor Project to ensure that selfrando is fully compatible with AddressSanitizer, a compiler feature to detect memory corruption. AddressSanitizer is used in a hardened version of Tor Browser for test purposes. The Tor Project decided to include our solution in the hardened releases of the Tor Browser, which is currently undergoing field testing. |
| Freie Schlagworte: | ICRI-SC;S2;Secure Things;Solutions |
| ID-Nummer: | TUD-CS-2016-0094 |
| Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Systemsicherheit DFG-Sonderforschungsbereiche (inkl. Transregio) DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche Profilbereiche Profilbereiche > Cybersicherheit (CYSEC) LOEWE LOEWE > LOEWE-Zentren LOEWE > LOEWE-Zentren > CRISP - Center for Research in Security and Privacy LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche > SFB 1119: CROSSING – Kryptographiebasierte Sicherheitslösungen als Grundlage für Vertrauen in heutigen und zukünftigen IT-Systemen |
| Hinterlegungsdatum: | 04 Aug 2016 10:13 |
| Letzte Änderung: | 06 Jun 2018 13:20 |
| PPN: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum