The Tor Project is joining forces with security researchers in efforts to boost its browser security and protect users from hacking attempts made by government agencies like the FBI. A new paper published by researchers from the University of California, Irvine, is testing a new technique called Selfrando, which is aimed at deterring de-anonymising of Tor.
The researchers describe Selfrando as "an enhanced and practical load-time randomisation technique for the Tor Browser that defends against exploits, such as the one FBI allegedly used against Tor users", adding that it "can thwart most real-world exploits".
"The Tor Project decided to include our solution in the hardened releases of the Tor Browser, which is currently undergoing field testing. Our solution significantly improves security over standard address space layout randomisation (ASLR) techniques currently used by Firefox and other mainstream browsers," the paper highlighted.
The Tor Network was established as an anonymous communication platform, which has since been used by millions, including journalists and activists across the globe. However, given the nature and allure of such anonymity, cybercriminals have also capitalised on Tor to conduct criminal activities. The FBI has targeted Tor in the past in efforts to crack is anonymous system to capture criminals hiding in the dark web. The agency has used Tor exploits in cases like the Playpen child pornography case as well as the Silkroad dark web marketplace case, to unmask cybercriminals.
Although the FBI justifies its hacking of Tor by unmasking and capturing criminals, it is uncertain if the agency is also utilising the Tor exploits for other purposes. The FBI's firm refusal in sharing information on how and why it uses such exploits has put privacy activists as well as the Tor Project itself on the defence, leading to the network now boosting browser security against such government spying and hacking.
Explaining the advantages of Selfrando, the researchers said the tool requires no changes to be made to build tools or processes, adding that using Selfrando is "as easy as adding a new compiler and linker flags to your existing build scripts".
The researchers said "Selfrando reduces the impact of information leakage vulnerabilities and increases entropy relative to ASLR, making Selfrando more effective against guessing attacks", adding that it is compatible with Android and closed-source platforms such as Microsoft Windows.