
Developers Get Advice on Hardening Tor Browser Bundle

A recent study conducted by iSEC Partners provided the developers of the Tor Browser Bundle with several long and short-term recommendations on how to make the application more secure.


The study, commissioned by the Open Technology Fund, the primary funder of the Tor Browser, focused on reviewing current hardening options and finding additional ways of making the software more difficult to exploit.


Since the Tor Browser is based on Firefox, researchers have also performed a historical vulnerability analysis on Mozilla’s Web browser. This, along with other information on public and private exploits, is useful for the Security Slider, an upcoming feature that will allow users to disable certain elements of the browser for enhanced security.

The Security Slider will have four levels: low, medium-low, medium-high and high. For example, the “low” mode will be the current Tor Browser settings, with the addition of JIT support. In the “high” level, JavaScript will be completely disabled, remote fonts will be blocked via NoScript, and all media codecs (except WebM, which remains click-to-play) will be disabled.

One of the short-term recommendations made by iSEC is re-enabling Address Space Layout Randomization (ASLR) on Windows and Mac builds. Mike Perry, lead developer of the Tor Browser, admitted in a blog post that several hardening features have been disabled due to the use of cross-compilation and non-standard toolchains in the reproducible build system. He says they’re working on addressing the Windows issues, but it’s more complicated for Mac and they might have to build 64-bit versions of the Tor Browser for full support. 

The developers of the Tor Browser should also consider testing and recommending the use of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which detects and neutralizes certain exploitation techniques.


Another recommendation made by iSEC is to find vulnerabilities in the Tor Browser by entering it in the Pwn2Own competition, which takes place each year alongside the CanSecWest security conference. The idea is to give Pwn2Own participants the opportunity to find flaws specific to the browser in a semi-hardened configuration. While the Tor Project is interested in the idea and encourages potential sponsors to step forward, it’s uncertain if they’ll be able to prepare for the March 2015 edition.

The list of long-term recommendations includes replacing the “jemalloc” allocator with “ctmalloc” and other partition object allocation types to make the exploitation of heap corruption vulnerabilities more difficult. The Tor Browser Bundle team should also look for ways to enhance protection against use-after-free exploits. One method would be to use the partitioning features of PartitionAlloc, which has been developed by the Chrome security team, to separate DOM objects from user-controlled buffers such as strings and arrays.


iSEC also advised Tor to closely follow the work of the Chrome security team, which is considered a source of innovation when it comes to browser security.

“Tor Browser Bundle is based on Firefox and thus inherits progress made by Mozilla automatically. While improvements in Chrome may not be appropriate for Firefox, they could be integrated in Tor Browser Bundle. In a best case scenario, members of the Chrome Security team may be allowed to work with the Tor Project on these changes,” iSEC researchers noted in their report.

Perry admits that Chrome is more secure than Firefox, especially since it has a multiprocess sandboxing architecture and other hardening options.

“Unfortunately, our budget for the browser project is still very constrained compared to the amount of work that is required to provide the privacy properties we feel are important, and Firefox remains a far more cost-effective platform for us for several reasons,” Perry explained. “In particular, Firefox’s flexible extension system, fully scriptable UI, solid proxy support, and its long Extended Support Release cycle all allow us to accomplish far more with fewer resources than we could with any other web browser.”

For Chrome to become a viable option, either funding for the project must be increased considerably, or Google must agree to make some changes in certain features that are crucial for the Tor Browser, Perry said.

In July, Tor Project representatives warned of an attack attempting to deanonymize users. Fortunately, the attack appeared to have been carried out by a group of researchers who were planning to hold a presentation on cracking Tor at the Black Hat security conference in Las Vegas. The talk was cancelled, but the experts had tested their methods in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
