Tor is fighting back. The Onion Router (Tor) released version 6.5a1 of its browser in early June, and users will be happy to note that the updated browser contained some welcome security initiatives.

Hardening the Tor Browser

As the Tor Project announced on its blog, the latest version of its browser “updates Firefox to 45.2.0esr and contains all the improvements that went into Tor Browser 6.0.” Specifically, this new release boasts significant security advancements designed to avoid privacy invasions and deanonymization — things Tor is supposed to fundamentally prevent.

The Project worked on the Firefox browser that runs underneath Tor to reduce its potential as an attack surface. This hardening was needed given recent and apparently successful deanonymization attacks, which revealed the identities of Tor users.

A New Way to Randomize Memory

But there’s more: Softpedia reported that this hardened version of the Tor browser includes a new feature called Selfrando. The article described this feature as “an enhanced and practical load-time randomization technique.” This should prevent user identities from ever going public as the result of a cyberattack.

The Tor Project and researchers from the University of California, Irvine have been collaborating to create Selfrando. It is an alternative to the use of address space layout randomization (ASLR), which Tor had used previously. ASLR works by shifting the memory location at which code is loaded and runs. Selfrando increases the granularity of that randomization: it takes each function in the code separately and randomizes its memory address.

This can have a major impact on Tor security. If an attacker cannot predict the memory position in which parts of the code will be executing, then use of some sort of memory corruption bug — which could allow them to run malware inside the Tor browser — won’t do them any good.
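
The difference in granularity can be measured with a simplified model. This is an added example, not code from the Tor Project or Selfrando: the function names, sizes and address range are constructed, and per-function randomization is modeled as a shuffle of function order at each load, which is an assumption.

```python
import random

# Constructed sample: (name, size in bytes) for a hypothetical module, in link order.
FUNCS = [("parse_header", 0x120), ("decode_image", 0x340),
         ("js_compile", 0x800), ("render_frame", 0x260), ("net_send", 0x1C0)]
PAGE = 0x1000

def place(order, base):
    """Lay functions out back to back from base; return {name: address}."""
    addrs, offset = {}, 0
    for name, size in order:
        addrs[name] = base + offset
        offset += size
    return addrs

def load_aslr(rng):
    """Module-level ASLR: random page-aligned base, link order unchanged."""
    return place(FUNCS, rng.randrange(0x10000, 0x7FFF0000, PAGE))

def load_per_function(rng):
    """Function-level randomization (assumed model): random base and a
    fresh function order on every load."""
    order = FUNCS[:]
    rng.shuffle(order)
    return place(order, rng.randrange(0x10000, 0x7FFF0000, PAGE))

def leak_exposure(loader, leaked, target, trials=2000, seed=1):
    """Fraction of loads in which one disclosed address plus the link-time
    offset equals the target's real address (lower is better for the defender)."""
    link = place(FUNCS, 0)
    delta = link[target] - link[leaked]
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        addrs = loader(rng)
        hits += addrs[leaked] + delta == addrs[target]
    return hits / trials

if __name__ == "__main__":
    for name, loader in (("ASLR", load_aslr), ("per-function", load_per_function)):
        print(name, leak_exposure(loader, "parse_header", "js_compile"))
```

With a single randomized base, every other function sits at a fixed offset from any one known address, so the measured exposure is 1.0; with the order reshuffled per load it falls to roughly 0.05 for this five-function sample.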

It remains to be seen whether these hardening efforts will pay off in the future for Tor, but they look encouraging.
