Hardened Malloc (Default)

From Kicksecure
Jump to navigation Jump to search

Hardened Memory Allocator for many Applications to increase Security

Info This page is archived.

Deprecation in Kicksecure[edit]

Reasons:

  • Not stable enough: Through testing and integration development in Kicksecure, the unresolveable #Issues being found, it has been determined that it will never be stable enough to be suitable for installation by default for all users.
  • Unclear Benefit: See chapter #Tickets and Discussions. Whenever it has been suggested to other projects to port to Hardened Malloc (HM), it did not get favorable reviews from other developers.
  • Lack of outreach by upstream: Upstream mentioned that others do not understand HM but also does not have time to engage with them.
  • Potential future deprecation by upstream: Upstream contemplated deprecation of Hardened Malloc support for usage outside of a Android / GrapheneOS context.
  • Security issues? No. Users can keep using Hardened Malloc (Default) or Hardened Malloc Light until the next major release (Kicksecure version 18) but it will be unsupported.
  • Architecture support: Limited. (HM supports AMD64 architecture only, which makes Kicksecure progress towards multiple architecture support such as ARM64 and PPC harder.)
  • Future: Is there any chance this package will get unarchived, maintained again in Kicksecure? No.
  • Forum discussion: https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/231archive.org

Introduction[edit]

Hardened Malloc (Default) is a hardened memory allocator which can be used with many applications to increase security.

This is a security-focused general purpose memory allocator providing the malloc API along with various extensions. It provides substantial hardening against heap corruption vulnerabilities. The security-focused design also leads to much less metadata overhead and memory waste from fragmentation than a more traditional allocator design. It aims to provide decent overall performance with a focus on long-term performance and memory usage rather than allocator micro-benchmarks. It offers scalability via a configurable number of entirely independently arenas, with the internal locking within arenas further divided up per size class.Daniel Micay, Hardened Malloc developer, founder and lead developer of GrapheneOSarchive.org, hardened_malloc project pagearchive.org

Readers who wish to discuss the integration of Hardened Malloc with Kicksecure should refer to this forum threadarchive.org.

Naming[edit]

The author of Hardened Malloc uses only the terms:

  • Hardened Malloc
  • Hardened Malloc Light

To distinguish better which version is used, this websites uses the terms:

  • Hardened Malloc (Default)
  • Hardened Malloc Light

This is unrelated to price. Both versions are Freedom Software, free as in price as well as in freedom.

Hardened Malloc Light is provided for cases in which Hardened Malloc (Default) cannot be used due to application specific issues. Hardened Malloc (Default) might trigger issues due to memory allocation bugs found in some applications.

Installation[edit]

Hardened Malloc (Default) is pre-installed.

How-to: Launch Applications with Hardened Malloc Default[edit]

Testers only! Warning: This is for testers-only!

Launch Specific Applications with Hardened Malloc Default[edit]

To launch chosen applications with Hardened Malloc (Default), the LD_PRELOAD environment variable must be edited before starting the application.

For example, to launch application-name in this way, run.

LD_PRELOAD='libhardened_malloc.so' application-name

Using administrative rights, example:

sudo LD_PRELOAD='libhardened_malloc.so' apt update

Launch Systemd Services with Hardened Malloc Default[edit]

To launch individual systemd services with Hardened Malloc (Default), add a drop-in systemd configuration snippet.

Environment="LD_PRELOAD='libhardened_malloc.so'"

Launch All Applications by Default with Hardened Malloc Default[edit]

It is possible to make all applications use Hardened Malloc (Default) as the default memory allocator.

Note:

  • If using a graphical desktop environment (such as Xfce): This action breaks the graphical desktop environment (Xorg). Most users using a graphical desktop environment (such as Xfce) should not proceed enabling Hardened Malloc (Default) for all applications. Only Hardened Malloc Light is suitable for that.
  • If using a command line interface (CLI) (no graphical desktop environment) (such as a server): This can be attempted! Testers only!

To configure this option, the path to the hardened_malloc.so library must be added to the /etc/ld.so.preload file. [1]

1. Open file /etc/ld.so.preload in an editor with root rights.

Kicksecure

See Open File with Root Rights The Web Archive Onion Version for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

sudoedit /etc/ld.so.preload

Kicksecure for Qubes

NOTES:

sudoedit /etc/ld.so.preload

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Kicksecure, please refer to this link.

sudoedit /etc/ld.so.preload

2. Add the hardened_malloc.so library.

Paste.

libhardened_malloc.so

3. Save the file.

4. Done.

The procedure is complete. Hardened Malloc Default has been enabled for all applications by default.

Disable Hardened Malloc per Application[edit]

In case Hardened Malloc Default/Light is enabled globally for all applications it is possible to disable it for select applications should that be required due to application incompatibilities.

Apply the following steps to disable Hardened Malloc Default/Light per application.

Prepend the ld-system-preload-disablearchive.org wrapper.

Syntax:

ld-system-preload-disable application

Example:

Notes:

  • This disabled all ld system preload. This only matters in case the user previously modified ld system preload configuration file /etc/ld.so.preload which the vast majority of users do not do.
  • Replace chromium with the actual application which should be started without ld system preload.

ld-system-preload-disable chromium

Issues[edit]

Incompatible Applications[edit]

Graphical Desktop Environment Xorg[edit]

Hardened Malloc (Default) Hardened Malloc Light
Kicksecure on the host Yes, functional. Yes, functional.
Kicksecure inside VirtualBox Xfce No, Xorg broken. Yes, functional.
Kicksecure inside VirtualBox CLI Yes, functional. (Not using Xorg.) Yes, functional. (Not using Xorg.)
Kicksecure inside KVM Yes, functional. Yes, functional.
Kicksecure for Qubes Yes, functional. (Not using Xorg.) Yes, functional. (Not using Xorg.)

TODO:

VirtualBox Host Software[edit]

Browsers[edit]

Firefox[edit]

Using Hardened Malloc Default/Light with Firefox is broken and unsupported. [3]

To start Firefox without Hardened Malloc, run.

ld-system-preload-disable firefox-esr

Tor Browser[edit]

Using Hardened Malloc Default/Light with Tor Browser is also is broken and unsupported. Same as above. This is because Tor Browser is based on Firefox. [4]

  • To start Tor Browser without Hardened Malloc:
    • Note: Adjust path Tor Browser's startup script start-tor-browser if you are using a different Tor Browser installation folder.
    • ld-system-preload-disable ~/.tb/tor-browser/Browser/start-tor-browser
  • If using Tor Browser Starter (package: tb-starter) by Whonix developers:
    • ld-system-preload-disable torbrowser

Chromium[edit]

Using Hardened Malloc Default/Light with Chromium is also is broken and unsupported. [5]

To start Tor Browser without Hardened Malloc, run.

ld-system-preload-disable chromium

Other Browsers[edit]

It is unknown whether other browsers can benefit from Hardened Malloc Default/Light.

Flatpak[edit]

Flatpak does not honor /etc/ld.so.preload. Therefore using Hardened Malloc with Flatpak applications is currently unsupported. [6]

Bug: Hardened Malloc Ignored by Flatpaksarchive.org

snap[edit]

snap is untested. Possibly has the same issue as Flatpak.

php[edit]

php command from php8.2-cli php package segfaults.

php

zsh: segmentation fault (core dumped)  php

To start PHP on the command line without Hardened Malloc, run.

ld-system-preload-disable php

If PHP is started by other applications such as a web server, it is currently untested if that is broken.

Others[edit]

Other applications might not easily benefit from Hardened Malloc Default/Light for the same reasons outlined in the browsers section above.

Whether an application can benefit from Hardened Malloc Default/Light or not depends on technical implementation details of the application in question. Vendors of applications will probably know if their application is compatible with Hardened Malloc Default/Light. Community wiki contributions are most welcome -- please post any additional vendor Q&As here.

workaround available[edit]

Slowdown of swap-file-creator at shutdown.

no workaround available[edit]

major issues:

minor issues:

Development Notes[edit]

Tickets and Discussions[edit]

Related Feature Requests Improving Integration Work[edit]

These are not caused by hardened malloc but instead are feature requests for other upstream projects which would ease integration.

Upstream Considerations of Hardened Malloc Deprecation for x86[edit]

Perhaps we'll give up on the partial support for using hardened_malloc outside of an Android-based OS, particularly since people don't seem to understand the difference between it and simply bolting on some hardening features to a traditional allocator design, I've already had the usual experience today.quotearchive.org Hardened Malloc upstream developer Daniel Micay, @thestingerarchive.org

How-to: Check Hardened Malloc Status[edit]

Check If Hardened Malloc is Enabled[edit]

Open the terminal and type either:

  • A): Using hardened-malloc-enabled-test. hardened-malloc-enabled-test
    • If enabled, should output should show:

      yes

  • B): For advanced users: Using systemcheck with command line parameter --verbose. systemcheck --verbose
    • If enabled, should output should include:

      [INFO] [systemcheck] Hardened Malloc: Hardened Malloc enabled.

Check If Hardened Malloc Default or Hardened Malloc Light is Enabled[edit]

hardened-malloc-type-test

Possible outputs:

  • none
  • default
  • light

Kicksecure Feature Default Status Information[edit]

(A) blocker, reason why Hardened Malloc is not enabled by default in Kicksecure yet is because it breaks browsers, which would be confusing.

Past Contributions[edit]

Credits and Source Code[edit]

The Hardened Malloc upstream source codearchive.org is maintained by security researcher, Daniel Micay.

This website is the software forkarchive.org homepage for Hardened Malloc, with a focus on easy installation, added user documentation, and integration with Kicksecure, Whonix®archive.org, Debian, and other distributions. The Kicksecure software fork source code can be found herearchive.org.

Footnotes[edit]

  1. glibcarchive.org feature request: /etc/ld.so.preload.d drop-in configuration folder supportarchive.org
  2. Tor Browser is also based on Firefox, therefore the following information equally applies to both, Tor Browser and Firefox.

    LD_PRELOAD='/path/to/libhardened_malloc.so' /path/to/program will do nothing or approximately nothing.

    The reason is recompilation is necessary.

    To successfully replace Firefox memory allocator you should either use LD_PRELOAD _with_ a --disable-jemalloc build OR Firefox's replace_malloc functionality: https://searchfox.org/mozilla-central/source/memory/build/replace_malloc.harchive.org

    Sources:

  3. crosvmarchive.org functions only if an option is specified at compile time

    • CrosVM ships with strict Seccomp policies that block syscalls not typically generated by CrosVM.
    • The hardened_malloc library generates calls a syscall for a random number generator, which will be blocked silently.
    • Append string getrandom: 1 to jail/seccomp/x86_64/common_device.policy, which permits the RNG syscall for all CrosVM devices.
    • Other getrandom: 1 entries must be removed from files in jail/seccomp/x86_64/*, as CrosVM will not compile with duplicate entries for devices.
    • Without this addition: if too much data is buffered at once by the serial console or NIC, the device subprocess will crash, and thus the rest of the virtual machine.
    • Without this addition, errors regarding seccomp violations for nr_random syscalls are detected in strace.Anonymously contributed wiki edit.
  4. Flatpak does not honor /etc/ld.so.preload. Viewing contents of /etc/ld.so.preload on the host operating system. cat /etc/ld.so.preload Expected output:
    libhardened_malloc-light.so
    

    Starting a shell inside a Flatpak application sandbox. This example uses org.chromium.Chromium and could be replaced with any other Flatpak application.

    flatpak run --command=sh org.chromium.Chromium

    Viewing contents of /etc/ld.so.preload inside the Flatpak sandbox.

    cat /etc/ld.so.preload

    Conclusion: File /etc/ld.so.preload does not exist inside the Flatpak sandbox.

    cat: /etc/ld.so.preload: No such file or directory
    

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!