Hardened Malloc - Hardened Memory Allocator

Patrick · December 20, 2020, 12:19pm

Not sure.

DefaultEnvironment= is “not really global”. It’s “pretty good but not perfect”.

DefaultEnvironment= sets environment variables it for all systemd units [1] [2], virtual consoles but not for graphical X sessions. I don’t know why yet. This may or may not be fault of systemd. The login manager or X might unset environment variables.

It can be viewed using:

systemctl show-environment

I don’t know yet a (full) list of exceptions where DefaultEnvironment= is effectively, eventually ignored due to whatever cause.

However, DefaultEnvironment= might be be good enough for MAN_DISABLE_SECCOMP=1 man seccomp workaround. Implementing now.

[1] To add more potential exceptions… Individual systemd units using Environment= or EnvironmentFile= may or may not change this. Untested.
[2] Good enough for our use case as long as no APT related systemd units do this.

Patrick · December 20, 2020, 12:50pm

Patrick · December 20, 2020, 12:54pm

Patrick · December 20, 2020, 2:01pm

lintian is getting confused.

lintian  --suppress-tags testsuite-autopkgtest-missing --quiet --pedantic --info --display-info  "/home/user/whonix_binary/genmkfile-packages-result/helper-scripts_8.5-1_amd64.changes"

W: helper-scripts: manpage-has-bad-whatis-entry usr/share/man/man1/str_replace.1.gz

This breaks the build process. Probably happening due to lintian’s internal use of lexgrog.

env -i MAN_DISABLE_SECCOMP=1 lexgrog /usr/share/man/man1/nano.1.gz

/usr/share/man/man1/nano.1.gz: “nano - Nano’s ANOther editor, an enhanced free Pico clone”
0

env -i MAN_DISABLE_SECCOMP= lexgrog /usr/share/man/man1/nano.1.gz

lexgrog: zcat: Bad system call (core dumped)
…
1

I guess this is happening because lintian implicitly unsets MAN_DISABLE_SECCOMP environment variable. (It only sets LC_ALL.)

        delete local $ENV{$_}
          for grep { $_ ne 'PATH' && $_ ne 'TMPDIR' } keys %ENV;
        local $ENV{LC_ALL} = 'C.UTF-8';

        my @command = ('lexgrog', $file->unpacked_path);

Btw MAN_DISABLE_SECCOMP=0 does not really work to re-enable man seccomp for tesging purposes but MAN_DISABLE_SECCOMP= does.

Patrick · December 20, 2020, 2:07pm

Should be fixed by this workaround.

Patrick · December 20, 2020, 3:19pm

openssh-server (sshd) is broken indeed in Debian buster in combination with hardened-malloc-kicksecure. Tested just now.

github.com/GrapheneOS/hardened_malloc

seccomp-bpf filter violation in sshd

opened 05:12PM - 22 Aug 19 UTC

closed 11:25PM - 09 Oct 19 UTC

mike2307

upstream

After enabling the preload of the libhardened_malloc.so, I'm not able to login a…ny more via SSH. This is the case for a system running the Fedora 30 with all the latest updates as well as RHEL 7.7 with all the latest updates. What I've done: - Compiled libhardened_malloc.so with all default settings. - Installed into /usr/local/lib64/ - Created /etc/ld.so.preload with content /usr/local/lib64/libhardened_malloc.so - Created /etc/sysctl.d/51-hardened_malloc.conf with content vm.max_map_count = 524288 - Rebooted - Everything working normal - Trying to login via SSH from a different machine (where I'm getting _Connection closed by 192.168.0.10 port 22_) I looked through the logs after a failed login and could find something in /var/log/audit/audit.log on the server's side. ``` ... type=ANOM_ABEND msg=audit(1566493285.761:2070): auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=56568 comm="sshd" reason="memory violation" sig=31 ... type=USER_LOGIN msg=audit(1566493285.762:2074): pid=56567 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=192.168.0.20 terminal=ssh res=failed' ... ``` Please help. Must be caused by libhardened_malloc.so because removing it from /etc/ld.so.preload fixes the problem.

A potential workaround would be a systemd unit file drop in prepending ld-system-preload-disable in for ExecStart= etc. in front of sshd. Thoughts?

Patrick · December 20, 2020, 3:56pm

Patrick · December 20, 2020, 5:02pm

OpenSSH feature request: test compatibility with hardened memory allocator Hardened Malloc

madaidan · December 21, 2020, 7:38pm

It may work but sshd sets up its own sandbox that ld-system-preload-disable may conflict with.

Patrick · December 29, 2020, 1:26pm

VirtualBox bug report: VirtualBox crashes with hardened memory allocator Hardened Malloc on the host

Patrick · January 9, 2021, 4:24am

Added: Add test against Graphene hardened malloc. · openssh/openssh-portable@b744914 · GitHub

Patrick · January 9, 2021, 4:29am

Patrick · February 21, 2021, 4:45pm

Now in Whonix developers repository.

Patrick · March 11, 2021, 6:38pm

github.com/GrapheneOS/hardened_malloc

add test utility to check whether hardened malloc is in use or not

opened 06:38PM - 11 Mar 21 UTC

closed 12:29AM - 12 Mar 21 UTC

adrelanos

enhancement

Loading hardened malloc using `/etc/ld.so.preload`. But it's not easy to know if… that is functional in all environments (such as daemons started by systemd or inside chroot). To check if hardened malloc is in use or not it would be useful to have a simple command line utility. Could you please add such a utility? (Exit code zero vs non-zero.) Otherwise, is there some other easy way to detect if hardened malloc is in use or not?

Patrick · March 13, 2021, 9:11am

https://gitlab.com/whonix/helper-scripts/-/blob/master/usr/bin/hardened-malloc-enabled-test

https://gitlab.com/whonix/helper-scripts/-/blob/master/usr/bin/hardened-malloc-type-test

https://gitlab.com/whonix/systemcheck/-/blob/master/usr/lib/systemcheck/check_hardened_malloc.bsh

Patrick · March 13, 2021, 10:29pm

Wondering if hardend malloc can be combined with flatpak.

On the host:

cat /proc/$$/maps | grep malloc

[…] /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so

Run a shell for debugging purposes inside flatpak.

flatpak run --command=bash org.chromium.Chromium

See if hardend malloc Kcksecure is loaded.

cat /proc/$$/maps | grep malloc

No, it’s not.

Trying to ld preload hardened malloc Kicksecure using environment variable inside flatpak.

flatpak run --env=LD_PRELOAD=/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so org.chromium.Chromium

ERROR: ld.so: object ‘/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so’ from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

Any ideas?

Not sure that makes sense for Chromium. Which allocator is more secure, Chromium’s built-in or Hardened Malloc (Kicksecure)?

But even if it doesn’t make sense for Chromium, would be useful to know generally for other applications from flatpak.

madaidan · March 17, 2021, 10:16pm

The file /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so is likely not available from within the Flatpak sandbox.

hardened_malloc is more secure but you can’t just switch allocators with LD_PRELOAD since Chromium uses PartitionAlloc internally anyway, similar to Firefox with mozjemalloc.

Patrick · March 19, 2021, 12:22pm

telegram desktop failing with Hardened Malloc Kicksecure (on Qubes Debian template):

fatal allocator error: invalid free

madaidan · March 19, 2021, 2:05pm

I can’t reproduce this. At exactly which point does this happen? Immediately upon start of the app or when doing something (e.g. logging in, clicking on a chat, etc.)?

madaidan · March 19, 2021, 2:07pm

Actually, when preloading hardened_malloc with Telegram on my host, I got a different error:

fatal allocator error: sized deallocation mismatch (large)

Edit: using a newer hardened_malloc seems to have fixed that.