Hardened Malloc - Hardened Memory Allocator

Patrick · January 9, 2021, 4:24am

Added: Add test against Graphene hardened malloc. · openssh/openssh-portable@b744914 · GitHub

Patrick · January 9, 2021, 4:29am

Patrick · February 21, 2021, 4:45pm

Now in Whonix developers repository.

Patrick · March 11, 2021, 6:38pm

github.com/GrapheneOS/hardened_malloc

add test utility to check whether hardened malloc is in use or not

opened 06:38PM - 11 Mar 21 UTC

closed 12:29AM - 12 Mar 21 UTC

adrelanos

enhancement

Loading hardened malloc using `/etc/ld.so.preload`. But it's not easy to know if… that is functional in all environments (such as daemons started by systemd or inside chroot). To check if hardened malloc is in use or not it would be useful to have a simple command line utility. Could you please add such a utility? (Exit code zero vs non-zero.) Otherwise, is there some other easy way to detect if hardened malloc is in use or not?

Patrick · March 13, 2021, 9:11am

https://gitlab.com/whonix/helper-scripts/-/blob/master/usr/bin/hardened-malloc-enabled-test

https://gitlab.com/whonix/helper-scripts/-/blob/master/usr/bin/hardened-malloc-type-test

https://gitlab.com/whonix/systemcheck/-/blob/master/usr/lib/systemcheck/check_hardened_malloc.bsh

Patrick · March 13, 2021, 10:29pm

Wondering if hardend malloc can be combined with flatpak.

On the host:

cat /proc/$$/maps | grep malloc

[…] /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so

Run a shell for debugging purposes inside flatpak.

flatpak run --command=bash org.chromium.Chromium

See if hardend malloc Kcksecure is loaded.

cat /proc/$$/maps | grep malloc

No, it’s not.

Trying to ld preload hardened malloc Kicksecure using environment variable inside flatpak.

flatpak run --env=LD_PRELOAD=/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so org.chromium.Chromium

ERROR: ld.so: object ‘/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so’ from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.

Any ideas?

Not sure that makes sense for Chromium. Which allocator is more secure, Chromium’s built-in or Hardened Malloc (Kicksecure)?

But even if it doesn’t make sense for Chromium, would be useful to know generally for other applications from flatpak.

madaidan · March 17, 2021, 10:16pm

The file /usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so is likely not available from within the Flatpak sandbox.

hardened_malloc is more secure but you can’t just switch allocators with LD_PRELOAD since Chromium uses PartitionAlloc internally anyway, similar to Firefox with mozjemalloc.

Patrick · March 19, 2021, 12:22pm

telegram desktop failing with Hardened Malloc Kicksecure (on Qubes Debian template):

fatal allocator error: invalid free

madaidan · March 19, 2021, 2:05pm

I can’t reproduce this. At exactly which point does this happen? Immediately upon start of the app or when doing something (e.g. logging in, clicking on a chat, etc.)?

madaidan · March 19, 2021, 2:07pm

Actually, when preloading hardened_malloc with Telegram on my host, I got a different error:

fatal allocator error: sized deallocation mismatch (large)

Edit: using a newer hardened_malloc seems to have fixed that.

Patrick · March 19, 2021, 5:36pm

Yes. I do not see any GUI. Instantly outputs that in the terminal.

Patrick · March 29, 2021, 12:11pm

Patrick · March 31, 2021, 3:08pm

Patrick · April 10, 2021, 9:29pm

This was fixed upstream.

I git cherry-picked the commit and uploaded to Whonix developers repository.

Patrick · May 1, 2021, 10:41am

chromium feature request: consider using hardened malloc
https://bugs.chromium.org/p/chromium/issues/detail?id=1204783

madaidan · May 29, 2021, 4:01pm

I don’t think Chromium will seriously consider using it. Maybe they can take some ideas from it though.

Patrick · May 29, 2021, 5:29pm

Yes, I give that a less than 5% chance. But I suggested it for sake of completeness.

madaidan · May 30, 2021, 2:30am

grep alone is sufficient. No need for a pipe.

madaidan · May 30, 2021, 2:45am

Are these all the current blockers for enabling this globally?

cryptsetup slowing down due to a kernel bug.
Chromium dying due to a bug in the Debian patches.
Telegram dying due to an invalid free.
OpenSSH dying due to seccomp.

I can’t seem to reproduce the last two though. Can you verify that they’re still broken now?

madaidan · May 30, 2021, 1:12pm

I’ve discussed with Daniel and some others about how to workaround these.

We can patch hardened_malloc and build in a different malloc implementation (e.g. musl’s) that will be used as a fallback for specific apps. Or, we can change the file permissions of /etc/ld.so.preload so that an application cannot read it (and we don’t need to use bwrap). We can use ACLs for this:

addgroup --system disable-hardened-malloc
setfacl -m g:disable-hardened-malloc:- /etc/ld.so.preload
sudo -g disable-hardened-malloc cat /proc/self/maps
sudo -g disable-hardened-malloc chromium

To enable this by default, we could do something similar to hide-hardware-info and change the executable’s group and make it setgid. However, for some reason, Chromium errors out:

Running as root without --no-sandbox is not supported. See https://crbug.com/638180.

even though it’s not actually running as root. cryptsetup at boot also wouldn’t work with this since it runs as root and can bypass ACLs anyway.

Daniel also pointed out another glaring security issue in the Debian package that I’ll add to the wiki (it’s not a production build of Chromium so sandboxing, ASLR, etc. are crippled).