If we use hardened_malloc along with AppArmor or Firejail would we need to allow access to /usr/lib/libhardened_malloc.so in the AppArmor/Firejail profile?
Can someone test if it’s needed or not?
1 Like
I wonder if this is even possible due to the recent kernel hardening. Many of the things done for kernel hardening have a performance decrease and may obfuscate the results of any performance fingerprinting.
1 Like
At this point unless outside code contrbutors add this TBB it won’t happen. The ML discussion concludes that the added benefit of it for modern exploit techniques is negligible.
1 Like
Upstream recently released version 2.
Merged into GitHub - Kicksecure/hardened_malloc: Hardened Memory Allocator for many Applications to increase Security. Debian packaging fork only. Fork Homepage: https://www.whonix.org/wiki/Hardened_Malloc Upstream original: https://github.com/GrapheneOS/hardened_malloc and into all Whonix repositories except Whonix stable repository.
1 Like
I just tested it and yes it does.
Although, the majority of profiles allow access to /usr/lib which means we don’t have to do anything,
1 Like
Good candidate for upcoming
/etc/apparmor.d/abstractions/base.d
References:
2 Likes
The base abstraction allows access to all of /usr/lib already so I don’t see why it’d be needed for hardened_malloc.
1 Like
I’m testing hardened_malloc globally and there doesn’t actually seem to be much breakage. It might be ok to enable it globally by default on Whonix.
The only thing that seems to be breaking is the Tor Browser for some reason. I’ve narrowed down the issue to .tb/tor-browser/Browser/firefox (not Whonix’s torbrowser script).
This is weird since firefox uses it’s own malloc, mozjemalloc.
2 Likes
Last time I tested it, it broke X Window System. (No GUI come up.)
Done.
RFP: hardened-malloc – hardened memory allocator
Is it worth it? Due to…
This is too early. We shouldn’t be the “only” ones using hardened malloc. Would be much better if some people using Debian testing and/or Debian sid used hardened malloc. So bugs (applications refusing to start) are spotted by others than Whonix people and reported upstream. Whonix cannot be the only ones using it, bumping into issues, working on integration by being the “only” users. “The world doesn’t know about hardened malloc.”
There are zero discussions on debian.org about hardened malloc. “google” search term:
site:debian.org "hardened malloc"
Mozilla.
site:mozilla.org hardened malloc
glibc
site:https://gnu.org hardened malloc
glibc issue tracker:
https://sourceware.org hardened malloc
2 Likes
2 Likes
Packaging related enhancements:
Comparing 0.6-1...2.0.1-1 · Kicksecure/hardened_malloc · GitHub
- no longer depend on genmkfile, can be build using
dpkg-buildpackage -bor other standard Debian package build tools- therefore reset to upstream original
Makefile
- therefore reset to upstream original
- use version number by upstream
2.0- the last ocetot
2.0.1,2.0.2,2.0.3,2.0.15is for packaging changes. - the first part
2.0will only change as upstream releases new releases
- the last ocetot
2 Likes
Some decent conversation starting up I think it would be beneficial to “advertise” the security enhancements hardened_malloc offers. Also raise the issue of cross hardware platform support with Dan Micay because that is one big blocker glibc people have.
2 Likes
Relayed back feedback from glibc to Dan.
2 Likes
I’ve notified upstream about all postings just after these were created and before these got any replies.
Debian packaging · Issue #89 · GrapheneOS/hardened_malloc · GitHub
Not sure that is sufficient.
2 Likes
I asked him about the scudo allocator at risk of igniting a cyber firestorm, but I find his opinions valuable even if a bit crude in presentation sometimes.
2 Likes
Seems to work fine now.
That was only about mozjemalloc, not glibc and even then, it was going off what the guy on the mailing lists said which was then replied to by Daniel.
hardened_malloc has far superior security than other allocators.
He’s talked about scudo before.
https://twitter.com/search?l=&q=scudo%20from%3ADanielMicay&src=typd
2 Likes
2 Likes
Not the original intent of this issue but I realised it would help.
HardenedBSD also intends to use hardened_malloc.
2 Likes