Security researcher, Daniel Micay has created hardened_malloc which is a hardened memory allocator that protects against heap corruption vulnerabilities.
It isn’t available in the Debian repos but is very easy to build and takes a few seconds. It can be used by changing the LD_PRELOAD variable. For example, to use it with the Tor Browser you should run
```
LD_PRELOAD="/usr/lib/libhardened_malloc.so" torbrowser
```
It can be configured globally in /etc/ld.so.preload but this breaks a few things like Xorg and man.
This sounds like it’d be good to add to Whonix. I haven’t tested this on Whonix myself though but it should work. It works fine on my host (Arch).
It can also be easily used with Firejail.
https://wiki.archlinux.org/index.php/Firejail#Use_With_hardened_malloc
Daniel Micay is very trusted and respected in the infosec community. He has put a lot of work into hardening Android and Linux in general. A lot of his patches have even been accepted upstream.
Edit by Patrick:
2 Likes
What are other options in this space? I’m familiar with Micay’s great work, but I’m curious what other advances/implementations are available.
What is the effect on Tor Browser fingerprinting? I think we should ask upstream about their opinion on this just in case.
EDIT:
Related ticket:
Ideally we would have them support this upstream so any TBB cross-arch support is automatically rolled in.
3 Likes
I don’t know any other hardened memory allocators. The ticket you linked seems to have some.
I doubt a website could access that kind of information. It seems unlikely but not impossible.
2 Likes
There is a related issue about Xorg and man.
opened 07:29PM - 10 May 19 UTC
closed 02:08AM - 11 May 19 UTC
I love what you're doing! I've been following your work since the previous OS that shall not be named.
On desktop Linux, the only issues I've seen are that Xorg refuses to start with the hardened malloc library preloaded, and man segfaults unless you disable seccomp for man with an application specific environment variable. Otherwise, even the dreaded systemd runs fine if an individual is insane enough to put the library in /etc/ld.so.preload.
For testing and production use, I plan on using it for internet facing applications on the desktop when not using Graphene on my phone. I've already found that hardened_malloc plays nice with the firejail seccomp sandbox - I wonder if firejail could somehow integrate this implementation and make it a baked in option someday?
Either way, for anyone else who wants to play with this on Arch:
https://aur.archlinux.org/packages/hardened-malloc-git/
It seems some syscalls just need to be added to the whitelist.
2 Likes
I’m not against it if you will be available to maintain it/deal with breakage and if it is simple to reverse it via an apt update to the default malloc until the breakage is fixed.
2 Likes
It’d probably be best to use it just for high-risk applications like the Tor Browser. I’d imagine using it system-wide would cause a lot of problems.
2 Likes
Agreed. That’s what my comments apply to.
2 Likes
I’ve just tested hardened_malloc with the Tor Browser on the Workstation and it works flawlessly.
There was just a compilation error due to Debian using an outdated GCC that is now resolved as I raised an issue on the github repo.
2 Likes
General system hardening guide?
It can be useful for SecBrowser and even Tor on the GW if we test for breakage. Perhaps assigned for bash instances if it detects it is installed. While we can’t/shouldn’t switch the entire system to it we can do this on a per process basis.
2 Likes
That sounds like a good idea although how would we get programs to use it by default? Would it need a bunch of wrappers?
1 Like
Hopefully not.
Issue: there are no stackable wrappers, see T634 write draft for stackable wrappers on debian-devel
Old, working for its purpose, covering much of user applications but not system applications:
Maybe /usr/lib/environment.d/*.conf would come to the rescue (much better than the above), as per environment.d?
Wondering if there is a systemd feature “set this environment variable for all systemd units”? Ask upstream systemd about it?
Or can we replace system default malloc?
Ask hardened malloc developer how to apply to everything or as much as possible?
1 Like
That would set it system-wide which we probably don’t want as it’ll break a lot of things.
Yes. You could add
```
Environment="LD_PRELOAD=/usr/lib/libhardened_malloc.so"
```
See systemd.exec
You can do that but that will break a lot of things.
1 Like
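A per-program wrapper of the kind the thread is asking about, as an added example rather than code from the thread or from the hardened_malloc project. It assumes the library path used above; HM_LIB and HM_DISABLE are hypothetical knobs, with HM_DISABLE=1 giving the quick switch back to the default malloc that was asked for earlier in the thread.

```shell
#!/bin/sh
# Added example: run one program with hardened_malloc via LD_PRELOAD.
# Assumes the library path used in the thread; HM_LIB and HM_DISABLE are
# hypothetical knobs of this wrapper, not part of hardened_malloc itself.
HM_LIB="${HM_LIB:-/usr/lib/libhardened_malloc.so}"

# Print the LD_PRELOAD value to use: hardened_malloc first, then whatever
# was already preloaded (for example by a sandbox), without duplicating it.
# Returns 1 if the library is missing or unreadable so the caller can fall
# back to the system malloc instead of failing to start the program.
hm_preload_value() {
    lib=$1
    existing=$2
    [ -r "$lib" ] || return 1
    case ":$existing:" in
        *":$lib:"*) printf '%s\n' "$existing" ;;          # already present
        "::")       printf '%s\n' "$lib" ;;               # nothing preloaded yet
        *)          printf '%s:%s\n' "$lib" "$existing" ;;
    esac
}

# Run the given command with hardened_malloc. HM_DISABLE=1 runs it with the
# default malloc, which is the reversal path when something breaks.
hm_run() {
    [ $# -gt 0 ] || { echo "usage: $0 PROGRAM [ARGS...]" >&2; return 2; }
    if [ "${HM_DISABLE:-0}" = 1 ]; then
        exec "$@"
    fi
    if value=$(hm_preload_value "$HM_LIB" "${LD_PRELOAD:-}"); then
        export LD_PRELOAD="$value"
        exec "$@"
    fi
    echo "hm_run: $HM_LIB not usable, starting $1 with the default malloc" >&2
    exec "$@"
}

# Only act when invoked with a command, e.g.: ./hm_run.sh torbrowser
if [ $# -gt 0 ]; then
    hm_run "$@"
fi
```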
Version 1 was released.
opened 01:57PM - 19 Jul 19 UTC
closed 03:12PM - 19 Jul 19 UTC
This project is over my head. During considerations of packaging it, I randomly found something.
```
checksec --file libhardened_malloc.so
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Full RELRO No canary found NX enabled DSO No RPATH No RUNPATH libhardened_malloc.so
```
```
hardening-check libhardened_malloc.so
libhardened_malloc.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
```
You tell me if worth fixing or pointless for this package. In case it's pointless, just close this ticket.
Considering packaging for Whonix.
2 Likes
0brand
July 19, 2019, 5:53pm
16
I didn’t really dive into it but setting sys-wide broke Tor Browser for me.
2 Likes
Does starting it directly by running /home/user/.tb/Browser/start-tor-browser break it? It probably broke something that /usr/bin/torbrowser does.
1 Like
0brand
July 19, 2019, 9:02pm
18
Reconfigured sys-wide malloc in a whonix-ws-15 TemplateVM and Tor Browser worked as expected. The previous issue was with a whonix-ws-14 based AppVM which had a “memory error” when starting Tor Browser (would not start) just after configuring hardened_malloc. I could always restore Whonix 14 templates from backup if you’d like.
3 Likes