Hardened Malloc - Hardened Memory Allocator

It’d probably be best to use it just for high-risk applications like the Tor Browser. I’d imagine using it system-wide would cause a lot of problems.

2 Likes

Agreed. That’s what my comments apply to.

2 Likes

I’ve just tested hardened_malloc with the Tor Browser on the Workstation and it works flawlessly.

There was just a compilation error due to Debian using an outdated GCC that is now resolved as I raised an issue on the github repo.

2 Likes

General system hardening guide?

It can be useful for SecBrowser and even Tor on the GW if we test for breakage. Perhaps assigned for bash instances if it detects it is installed. While we can’t/shouldn’t switch the entire system to it we can do this on a per process basis.

2 Likes

That sounds like a good idea although how would we get programs to use it by default? Would it need a bunch of wrappers?

1 Like

Hopefully not.
Issue: there are no stackable wrappers, see ⚓ T634 write draft for stackable wrappers on debian-devel

Old, working for its purpose, covering much of user applications but not system applications:

Maybe /usr/lib/environment.d/*.conf would come to rescue (much better than above) as per environment.d?

Wondering if there is a systemd feature “set this environment variable for all systemd units”? Ask upstream systemd about it?

Or can we replace system default malloc?

Ask hardened malloc developer how to apply to everything or as much as possible?

1 Like

That would set it system-wide which we probably don’t want as it’ll break a lot of things.

Yes. You could add

Environment="LD_PRELOAD='/usr/lib/libhardened_malloc.so'"

See systemd.exec

You can do that but that will break a lot of things.

1 Like

Whonix-Workstation Security - Whonix

1 Like

Version 1 was released.

Considering packaging for Whonix.

2 Likes

I didn’t realy dive into it but setting sys-wide broke Tor Browser for me.

2 Likes

Does starting it directly by running /home/user/.tb/Browser/start-tor-browser break it?

It probably broke something that /usr/bin/torbrowser does.

1 Like

Reconfigred sys-wide malloc in a whonix-ws-15 TemplateVM and Tor Browser worked as expected. The previous issue was with a whonix-ws-14 based AppVM which had a “memory error” when starting Tor Browser (would not start) just after configuring hardened_malloc. I could always restore Whonix 14 templates from backup if you’d like.

3 Likes
2 Likes
2 Likes
2 Likes
3 Likes
2 Likes

Package hardened-malloc is now available from Whonix testers repository. Will move to stable-proposed-updates and stable repository over time.

It installs its file to /usr/lib/libhardened_malloc.so/libhardened_malloc.so.

Package hardened-malloc will be installed by default in Whonix but not used by default for anything in Whonix (yet) since installation by default simplifies things but does not break things.

2 Likes

Moved to its own homepage.

And available from all Whonix repositories.

2 Likes

Notified upstream about the fork.

Debian packaging · Issue #89 · GrapheneOS/hardened_malloc · GitHub

2 Likes