Hardened Malloc (Default)
Hardened Memory Allocator for many Applications to increase Security
Deprecation in Kicksecure[edit]
Reasons:
- Not stable enough: Through testing and integration development in Kicksecure, the unresolveable #Issues being found, it has been determined that it will never be stable enough to be suitable for installation by default for all users.
- Unclear Benefit: See chapter #Tickets and Discussions. Whenever it has been suggested to other projects to port to Hardened Malloc (HM), it did not get favorable reviews from other developers.
- Lack of outreach by upstream: Upstream mentioned that others do not understand HM but also does not have time to engage with them.
- Potential future deprecation by upstream: Upstream contemplated deprecation of Hardened Malloc support for usage outside of a Android / GrapheneOS context.
- Security issues? No. Users can keep using Hardened Malloc (Default) or Hardened Malloc Light until the next major release (Kicksecure version 18) but it will be unsupported.
- Future: Is there any chance this package will get unarchived, maintained again in Kicksecure? No.
- Forum discussion: https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/231
Introduction[edit]
Hardened Malloc (Default) is a hardened memory allocator which can be used with many applications to increase security.
This is a security-focused general purpose memory allocator providing the malloc API along with various extensions. It provides substantial hardening against heap corruption vulnerabilities. The security-focused design also leads to much less metadata overhead and memory waste from fragmentation than a more traditional allocator design. It aims to provide decent overall performance with a focus on long-term performance and memory usage rather than allocator micro-benchmarks. It offers scalability via a configurable number of entirely independently arenas, with the internal locking within arenas further divided up per size class.
Daniel Micay, Hardened Malloc developer, founder and lead developer of GrapheneOS, hardened_malloc project page
Readers who wish to discuss the integration of Hardened Malloc with Kicksecure should refer to this forum thread.
Naming[edit]
The author of Hardened Malloc
uses only the terms:
Hardened Malloc
Hardened Malloc Light
To distinguish better which version is used, this websites uses the terms:
Hardened Malloc (Default)
Hardened Malloc Light
This is unrelated to price. Both versions are Freedom Software, free as in price as well as in freedom.
Hardened Malloc Light
is provided for cases in which Hardened Malloc (Default)
cannot be used due to application specific issues. Hardened Malloc (Default)
might trigger issues due to memory allocation bugs found in some applications.
Installation[edit]
Hardened Malloc (Default) is pre-installed.
How-to: Launch Applications with Hardened Malloc Default[edit]
Launch Specific Applications with Hardened Malloc Default[edit]
To launch chosen applications with Hardened Malloc (Default), the LD_PRELOAD
environment variable must be edited before starting the application.
For example, to launch application-name
in this way, run.
LD_PRELOAD='libhardened_malloc.so' application-name
Using administrative rights, example:
sudo LD_PRELOAD='libhardened_malloc.so' apt update
Launch Systemd Services with Hardened Malloc Default[edit]
To launch individual systemd services with Hardened Malloc (Default), add a drop-in systemd configuration snippet.
Environment="LD_PRELOAD='libhardened_malloc.so'"
Launch All Applications by Default with Hardened Malloc Default[edit]
It is possible to make all applications use Hardened Malloc (Default) as the default memory allocator.
Note:
- If using a graphical desktop environment (such as Xfce): This action breaks the graphical desktop environment (Xorg). Most users using a graphical desktop environment (such as Xfce) should not proceed enabling Hardened Malloc (Default) for all applications. Only Hardened Malloc Light is suitable for that.
- If using a command line interface (CLI) (no graphical desktop environment) (such as a server): This can be attempted! Testers only!
To configure this option, the path to the hardened_malloc.so
library must be added to the /etc/ld.so.preload
file. [1]
1.
Open file /etc/ld.so.preload
in an editor with root rights.
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/ld.so.preload
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/ld.so.preload
2. Add the hardened_malloc.so
library.
Paste.
libhardened_malloc.so
3. Save the file.
4. Done.
The procedure is complete. Hardened Malloc Default has been enabled for all applications by default.
Disable Hardened Malloc per Application[edit]
In case Hardened Malloc Default/Light is enabled globally for all applications it is possible to disable it for select applications should that be required due to application incompatibilities.
Apply the following steps to disable Hardened Malloc Default/Light per application.
Prepend the ld-system-preload-disable
wrapper.
Syntax:
ld-system-preload-disable application
Example:
Notes:
- This disabled all ld system preload. This only matters in case the user previously modified ld system preload configuration file
/etc/ld.so.preload
which the vast majority of users do not do. - Replace
chromium
with the actual application which should be started without ld system preload.
ld-system-preload-disable chromium
Issues[edit]
Incompatible Applications[edit]
Graphical Desktop Environment Xorg[edit]
Hardened Malloc (Default) | Hardened Malloc Light | |
---|---|---|
Kicksecure on the host | Yes, functional. | Yes, functional. |
Kicksecure inside VirtualBox Xfce | No, Xorg broken. | Yes, functional. |
Kicksecure inside VirtualBox CLI | Yes, functional. (Not using Xorg.) | Yes, functional. (Not using Xorg.) |
Kicksecure inside KVM | Yes, functional. | Yes, functional. |
Kicksecure for Qubes | Yes, functional. (Not using Xorg.) | Yes, functional. (Not using Xorg.) |
TODO:
- Xorg systemd drop in InaccessiblePaths=-/etc/ld.so.preload
- port to Wayland
VirtualBox Host Software[edit]
- A) Hardened Malloc on the host: VirtualBox crashes with hardened memory allocator Hardened Malloc on the host. [2]
- B) Hardened Malloc inside a VM: However, using HM inside VirtualBox VMs is different. For that, see above wiki chapter.
Browsers[edit]
Firefox[edit]
Using Hardened Malloc Default/Light with Firefox is broken and unsupported. [3]
To start Firefox without Hardened Malloc, run.
ld-system-preload-disable firefox-esr
Tor Browser[edit]
Using Hardened Malloc Default/Light with Tor Browser is also is broken and unsupported. Same as above. This is because Tor Browser is based on Firefox. [4]
- To start Tor Browser without Hardened Malloc:
- Note: Adjust path Tor Browser's startup script
start-tor-browser
if you are using a different Tor Browser installation folder. - ld-system-preload-disable ~/.tb/tor-browser/Browser/start-tor-browser
- Note: Adjust path Tor Browser's startup script
- If using Tor Browser Starter (package:
tb-starter
) by Whonix developers:- ld-system-preload-disable torbrowser
Chromium[edit]
Using Hardened Malloc Default/Light with Chromium is also is broken and unsupported. [5]
To start Tor Browser without Hardened Malloc, run.
ld-system-preload-disable chromium
Other Browsers[edit]
It is unknown whether other browsers can benefit from Hardened Malloc Default/Light.
Flatpak[edit]
Flatpak does not honor /etc/ld.so.preload
. Therefore using Hardened Malloc with Flatpak applications is currently unsupported. [6]
Bug: Hardened Malloc Ignored by Flatpaks
snap[edit]
snap is untested. Possibly has the same issue as Flatpak.
php[edit]
php
command from php8.2-cli
php package segfaults.
php
zsh: segmentation fault (core dumped) php
To start PHP on the command line without Hardened Malloc, run.
ld-system-preload-disable php
If PHP is started by other applications such as a web server, it is currently untested if that is broken.
Others[edit]
Other applications might not easily benefit from Hardened Malloc Default/Light for the same reasons outlined in the browsers section above.
Whether an application can benefit from Hardened Malloc Default/Light or not depends on technical implementation details of the application in question. Vendors of applications will probably know if their application is compatible with Hardened Malloc Default/Light. Community wiki contributions are most welcome -- please post any additional vendor Q&As here.
workaround available[edit]
Slowdown of swap-file-creator at shutdown.
- related to above cryptsetup slowdown by factor ~ 7
- workaround OK https://github.com/Kicksecure/swap-file-creator/commit/c65edf17f952ac4a296ae6a0aac5a10541579ff6
no workaround available[edit]
major issues:
- cryptsetup slowdown by factor ~ 6
minor issues:
- Qubes issues (when using Debian based VMs inside Qubes OS):
- element bug report: Memory issues detected by hardened malloc - libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
Development Notes[edit]
Tickets and Discussions[edit]
glibc
feature request:/etc/ld.so.preload.d
drop-in configuration folder supportglibc
feature request: LD_ETC_IGNORE - environment variable to ignore /etc/ld.so.preload configuration file on a per-application basis- Debian
glibc
feature request: consider using hardened malloc (hardened memory allocator) - Debian request for packaging: RFP: hardened-malloc -- hardened memory allocator
- Qubes feature request: Hardened Malloc For Qubes OpenQA
- chromium feature request: consider using hardened malloc
- https://sourceware.org/bugzilla/show_bug.cgi?id=25223
- Tor Browser feature request: consider using Hardened Malloc for better security in TBB
- tor-dev mailing list: TBB Memory Allocator choice fingerprint implications
Upstream Considerations of Hardened Malloc Deprecation for x86[edit]
Perhaps we'll give up on the partial support for using hardened_malloc outside of an Android-based OS, particularly since people don't seem to understand the difference between it and simply bolting on some hardening features to a traditional allocator design,
I've already had the usual experience today.
How-to: Check Hardened Malloc Status[edit]
Check If Hardened Malloc is Enabled[edit]
Open the terminal and type either:
- A): Using
hardened-malloc-enabled-test
. hardened-malloc-enabled-test- If enabled, should output should show:
yes
- If enabled, should output should show:
- B): For advanced users: Using systemcheck with command line parameter
--verbose
. systemcheck --verbose- If enabled, should output should include:
[INFO] [systemcheck] Hardened Malloc: Hardened Malloc enabled.
- If enabled, should output should include:
Check If Hardened Malloc Default or Hardened Malloc Light is Enabled[edit]
hardened-malloc-type-test
Possible outputs:
none
default
light
Kicksecure Feature Default Status Information[edit]
(A) blocker, reason why Hardened Malloc is not enabled by default in Kicksecure yet is because it breaks browsers, which would be confusing.
Credits and Source Code[edit]
The Hardened Malloc upstream source code is maintained by security researcher, Daniel Micay.
This website is the software fork homepage for Hardened Malloc, with a focus on easy installation, added user documentation, and integration with Kicksecure, Whonix®, Debian, and other distributions. The Kicksecure software fork source code can be found here.
Footnotes[edit]
- ↑
glibc
feature request:/etc/ld.so.preload.d
drop-in configuration folder support - ↑
- ↑
Tor Browser is also based on Firefox, therefore the following information equally applies to both, Tor Browser and Firefox.
LD_PRELOAD='/path/to/libhardened_malloc.so' /path/to/program will do nothing or approximately nothing.
The reason is recompilation is necessary.
To successfully replace Firefox memory allocator you should either use LD_PRELOAD _with_ a --disable-jemalloc build OR Firefox's replace_malloc functionality: https://searchfox.org/mozilla-central/source/memory/build/replace_malloc.h
Sources:
- ↑
- ↑
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971876
- workaround
ld-system-preload-disable chromium
ok - chromium from flathub also functional (Hardened Malloc Light is disregarded inside flatpak's bubblewrap based sandbox)
- workaround
crosvm functions only if an option is specified at compile time
- CrosVM ships with strict Seccomp policies that block syscalls not typically generated by CrosVM.
- The hardened_malloc library generates calls a syscall for a random number generator, which will be blocked silently.
- Append string
getrandom: 1
tojail/seccomp/x86_64/common_device.policy
, which permits the RNG syscall for all CrosVM devices. - Other
getrandom: 1
entries must be removed from files injail/seccomp/x86_64/*
, as CrosVM will not compile with duplicate entries for devices. - Without this addition: if too much data is buffered at once by the serial console or NIC, the device subprocess will crash, and thus the rest of the virtual machine.
- Without this addition, errors regarding seccomp violations for
nr_random
syscalls are detected in strace.
Anonymously contributed wiki edit. - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971876
- ↑
Flatpak does not honor
/etc/ld.so.preload
. Viewing contents of/etc/ld.so.preload
on the host operating system. cat /etc/ld.so.preload Expected output:libhardened_malloc-light.so
Starting a shell inside a Flatpak application sandbox. This example uses
org.chromium.Chromium
and could be replaced with any other Flatpak application.flatpak run --command=sh org.chromium.Chromium
Viewing contents of
/etc/ld.so.preload
inside the Flatpak sandbox.cat /etc/ld.so.preload
Conclusion: File
/etc/ld.so.preload
does not exist inside the Flatpak sandbox.cat: /etc/ld.so.preload: No such file or directory
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!