Hardened Malloc Light

From Kicksecure
(Redirected from Hardened Malloc Kicksecure)
Jump to navigation Jump to search



Kicksecurehardenedmalloc.jpg

Hardened Malloc | Hardened Malloc Light

Introduction[edit]

Hardened Malloc is a hardened memory allocator which can be used with many applications to increase security.

According to the author's GitHub description: [1]

This is a security-focused general purpose memory allocator providing the malloc API along with various extensions. It provides substantial hardening against heap corruption vulnerabilities. The security-focused design also leads to much less metadata overhead and memory waste from fragmentation than a more traditional allocator design. It aims to provide decent overall performance with a focus on long-term performance and memory usage rather than allocator micro-benchmarks. It offers scalability via a configurable number of entirely independently arenas, with the internal locking within arenas further divided up per size class.

Default Hardened Malloc unfortunately cannot be globally enabled by default due to issues.

The development goal of Hardened Malloc Light is pre-installation by default.

Hardened Malloc Light uses different compile time options.

Both, Hardened Malloc and Hardened Malloc Light are already installed by default but not yet enabled by default.

Hardened Malloc Light is not yet enabled by default since there are still various known issues. Most notably, it breaks possibly VirtualBox host software crashes, which haven't been reproduced by testers yet.

Advanced users may still wish to use Hardened Malloc for specific high risk applications.

Before getting started with Hardened Malloc (Light) it is recommended to first test the host operating system using memtest86+ (link) since hardware issues with RAM might be more likely be resulting in system crashes with Hardened Malloc (Light) enabled. [2]

Forum development discussion:
https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/69

Enable[edit]

Testers only! Ambox warning pn.svg.png Warning: This is for testers-only!

Package hardened-malloc-light-enable [3] is provided as an easy way to enable Hardened Malloc Light globally.

Install hardened-malloc-light-enable.

1. Update the package lists.

sudo apt update

2. Upgrade the system.

sudo apt full-upgrade

3. Install the hardened-malloc-light-enable package.

Using apt command line parameter --no-install-recommends is in most cases optional.

sudo apt install --no-install-recommends hardened-malloc-light-enable

The procedure of installing hardened-malloc-light-enable is complete.

Disable[edit]

Hardened Malloc Light can be disabled either per application or globally.

Disable per Application[edit]

Apply the following steps to disable Hardened Malloc Light per application.

Prepend the ld-system-preload-disable wrapper.

Syntax:

ld-system-preload-disable application

Example:

Note: replace chromium with the actual application which should be started without ld system preload.

ld-system-preload-disable chromium

Disable Globally[edit]

Apply the following steps to globally disable Hardened Malloc Light.

If the system is still fully functional, the easiest way is to uninstall the hardened-malloc-light-enable package.

sudo apt purge hardened-malloc-light-enable

Otherwise...

1) Boot into recovery mode. Optional.

This is only required if the system is no longer bootable. In this case, refer to boot into recovery mode.

2) View the /etc/ld.so.preload file.

cat /etc/ld.so.preload

3) Remove /usr/lib/libhardened_malloc.so/libhardened_malloc-light.so from /etc/ld.so.preload.

If not using /etc/ld.so.preload for anything else. Warning: this removes all entries from /etc/ld.so.preload.

sudo rm /etc/ld.so.preload

Issues[edit]

workaround available[edit]

slowdown by swap-file-creator shutdown

chromium requires ld-system-preload-disable

  • https://bugs.debian.org/971876
    • workaround ld-system-preload-disable chromium ok
    • chromium from flathub also functional (Hardened Malloc Light is probably disregarded inside flatpak's bubblewrap based sandbox?)

no workaround available[edit]

Notes[edit]

Credits and Source Code[edit]

The original source software is maintained by security researcher, Daniel Micay.

This website is the software fork homepage for Hardened Malloc Light, with a focus on pre-installation by default in Whonix ™ and Kicksecure ™. The software fork source code can be found here. Continuous integration: travis CI

Footnotes[edit]

  1. https://github.com/GrapheneOS/hardened_malloc
  2. In the experience of Kicksecure ™ developer Patrick, the VirtualBox host software crashed with Hardened Malloc enabled with different error messages when faulty RAM banks where used compared to VirtualBox host software crashes with RAM banks that did not show any errors in memtest86+.
  3. https://gitlab.com/whonix/hardened_malloc/-/blob/master/debian/control#L42

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.


Your Advertisement Here | Investors


Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Kicksecure ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Kicksecure donate bitcoin.png Monero donate Kicksecure.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png

LIVE MODE: Host operating system or VM can be booted into Live Mode, using Host Live Mode or VM Live Mode.

Whonix Version View Edit
Kicksecure Version View Edit

https link onion link Priority Support | Investors | Professional Support

Kicksecure | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Kicksecure ™ project do not represent the project as a whole.