{{Header}}
{{#seo:
|description=Hardened Memory Allocator for many Applications to increase Security - installation from {{project_name_long}} repository
|image=Malloc423.jpg
}}
{{Title|title=
Hardened Malloc (Default)
}}
[[File:Malloc423.jpg|thumb]]
* [[Hardened Malloc|Hardened Malloc (Default)]]
* [[Hardened Malloc Light]]
{{intro|
Hardened Memory Allocator for many Applications to increase Security
}}
= Deprecation in Kicksecure =
Reasons:
* '''Not stable enough:''' Through testing and integration development in Kicksecure, the unresolveable [[#Issues]] being found, it has been determined that it will never be stable enough to be suitable for installation by default for all users.
* '''Unclear Benefit:''' See chapter [[#Tickets and Discussions]]. Whenever it has been suggested to other projects to port to Hardened Malloc (HM), it did not get favorable reviews from other developers.
* '''Lack of outreach by upstream:''' Upstream mentioned that others do not understand HM but also does not have time to engage with them.
* '''Potential future deprecation by upstream:''' [[#Upstream Considerations of Hardened Malloc Deprecation for x86|Upstream contemplated deprecation of Hardened Malloc support for usage outside of a Android / GrapheneOS context.]]
* '''Security issues?''' '''No.''' Users can keep using Hardened Malloc (Default) or Hardened Malloc Light until the next major release (Kicksecure version 18) but it will be [[unsupported]].
* '''Future:''' Is there any chance this package will get unarchived, maintained again in Kicksecure? No.
* '''Forum discussion:''' https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/231
= Introduction =
Hardened Malloc (Default) is a hardened memory allocator which can be used with many applications to increase security.
{{Quotation
|quote=This is a security-focused general purpose memory allocator providing the malloc API along with various extensions. It provides substantial hardening against heap corruption vulnerabilities. The security-focused design also leads to much less metadata overhead and memory waste from fragmentation than a more traditional allocator design. It aims to provide decent overall performance with a focus on long-term performance and memory usage rather than allocator micro-benchmarks. It offers scalability via a configurable number of entirely independently arenas, with the internal locking within arenas further divided up per size class.
|context=Daniel Micay, Hardened Malloc developer, founder and lead developer of [https://grapheneos.org/ GrapheneOS], [https://github.com/GrapheneOS/hardened_malloc hardened_malloc project page]
}}
Readers who wish to discuss the integration of Hardened Malloc with {{project_name_short}} should refer to [https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474 this forum thread].
= Naming =
The author of Hardened Malloc uses only the terms:
* Hardened Malloc
* Hardened Malloc Light
To distinguish better which version is used, this websites uses the terms:
* Hardened Malloc (Default)
* Hardened Malloc Light
This is unrelated to price. Both versions are Freedom Software, free as in price as well as in freedom.
Hardened Malloc Light is provided for cases in which Hardened Malloc (Default) cannot be used due to application specific issues. Hardened Malloc (Default) might trigger issues due to memory allocation bugs found in some applications.
= Installation =
Hardened Malloc (Default) is pre-installed.
= How-to: Launch Applications with Hardened Malloc Default =
{{Testers-only}}
== Launch Specific Applications with Hardened Malloc Default ==
To launch chosen applications with Hardened Malloc (Default), the LD_PRELOAD environment variable must be edited before starting the application.
For example, to launch application-name in this way, run.
{{CodeSelect|code=
LD_PRELOAD='libhardened_malloc.so' application-name
}}
Using administrative rights, example:
{{CodeSelect|code=
sudo LD_PRELOAD='libhardened_malloc.so' apt update
}}
== Launch Systemd Services with Hardened Malloc Default ==
To launch individual systemd services with Hardened Malloc (Default), add a drop-in systemd configuration snippet.
{{CodeSelect|code=
Environment="LD_PRELOAD='libhardened_malloc.so'"
}}
== Launch All Applications by Default with Hardened Malloc Default ==
It is possible to make all applications use Hardened Malloc (Default) as the default memory allocator.
Note:
* If using a graphical desktop environment (such as Xfce): This action breaks the graphical desktop environment (Xorg). Most users using a graphical desktop environment (such as Xfce) should not proceed enabling Hardened Malloc (Default) for all applications. Only [[Hardened Malloc Light]] is suitable for that.
* If using a command line interface (CLI) (no graphical desktop environment) (such as a server): This can be attempted! Testers only!
To configure this option, the path to the hardened_malloc.so library must be added to the /etc/ld.so.preload file. [
[https://www.gnu.org/software/libc/ ]glibc] feature request: [https://sourceware.org/bugzilla/show_bug.cgi?id=24913 /etc/ld.so.preload.d drop-in configuration folder support]
{{Box|text=
'''1.'''
{{Open with root rights|filename=
/etc/ld.so.preload
}}
'''2.''' Add the hardened_malloc.so library.
Paste.
{{CodeSelect|code=
libhardened_malloc.so
}}
'''3.''' Save the file.
'''4.''' Done.
The procedure is complete. Hardened Malloc Default has been enabled for all applications by default.
}}
== Disable Hardened Malloc per Application ==
In case Hardened Malloc Default/Light is enabled globally for all applications it is possible to disable it for select applications should that be required due to application incompatibilities.
Apply the following steps to disable Hardened Malloc Default/Light per application.
Prepend the [https://github.com/{{project_name_short}}/helper-scripts/blob/master/usr/bin/ld-system-preload-disable ld-system-preload-disable] wrapper.
Syntax:
{{CodeSelect|code=
ld-system-preload-disable application
}}
Example:
Notes:
* This disabled all ld system preload. This only matters in case the user previously modified ld system preload configuration file /etc/ld.so.preload which the vast majority of users do not do.
* Replace [[chromium]] with the actual application which should be started without ld system preload.
{{CodeSelect|code=
ld-system-preload-disable chromium
}}
= Issues =
== Incompatible Applications ==
=== Graphical Desktop Environment Xorg ===
{| class="wikitable"
|
!'''Hardened Malloc (Default)'''
!'''[[Hardened Malloc Light]]'''
|-
!{{project_name_short}} on the host
|{{Yes}}, functional.
|{{Yes}}, functional.
|-
!{{project_name_short}} inside VirtualBox Xfce
|{{No}}, Xorg broken.
|{{Yes}}, functional.
|-
!{{project_name_short}} inside VirtualBox CLI
|{{Yes}}, functional. (Not using Xorg.)
|{{Yes}}, functional. (Not using Xorg.)
|-
!{{project_name_short}} inside KVM
|{{Yes}}, functional.
|{{Yes}}, functional.
|-
!{{q_project_name_long}}
|{{Yes}}, functional. (Not using Xorg.)
|{{Yes}}, functional. (Not using Xorg.)
|-
|}
TODO:
* Xorg systemd drop in InaccessiblePaths=-/etc/ld.so.preload
* [https://forums.whonix.org/t/port-to-wayland/17380 port to Wayland]
=== VirtualBox Host Software ===
* '''A)''' Hardened Malloc on the host: [https://www.virtualbox.org/ticket/20107 VirtualBox crashes with hardened memory allocator Hardened Malloc on the host.] [
* https://www.virtualbox.org/wiki/VBoxMainLogging
* https://www.virtualbox.org/wiki/Core_dump
]
* '''B)''' Hardened Malloc inside a VM: However, using HM inside VirtualBox VMs is different. For that, see above wiki chapter.
=== Browsers ===
==== Firefox ====
Using Hardened Malloc Default/Light with Firefox is broken and [[unsupported]]. [
Tor Browser is also based on Firefox, therefore the following information equally applies to both, Tor Browser and Firefox.
]
LD_PRELOAD='/path/to/libhardened_malloc.so' /path/to/program will do nothing or approximately nothing.
The reason is recompilation is necessary.
To successfully replace Firefox memory allocator you should either use LD_PRELOAD _with_ a --disable-jemalloc build OR Firefox's replace_malloc functionality:
https://searchfox.org/mozilla-central/source/memory/build/replace_malloc.h
Sources:
* https://lists.torproject.org/pipermail/tor-dev/2019-August/013982.html
* https://lists.torproject.org/pipermail/tor-dev/2019-August/013990.html
To start Firefox without Hardened Malloc, run.
{{CodeSelect|code=
ld-system-preload-disable firefox-esr
}}
==== Tor Browser ====
Using Hardened Malloc Default/Light with Tor Browser is also is broken and [[unsupported]]. Same as above. This is because Tor Browser is based on Firefox. [
* https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/202
* https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42104
]
* To start Tor Browser without Hardened Malloc:
** Note: Adjust path Tor Browser's startup script start-tor-browser if you are using a different Tor Browser installation folder.
** {{CodeSelect|code=
ld-system-preload-disable ~/.tb/tor-browser/Browser/start-tor-browser
}}
* If using Tor Browser Starter (package: tb-starter) by Whonix developers:
** {{CodeSelect|code=
ld-system-preload-disable torbrowser
}}
==== Chromium ====
Using Hardened Malloc Default/Light with [[Chromium]] is also is broken and [[unsupported]]. [
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971876
** workaround ]ld-system-preload-disable chromium ok
** chromium from flathub also functional (Hardened Malloc Light is disregarded inside flatpak's bubblewrap based sandbox)
{{Quotation
|image=Deep-web-1106648640.jpg
|context=Anonymously contributed wiki edit.
|quote=[https://chromium.googlesource.com/chromiumos/platform/crosvm/ crosvm] functions only if an option is specified at compile time
* CrosVM ships with strict Seccomp policies that block syscalls not typically generated by CrosVM.
* The hardened_malloc library generates calls a syscall for a random number generator, which will be blocked silently.
* Append string getrandom: 1 to jail/seccomp/x86_64/common_device.policy, which permits the RNG syscall for all CrosVM devices.
* Other getrandom: 1 entries must be removed from files in jail/seccomp/x86_64/*, as CrosVM will not compile with duplicate entries for devices.
* Without this addition: if too much data is buffered at once by the serial console or NIC, the device subprocess will crash, and thus the rest of the virtual machine.
* Without this addition, errors regarding seccomp violations for nr_random syscalls are detected in strace.
}}
To start Tor Browser without Hardened Malloc, run.
{{CodeSelect|code=
ld-system-preload-disable chromium
}}
==== Other Browsers ====
It is unknown whether other browsers can benefit from Hardened Malloc Default/Light.
=== Flatpak ===
[[Install_Software#Flatpak|Flatpak]] does not honor /etc/ld.so.preload. Therefore using Hardened Malloc with Flatpak applications is currently [[unsupported]]. [
[[Install_Software#Flatpak|Flatpak]] does not honor ]/etc/ld.so.preload.
Viewing contents of /etc/ld.so.preload on the host operating system.
{{CodeSelect|code=
cat /etc/ld.so.preload
}}
Expected output:
libhardened_malloc-light.so
Starting a shell inside a Flatpak application sandbox. This example uses org.chromium.Chromium and could be replaced with any other Flatpak application.
{{CodeSelect|code=
flatpak run --command=sh org.chromium.Chromium
}}
Viewing contents of /etc/ld.so.preload inside the Flatpak sandbox.
{{CodeSelect|code=
cat /etc/ld.so.preload
}}
Conclusion: File /etc/ld.so.preload does not exist inside the Flatpak sandbox.
cat: /etc/ld.so.preload: No such file or directory
[https://forums.whonix.org/t/bug-hardened-malloc-ignored-by-flatpaks/18199 Bug: Hardened Malloc Ignored by Flatpaks]
=== snap ===
[[Install_Software#snap|snap]] is [[untested]]. Possibly has the same issue as [[#Flatpak|Flatpak]].
=== php ===
php command from php8.2-cli php package segfaults.
{{CodeSelect|code=
php
}}
zsh: segmentation fault (core dumped) php
To start PHP on the command line without Hardened Malloc, run.
{{CodeSelect|code=
ld-system-preload-disable php
}}
If PHP is started by other applications such as a web server, it is currently [[untested]] if that is broken.
=== Others ===
Other applications might not easily benefit from Hardened Malloc Default/Light for the same reasons outlined in the [[#Browsers|browsers]] section above.
Whether an application can benefit from Hardened Malloc Default/Light or not depends on technical implementation details of the application in question. Vendors of applications will probably know if their application is compatible with Hardened Malloc Default/Light. Community wiki contributions are most welcome -- please post any additional vendor Q&As here.
== workaround available ==
Slowdown of swap-file-creator at shutdown.
* related to above cryptsetup slowdown by factor ~ 7
* workaround OK https://github.com/{{project_name_short}}/swap-file-creator/commit/c65edf17f952ac4a296ae6a0aac5a10541579ff6
== no workaround available ==
major issues:
* cryptsetup slowdown by factor ~ 6
** reported upstream: [https://gitlab.com/cryptsetup/cryptsetup/-/issues/617 cryptsetup luksFormat slowdown of factor ~ 6 when using hardened memory allocator Hardened Malloc]
minor issues:
* Qubes issues (when using Debian based VMs inside Qubes OS):
** [https://github.com/QubesOS/qubes-issues/issues/6873 Installing Hardened Malloc and enforce enabling it will lead to duplication in Copy to VM & Move to VM]
** [https://github.com/QubesOS/qubes-issues/issues/7431 Memory issue founded by Hardened-Malloc - "icon-sender: segfault at ... libc-2.31.so"]
* element bug report: [https://github.com/vector-im/element-web/issues/21805 Memory issues detected by hardened malloc - libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)]
== Development Notes ==
=== Tickets and Discussions ===
* [https://www.gnu.org/software/libc/ glibc] feature request: [https://sourceware.org/bugzilla/show_bug.cgi?id=24913 /etc/ld.so.preload.d drop-in configuration folder support]
* glibc feature request: [https://sourceware.org/bugzilla/show_bug.cgi?id=26723 LD_ETC_IGNORE - environment variable to ignore /etc/ld.so.preload configuration file on a per-application basis]
* Debian glibc feature request: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945457 consider using hardened malloc (hardened memory allocator)]
* Debian request for packaging: [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945455 RFP: hardened-malloc -- hardened memory allocator]
* Qubes feature request: [https://github.com/QubesOS/qubes-issues/issues/7444 Hardened Malloc For Qubes OpenQA]
* chromium feature request: [https://bugs.chromium.org/p/chromium/issues/detail?id=1204783 consider using hardened malloc]
* https://sourceware.org/bugzilla/show_bug.cgi?id=25223
* Tor Browser feature request: [https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31440 consider using Hardened Malloc for better security in TBB]
* tor-dev mailing list: [https://lists.torproject.org/pipermail/tor-dev/2019-August/013989.html TBB Memory Allocator choice fingerprint implications]
=== Upstream Considerations of Hardened Malloc Deprecation for x86 ===
{{quotation
|quote=Perhaps we'll give up on the partial support for using hardened_malloc outside of an Android-based OS, particularly since people don't seem to understand the difference between it and simply bolting on some hardening features to a traditional allocator design,
I've already had the usual experience today.
|context=[https://github.com/QubesOS/qubes-issues/issues/4371#issuecomment-1912807801 quote] Hardened Malloc upstream developer [https://github.com/thestinger Daniel Micay, @thestinger]
}}
= How-to: Check Hardened Malloc Status =
== Check If Hardened Malloc is Enabled ==
Open the terminal and type either:
* '''A)''': Using hardened-malloc-enabled-test. {{CodeSelect|code=
hardened-malloc-enabled-test
}}
** If enabled, should output should show: yes
* '''B)''': For advanced users: Using [[systemcheck]] with command line parameter --verbose. {{CodeSelect|code=
systemcheck --verbose
}}
** If enabled, should output should include: [INFO] [systemcheck] Hardened Malloc: Hardened Malloc enabled.
== Check If Hardened Malloc Default or Hardened Malloc Light is Enabled ==
{{CodeSelect|code=
hardened-malloc-type-test
}}
Possible outputs:
* none
* default
* light
= Kicksecure Feature Default Status Information =
(A) blocker, reason why Hardened Malloc is not enabled by default in Kicksecure yet is because it [[#Browsers|breaks browsers]], which would be confusing.
= Credits and Source Code =
The [https://github.com/GrapheneOS/hardened_malloc Hardened Malloc upstream source code] is maintained by security researcher, Daniel Micay.
[[Hardened_Malloc|This website]] is the [https://en.wikipedia.org/wiki/Fork_(software_development) software fork] homepage for Hardened Malloc, with a focus on easy installation, added user documentation, and integration with [[About|{{project_name_short}}]], [https://www.whonix.org {{Whonix}}], Debian, and other distributions. The {{project_name_short}} software fork source code can be found [https://github.com/{{project_name_short}}/hardened_malloc here].
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]