Has anyone used hardened malloc ? Pros and cons

I am new to Arch and looking for ways to make my Manjaro installation secure. One interesting topic that I came across in the Security Page in Arch Wiki is the recommendation of using hardened malloc.

Does it replace all malloc functions on the system with hardened malloc ?

So has anyone used it ? Does it provide any benefits ? Does it give you a performance hit ?

What are you thoughts on this ?

Depending on how new you are (You only mention Manjaro, not your background):

  1. Seasoned Linux developer, wanting to become member of the Manjaro team and start testing by getting man to play nicely with hardened_malloc: Go for it! The Manjaro Team will welcome you!
  2. Manjaro user, doesn't even know that malloc() is memory allocation: Avoid it like the plague!

Oh, you're somewhere in-between? I'd advise it up to 1.1 and maybe 1.2, not for 1.3→1.9.

I wouldn't touch it with a 10-foot pole! (And I'm a 1.5 )

:innocent: :wink:

Well I am a developer but I am new to Linux. Is hardended_malloc needed to improve the security of your system ?

You mention that developers are using it. But my question is that is it needed if I want to secure my system ?

The reason I ask is because in comparison to Fedora which gives you certain security features enabled out of the box like SELinux. What does Manjaro give in this aspect ?

What do you mean by:

getting man to play nicely with hardened_malloc

You're a 1.6: Don't touch it with a 10 foot pole!

¯\_(ツ)_/¯

What is your threat model? Which threats do you hope to prevent with hardended_malloc?

2 Likes

Are you saying that for a normal user it is unnecessary to go through the trouble of hardened_malloc ? I mean is it overkill ?

As to threat model you can say the reason I want to do this is make all malloc operations as secure as possible. So that I don't have any buffer overflows or heap vulnerabilities. I don't even know whether I have ASLR on by default.

I apologize for being blunt, but I still don't understand what you mean to say.

Sorry was off the grid. Yes, for a normal user who does not have a server on the Internet, it's total overkill.

Once you start developing your own applications, please use it!

man is the most used application for all *nix pros or would-be pros (=Manual) and even that stops working if you do a sed 's/malloc/hardened_malloc/g' *.c...

Or to quote a cliché: With extraordinary security comes extraordinary responsibility...

:slight_smile:

1 Like

Yes, I think it is. Not all programs will work with it. So you have to carefully test and decide which one you want to start with LD_PRELOAD=... . Others might need a recompile with special options, otherwise hardened_malloc might have no effect.
But if you have time, want to experiment and don't need a stable system, go for it.

Then check it.

cat /proc/sys/kernel/randomize_va_space

https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
search for "randomize_va_space:"

1 Like

I am confused/curious as to why you think this. I would think that hardened_malloc is responsible for only the memory allocation, albeit in a secure way. It will still return allocated memory right ? So why do you think some applications wont work with it ?

MX Linux/Debian has hardening-runtime package that can just be installed with apt-get install hardening-runtime.

Does arch have something similar ? Will installing the linux-hardened package make a difference ?

The output of
cat /proc/sys/kernel/randomize_va_space

is 2

So I guess ASLR is enabled with heap randomization.

I guess so I am trying to understand how many security measures are can I pack in to my install before I break it.

What can I say I might be a Linux noob but I am paranoid one.

:smile:

1 Like

It's always about the use case:

  • if you have a server on the Internet: all these things matter.
  • If it's just a PC behing a NAT router: most of it is overkill, but hardened_malloc is especially dangerous. Take a full Cold System Backup

P.S. It's not because you're paranoid that they aren't out there to get you!

:stuck_out_tongue_winking_eye: :crazy_face:

This has nothing to do with hardened_malloc. It just sets some options to the kernel command line and add sysctl options. If you want to use them, add them to your config. No need to install a package for this.

2 Likes

Yes this has nothing to do with hardended_malloc but how do I go about adding them in my config ?
Anything in the Arch Wiki about this ?

add the Kernel options you want form the package to your grub GRUB_CMDLINE_LINUX_DEFAULT line in /etc/default/grub . Don't forget to run sudo update-grub after you changed the grub config file.

And put the sysctl config file form the package in /etc/sysctl.d , make sure it ends in .conf

Read up on what the options do, to avoid surprises.

Thank you so much for all your help.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Forum kindly sponsored by