This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: W10 Mandatory ASLR default


I'd say add a check and post a warning would the best solution.

A setup script shouldn't modify a users security setup, and even if the script were to reset the settings they wouldn't be active until after a reboot.

On 2/15/2018 10:41 PM, Brian Inglis wrote:
On 2018-02-14 00:36, Andreas Schiffler wrote:
On 2/13/2018 11:17 PM, Thomas Wolff wrote:
Am 14.02.2018 um 04:25 schrieb Brian Inglis:
On 2018-02-12 21:58, Andreas Schiffler wrote:
Found the workaround (read: not really a solution as it leaves the system
vulnerable, but it unblocks cygwin)
- Go to Windows Defender Security Center - Exploit protection settings
- Disable System Settings - Force randomization for images (Mandatory ASLR) and
Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by
default"

Now setup.exe works and can rebase everything; after that Cygwin Terminal
starts as a working shell without problems.
@cygwin dev's - It seems one of the windows updates (system is on 1709 build
16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
see
https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old
thread about this topic here
https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html).
It would be good to devize a test for the setup.exe that
checks the registry (likely
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
for this state and alerts the user.
I'm on W10 Home 1709/16299.192 (slightly older).
Under Windows Defender Security Center/App & browser control/Exploit
protection/Exploit protection settings/System settings/Force randomization for
images (Mandatory ASLR) - "Force relocation of images not compiled with
/DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
(Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
other settings are "On by default".
Under Windows Defender Security Center/App & browser control/Exploit
protection/Exploit protection settings/Program settings various .exes have 0-2
system overrides of settings.
It would be nice if one of the project volunteers with Windows threat mitigation
knowledge could look at these, to see if there is a better approach.
I guess Andreas' suggestion is confirmed by
https://github.com/mintty/wsltty/issues/6#issuecomment-361281467
Here is the registry state:
Mandatory ASLR off
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00
Mandatory ASLR on
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00
Could setup be updated to reset Mandatory ASLR if the reg keys exist, or an
/etc/postinstall/[0z]p_disable_mandatory_aslr.sh script do a check and reset?



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]