Re: W10 Mandatory ASLR default

Sun, 18 Feb 2018 11:44:48 -0800 

I'd say add a check and post a warning would the best solution.
A setup script shouldn't modify a users security setup, and even if the 
script were to reset the settings they wouldn't be active until after a 
reboot.

On 2/15/2018 10:41 PM, Brian Inglis wrote:

On 2018-02-14 00:36, Andreas Schiffler wrote:

On 2/13/2018 11:17 PM, Thomas Wolff wrote:

Am 14.02.2018 um 04:25 schrieb Brian Inglis:

On 2018-02-12 21:58, Andreas Schiffler wrote:

Found the workaround (read: not really a solution as it leaves the system
vulnerable, but it unblocks cygwin)
- Go to Windows Defender Security Center - Exploit protection settings
- Disable System Settings - Force randomization for images (Mandatory ASLR) and
Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by
default"

Now setup.exe works and can rebase everything; after that Cygwin Terminal
starts as a working shell without problems.
@cygwin dev's - It seems one of the windows updates (system is on 1709 build
16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
see
https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old
thread about this topic here
https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html).
It would be good to devize a test for the setup.exe that
checks the registry (likely
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
for this state and alerts the user.

I'm on W10 Home 1709/16299.192 (slightly older).
Under Windows Defender Security Center/App & browser control/Exploit
protection/Exploit protection settings/System settings/Force randomization for
images (Mandatory ASLR) - "Force relocation of images not compiled with
/DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
(Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
other settings are "On by default".
Under Windows Defender Security Center/App & browser control/Exploit
protection/Exploit protection settings/Program settings various .exes have 0-2
system overrides of settings.
It would be nice if one of the project volunteers with Windows threat mitigation
knowledge could look at these, to see if there is a better approach.

I guess Andreas' suggestion is confirmed by
https://github.com/mintty/wsltty/issues/6#issuecomment-361281467

Here is the registry state:
Mandatory ASLR off
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00
Mandatory ASLR on
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00

Could setup be updated to reset Mandatory ASLR if the reg keys exist, or an
/etc/postinstall/[0z]p_disable_mandatory_aslr.sh script do a check and reset?



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


























					Reply via email to