W10 Mandatory ASLR default

Thomas Wolff towo@towo.net
Wed Feb 14 07:17:00 GMT 2018


Am 14.02.2018 um 04:25 schrieb Brian Inglis:
> On 2018-02-12 21:58, Andreas Schiffler wrote:
>> Found the workaround (read: not really a solution as it leaves the system
>> vulnerable, but it unblocks cygwin)
>> - Go to Windows Defender Security Center - Exploit protection settings
>> - Disable System Settings - Force randomization for images (Mandatory ASLR) and
>> Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by
>> default"
>>
>> Now setup.exe works and can rebase everything; after that Cygwin Terminal starts
>> as a working shell without problems.
>>
>> @cygwin dev's - It seems one of the windows updates (system is on 1709 build
>> 16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
>> see
>> https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
>> for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old
>> thread about this topic here
>> https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html).
>> This change might have made it into the system as part of the security update
>> for Meltdown+Spectre (I am speculating), but that could explain why my cygwin
>> installation that worked fine before (i.e. mid-2017) stopped working suddenly
>> (beginning 2018). It would be good to devize a test for the setup.exe that
>> checks the registry (likely
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
>> for this state and alerts the user.
> I'm on W10 Home 1709/16299.192 (slightly older).
>
> Under Windows Defender Security Center/App & browser control/Exploit
> protection/Exploit protection settings/System settings/Force randomization for
> images (Mandatory ASLR) - "Force relocation of images not compiled with
> /DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
> (Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
> other settings are "On by default".
>
> Under Windows Defender Security Center/App & browser control/Exploit
> protection/Exploit protection settings/Program settings various .exes have 0-2
> system overrides of settings.
>
> I used the Export settings selection at the bottom to export the settings, which
> use the implied System settings defaults, and include the Program settings
> system overrides shown in the attached xml file.
>
> It may be useful if you could export your default and updated settings for
> comparison and information.
> It would be nice if one of the project volunteers with Windows threat mitigation
> knowledge could look at these, to see if there is a better approach.
>
> I expect to get updated the next time I restart, as I have been seeing
> notifications to that effect, and will not be surprised if my system startup
> Cygwin shell scripts fail.
I guess Andreas' suggestion is confirmed by 
https://github.com/mintty/wsltty/issues/6#issuecomment-361281467
Thomas

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list