Re: W10 Mandatory ASLR default

[Andreas Schiffler <aschiffler@ferzkopp.net>]

I'd say add a check and post a warning would the best solution.

A setup script shouldn't modify a users security setup, and even if the 
script were to reset the settings they wouldn't be active until after a 
reboot.

On 2/15/2018 10:41 PM, Brian Inglis wrote:
> On 2018-02-14 00:36, Andreas Schiffler wrote:
>> On 2/13/2018 11:17 PM, Thomas Wolff wrote:
>>> Am 14.02.2018 um 04:25 schrieb Brian Inglis:
>>>> On 2018-02-12 21:58, Andreas Schiffler wrote:
>>>>> Found the workaround (read: not really a solution as it leaves the system
>>>>> vulnerable, but it unblocks cygwin)
>>>>> - Go to Windows Defender Security Center - Exploit protection settings
>>>>> - Disable System Settings - Force randomization for images (Mandatory ASLR) and
>>>>> Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by
>>>>> default"
>>>>>
>>>>> Now setup.exe works and can rebase everything; after that Cygwin Terminal
>>>>> starts as a working shell without problems.
>>>>> @cygwin dev's - It seems one of the windows updates (system is on 1709 build
>>>>> 16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
>>>>> see
>>>>> https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
>>>>> for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old
>>>>> thread about this topic here
>>>>> https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html).
>>>>> It would be good to devize a test for the setup.exe that
>>>>> checks the registry (likely
>>>>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
>>>>> for this state and alerts the user.
>>>> I'm on W10 Home 1709/16299.192 (slightly older).
>>>> Under Windows Defender Security Center/App & browser control/Exploit
>>>> protection/Exploit protection settings/System settings/Force randomization for
>>>> images (Mandatory ASLR) - "Force relocation of images not compiled with
>>>> /DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
>>>> (Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
>>>> other settings are "On by default".
>>>> Under Windows Defender Security Center/App & browser control/Exploit
>>>> protection/Exploit protection settings/Program settings various .exes have 0-2
>>>> system overrides of settings.
>>>> It would be nice if one of the project volunteers with Windows threat mitigation
>>>> knowledge could look at these, to see if there is a better approach.
>>> I guess Andreas' suggestion is confirmed by
>>> https://github.com/mintty/wsltty/issues/6#issuecomment-361281467
>> Here is the registry state:
>> Mandatory ASLR off
>> Windows Registry Editor Version 5.00
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
>> "MitigationOptions"=hex:00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00
>> Mandatory ASLR on
>> Windows Registry Editor Version 5.00
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
>> "MitigationOptions"=hex:00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00
> Could setup be updated to reset Mandatory ASLR if the reg keys exist, or an
> /etc/postinstall/[0z]p_disable_mandatory_aslr.sh script do a check and reset?
>


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple