From: Brian Inglis <Brian.Inglis@SystematicSw.ab.ca>
To: cygwin@cygwin.com
Subject: Re: W10 Mandatory ASLR default (was: cygwin stopped working)
Date: Wed, 14 Feb 2018 03:25:00 -0000
Message-ID: <dd3a6a82-19bb-eb84-51df-5d1cde39315f@SystematicSw.ab.ca>
In-Reply-To: <ec5eb9a0-b33e-5bc8-090d-db0c571d5846@ferzkopp.net>

[-- Attachment #1: Type: text/plain, Size: 2770 bytes --]

On 2018-02-12 21:58, Andreas Schiffler wrote:
> Found the workaround (read: not really a solution as it leaves the system
> vulnerable, but it unblocks cygwin)
> - Go to Windows Defender Security Center - Exploit protection settings
> - Disable System Settings - Force randomization for images (Mandatory ASLR) and
> Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by
> default"
> 
> Now setup.exe works and can rebase everything; after that Cygwin Terminal starts
> as a working shell without problems.
> 
> @cygwin devs - It seems one of the Windows updates (system is on 1709 build
> 16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
> see
> https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
> for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old 
> thread about this topic here
> https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html). 
> This change might have made it into the system as part of the security update
> for Meltdown+Spectre (I am speculating), but that could explain why my cygwin
> installation that worked fine before (i.e. mid-2017) stopped working suddenly
> (beginning 2018). It would be good to devise a test for the setup.exe that
> checks the registry (likely
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
> for this state and alerts the user.
I'm on W10 Home 1709/16299.192 (slightly older).

Under Windows Defender Security Center/App & browser control/Exploit
protection/Exploit protection settings/System settings/Force randomization for
images (Mandatory ASLR) - "Force relocation of images not compiled with
/DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
(Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
other settings are "On by default".

Under Windows Defender Security Center/App & browser control/Exploit
protection/Exploit protection settings/Program settings various .exes have 0-2
system overrides of settings.

I used the Export settings selection at the bottom to export the settings, which
use the implied System settings defaults, and include the Program settings
system overrides shown in the attached xml file.

It may be useful if you could export your default and updated settings for
comparison and information.
It would be nice if one of the project volunteers with Windows threat mitigation
knowledge could look at these, to see if there is a better approach.

I expect to get updated the next time I restart, as I have been seeing
notifications to that effect, and will not be surprised if my system startup
Cygwin shell scripts fail.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

[-- Attachment #2: ExploitProtectionProgramSettingsSystemOverrides.xml --]
[-- Type: text/xml, Size: 3211 bytes --]

<?xml version="1.0" encoding="UTF-8"?>
<root>
  <SystemConfig></SystemConfig>
  <AppConfig Executable="DevicesFlow.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
  <AppConfig Executable="ExtExport.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
  <AppConfig Executable="ie4uinit.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
  <AppConfig Executable="ieinstal.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
  <AppConfig Executable="ielowutil.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
  <AppConfig Executable="ieUnatt.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
  <AppConfig Executable="iexplore.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
  <AppConfig Executable="MiracastView.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
  <AppConfig Executable="mscorsvw.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
  <AppConfig Executable="msfeedssync.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
  <AppConfig Executable="mshta.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
  <AppConfig Executable="ngen.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
  <AppConfig Executable="ngentask.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
  <AppConfig Executable="PresentationHost.exe">
    <DEP Enable="true" EmulateAtlThunks="false" OverrideDEP="false"></DEP>
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false" BottomUp="true" HighEntropy="true" OverrideBottomUp="false"></ASLR>
    <SEHOP Enable="true" TelemetryOnly="false" OverrideSEHOP="false"></SEHOP>
    <Heap TerminateOnError="true" OverrideHeap="false"></Heap>
  </AppConfig>
  <AppConfig Executable="PrintDialog.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
  <AppConfig Executable="PrintIsolationHost.exe"></AppConfig>
  <AppConfig Executable="runtimebroker.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
  <AppConfig Executable="splwow64.exe"></AppConfig>
  <AppConfig Executable="spoolsv.exe"></AppConfig>
  <AppConfig Executable="svchost.exe"></AppConfig>
  <AppConfig Executable="SystemSettings.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
</root>

[-- Attachment #3: Type: text/plain, Size: 219 bytes --]


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
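As an added example (not Cygwin project code, and not something posted in this thread), the check Andreas suggests for setup.exe can be sketched in Python: decode the MitigationOptions value under the Session Manager\kernel key the message names, and parse the Exploit Protection export format shown in the attachment above to list which programs carry a ForceRelocateImages override. Bit positions come from the PROCESS_CREATION_MITIGATION_POLICY_* constants in the Windows SDK; the assumption that the system-wide registry value shares that layout, the value name MitigationOptions, and the constructed sample inputs are marked in the code.

```python
r"""Decode Windows 10 Exploit Protection ASLR state (added example).

Covers the two places the thread points at: the exported Exploit
Protection XML (format as in the attached file) and the MitigationOptions
value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel.
"""
import struct
import xml.etree.ElementTree as ET

# Bit positions from the PROCESS_CREATION_MITIGATION_POLICY_* constants in
# the Windows SDK (winbase.h).  Each mitigation is a 2-bit field:
# bit N = ALWAYS_ON, bit N+1 = ALWAYS_OFF, neither set = system default.
FORCE_RELOCATE_IMAGES_SHIFT = 8    # Mandatory ASLR
BOTTOM_UP_ASLR_SHIFT = 16          # Bottom-up ASLR
HIGH_ENTROPY_ASLR_SHIFT = 20       # High-entropy ASLR (64-bit images)

# Value 3 is only defined for ForceRelocateImages (ALWAYS_ON_REQ_RELOCS:
# images that carry no relocation section are refused outright).
FIELD_STATES = {0: "default", 1: "on", 2: "off", 3: "on-req-relocs"}


def decode_field(options, shift):
    """State of one 2-bit mitigation field in a policy bitmask."""
    return FIELD_STATES[(options >> shift) & 0b11]


def decode_mitigation_options(raw):
    """Decode a MitigationOptions REG_BINARY value.

    Assumption: the system-wide value stores the same bitmask layout as the
    per-process policy, little-endian, ASLR fields in the first QWORD."""
    if len(raw) < 8:
        raise ValueError("MitigationOptions needs at least 8 bytes")
    (q0,) = struct.unpack_from("<Q", raw, 0)
    return {
        "ForceRelocateImages": decode_field(q0, FORCE_RELOCATE_IMAGES_SHIFT),
        "BottomUp": decode_field(q0, BOTTOM_UP_ASLR_SHIFT),
        "HighEntropy": decode_field(q0, HIGH_ENTROPY_ASLR_SHIFT),
    }


def mandatory_aslr_forced(raw):
    """True when images built without /DYNAMICBASE are relocated
    system-wide, the state that defeats Cygwin's rebased DLL layout."""
    state = decode_mitigation_options(raw)["ForceRelocateImages"]
    return state in ("on", "on-req-relocs")


def aslr_overrides(xml_text):
    """Per-program ASLR overrides from an Exploit Protection export:
    executable name -> ForceRelocateImages attribute ("true"/"false").
    Entries whose <AppConfig> has no <ASLR> element are omitted."""
    root = ET.fromstring(xml_text)
    return {
        app.get("Executable"): app.find("ASLR").get("ForceRelocateImages")
        for app in root.findall("AppConfig")
        if app.find("ASLR") is not None
    }


def read_live_mitigation_options():
    """Read the MitigationOptions value from the kernel key on the running
    machine.  Returns None off Windows or when the value is absent, which
    is the default (nothing forced) state."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            value, vtype = winreg.QueryValueEx(k, "MitigationOptions")
    except OSError:
        return None
    return bytes(value) if vtype == winreg.REG_BINARY else None


# Constructed sample: mandatory ASLR and bottom-up ASLR both forced on,
# i.e. the "On by default" state described earlier in the thread.
SAMPLE_FORCED = ((1 << FORCE_RELOCATE_IMAGES_SHIFT)
                 | (1 << BOTTOM_UP_ASLR_SHIFT)).to_bytes(8, "little")

# Two-entry excerpt of the attached export, for a stand-alone run.
SAMPLE_EXPORT = """<root>
  <SystemConfig></SystemConfig>
  <AppConfig Executable="DevicesFlow.exe">
    <ExtensionPoints DisableExtensionPoints="true" OverrideExtensionPoint="false"></ExtensionPoints>
  </AppConfig>
  <AppConfig Executable="iexplore.exe">
    <ASLR Enable="true" ForceRelocateImages="false" OverrideForceRelocateImages="false"></ASLR>
  </AppConfig>
</root>"""

if __name__ == "__main__":
    live = read_live_mitigation_options()
    print("live:", decode_mitigation_options(live) if live else "absent")
    print("sample:", decode_mitigation_options(SAMPLE_FORCED))
    print("overrides:", aslr_overrides(SAMPLE_EXPORT))
```

Run on a Windows machine it reports the live system-wide state (an absent value means nothing is forced); elsewhere it falls back to the constructed sample. A setup program wanting the alert Andreas describes would only need `mandatory_aslr_forced(read_live_mitigation_options() or bytes(8))`.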
