Hardened Malloc Guide for RLC Pro Hardened
Overview
hardened_malloc is a security-focused memory allocator that provides substantial protection against vulnerabilities in dynamic memory management. It comes installed and enabled by default on CIQ’s RLC Pro Hardened images (currently only for programs started as root).
It helps mitigate:
- Buffer Overflows: Prevents heap-based buffer overflow exploitation
- Use-After-Free: Detects and blocks use of freed memory
- Double-Free: Protects against freeing the same block twice
- Heap Corruption: Reduces risk of heap metadata corruption
- Sensitive Data Leakage: Zeroes memory on free to avoid data disclosure
Key Security Features
- Memory Isolation: Strict separation of allocations to limit overflow and corruption
- Quarantine: Freed memory is held in quarantine before reuse to make exploitation harder
- Randomization: Random allocation strategies complicate attacker predictability
- Zeroing Memory: Deallocated memory is cleared to prevent data leaks
Installing and Enabling hardened_malloc
RLC Pro Hardened VM images already include hardened_malloc with root-level programs using it by default.
To install hardened_malloc
sudo -s
dnf install hardened_malloc
(umask 077 && echo /usr/lib64/libhardened_malloc.so > /etc/ld.so.preload)
To enable hardened_malloc
To enable hardened_malloc for all programs (not just those started as root) please run:
sudo chmod 644 /etc/ld.so.preload
To update hardened_malloc
sudo dnf update hardened_malloc
Uninstalling hardened_malloc (Not Recommended)
If you need to disable and remove it:
sudo rm /etc/ld.so.preload
sudo dnf remove hardened_malloc
Reboot afterward for complete effect.
Application-Specific Enable/Disable
You can selectively enable or disable hardened_malloc for specific program invocations:
- Enable for one session:
LD_PRELOAD=/usr/lib64/libhardened_malloc.so bash
- Disable for one session:
LD_PRELOAD=/lib64/libc.so.6 bash
Validation and Testing
Check if hardened_malloc is loaded into a running program
grep hardened_malloc /proc/$$/maps
With $$ in the command, this checks whether hardened_malloc is loaded into the current shell. Substitute a numeric process ID in place of $$ and if necessary run the command via sudo to check another running program.
grep hardened_malloc /proc/<PID>/maps
Expected Output:
7fc0f529b000-7fc0f529d000 r--p 00000000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
7fc0f529d000-7fc0f52a3000 r-xp 00002000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
7fc0f52a3000-7fc0f52a5000 r--p 00008000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
7fc0f52a5000-7fc0f52a6000 r--p 00009000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
7fc0f52a6000-7fc0f52a7000 rw-p 0000a000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
Check if hardened_malloc would be correctly loaded into a given program (e.g., into bash) from the current shell session
ldd $(which bash) | grep hardened_malloc
Expected output:
libhardened_malloc.so => /usr/lib64/libhardened_malloc.so (0x00007f1234567000)
hardened_malloc.Best Practices
- Keep Systems Updated: Always patch OS and software directly;
hardened_mallocmitigates issues but is not a substitute for fixes. - Update hardened_malloc Regularly: Ensure you get the latest security and compatibility improvements.
See Also
- LKRG Guide - Kernel runtime protection
- Control Tool Guide - Security facility management
- RLC Pro Hardened Getting Started - Initial RLC Pro Hardened setup
- RLC Pro Hardened Overview - RLC Pro Hardened overview
For additional technical details, consult the official documentation:
/usr/share/doc/hardened_malloc/README.md- Complete hardened malloc documentation/usr/share/doc/hardened_malloc/LICENSE- License information/usr/share/doc/hardened_malloc/CREDITS- Contributors and credits- GrapheneOS hardened malloc project