Hardened Malloc Guide
Overview
hardened_malloc is a security-focused memory allocator that provides substantial protection against vulnerabilities in dynamic memory management. It comes installed and enabled by default on CIQ’s RLC-H images (currently only for programs started as root).
It helps mitigate:
- Buffer Overflows: Prevents heap-based buffer overflow exploitation
- Use-After-Free: Detects and blocks use of freed memory
- Double-Free: Protects against freeing the same block twice
- Heap Corruption: Reduces risk of heap metadata corruption
- Sensitive Data Leakage: Zeroes memory on free to avoid data disclosure
Key Security Features
- Memory Isolation: Strict separation of allocations to limit overflow and corruption
- Quarantine: Freed memory is held in quarantine before reuse to make exploitation harder
- Randomization: Random allocation strategies complicate attacker predictability
- Zeroing Memory: Deallocated memory is cleared to prevent data leaks
Installing and Enabling hardened_malloc
RLC-H VM images already include hardened_malloc, with root-level programs using it by default.
To install hardened_malloc
sudo -s
dnf install hardened_malloc
(umask 077 && echo /usr/lib64/libhardened_malloc.so > /etc/ld.so.preload)
To enable hardened_malloc
To enable hardened_malloc for all programs (not just those started as root), run:
sudo chmod 644 /etc/ld.so.preload
Warning
Enabling for all programs can break certain software (e.g., PHP) and has substantial performance cost. CIQ does not currently recommend this.
To update hardened_malloc
sudo dnf update hardened_malloc
Note
These changes only affect newly started processes; a reboot ensures full system-wide effect.
Uninstalling hardened_malloc (Not Recommended)
If you need to disable and remove it:
sudo rm /etc/ld.so.preload
sudo dnf remove hardened_malloc
Reboot afterward for complete effect.
Application-Specific Enable/Disable
You can selectively enable or disable hardened_malloc for specific program invocations:
- Enable for one session:
LD_PRELOAD=/usr/lib64/libhardened_malloc.so bash
- Disable for one session:
LD_PRELOAD=/lib64/libc.so.6 bash
Validation and Testing
Check if hardened_malloc is loaded into a running program
grep hardened_malloc /proc/$$/maps
With $$ in the command, this checks whether hardened_malloc is loaded into the current shell. Substitute a numeric process ID in place of $$ and, if necessary, run the command via sudo to check another running program.
grep hardened_malloc /proc/<PID>/maps
Expected Output:
7fc0f529b000-7fc0f529d000 r--p 00000000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
7fc0f529d000-7fc0f52a3000 r-xp 00002000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
7fc0f52a3000-7fc0f52a5000 r--p 00008000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
7fc0f52a5000-7fc0f52a6000 r--p 00009000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
7fc0f52a6000-7fc0f52a7000 rw-p 0000a000 fd:01 1835242 /usr/lib64/libhardened_malloc.so
Check if hardened_malloc would be correctly loaded into a given program (e.g., into bash) from the current shell session
ldd $(which bash) | grep hardened_malloc
Expected output:
libhardened_malloc.so => /usr/lib64/libhardened_malloc.so (0x00007f1234567000)
Note
This sort of output (with the numeric addresses varying) indicates successful loading of hardened_malloc.
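The per-process check above can be extended to every running process, together with a check of who /etc/ld.so.preload applies to. The script below is an added example, not part of CIQ's documentation or tooling; it goes beyond the single-PID grep shown above, and the function names and the PROC_ROOT / PRELOAD_FILE overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit hardened_malloc coverage on a host.
# Function names and the PROC_ROOT / PRELOAD_FILE overrides are assumptions
# made for this example; run it via sudo to see other users' processes.
LIB=libhardened_malloc.so

# preload_scope FILE: who gets the library preloaded through FILE?
preload_scope() {
    [ -e "$1" ] || { echo disabled; return 0; }
    [ -r "$1" ] || { echo unreadable; return 0; }      # rerun via sudo
    grep -qF "$LIB" "$1" || { echo disabled; return 0; }
    # A root-owned mode 600 file (what the install step's umask 077 produces)
    # cannot be read by non-root processes; chmod 644 sets the world-read bit.
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo all-programs
    else
        echo root-only
    fi
}

# coverage PROC_ROOT: print "<pid> hardened|default <comm>" per process.
coverage() {
    for d in "${1:-/proc}"/[0-9]*; do
        # Unreadable maps (no privilege, or the process exited): skip.
        maps=$(cat "$d/maps" 2>/dev/null) || continue
        [ -n "$maps" ] || continue                     # kernel threads map nothing
        case $maps in
            *"$LIB"*) state=hardened ;;
            *)        state=default ;;
        esac
        echo "${d##*/} $state $(cat "$d/comm" 2>/dev/null)"
    done
}

# summary PROC_ROOT: print "hardened=N default=M".
summary() {
    coverage "$1" | awk '{ n[$2]++ }
        END { printf "hardened=%d default=%d\n", n["hardened"], n["default"] }'
}

echo "preload: $(preload_scope "${PRELOAD_FILE:-/etc/ld.so.preload}")"
summary "${PROC_ROOT:-/proc}"
```

Processes started before an install, update or removal still report their old state, which is why the page asks for a reboot to get full system-wide effect.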
Best Practices
- Keep Systems Updated: Always patch OS and software directly; hardened_malloc mitigates issues but is not a substitute for fixes.
- Update hardened_malloc Regularly: Ensure you get the latest security and compatibility improvements.
See Also
- LKRG Guide - Kernel runtime protection
- Control Tool Guide - Security facility management
- RLC-H Getting Started - Initial RLC-H setup
- RLC-H Overview - RLC-H overview
For additional technical details, consult the official documentation:
- /usr/share/doc/hardened_malloc/README.md - Complete hardened malloc documentation
- /usr/share/doc/hardened_malloc/LICENSE - License information
- /usr/share/doc/hardened_malloc/CREDITS - Contributors and credits
- GrapheneOS hardened malloc project