W10 Mandatory ASLR default

Andreas Schiffler aschiffler@ferzkopp.net
Wed Feb 14 07:36:00 GMT 2018


Here is the registry state:

Mandatory ASLR off

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00


Mandatory ASLR on

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00


On 2/13/2018 11:17 PM, Thomas Wolff wrote:
> Am 14.02.2018 um 04:25 schrieb Brian Inglis:
>> On 2018-02-12 21:58, Andreas Schiffler wrote:
>>> Found the workaround (read: not really a solution as it leaves the system
>>> vulnerable, but it unblocks cygwin)
>>> - Go to Windows Defender Security Center - Exploit protection settings
>>> - Disable System Settings - Force randomization for images (Mandatory ASLR) and
>>> Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by
>>> default"
>>>
>>> Now setup.exe works and can rebase everything; after that Cygwin Terminal starts
>>> as a working shell without problems.
>>>
>>> @cygwin dev's - It seems one of the windows updates (system is on 1709 build
>>> 16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
>>> see
>>> https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
>>> for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old
>>> thread about this topic here
>>> https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html).
>>> This change might have made it into the system as part of the security update
>>> for Meltdown+Spectre (I am speculating), but that could explain why my cygwin
>>> installation that worked fine before (i.e. mid-2017) stopped working suddenly
>>> (beginning 2018). It would be good to devise a test for the setup.exe that
>>> checks the registry (likely
>>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
>>> for this state and alerts the user.
>> I'm on W10 Home 1709/16299.192 (slightly older).
>>
>> Under Windows Defender Security Center/App & browser control/Exploit
>> protection/Exploit protection settings/System settings/Force randomization for
>> images (Mandatory ASLR) - "Force relocation of images not compiled with
>> /DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
>> (Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
>> other settings are "On by default".
>>
>> Under Windows Defender Security Center/App & browser control/Exploit
>> protection/Exploit protection settings/Program settings various .exes have 0-2
>> system overrides of settings.
>>
>> I used the Export settings selection at the bottom to export the settings, which
>> use the implied System settings defaults, and include the Program settings
>> system overrides shown in the attached xml file.
>>
>> It may be useful if you could export your default and updated settings for
>> comparison and information.
>> It would be nice if one of the project volunteers with Windows threat mitigation
>> knowledge could look at these, to see if there is a better approach.
>>
>> I expect to get updated the next time I restart, as I have been seeing
>> notifications to that effect, and will not be surprised if my system startup
>> Cygwin shell scripts fail.
> I guess Andreas' suggestion is confirmed by 
> https://github.com/mintty/wsltty/issues/6#issuecomment-361281467
> Thomas
>
> -- 
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>
>
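
The check proposed in the thread (read MitigationOptions and alert the user), sketched as an added example; it is not code from this message or from Cygwin's setup.exe. It assumes the value's low DWORD uses the same 2-bit fields as the Windows SDK's PROCESS_CREATION_MITIGATION_POLICY_* flags, which matches the two exports above; all function names are hypothetical.

```python
import re

# Value lines copied from the two registry exports in the message above.
ASLR_OFF = r'"MitigationOptions"=hex:00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00'
ASLR_ON = r'"MitigationOptions"=hex:00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00'

# ASSUMPTION: bit offsets follow PROCESS_CREATION_MITIGATION_POLICY_* in the SDK.
FIELDS = {
    "mandatory_aslr": 8,      # "Force randomization for images"
    "bottom_up_aslr": 16,     # "Randomize memory allocations"
    "high_entropy_aslr": 20,
}
# 3 is ALWAYS_ON_REQ_RELOCS for the image field and reserved for the others.
STATES = {0: "default", 1: "on", 2: "off", 3: "other"}


def parse_mitigation_options(reg_text):
    """Return the MitigationOptions bytes from decoded .reg text, or None."""
    # regedit wraps long hex values with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    m = re.search(r'^"MitigationOptions"=hex(?:\([0-9a-f]+\))?:([0-9a-f,]*)\s*$',
                  text, re.I | re.M)
    if m is None:
        return None
    return bytes(int(b, 16) for b in m.group(1).split(",") if b)


def decode_aslr(raw):
    """Decode the ASLR-related 2-bit fields from the little-endian value."""
    low = int.from_bytes(raw[:8].ljust(8, b"\0"), "little")
    return {name: STATES[(low >> shift) & 3] for name, shift in FIELDS.items()}


def aslr_warning(reg_text):
    """Return a message when image relocation is forced system-wide, else None."""
    raw = parse_mitigation_options(reg_text)
    if raw is None:
        return None  # value absent: no system-wide override recorded
    if decode_aslr(raw)["mandatory_aslr"] in ("on", "other"):
        return ("Mandatory ASLR is forced on system-wide; "
                "Cygwin DLLs may not work until it is set to 'Off by default'.")
    return None


if __name__ == "__main__":
    for label, line in (("off", ASLR_OFF), ("on", ASLR_ON)):
        print(label, decode_aslr(parse_mitigation_options(line)), aslr_warning(line))
```

regedit writes .reg files as UTF-16; decode the file before passing its text to these functions.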





More information about the Cygwin mailing list