X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:from:message-id:date
	:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=l/wNRllxUpRuvOox
	NzrumpuBZQt0G7nqF3jj1raHFZzK6sAwc+gIIyq2GnYNTN+dWckV1cCoiTP/XcAC
	VxsyTY0eZjknYNyGF9FXjhRMUOlpLlU5bVMNFjGS4nUZXiHmukiuUesXI4Jcalq9
	+OBidOjUBuZUDtQDFAWIZDYrw6c=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:subject:to:references:from:message-id:date
	:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=tOJmjiO9qdhtKewFoPfbaI
	vKIYg=; b=Uxw0azoRxeNqwRHmpm5dr+H9IbHejTzIGI/TwJFxoqmWBBZEI0fk4A
	inenHBFg0cjNu3MOW/b1UpgxoAxCKL7Um3hAlxb5WTAxONb+MHsCLKYlLWN0U9/g
	poAo84VmvicoECSTgHvvJBpF7E6QF962ihl2E6ycpaP3Qyxiz8wLQ=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=1.5 required=5.0 tests=AWL,BAYES_50,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS autolearn=no version=3.3.2 spammy=Editor, threat, W10, w10
X-HELO: mout.perfora.net
Subject: Re: W10 Mandatory ASLR default
To: cygwin AT cygwin DOT com
References: <8297ddf5-5d06-c2b1-526b-16ca311749aa AT ferzkopp DOT net> <CAJ1FpuMivfg+RKg3kDf8rt6n-Ky0Ami_5_HpGjbAMGpHgM57Tg AT mail DOT gmail DOT com> <e4b6f4cd-1fb2-5d4c-1f94-f8ca73bbfa1f AT ferzkopp DOT net> <20180212164945 DOT GA2361 AT jbsupah> <ec5eb9a0-b33e-5bc8-090d-db0c571d5846 AT ferzkopp DOT net> <dd3a6a82-19bb-eb84-51df-5d1cde39315f AT SystematicSw DOT ab DOT ca> <890bb1f3-65b3-b9d8-fdaa-bb148cce4163 AT towo DOT net> <aff8daa3-a958-acd2-66ca-579751981c9a AT ferzkopp DOT net> <327030c8-7dfa-8e57-eb70-45e890f8aac2 AT SystematicSw DOT ab DOT ca>
From: Andreas Schiffler <aschiffler AT ferzkopp DOT net>
Message-ID: <1a6ccf95-02ea-067c-82e6-54646face0ba@ferzkopp.net>
Date: Sun, 18 Feb 2018 11:43:41 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <327030c8-7dfa-8e57-eb70-45e890f8aac2@SystematicSw.ab.ca>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-UI-Out-Filterresults: notjunk:1;V01:K0:TF+K04k3JzY=:76L6FG8dsFozHo3PpaX5Pc nrXsDPuWSDtVrYZn/F5FxqyZMbVno0rljbr77HtbiBnQ2i3uTdOwvlANzYhAVJw0zAqitothJ ABUO3k/y2zcpeOTE4jiYhSAQ0wViSDxZr8sRaGCn6uFjXk5We/Gs7Lb2NJKK1QkwIebX2SZcH qY/OBV2femsnKO83LKSkem1HqOfxiYwScme8tl/rGDUQm9OhMMxW/X3fPUuRryLUhtQKDmSzi OBJ36DZZ/W5cY5HISfFgJJaD/fyxlKo6ptjk5sXQNR0s0aAItzZv4GXiL1YuP/IFxgbzEoG3m wAy71mQe4G6cFrsbexz9lPdJ99UAe67ywcZM6Lwh60oEl6EEGlHROi/6tbBKMg16EbwW9WyxK 0VCEt4iHdMJswU1EtjezPQxUDCAa+n9puZCvX8ukxe//Ui8DdfQNfR86IFA8ja4w65HGf35Hv Z1VR+tZl2D20cLx+2C4MUwLZcvzJVPzz2uNSIPtfhQx1qmzi7RPEss1LVMy8E6GEavo3l1BRK LHMbS8SQao+psFs7bUi6inc9A4BzX7Bn2oTMn9KoRk3i52yRZVitZIlRYdTGxMgl5vyIQTrHK UjpNlWsJa96DHe0EsoyNSpJbbVl6U875ssK/3T1BVdPvh5/BhSpJuz6xjb6kO3H3FKFQIgrjb CkqTGbwkT90Jz0Z/GCAQnLeRGFhKIrV8mJJSCOK0tEQJz1cxVwY2cGqL3mqbuT105RSfjxuLe ilKjCDtuXLfVMiTwmQz4iiECJXgAr21T9dIuGuLO/4zQB4yFJS5EDKg/oRs=
X-IsSubscribed: yes

I'd say add a check and post a warning would the best solution.

A setup script shouldn't modify a users security setup, and even if the 
script were to reset the settings they wouldn't be active until after a 
reboot.

On 2/15/2018 10:41 PM, Brian Inglis wrote:
> On 2018-02-14 00:36, Andreas Schiffler wrote:
>> On 2/13/2018 11:17 PM, Thomas Wolff wrote:
>>> Am 14.02.2018 um 04:25 schrieb Brian Inglis:
>>>> On 2018-02-12 21:58, Andreas Schiffler wrote:
>>>>> Found the workaround (read: not really a solution as it leaves the system
>>>>> vulnerable, but it unblocks cygwin)
>>>>> - Go to Windows Defender Security Center - Exploit protection settings
>>>>> - Disable System Settings - Force randomization for images (Mandatory ASLR) and
>>>>> Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by
>>>>> default"
>>>>>
>>>>> Now setup.exe works and can rebase everything; after that Cygwin Terminal
>>>>> starts as a working shell without problems.
>>>>> @cygwin dev's - It seems one of the windows updates (system is on 1709 build
>>>>> 16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e.
>>>>> see
>>>>> https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/
>>>>> for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old
>>>>> thread about this topic here
>>>>> https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html).
>>>>> It would be good to devize a test for the setup.exe that
>>>>> checks the registry (likely
>>>>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel])
>>>>> for this state and alerts the user.
>>>> I'm on W10 Home 1709/16299.192 (slightly older).
>>>> Under Windows Defender Security Center/App & browser control/Exploit
>>>> protection/Exploit protection settings/System settings/Force randomization for
>>>> images (Mandatory ASLR) - "Force relocation of images not compiled with
>>>> /DYNAMICBASE" is "Off by default", whereas Randomize memory allocations
>>>> (Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all
>>>> other settings are "On by default".
>>>> Under Windows Defender Security Center/App & browser control/Exploit
>>>> protection/Exploit protection settings/Program settings various .exes have 0-2
>>>> system overrides of settings.
>>>> It would be nice if one of the project volunteers with Windows threat mitigation
>>>> knowledge could look at these, to see if there is a better approach.
>>> I guess Andreas' suggestion is confirmed by
>>> https://github.com/mintty/wsltty/issues/6#issuecomment-361281467
>> Here is the registry state:
>> Mandatory ASLR off
>> Windows Registry Editor Version 5.00
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
>> "MitigationOptions"=hex:00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00
>> Mandatory ASLR on
>> Windows Registry Editor Version 5.00
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
>> "MitigationOptions"=hex:00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00
> Could setup be updated to reset Mandatory ASLR if the reg keys exist, or an
> /etc/postinstall/[0z]p_disable_mandatory_aslr.sh script do a check and reset?
>


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple