X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:subject:to:references:from:message-id:date :mime-version:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=l/wNRllxUpRuvOox NzrumpuBZQt0G7nqF3jj1raHFZzK6sAwc+gIIyq2GnYNTN+dWckV1cCoiTP/XcAC VxsyTY0eZjknYNyGF9FXjhRMUOlpLlU5bVMNFjGS4nUZXiHmukiuUesXI4Jcalq9 +OBidOjUBuZUDtQDFAWIZDYrw6c= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:subject:to:references:from:message-id:date :mime-version:in-reply-to:content-type :content-transfer-encoding; s=default; bh=tOJmjiO9qdhtKewFoPfbaI vKIYg=; b=Uxw0azoRxeNqwRHmpm5dr+H9IbHejTzIGI/TwJFxoqmWBBZEI0fk4A inenHBFg0cjNu3MOW/b1UpgxoAxCKL7Um3hAlxb5WTAxONb+MHsCLKYlLWN0U9/g poAo84VmvicoECSTgHvvJBpF7E6QF962ihl2E6ycpaP3Qyxiz8wLQ= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=1.5 required=5.0 tests=AWL,BAYES_50,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS autolearn=no version=3.3.2 spammy=Editor, threat, W10, w10 X-HELO: mout.perfora.net Subject: Re: W10 Mandatory ASLR default To: cygwin AT cygwin DOT com References: <8297ddf5-5d06-c2b1-526b-16ca311749aa AT ferzkopp DOT net> <20180212164945 DOT GA2361 AT jbsupah> <890bb1f3-65b3-b9d8-fdaa-bb148cce4163 AT towo DOT net> <327030c8-7dfa-8e57-eb70-45e890f8aac2 AT SystematicSw DOT ab DOT ca> From: Andreas Schiffler Message-ID: <1a6ccf95-02ea-067c-82e6-54646face0ba@ferzkopp.net> Date: Sun, 18 Feb 2018 11:43:41 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <327030c8-7dfa-8e57-eb70-45e890f8aac2@SystematicSw.ab.ca> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-UI-Out-Filterresults: notjunk:1;V01:K0:TF+K04k3JzY=:76L6FG8dsFozHo3PpaX5Pc nrXsDPuWSDtVrYZn/F5FxqyZMbVno0rljbr77HtbiBnQ2i3uTdOwvlANzYhAVJw0zAqitothJ ABUO3k/y2zcpeOTE4jiYhSAQ0wViSDxZr8sRaGCn6uFjXk5We/Gs7Lb2NJKK1QkwIebX2SZcH qY/OBV2femsnKO83LKSkem1HqOfxiYwScme8tl/rGDUQm9OhMMxW/X3fPUuRryLUhtQKDmSzi OBJ36DZZ/W5cY5HISfFgJJaD/fyxlKo6ptjk5sXQNR0s0aAItzZv4GXiL1YuP/IFxgbzEoG3m wAy71mQe4G6cFrsbexz9lPdJ99UAe67ywcZM6Lwh60oEl6EEGlHROi/6tbBKMg16EbwW9WyxK 0VCEt4iHdMJswU1EtjezPQxUDCAa+n9puZCvX8ukxe//Ui8DdfQNfR86IFA8ja4w65HGf35Hv Z1VR+tZl2D20cLx+2C4MUwLZcvzJVPzz2uNSIPtfhQx1qmzi7RPEss1LVMy8E6GEavo3l1BRK LHMbS8SQao+psFs7bUi6inc9A4BzX7Bn2oTMn9KoRk3i52yRZVitZIlRYdTGxMgl5vyIQTrHK UjpNlWsJa96DHe0EsoyNSpJbbVl6U875ssK/3T1BVdPvh5/BhSpJuz6xjb6kO3H3FKFQIgrjb CkqTGbwkT90Jz0Z/GCAQnLeRGFhKIrV8mJJSCOK0tEQJz1cxVwY2cGqL3mqbuT105RSfjxuLe ilKjCDtuXLfVMiTwmQz4iiECJXgAr21T9dIuGuLO/4zQB4yFJS5EDKg/oRs= X-IsSubscribed: yes I'd say add a check and post a warning would the best solution. A setup script shouldn't modify a users security setup, and even if the script were to reset the settings they wouldn't be active until after a reboot. On 2/15/2018 10:41 PM, Brian Inglis wrote: > On 2018-02-14 00:36, Andreas Schiffler wrote: >> On 2/13/2018 11:17 PM, Thomas Wolff wrote: >>> Am 14.02.2018 um 04:25 schrieb Brian Inglis: >>>> On 2018-02-12 21:58, Andreas Schiffler wrote: >>>>> Found the workaround (read: not really a solution as it leaves the system >>>>> vulnerable, but it unblocks cygwin) >>>>> - Go to Windows Defender Security Center - Exploit protection settings >>>>> - Disable System Settings - Force randomization for images (Mandatory ASLR) and >>>>> Randomize memory allocations (Bottom-up ASLR) from "On by default" to "Off by >>>>> default" >>>>> >>>>> Now setup.exe works and can rebase everything; after that Cygwin Terminal >>>>> starts as a working shell without problems. >>>>> @cygwin dev's - It seems one of the windows updates (system is on 1709 build >>>>> 16299.214) might have changed my ASLR settings to "system wide mandatory" (i.e. >>>>> see >>>>> https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/ >>>>> for info) so that the cygwin DLLs don't work correctly anymore (i.e. see old >>>>> thread about this topic here >>>>> https://www.cygwin.com/ml/cygwin/2013-06/msg00092.html). >>>>> It would be good to devize a test for the setup.exe that >>>>> checks the registry (likely >>>>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]) >>>>> for this state and alerts the user. >>>> I'm on W10 Home 1709/16299.192 (slightly older). >>>> Under Windows Defender Security Center/App & browser control/Exploit >>>> protection/Exploit protection settings/System settings/Force randomization for >>>> images (Mandatory ASLR) - "Force relocation of images not compiled with >>>> /DYNAMICBASE" is "Off by default", whereas Randomize memory allocations >>>> (Bottom-up ASLR) - "Randomize locations for virtual memory allocations." and all >>>> other settings are "On by default". >>>> Under Windows Defender Security Center/App & browser control/Exploit >>>> protection/Exploit protection settings/Program settings various .exes have 0-2 >>>> system overrides of settings. >>>> It would be nice if one of the project volunteers with Windows threat mitigation >>>> knowledge could look at these, to see if there is a better approach. >>> I guess Andreas' suggestion is confirmed by >>> https://github.com/mintty/wsltty/issues/6#issuecomment-361281467 >> Here is the registry state: >> Mandatory ASLR off >> Windows Registry Editor Version 5.00 >> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel] >> "MitigationOptions"=hex:00,02,22,00,00,00,00,00,00,00,00,00,00,00,00,00 >> Mandatory ASLR on >> Windows Registry Editor Version 5.00 >> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel] >> "MitigationOptions"=hex:00,01,21,00,00,00,00,00,00,00,00,00,00,00,00,00 > Could setup be updated to reset Mandatory ASLR if the reg keys exist, or an > /etc/postinstall/[0z]p_disable_mandatory_aslr.sh script do a check and reset? > -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple