Hardened Malloc is a hardened memory allocator which can be used with many applications to increase security.
According to the author's GitHub description: 
This is a security-focused general purpose memory allocator providing the malloc API along with various extensions. It provides substantial hardening against heap corruption vulnerabilities. The security-focused design also leads to much less metadata overhead and memory waste from fragmentation than a more traditional allocator design. It aims to provide decent overall performance with a focus on long-term performance and memory usage rather than allocator micro-benchmarks. It offers scalability via a configurable number of entirely independently arenas, with the internal locking within arenas further divided up per size class.
Users of Debian (-based) Linux distributions other than Whonix or Kicksecure need to first add the Whonix APT repository, which is documented on the Whonix Packages for Debian Hosts wiki page. For other distributions, refer to the Hardened Malloc Manual Installation instructions.
How-to: Launch Applications with Hardened Malloc
To launch individual systemd services with hardened malloc, add a drop-in systemd configuration snippet.
To launch other applications with Hardened Malloc, the
LD_PRELOAD environment variable must be edited before starting the application. For example, to launch
application-name in this way, run.
All Applications by Default
Note: This action may break numerous applications such as man, apt or Xorg.
It is possible to make all applications use Hardened Malloc as the default memory allocator. To configure this option, the path to the
hardened_malloc.so library must be added to the
/etc/ld.so.preload file. 
It is unknown whether other browsers can benefit from Hardened Malloc.
Other applications might not easily benefit from Hardened Malloc for the same reasons outlined in the browsers section above.
Whether an application can benefit from Hardened Malloc or not depends on technical implementation details of the application in question. Vendors of applications will probably know if their application is compatible with Hardened Malloc. Community wiki contributions are most welcome -- please post any additional vendor Q&As here.
Credits and Source Code
This website [archive] is the software fork [archive] homepage for Hardened Malloc, with a focus on easy installation, added user documentation, and integration with Whonix, Kicksecure, Debian, and other distributions. The Whonix software fork source code can be found here [archive]. Continuous integration: travis CI [archive]
Hardened Malloc Kicksecure Fork
Forum development discussion:
hardened-malloc-kicksecure can be disabled either per application or globally.
Disable per Application
Apply the following steps to disable hardened-malloc-kicksecure per application.
ld-system-preload-disable wrapper. Example:
Apply the following steps to globally disable hardened-malloc-kicksecure.
1) Boot into recovery mode. Optional.
This is only required if the system is no longer bootable. In this case, refer to boot into recovery mode.
2) View the
If not using
/etc/ld.so.preload for anything else. Warning: this removes all entries from
sudo rm /etc/ld.so.preload
slowdown by swap-file-creator shutdown
- related to above cryptsetup slowdown by factor ~ 7
- workaround OK https://github.com/Whonix/swap-file-creator/commit/c65edf17f952ac4a296ae6a0aac5a10541579ff6 [archive]
chromium requires ld-system-preload-disable
- https://bugs.debian.org/971876 [archive]
- chromium from flathub also functional (hardened-malloc-kicksecure probably disregarded inside flatpak's bubblewrap based sandbox?)
no workaround available
breaks sshd in Debian buster
- https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/127 [archive]
- https://github.com/GrapheneOS/hardened_malloc/issues/97 [archive]
- workaround idea: https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/137 [archive]
cryptsetup slowdown by factor ~ 6
- reported upstream: cryptsetup luksFormat slowdown of factor ~ 6 when using hardened memory allocator Hardened Malloc [archive]
could break scripts / build process
- TODO: test building Whonix with hardened-malloc-kicksecure enabled
chromium crashes with hardened-malloc(-kicksecure) (requires disabling using
- https://bugs.debian.org/971876 [archive]
- glibc feature request: LD_ETC_IGNORE - environment variable to ignore /etc/ld.so.preload configuration file on a per-application basis [archive]
- https://github.com/GrapheneOS/hardened_malloc [archive]
- https://github.com/Whonix/hardened_malloc [archive]
/etc/ld.so.preload.ddrop-in configuration folder support [archive]
These browsers are all based on Firefox, therefore the following applies equally to each of them.
LD_PRELOAD='/path/to/libhardened_malloc.so' /path/to/program will do nothing or approximately nothing.
The reason is recompilation is necessary.
To successfully replace Firefox memory allocator you should either use LD_PRELOAD _with_ a --disable-jemalloc build OR Firefox's replace_malloc functionality: https://searchfox.org/mozilla-central/source/memory/build/replace_malloc.h [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)