Hardened Malloc Kicksecure ™



Hardened Malloc is a hardened memory allocator which can be used with many applications to increase security.

According to the author's GitHub description: [1]

This is a security-focused general purpose memory allocator providing the malloc API along with various extensions. It provides substantial hardening against heap corruption vulnerabilities. The security-focused design also leads to much less metadata overhead and memory waste from fragmentation than a more traditional allocator design. It aims to provide decent overall performance with a focus on long-term performance and memory usage rather than allocator micro-benchmarks. It offers scalability via a configurable number of entirely independent arenas, with the internal locking within arenas further divided up per size class.

The original Hardened Malloc unfortunately cannot be globally enabled by default in Whonix ™ and Kicksecure ™ due to issues.

The development goal of Hardened Malloc Kicksecure ™ is pre-installation by default in Whonix ™ and Kicksecure ™.

Hardened Malloc Kicksecure ™ uses different compile time options.

Both Hardened Malloc and Hardened Malloc Kicksecure ™ are already installed by default in Whonix ™ and Kicksecure ™, but neither is enabled by default yet.

Hardened Malloc Kicksecure ™ is not yet enabled by default since there are still various known issues. Most notably, it breaks the OpenSSH server sshd on Debian buster based operating systems, which will be fixed in Debian bullseye and above. It possibly also causes VirtualBox host software crashes, which have not been reproduced by testers yet.

Advanced users may still wish to use Hardened Malloc for specific high risk applications.

Before getting started with Hardened Malloc (Kicksecure), it is recommended to first test the host operating system using memtest86+, since hardware issues with RAM might be more likely to result in system crashes with Hardened Malloc (Kicksecure) enabled. [2]


Testers only!

Package hardened-malloc-kicksecure-enable [3] is provided as an easy way to enable Hardened Malloc Kicksecure ™ globally.

Install hardened-malloc-kicksecure-enable.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the hardened-malloc-kicksecure-enable package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends hardened-malloc-kicksecure-enable

The procedure of installing hardened-malloc-kicksecure-enable is complete.


hardened-malloc-kicksecure can be disabled either per application or globally.

Disable per Application

Apply the following steps to disable hardened-malloc-kicksecure per application.

Prepend the ld-system-preload-disable wrapper to the command that starts the application.

ld-system-preload-disable application

Note: replace application with the actual application which should be started without ld system preload. For example, for chromium:

ld-system-preload-disable chromium

Disable Globally

Apply the following steps to globally disable hardened-malloc-kicksecure.

If the system is still fully functional, the easiest way is to uninstall the hardened-malloc-kicksecure-enable package.

sudo apt purge hardened-malloc-kicksecure-enable


1) Boot into recovery mode. Optional.

This is only required if the system is no longer bootable. In this case, refer to boot into recovery mode.

2) View the /etc/ file.

cat /etc/

3) Remove /usr/lib/ from /etc/

Only do this if /etc/ is not used for anything else. Warning: this removes all entries from /etc/

sudo rm /etc/
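
Step 3 deletes the whole file, which also drops any unrelated entries. The following added example (not part of the Whonix or Kicksecure documentation) removes a single entry and keeps the rest. It assumes a whitespace-separated list with optional "#" comment lines; the function name is hypothetical, and the file and library paths are arguments or placeholders because the page does not give them in full.

```shell
#!/bin/sh
# Added example: drop one library from a preload list file, keep the rest.
# Assumes a whitespace-separated list of library paths with optional "#"
# comment lines. File and library paths are arguments, not taken from the page.

# remove_preload_entry FILE LIBRARY
# Returns 0 if LIBRARY was removed, 1 if it was not listed (FILE untouched),
# 2 on error. FILE is deleted when nothing is left in it.
remove_preload_entry() {
    file=$1
    lib=$2
    [ -f "$file" ] || return 2
    tmp=$(mktemp "$file.XXXXXX") || return 2
    rc=0
    LIB=$lib awk '
        /^[ \t]*#/ { print; next }            # keep comment lines as they are
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == ENVIRON["LIB"]) { found = 1; continue }
                out = (out == "" ? $i : out " " $i)
            }
            if (out != "") print out
        }
        END { exit(found ? 0 : 1) }
    ' "$file" > "$tmp" || rc=$?
    if [ "$rc" -ne 0 ]; then
        rm -f "$tmp"
        return "$rc"
    fi
    if [ -s "$tmp" ]; then
        # mktemp creates the file 0600; restore world-readable permissions or
        # non-root processes can no longer read the remaining entries.
        chmod 644 "$tmp" && mv -f "$tmp" "$file" || return 2
    else
        rm -f "$tmp" "$file" || return 2
    fi
}

# Demo on a constructed file in a temporary directory (placeholder paths).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' \
    '/usr/lib/PLACEHOLDER/libhardened.so' \
    '/usr/lib/PLACEHOLDER/libother.so' > "$demo_dir/preload"
remove_preload_entry "$demo_dir/preload" '/usr/lib/PLACEHOLDER/libhardened.so'
cat "$demo_dir/preload"
rm -rf "$demo_dir"
```

On a real system, run it as root against the file viewed in step 2 and pass the exact library entry shown there.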


workaround available

slowdown by swap-file-creator shutdown

chromium requires ld-system-preload-disable

  • workaround: ld-system-preload-disable chromium works
  • chromium from flathub is also functional (hardened-malloc-kicksecure probably disregarded inside flatpak's bubblewrap based sandbox?)

no workaround available

breaks OpenSSH server sshd in Debian buster

  • Fixed in Debian bullseye / Whonix ™ 16. [4]

cryptsetup slowdown by factor ~ 6

might break Whonix ™ build process

  • TODO: test building Whonix ™ with hardened-malloc-kicksecure enabled

chromium crashes with hardened-malloc(-kicksecure) (requires disabling using ld-system-preload-disable)

VirtualBox crashes with hardened memory allocator Hardened Malloc on the host [5]


Credits and Source Code

The original source software is maintained by security researcher Daniel Micay.

This website is the homepage of the Hardened Malloc Kicksecure software fork, with a focus on pre-installation by default in Whonix ™ and Kicksecure ™. The software fork source code is publicly available. Continuous integration: Travis CI

