[OpenWrt-Devel] Did they check security of OpenWrt?
richb.hanover at gmail.com
Tue Aug 20 11:34:23 EDT 2019
I don't know whether the article, or its underlying report from Cyber Independent Testing Lab - CITL, is a joke or not. (Although, I'll agree that any firmware using 18-year old kernels is on its face a security joke.)
My questions were more about OpenWrt. How would our current builds stack up under the criteria used in the report's table? It listed:
- Stack Guards
- Fortify SRC
- Non-Exec Stack
And are there other security practices that we enforce that would make an OpenWrt system more secure?
If OpenWrt compares favorably, it occurs to me that we could invite CITL to review OpenWrt builds (on hundreds of routers) and update their report...
> On Aug 20, 2019, at 9:43 AM, Vincent Wiemann <vincent.wiemann at ironai.com> wrote:
> Hi Rich,
> the article is a joke. I'm not talking about the researchers, but about citing a statement like:
> „However, those same firmware binaries did not employ other common security
> features like ASLR or stack guards, or did so only rarely,“
> Look at the source-code of the mentioned vendors. They partially use 18 years old kernel code and
> Telnet-like management interfaces.
> On 20.08.19 13:21, Rich Brown wrote:
>> Hi folks,
>> You've probably seen the Slashdot article about (lack of) security gains in router firmware. https://yro.slashdot.org/story/19/08/16/2050219/huge-survey-of-firmware-finds-no-security-gains-in-15-years The original article on Security Ledger is at: https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/
>> Two questions:
>> 1) Does anyone know if the researchers looked at OpenWrt?
>> 2) If not, how would OpenWrt stable or snapshot have fared in the analysis? Do we enable stack guards, ASLR, etc. on all builds?
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
More information about the openwrt-devel