[OpenWrt-Devel] Did they check security of OpenWrt?

Rich Brown richb.hanover at gmail.com
Tue Aug 20 18:24:30 EDT 2019

> On Aug 20, 2019, at 5:32 PM, Rosen Penev <rosenp at gmail.com> wrote:
>> Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware...Thanks.
> OpenWrt uses several flags like -fstack-protector and format
> hardening...

Excellent! That covers a couple of the flags listed below. Can we say anything about any of the other tests?

> ... Issues are more nuanced than this though. These same people
> several months ago mentioned a serious ASLR weakness with MIPS.
> Patches went in the kernel for it.

Does this mean that snapshot builds (with current kernels) now protect against that MIPS vulnerability? What about the stable builds?

> There are probably more issues like
> those for different platforms.

> At the end of the day, most people use x86 and ARM. That's where most
> of the eyes are.

There are a lot of experts on various architectures on this list. Can they speak to other issues?

Late entry: I was going to volunteer to start a wiki page for this information, but I started to read the Security page (https://openwrt.org/docs/guide-developer/security <https://openwrt.org/docs/guide-developer/security>#os_and_package_hardening) and see that it speaks directly to these issues:

- the checksec.sh script seems to look for the flags mentioned below
- there's a list of build-hardening options for the compiler
- and more... 

What statements/assertions can we make about whether these are used to create release or snapshot builds? Thanks to all who can contribute info.


>>>> My questions were more about OpenWrt. How would our current builds stack up under the criteria used in the report's table? It listed:
>>>> - Stack Guards
>>>> - ASLR
>>>> - RELRO
>>>> - Fortify SRC
>>>> - Non-Exec Stack
>>>> And are there other security practices that we enforce that would make an OpenWrt system more secure?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20190820/bac46fdf/attachment.htm>
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list