Tue Aug 20 18:40:54 EDT 2019

Hi Rich,

On 20.08.19 23:19, Rich Brown wrote:
> Yes, but... Virtually all the other vendors' firmware are "Linux distros" as well.
Stone-age Linux distros.

> And if I understand the CITL scan process, it shows lots of bad build practices in the vendor firmware source code.

So they should do their magic with the Linux kernel's master and maybe they (unlikely) find vulnerabilities.

> Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware...Thanks.

As Dmitry said, OpenWrt is a state-of-the-art Linux distro and CVEs are addressed timely.
See https://openwrt.org/docs/guide-developers/security

- Stack Guards

Issues mostly fixed in Kernel 4.12.


On the ToDo, but takes up to 30% more space for executables.

- RELRO

Full RELRO used by default

- Fortify SRC

Conservative mode used by default

- Non-Exec Stack

That's a matter of the Linux kernel and I don't know of any configuration options for that.
As far as I know, it's activated by default on all platforms for which there is proper support
(x86-64 IA-32 SPARC PowerPC). I think there is no support for ARM and MIPS.
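As an added example (not part of this thread and not OpenWrt or CITL code), the script below reads the ELF markers that correspond to the items discussed above: the PT_GNU_STACK flags that decide whether the stack is executable, the PT_GNU_RELRO segment plus the BIND_NOW dynamic flags that distinguish partial from full RELRO, ET_DYN as a PIE indicator, and a crude `__stack_chk_fail` string search as a stack-canary hint. It handles only little-endian ELF64 files, and `build_sample_elf()` is a constructed, non-loadable sample used solely to exercise the checker offline; pass a real binary path on the command line to inspect it.

```python
"""Report ELF-level hardening markers (NX stack, RELRO, PIE, canary hint).

Added example; assumes little-endian ELF64 input. The sample builder fabricates
just enough of an ELF image to exercise the checker and is not a loadable file.
"""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551   # segment whose p_flags describe the stack permissions
PT_GNU_RELRO = 0x6474E552   # region re-mapped read-only after relocation
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_DYN = 3                  # shared object / PIE executable
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                  # Elf64_Dyn  (16 bytes)


def check_hardening(data: bytes) -> dict:
    """Return {'nx_stack', 'relro', 'pie', 'canary_hint'} for an ELF64 LE image."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:          # EI_CLASS == ELFCLASS64, EI_DATA == LSB
        raise ValueError("only little-endian ELF64 is handled by this example")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)

    gnu_stack_flags = None
    has_relro_segment = False
    dyn_tags = {}
    for i in range(e_phnum):
        (p_type, p_flags, p_offset, _va, _pa, p_filesz,
         *_) = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro_segment = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic array until DT_NULL, collecting tag -> value.
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                d_tag, d_val = DYN.unpack_from(data, off)
                if d_tag == DT_NULL:
                    break
                dyn_tags[d_tag] = d_val

    bind_now = bool(DT_BIND_NOW in dyn_tags
                    or dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn_tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if has_relro_segment and bind_now:
        relro = "full"
    elif has_relro_segment:
        relro = "partial"
    else:
        relro = "none"

    # None means no PT_GNU_STACK at all; the loader then applies an
    # architecture-dependent default rather than an explicit NX request.
    nx_stack = None if gnu_stack_flags is None else not (gnu_stack_flags & PF_X)

    return {
        "nx_stack": nx_stack,
        "relro": relro,
        "pie": e_type == ET_DYN,              # shared libraries are ET_DYN too
        "canary_hint": b"__stack_chk_fail" in data,   # heuristic string search
    }


def build_sample_elf(exec_stack: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed sample: header, a few program headers and a tiny dynamic array."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    nph = 2 + (1 if relro else 0)
    dyn_off = EHDR.size + nph * PHDR.size
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdrs = [PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    phdrs.append(PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1, SysV
    ehdr = EHDR.pack(ident, ET_DYN, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, nph, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_hardening(fh.read()))
    else:
        print(check_hardening(build_sample_elf(exec_stack=False, relro=True, bind_now=True)))
```

The canary check is only a hint: a dynamically linked binary built with `-fstack-protector` references `__stack_chk_fail` through its dynamic string table, but a static binary or one with stripped imports can defeat the string search, so confirm with the symbol table when it matters.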


