[OpenWrt-Devel] Did they check security of OpenWrt?
vincent.wiemann at ironai.com
Tue Aug 20 18:40:54 EDT 2019
On 20.08.19 23:19, Rich Brown wrote:
> Yes, but... Virtually all the other vendors' firmware are "Linux distros" as well.
Stone-age Linux distros
> And if I understand the CITL scan process, it shows lots of bad build practices in the vendor firmware source code.
So they should do their magic with the Linux kernel's master and maybe they (unlikely) find vulnerabilities.
> Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware... Thanks.
As Dmitry said, OpenWrt is a state-of-the-art Linux distro and CVEs are addressed in a timely manner.
- Stack Guards
Issues mostly fixed in Kernel 4.12.
On the ToDo, but takes up to 30% more space for executables.
Full RELRO used by default
- Fortify SRC
Conservative mode used by default
- Non-Exec Stack
That's a matter of the Linux kernel and I don't know of any configuration options for that.
As far as I know, it's activated by default on all platforms for which there is proper support (x86-64, IA-32, SPARC, PowerPC). I think there is no support for ARM and MIPS.
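
An added example, not part of the original message or of OpenWrt's tooling: a static check for two of the properties listed above, the non-executable-stack marking (`PT_GNU_STACK`) and the RELRO segment (`PT_GNU_RELRO`), read from an ELF file's program headers. The function names are hypothetical and the two sample images are constructed inside the script.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO, PF_X = 0x6474E551, 0x6474E552, 0x1

def program_headers(elf: bytes):
    """Yield (p_type, p_flags) for each program header of an ELF32/ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        # p_flags sits at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        yield p_type, p_flags

def audit(elf: bytes) -> dict:
    """Report the stack marking and whether a RELRO segment is present."""
    stack = relro = None
    for p_type, p_flags in program_headers(elf):
        if p_type == PT_GNU_STACK:
            stack = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    # nx_stack is None when PT_GNU_STACK is absent (the loader then uses its default).
    # A RELRO segment means at least partial RELRO; full RELRO also needs BIND_NOW.
    return {"nx_stack": None if stack is None else not (stack & PF_X), "relro_segment": bool(relro)}

def make_elf32_be(phdrs):
    """Constructed sample: minimal big-endian ELF32 header plus program headers."""
    hdr = bytearray(52)
    hdr[:6] = b"\x7fELF\x01\x02"
    struct.pack_into(">I", hdr, 0x1C, 52)                 # e_phoff: right after header
    struct.pack_into(">HH", hdr, 0x2A, 32, len(phdrs))    # e_phentsize, e_phnum
    return bytes(hdr) + b"".join(struct.pack(">I20xI4x", t, f) for t, f in phdrs)

HARDENED = make_elf32_be([(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])  # stack RW, RELRO
LEGACY = make_elf32_be([(PT_GNU_STACK, 0x7)])                         # stack RWX

if __name__ == "__main__":
    print("hardened:", audit(HARDENED))
    print("legacy:  ", audit(LEGACY))
```

This reads only the markings the toolchain wrote into the binary; whether the stack is actually non-executable at run time still depends on kernel and CPU support for the platform.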