[OpenWrt-Devel] Did they check security of OpenWrt?

Alberto Bursi bobafetthotmail at gmail.com
Tue Aug 20 19:19:05 EDT 2019

On 20/08/19 23:19, Rich Brown wrote:
> Dmitry,
>> On Aug 20, 2019, at 11:58 AM, Dmitry Tunin <hanipouspilot at gmail.com> wrote:
>> Rich,
>> OpenWrt is a Linux distro. It has all security as any other one. All
>> CVE are timely addressed.
>> There is no need for special tests.
> Yes, but... Virtually all the other vendors' firmware are "Linux distros" as well. And if I understand the CITL scan process, it shows lots of bad build practices in the vendor firmware source code.
> Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware... Thanks.
> Rich

Vendor firmware aren't usually distros. They are not created by
assembling modular packages, they usually come from an SDK, which is a
"prebuilt Linux system" bundled with the cross-compiling toolchain, that
was assembled manually by the SoC manufacturer and allows the OEM to
have a working system where they only need to add their own
customizations (usually a web interface and such).

They are a "Linux From Scratch" system, while a distro is a modular
system made of packages assembled depending on need.

That said, OpenWrt's compile-time security functionality is defined here 
(where you find also some descriptions)


and by default

"gcc format-security" is enabled

"User space Stack-Smashing Protection" is set to "Regular"

"Kernel space Stack-Smashing Protection" is also set to "Regular"

"Enable buffer-overflows detection (FORTIFY_SOURCE)" is enabled and set 
to "Conservative"

"Enable RELRO protection"  is set to "Full"

"User space ASLR PIE compilation" is disabled by default

Userspace ASLR is enabled on the kernel config for most (all?) targets


This is the description of the feature in Linux upstream


KASLR (kernel side ASLR) is not enabled on any target.


Here is an upstream description of that


It's interesting to note how apparently upstream enables it by default 
on x86 and Arm at least (and others too I guess), while in OpenWrt this 
is still disabled.
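
Added example, not part of the original post and not OpenWrt or CITL code: a Python sketch of how a binary can be checked after the build for the userspace properties listed above (PIE, RELRO, non-executable stack, stack protector). The names `audit_elf` and `sample_elf` are hypothetical, the two sample images are constructed, and the stack-protector check is a symbol-name heuristic.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB

def audit_elf(data):
    """Return hardening properties recorded in an ELF image (32/64-bit, LE/BE)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = data[4] == 2, "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(e + "H", data, 16)
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", data, 54 if is64 else 42)
    relro = now = nx = False
    for i in range(phnum):
        ph = phoff + i * phentsize
        if is64:  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
            p_type, p_flags, p_off, p_filesz = struct.unpack_from(e + "IIQ16xQ", data, ph)
        else:     # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags
            p_type, p_off, p_filesz, p_flags = struct.unpack_from(e + "II8xI4xI", data, ph)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx = not p_flags & 1  # PF_X clear: stack is not executable
        elif p_type == PT_DYNAMIC:
            fmt, size = (e + "qQ", 16) if is64 else (e + "iI", 8)
            for off in range(p_off, p_off + p_filesz, size):
                tag, val = struct.unpack_from(fmt, data, off)
                if tag == DT_NULL:
                    break
                now = now or tag == DT_BIND_NOW or bool(  # DF_BIND_NOW=8, DF_1_NOW=1
                    (tag == DT_FLAGS and val & 8) or (tag == DT_FLAGS_1 and val & 1))
    return {"pie": e_type == 3,  # ET_DYN; shared libraries report it too
            "relro": "full" if relro and now else "partial" if relro else "none",
            "nx_stack": nx, "stack_protector": b"__stack_chk_fail" in data}

def sample_elf(e_type, dyn_tags, relro, stack_flags=6, extra=b""):
    """Constructed ELF64 LE image containing only the fields audit_elf reads."""
    segs = [(PT_DYNAMIC, 6), (PT_GNU_STACK, stack_flags)] + [(PT_GNU_RELRO, 4)] * relro
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type, 62, 1,
                      0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, fl, 64 + 56 * len(segs), 0, 0,
                                 len(dyn), len(dyn), 8) for t, fl in segs)
    return hdr + phdrs + dyn + extra

# Constructed samples: one shaped like the defaults listed above, one unhardened.
DEFAULTS_LIKE = sample_elf(2, [(DT_FLAGS, 8)], True, extra=b"__stack_chk_fail\0")
UNHARDENED = sample_elf(2, [], False, stack_flags=7)
```

On a real build tree, `audit_elf(open(path, "rb").read())` can be run over each installed binary. FORTIFY_SOURCE is not checked, since it cannot be read off these headers.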


