[OpenWrt-Devel] Did they check security of OpenWrt?
bobafetthotmail at gmail.com
Tue Aug 20 19:19:05 EDT 2019
On 20/08/19 23:19, Rich Brown wrote:
>> On Aug 20, 2019, at 11:58 AM, Dmitry Tunin <hanipouspilot at gmail.com> wrote:
>> OpenWrt is a Linux distro. It has all security as any other one. All
>> CVE are timely addressed.
>> There is no need for special tests.
> Yes, but... Virtually all the other vendors' firmware are "Linux distros" as well. And if I understand the CITL scan process, it shows lots of bad build practices in the vendor firmware source code.
> Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware...Thanks.
Vendor firmwares aren't usually distros. They are not created by
assembling modular packages, they usually come from an SDK,
which is a "prebuilt Linux system" bundled with the cross-compiling
toolchain, that was assembled manually by the SoC manufacturer
and allows the OEM to have a working system where they only need to add
their own customizations (usually a web interface and such).
They are a "Linux From Scratch" system, while a distro is a modular
system made of packages assembled depending on need.
That said, OpenWrt's compile-time security functionality is defined here
(where you will also find some descriptions), and by default:
"gcc format-security" is enabled
"User space Stack-Smashing Protection" is set to "Regular"
"Kernel space Stack-Smashing Protection" is also set to "Regular"
"Enable buffer-overflows detection (FORTIFY_SOURCE)" is enabled and set
"Enable RELRO protection" is set to "Full"
"User space ASLR PIE compilation" is disabled by default
Userspace ASLR is enabled in the kernel config for most (all?) targets.
This is the description of the feature in Linux upstream
KASLR (kernel-side ASLR) is not enabled on any target.
Here is an upstream description of that.
It's interesting to note how apparently upstream enables it by default
on x86 and Arm at least (and others too I guess), while in OpenWrt this
is still disabled.
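Added example, not from the thread or the OpenWrt project: a minimal ELF64 reader that checks whether a built userspace binary actually carries three of the settings listed above (PIE, a non-executable stack, and partial vs. full RELRO, where "full" means the linker emitted a GNU_RELRO segment and the dynamic section requests BIND_NOW). The sample image it checks is constructed in code; FORTIFY_SOURCE and the stack protector need symbol-table inspection and are not covered here.

```python
"""Report PIE, NX-stack and RELRO status of a little-endian ELF64 image."""
import struct

# Constants from the ELF specification (elf.h)
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 1, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool, 'relro': 'none'|'partial'|'full'}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)      # stack segment mapped without execute permission
        elif p_type == PT_GNU_RELRO:
            relro = True                   # linker marked a region read-only after relocation
        elif p_type == PT_DYNAMIC:
            # Full RELRO also needs the loader to resolve everything up front (BIND_NOW)
            for j in range(0, p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + j)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
    return {"pie": e_type == ET_DYN, "nx": nx,
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def build_sample(pie: bool, nx: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (not a real OpenWrt binary) with the requested properties."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * 3                  # ELF header + three program headers
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else 1, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    return hdr + phdrs + dyn

if __name__ == "__main__":
    print(elf_hardening(build_sample(pie=True, nx=True, relro=True, bind_now=True)))
```

To check a real binary from a build, pass `open(path, "rb").read()` to `elf_hardening`.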