[OpenWrt-Devel] Did they check security of OpenWrt?
Rich Brown
richb.hanover at gmail.com
Tue Aug 20 18:24:30 EDT 2019
> On Aug 20, 2019, at 5:32 PM, Rosen Penev <rosenp at gmail.com> wrote:
>> Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware...Thanks.
> OpenWrt uses several flags like -fstack-protector and format
> hardening...
Excellent! That covers a couple of the flags listed below. Can we say anything about any of the other tests?
> ... Issues are more nuanced than this though. These same people
> several months ago mentioned a serious ASLR weakness with MIPS.
> Patches went in the kernel for it.
Does this mean that snapshot builds (with current kernels) now protect against that MIPS vulnerability? What about the stable builds?
> There are probably more issues like
> those for different platforms.
> At the end of the day, most people use x86 and ARM. That's where most
> of the eyes are.
There are a lot of experts on various architectures on this list. Can they speak to other issues?
Late entry: I was going to volunteer to start a wiki page for this information, but I started to read the Security page (https://openwrt.org/docs/guide-developer/security <https://openwrt.org/docs/guide-developer/security>#os_and_package_hardening) and see that it speaks directly to these issues:
- the checksec.sh script seems to look for the flags mentioned below
- there's a list of build-hardening options for the compiler
- and more...
What statements/assertions can we make about whether these are used to create release or snapshot builds? Thanks to all who can contribute info.
Rich
>>>> My questions were more about OpenWrt. How would our current builds stack up under the criteria used in the report's table? It listed:
>>>>
>>>> - Stack Guards
>>>> - ASLR
>>>> - RELRO
>>>> - Fortify SRC
>>>> - Non-Exec Stack
>>>>
>>>> And are there other security practices that we enforce that would make an OpenWrt system more secure?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20190820/bac46fdf/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list