[OpenWrt-Devel] Did they check security of OpenWrt?
Vincent Wiemann
vincent.wiemann at ironai.com
Tue Aug 20 18:40:54 EDT 2019
Hi Rich,
On 20.08.19 23:19, Rich Brown wrote:
> Yes, but... Virtually all the other vendors' firmware are "Linux distros" as well.
Stone-age Linux distros.
> And if I understand the CITL scan process, it shows lots of bad build practices in the vendor firmware source code.
So they should do their magic with the Linux kernel's master and maybe they (unlikely) find vulnerabilities.
> Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware... Thanks.
As Dmitry said, OpenWrt is a state-of-the-art Linux distro and CVEs are addressed in a timely manner.
See https://openwrt.org/docs/guide-developers/security
- Stack Guards
Issues mostly fixed in Kernel 4.12.
- ASLR
On the ToDo, but takes up to 30% more space for executables.
- RELRO
Full RELRO used by default
- Fortify SRC
Conservative mode used by default
- Non-Exec Stack
That's a matter of the Linux kernel and I don't know of any configuration options for that.
As far as I know, it's activated by default on all platforms for which there is proper support
(x86-64, IA-32, SPARC, PowerPC). I think there is no support for ARM and MIPS.
Regards,
Vincent
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
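
An added example, not part of the original message or of OpenWrt's code: one way to check three of the properties listed in the reply above (position-independent executable as the precondition for ASLR of the binary itself, RELRO level, and the non-executable stack marking) directly from an ELF image. The names `audit_elf` and `constructed_sample` are assumptions made for this sketch, and the sample is a constructed big-endian ELF32 header set with no code; stack guards and Fortify Source are not covered because they cannot be read from program headers.

```python
import struct

# Constants from the ELF specification and its GNU extensions.
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 3, 2, 0x6474E551, 0x6474E552, 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
NOW_BITS = {DT_FLAGS: 0x8, DT_FLAGS_1: 0x1}  # DF_BIND_NOW, DF_1_NOW

def audit_elf(data):
    """Read hardening properties from the program headers of an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = data[4] == 2, "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(e + "H", data, 16)
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", data, 54 if is64 else 42)
    stack_flags, relro, bind_now = None, False, False
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:  # field order differs between the two ELF classes
            p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(e + "IIQQQQ", data, base)
        else:
            p_type, p_off, _, _, p_filesz, _, p_flags = struct.unpack_from(e + "7I", data, base)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:  # walk (d_tag, d_val) pairs looking for "bind now"
            pair = e + ("qQ" if is64 else "iI")
            for tag, val in struct.iter_unpack(pair, data[p_off:p_off + p_filesz]):
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or val & NOW_BITS.get(tag, 0):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,  # ET_DYN also matches shared libraries
        "nx_stack": stack_flags is not None and not stack_flags & PF_X,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
    }

def constructed_sample(stack_flags=6, bind_now=True):
    """Constructed big-endian ELF32 image: ELF header, 3 program headers, 2 dynamic entries."""
    dyn = struct.pack(">iIiI", DT_FLAGS, 0x8 if bind_now else 0, DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, 0, 0, stack_flags), (PT_GNU_RELRO, 0, 0, 4),
             (PT_DYNAMIC, 52 + 3 * 32, len(dyn), 6)]
    ehdr = struct.pack(">4s5B7xHHIIIIIHHHHHH", b"\x7fELF", 1, 2, 1, 0, 0,
                       ET_DYN, 8, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(">8I", t, off, 0, 0, size, size, fl, 4)
                    for t, off, size, fl in phdrs)
    return ehdr + body + dyn

if __name__ == "__main__":
    print(audit_elf(constructed_sample()))
```

To audit a real binary, pass the file's bytes, for example `audit_elf(open(path, "rb").read())`.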