[OpenWrt-Devel] Did they check security of OpenWrt?
Alberto Bursi
bobafetthotmail at gmail.com
Tue Aug 20 12:11:45 EDT 2019
On 20/08/19 17:34, Rich Brown wrote:
> Hi Vincent,
>
> I don't know whether the article, or its underlying report from Cyber Independent Testing Lab - CITL, is a joke or not. (Although, I'll agree that any firmware using 18-year-old kernels is on its face a security joke.)
>
> My questions were more about OpenWrt. How would our current builds stack up under the criteria used in the report's table? It listed:
>
> - Stack Guards
> - ASLR
> - RELRO
> - Fortify SRC
> - Non-Exec Stack
>
> And are there other security practices that we enforce that would make an OpenWrt system more secure?
>
> If OpenWrt compares favorably, it occurs to me that we could invite CITL to review OpenWrt builds (on hundreds of routers) and update their report...
>
> Thanks.
>
> Rich
>
(up-to-date) OpenWrt compares very favorably to most stock firmware
regardless of any such features (you could look up in the source to see
if those features are enabled or not by default in OpenWrt), as it is
simply using a modern Linux kernel and userspace vs decade-old stuff that
was also hacked to work with their own low-code-quality proprietary
drivers, running a web interface that allows easy code injection.
There is no point in inviting CITL to review OpenWrt per se as it's a
third party firmware, most people don't even know what a firmware is,
much less installing it on a supported device.
It could make sense to have them review devices from manufacturers that
employ modern OpenWrt as stock firmware.
Afaik that's GL.Inet mostly, maybe others.
-Alberto
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
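
Most of the criteria listed in the quoted question can be read from a built binary's ELF headers. The sketch below is an added example, not part of the original thread and not OpenWrt or CITL tooling: `elf_hardening` and `sample_elf32_be` are hypothetical names, the sample images are constructed, PIE stands in for the per-binary side of ASLR, the stack-guard check is a symbol-name heuristic, and Fortify Source is left out because it leaves no marker in the headers read here.

```python
import struct

ET_DYN, PF_X = 3, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552

def elf_hardening(data: bytes) -> dict:
    """Report hardening properties visible in an ELF image (hypothetical helper)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_at = 4                        # p_flags offset in Elf64_Phdr
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_at = 24                       # p_flags offset in Elf32_Phdr
    segs = {}                               # p_type -> p_flags
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type = struct.unpack_from(end + "I", data, base)[0]
        segs[p_type] = struct.unpack_from(end + "I", data, base + flags_at)[0]
    return {
        # ET_DYN main executables are PIE, which ASLR needs to move their code.
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK is counted as "not proven non-executable".
        "nx_stack": PT_GNU_STACK in segs and not segs[PT_GNU_STACK] & PF_X,
        # Partial or full RELRO; telling them apart needs the dynamic section.
        "relro": PT_GNU_RELRO in segs,
        # Heuristic: the stack protector's failure handler is referenced by name.
        "stack_guard": b"__stack_chk_fail" in data,
    }

def sample_elf32_be(e_type, segments, extra=b""):
    """Constructed sample: ELF32 big-endian (MIPS) headers only, not a real binary."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    hdr = struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0, 52, 32,
                      len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(">8I", t, 0, 0, 0, 0, 0, f, 0) for t, f in segments)
    return ident + hdr + phdrs + extra

if __name__ == "__main__":
    hardened = sample_elf32_be(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                               b"\0__stack_chk_fail\0")
    legacy = sample_elf32_be(2, [(PT_GNU_STACK, 7)])   # ET_EXEC, RWX stack
    print("hardened:", elf_hardening(hardened))
    print("legacy:  ", elf_hardening(legacy))
```

To audit a real build, pass the bytes of each executable from an unpacked root filesystem to `elf_hardening`; shared libraries are always `ET_DYN`, so the `pie` field is only meaningful for main executables.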