[OpenWrt-Devel] Did they check security of OpenWrt?

Rich Brown richb.hanover at gmail.com
Tue Aug 20 17:19:58 EDT 2019


Dmitry,

> On Aug 20, 2019, at 11:58 AM, Dmitry Tunin <hanipouspilot at gmail.com> wrote:
> 
> Rich,
> 
> OpenWrt is a Linux distro. It has all the security of any other one. All
> CVEs are addressed in a timely manner.
> There is no need for special tests.

Yes, but... Virtually all the other vendors' firmware are "Linux distros" as well. And if I understand the CITL scan process, it shows lots of bad build practices in the vendor firmware source code.

Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware... Thanks.

Rich


> Tue, Aug 20, 2019 at 18:34, Rich Brown <richb.hanover at gmail.com>:
>> 
>> Hi Vincent,
>> 
>> I don't know whether the article, or its underlying report from Cyber Independent Testing Lab - CITL, is a joke or not. (Although, I'll agree that any firmware using 18-year-old kernels is on its face a security joke.)
>> 
>> My questions were more about OpenWrt. How would our current builds stack up under the criteria used in the report's table? It listed:
>> 
>> - Stack Guards
>> - ASLR
>> - RELRO
>> - Fortify SRC
>> - Non-Exec Stack
>> 
>> And are there other security practices that we enforce that would make an OpenWrt system more secure?
>> 
>> If OpenWrt compares favorably, it occurs to me that we could invite CITL to review OpenWrt builds (on hundreds of routers) and update their report...
>> 
>> Thanks.
>> 
>> Rich
>> 
>>> On Aug 20, 2019, at 9:43 AM, Vincent Wiemann <vincent.wiemann at ironai.com> wrote:
>>> 
>>> Hi Rich,
>>> 
>>> the article is a joke. I'm not talking about the researchers, but about citing a statement like:
>>> „However, those same firmware binaries did not employ other common security
>>> features like ASLR or stack guards, or did so only rarely,“
>>> 
>>> Look at the source code of the mentioned vendors. They partially use 18-year-old kernel code and
>>> Telnet-like management interfaces.
>>> 
>>> Regards,
>>> 
>>> Vincent
>>> 
>>> 
>>> On 20.08.19 13:21, Rich Brown wrote:
>>>> Hi folks,
>>>> 
>>>> You've probably seen the Slashdot article about (lack of) security gains in router firmware. https://yro.slashdot.org/story/19/08/16/2050219/huge-survey-of-firmware-finds-no-security-gains-in-15-years The original article on Security Ledger is at: https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/
>>>> 
>>>> Two questions:
>>>> 
>>>> 1) Does anyone know if the researchers looked at OpenWrt?
>>>> 
>>>> 2) If not, how would OpenWrt stable or snapshot have fared in the analysis? Do we enable stack guards, ASLR, etc. on all builds?
>>>> 
>>>> Thanks.
>>>> 
>>>> Rich
>>>> _______________________________________________
>>>> openwrt-devel mailing list
>>>> openwrt-devel at lists.openwrt.org
>>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>>>> 
>> 
>> 




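Added example (not part of this thread and not OpenWrt or CITL code): a minimal checker for the five properties listed in the thread (stack guards, ASLR via PIE, RELRO, fortify, non-exec stack), reading them from an ELF image's headers. The names `elf_hardening` and `sample_elf` are hypothetical, the sample image is constructed, and the stack-guard and fortify rows are symbol-name heuristics.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 1, 24, 30, 8

def elf_hardening(data):
    """Check one ELF image (32/64-bit, either endianness) against the five listed properties."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, en = data[4] == 2, "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(en + "H", data, 16)
    phoff, = struct.unpack_from(en + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(en + "HH", data, 54 if is64 else 42)
    nx = relro = bind_now = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz
            p_type, flags, p_off, _, _, filesz = struct.unpack_from(en + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags
            p_type, p_off, _, _, filesz, _, flags = struct.unpack_from(en + "7I", data, off)
        if p_type == PT_GNU_STACK:
            nx = not flags & PF_X          # stack segment must not carry the execute bit
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:         # full RELRO also needs immediate binding
            ent = struct.Struct(en + ("qQ" if is64 else "iI"))
            for pos in range(p_off, p_off + filesz - ent.size + 1, ent.size):
                tag, val = ent.unpack_from(data, pos)
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,   # ET_DYN: PIE executable or shared object, needed for full ASLR
        "nx_stack": nx,            # a missing PT_GNU_STACK is reported as executable
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "stack_guard": b"__stack_chk_fail" in data,   # heuristic: symbol name present
        "fortify": b"_chk\x00" in data,               # heuristic: e.g. __memcpy_chk
    }

def sample_elf(hardened):
    """Constructed 64-bit little-endian image for the demo, not a real firmware binary."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW, 0, 0)
    syms = b"__stack_chk_fail\0__memcpy_chk\0"
    phdrs = [(PT_GNU_STACK, 6, 0, 0), (PT_GNU_RELRO, 4, 0, 0), (PT_DYNAMIC, 6, 64 + 3 * 56, len(dyn))]
    if not hardened:
        phdrs, dyn, syms = [(PT_GNU_STACK, 7, 0, 0)], b"", b"strcpy\0"
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if hardened else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, n, n, 8) for t, f, o, n in phdrs)
    return hdr + body + dyn + syms
```

The fortify row only recognises `_chk`-suffixed symbol names; a fortify implementation done entirely in headers leaves no such symbol and would read as absent here.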