Hi Vincent,

I don't know whether the article, or its underlying report from Cyber 
Independent Testing Lab - CITL, is a joke or not. (Although, I'll agree that 
any firmware using 18-year-old kernels is on its face a security joke.)

My questions were more about OpenWrt. How would our current builds stack up 
under the criteria used in the report's table? It listed:

- Stack Guards
- ASLR
- RELRO
- Fortify SRC
- Non-Exec Stack

And are there other security practices that we enforce that would make an 
OpenWrt system more secure?

If OpenWrt compares favorably, it occurs to me that we could invite CITL to 
review OpenWrt builds (on hundreds of routers) and update their report...

Thanks.

Rich

> On Aug 20, 2019, at 9:43 AM, Vincent Wiemann <vincent.wiem...@ironai.com> 
> wrote:
> 
> Hi Rich,
> 
> the article is a joke. I'm not talking about the researchers, but about 
> citing a statement like:
> „However, those same firmware binaries did not employ other common security
> features like ASLR or stack guards, or did so only rarely,“
> 
> Look at the source code of the mentioned vendors. They partially use 
> 18-year-old kernel code and Telnet-like management interfaces.
> 
> Regards,
> 
> Vincent
> 
> 
> On 20.08.19 13:21, Rich Brown wrote:
>> Hi folks,
>> 
>> You've probably seen the Slashdot article about (lack of) security gains in 
>> router firmware. 
>> https://yro.slashdot.org/story/19/08/16/2050219/huge-survey-of-firmware-finds-no-security-gains-in-15-years
>> The original article on Security Ledger is at: 
>> https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/
>> 
>> Two questions:
>> 
>> 1) Does anyone know if the researchers looked at OpenWrt?
>> 
>> 2) If not, how would OpenWrt stable or snapshot have fared in the analysis? 
>> Do we enable stack guards, ASLR, etc. on all builds?
>> 
>> Thanks.
>> 
>> Rich
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel@lists.openwrt.org
>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>> 
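An added example, not part of the thread and not CITL's or OpenWrt's tooling: one way to check a single ELF binary for the five properties listed in the table criteria above, using program-header fields plus symbol-name heuristics. The function names and the constructed sample images are assumptions made for illustration.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
ET_EXEC, ET_DYN, PF_X = 2, 3, 1
DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 24, 30, 8

def check_hardening(elf: bytes) -> dict:
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, e = elf[4] == 2, ("<" if elf[5] == 1 else ">")  # class, byte order
    e_type, = struct.unpack_from(e + "H", elf, 16)
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), elf, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54 if is64 else 42)
    nx = relro = bind_now = False  # a missing PT_GNU_STACK is counted as executable
    for off in (phoff + i * phentsize for i in range(phnum)):
        if is64:
            p_type, p_flags, p_offset = struct.unpack_from(e + "IIQ", elf, off)
            p_filesz, = struct.unpack_from(e + "Q", elf, off + 32)
        else:
            p_type, p_offset = struct.unpack_from(e + "II", elf, off)
            p_filesz, _, p_flags = struct.unpack_from(e + "III", elf, off + 16)
        if p_type == PT_GNU_STACK:
            nx = not p_flags & PF_X
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:  # full RELRO also needs immediate binding
            fmt = e + ("qQ" if is64 else "iI")
            size = p_filesz - p_filesz % struct.calcsize(fmt)
            for tag, val in struct.iter_unpack(fmt, elf[p_offset:p_offset + size]):
                bind_now |= tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
    return {
        "stack_guard": b"__stack_chk_fail" in elf,  # heuristic: symbol name present
        "aslr_pie": e_type == ET_DYN,               # position-independent image
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "fortify": b"_chk\x00" in elf,              # heuristic: glibc-style *_chk names
        "nx_stack": nx,
    }

def sample_elf(hardened: bool) -> bytes:
    """Constructed 32-bit big-endian image holding only the fields the checker reads."""
    ph = lambda t, off, size, flags: struct.pack(">8I", t, off, 0, 0, size, size, flags, 4)
    ehdr = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", ET_DYN if hardened else ET_EXEC, 8, 1, 0, 52, 0, 0, 52, 32, 3, 0, 0, 0)
    dyn = struct.pack(">iIiI", DT_BIND_NOW if hardened else 1, 0, 0, 0)  # ends with DT_NULL
    phdrs = ph(PT_GNU_STACK, 0, 0, 6 if hardened else 7) + ph(PT_DYNAMIC, 148, 16, 6)
    phdrs += ph(PT_GNU_RELRO, 148, 16, 4) if hardened else ph(4, 0, 0, 4)  # else PT_NOTE
    names = b"\x00__stack_chk_fail\x00__memcpy_chk\x00" if hardened else b"\x00memcpy\x00"
    return ehdr + phdrs + dyn + names
```

The stack-guard and fortify results come from symbol names only, so a libc that implements fortification with inline header wrappers instead of `*_chk` functions will read as False here.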

