Dmitry, > On Aug 20, 2019, at 11:58 AM, Dmitry Tunin <[email protected]> wrote: > > Rich, > > OpenWrt is a Linux distro. It has all security as any other one. All > CVE are timely addressed. > There is no need for special tests.
Yes, but... Virtually all the other vendor's firmware are "Linux distro's" as well. And if I understand the CITL scan process, it shows lots of bad build practices in the vendor firmware source code. Can anyone speak to whether OpenWrt builds use any/all of those techniques called out to provide additional security? OpenWrt's modern kernel provides a bunch of security. That may be good enough, even if builds don't use all those techniques. And if we have implemented them, we can further differentiate ourselves from vendor firmware...Thanks. Rich > вт, 20 авг. 2019 г. в 18:34, Rich Brown <[email protected]>: >> >> Hi Vincent, >> >> I don't know whether the article, or its underlying report from Cyber >> Independent Testing Lab - CITL, is a joke or not. (Although, I'll agree that >> any firmware using 18-year old kernels is on its face a security joke.) >> >> My questions were more about OpenWrt. How would our current builds stack up >> under the criteria used in the report's table? It listed: >> >> - Stack Guards >> - ASLR >> - RELRO >> - Fortify SRC >> - Non-Exec Stack >> >> And are there other security practices that we enforce that would make an >> OpenWrt system more secure? >> >> If OpenWrt compares favorably, it occurs to me that we could invite CITL to >> review OpenWrt builds (on hundreds of routers) and update their report... >> >> Thanks. >> >> Rich >> >>> On Aug 20, 2019, at 9:43 AM, Vincent Wiemann <[email protected]> >>> wrote: >>> >>> Hi Rich, >>> >>> the article is a joke. I'm not talking about the researchers, but about >>> citing a statement like: >>> „However, those same firmware binaries did not employ other common security >>> features like ASLR or stack guards, or did so only rarely,“ >>> >>> Look at the source-code of the mentioned vendors. They partially use 18 >>> years old kernel code and >>> Telnet-like management interfaces. >>> >>> Regards, >>> >>> Vincent >>> >>> >>> On 20.08.19 13:21, Rich Brown wrote: >>>> Hi folks, >>>> >>>> You've probably seen the Slashdot article about (lack of) security gains >>>> in router firmware. >>>> https://yro.slashdot.org/story/19/08/16/2050219/huge-survey-of-firmware-finds-no-security-gains-in-15-years >>>> The original article on Security Ledger is at: >>>> https://securityledger.com/2019/08/huge-survey-of-firmware-finds-no-security-gains-in-15-years/ >>>> >>>> Two questions: >>>> >>>> 1) Does anyone know if the researchers looked at OpenWrt? >>>> >>>> 2) If not, how would OpenWrt stable or snapshot have fared in the >>>> analysis? Do we enable stack guards, ASLR, etc. on all builds? >>>> >>>> Thanks. >>>> >>>> Rich >>>> _______________________________________________ >>>> openwrt-devel mailing list >>>> [email protected] >>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >>>> >> >> >> _______________________________________________ >> openwrt-devel mailing list >> [email protected] >> https://lists.openwrt.org/mailman/listinfo/openwrt-devel _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
