> On Aug 20, 2019, at 5:32 PM, Rosen Penev <[email protected]> wrote:
>
>> Can anyone speak to whether OpenWrt builds use any/all of those techniques
>> called out to provide additional security? OpenWrt's modern kernel provides
>> a bunch of security. That may be good enough, even if builds don't use all
>> those techniques. And if we have implemented them, we can further
>> differentiate ourselves from vendor firmware...Thanks.
>
> OpenWrt uses several flags like -fstack-protector and format
> hardening...

Excellent! That covers a couple of the flags listed below. Can we say anything about any of the other tests?

> ... Issues are more nuanced than this though. These same people
> several months ago mentioned a serious ASLR weakness with MIPS.
> Patches went in the kernel for it.

Does this mean that snapshot builds (with current kernels) now protect against that MIPS vulnerability? What about the stable builds?

> There are probably more issues like
> those for different platforms.
> At the end of the day, most people use x86 and ARM. That's where most
> of the eyes are.

There are a lot of experts on various architectures on this list. Can they speak to other issues?

Late entry: I was going to volunteer to start a wiki page for this information, but I started to read the Security page (https://openwrt.org/docs/guide-developer/security#os_and_package_hardening) and see that it speaks directly to these issues:

- the checksec.sh script seems to look for the flags mentioned below
- there's a list of build-hardening options for the compiler
- and more...

What statements/assertions can we make about whether these are used to create release or snapshot builds?

Thanks to all who can contribute info.

Rich

>>>> My questions were more about OpenWrt. How would our current builds stack
>>>> up under the criteria used in the report's table? It listed:
>>>>
>>>> - Stack Guards
>>>> - ASLR
>>>> - RELRO
>>>> - Fortify SRC
>>>> - Non-Exec Stack
>>>>
>>>> And are there other security practices that we enforce that would make an
>>>> OpenWrt system more secure?
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
