Hi Rich,

On 20.08.19 23:19, Rich Brown wrote:
> Yes, but... Virtually all the other vendor's firmware are "Linux distro's" as
> well.

Stone-age Linux distros

> And if I understand the CITL scan process, it shows lots of bad build
> practices in the vendor firmware source code.

So they should do their magic with the Linux kernel's master and maybe they (unlikely) find vulnerabilities.

> Can anyone speak to whether OpenWrt builds use any/all of those techniques
> called out to provide additional security? OpenWrt's modern kernel provides a
> bunch of security. That may be good enough, even if builds don't use all
> those techniques. And if we have implemented them, we can further
> differentiate ourselves from vendor firmware...Thanks.

As Dmitry said, OpenWrt is a state-of-the-art Linux distro and CVEs are addressed timely. See https://openwrt.org/docs/guide-developers/security

- Stack Guards
  Issues mostly fixed in Kernel 4.12.
- ASLR
  On the ToDo, but takes up to 30% more space for executables.
- RELRO
  Full RELRO used by default
- Fortify SRC
  Conservative mode used by default
- Non-Exec Stack
  That's a matter of the Linux kernel and I don't know of any configuration options for that. As far as I know, it's activated by default on all platforms for which there is proper support (x86-64, IA-32, SPARC, PowerPC). I think there is no support for ARM and MIPS.

Regards,
Vincent
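
Three of the items listed above (RELRO, non-executable stack, and the position-independent executables that ASLR relies on) can be read directly from a binary's ELF headers. The sketch below is an added example, not part of the original message and not OpenWrt or CITL tooling; `check_hardening` and `build_sample` are hypothetical names and the sample image is constructed. Stack guards and fortify do not appear in the program headers and are not covered.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB

def check_hardening(elf: bytes) -> dict:
    """Read PIE, non-exec stack and RELRO status from the ELF headers."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    (e_type,) = struct.unpack_from(end + "H", elf, 16)
    (e_phoff,) = struct.unpack_from(end + ("Q" if is64 else "I"), elf, 32 if is64 else 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54 if is64 else 42)
    nx = relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # ELF64 and ELF32 order the program header fields differently
            p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", elf, off)
        else:
            p_type, p_offset, _, _, p_filesz, _, p_flags = struct.unpack_from(end + "7I", elf, off)
        if p_type == PT_GNU_STACK:
            nx = not p_flags & 1        # PF_X clear: stack is not executable
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:      # immediate binding is what makes RELRO "full"
            fmt = end + ("QQ" if is64 else "II")
            for pos in range(p_offset, p_offset + p_filesz, struct.calcsize(fmt)):
                d_tag, d_val = struct.unpack_from(fmt, elf, pos)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & 0x8)
                        or (d_tag == DT_FLAGS_1 and d_val & 0x1)):
                    bind_now = True
    # Without PT_GNU_STACK the architecture default applies; reported as not NX here.
    # ET_DYN (3) is also used by shared libraries, so "pie" only matters for executables.
    relro_level = "full" if relro and bind_now else "partial" if relro else "none"
    return {"pie": e_type == 3, "nx_stack": nx, "relro": relro_level}

def build_sample(e_type=3, stack_flags=6, bind_now=True) -> bytes:
    """Constructed headers-only ELF64 little-endian image used as sample input."""
    dyn = (struct.pack("<QQ", DT_FLAGS, 0x8) if bind_now else b"") + struct.pack("<QQ", DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    def phdr(p_type, flags, offset=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, flags, offset, 0, 0, size, size, 8)
    return (ehdr + phdr(PT_GNU_STACK, stack_flags) + phdr(PT_GNU_RELRO, 4)
            + phdr(PT_DYNAMIC, 6, 64 + 3 * 56, len(dyn)) + dyn)
```

Calling `check_hardening(open(path, "rb").read())` on a binary extracted from a firmware image gives the same three fields for real files.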