Security

Security Advisories & Vulnerability Reporting

Security advisories should be published on the openwrt-security-announce mailing list.

Security bugs do not seem to be treated differently from other kinds of bugs, so one should probably follow the normal bug reporting procedure documented on the bugs wiki page. On the other hand, the mailing list thread [OpenWrt-Devel] Security Vulnerability Reporting and Database indicated that security vulnerabilities should be reported by sending an email to the public openwrt-devel mailing list. Whichever way it is done, it is better to report a vulnerability than not to report it.

Vulnerabilities in third-party components of OpenWrt, like the Linux kernel, OpenSSL, etc., should be reported directly to the third-party project first, unless the vulnerability is somehow OpenWrt-specific (e.g. the vulnerability is in an OpenWrt patch to the third-party component).

Threat Model

Security Updates

Most people set up their device once and then don't touch it, as long as it appears to be working. In particular, very few people make a habit of checking for updates.

Background:

Reproducible Builds

FIXME: Write this section.

Background info:

Binary-Blob-free Builds

Many people are interested in OpenWrt because they believe that its being open source improves security, since the code has (in theory) been carefully reviewed. Further, one of the goals of reproducible builds is to ensure that the binaries downloaded and installed onto a device are actually derived from the carefully-reviewed OpenWrt source code. Obviously, the OpenWrt project doesn't have access to the source code of binary blobs and so can't review them, so binary blobs are counterproductive to security. Yet some hardware doesn't work as well, or at all, without the binary blobs, and some users don't care about this issue.

Background:

General Concerns to Address

OS and Package Hardening

See the configuration files under config/ in the source tree for more detailed information about each option, such as the label used in "make menuconfig", the current default value, and the prerequisites and conditions for enabling the feature. In particular, "Yes" in the "Enabled by Default" column is often an oversimplification. Options are listed in the order in which they appear in their config/Config-*.in file.

Using checksec to Check Your Build

checksec can be used to verify that some executables and/or libraries have been correctly built with many of these options. To use it:

  1. git clone https://github.com/slimm609/checksec.sh somewhere outside your OpenWrt tree.
  2. Build OpenWrt with CONFIG_TARGET_ROOTFS_TARGZ=y so that it generates a .tar.gz root filesystem archive.
  3. Extract the .tar.gz archive to a temporary directory.
  4. Run the checksec script from your copy of the repo you cloned in the first step against the extracted files.

Note that a lot of documentation for this tool, including the README.md in its GitHub repo, suggests running it as checksec.sh, but the script was renamed to checksec. See Evaluating the security of OpenWrt (part 2) for help on analyzing the output; OpenWrt has improved since that blog post was written, so your results should be better.
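As an added example (not the wiki's own code and not part of checksec), the following Python script inspects ELF files for the same four properties that checksec reports, RELRO, stack canary, NX and PIE, and can be pointed at the directory you extracted in step 3. The check logic mirrors what the build options above produce: CONFIG_PKG_RELRO_FULL gives a PT_GNU_RELRO segment plus BIND_NOW ("Full RELRO"), and the stack-protector options leave a reference to __stack_chk_fail in the binary. It only handles little-endian ELF64; many OpenWrt targets are 32-bit MIPS or ARM, so treat it as an illustration of what checksec looks for rather than a replacement. build_elf() constructs synthetic, non-loadable fixtures so the checks can be exercised without a real build.

```python
# Added example (not the wiki's code, and not checksec itself): a minimal
# ELF64 inspector that reports the same four properties checksec prints,
# RELRO, stack canary, NX and PIE, plus a helper that walks an extracted
# rootfs. Only little-endian ELF64 is handled; the images produced by
# build_elf() are constructed test fixtures, not loadable programs.
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def _dynamic_entries(data, phdrs):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    for p_type, _flags, p_offset, _va, _pa, p_filesz, *_ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def check_elf(data):
    """Classify the hardening properties of one ELF image given as bytes."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled in this example")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    by_type = {p[0]: p for p in phdrs}

    # Full RELRO needs both a PT_GNU_RELRO segment and immediate binding
    # (BIND_NOW), which is what CONFIG_PKG_RELRO_FULL asks the linker for.
    bind_now = any((tag == DT_FLAGS and val & DF_BIND_NOW)
                   or (tag == DT_FLAGS_1 and val & DF_1_NOW)
                   for tag, val in _dynamic_entries(data, phdrs))
    if PT_GNU_RELRO not in by_type:
        relro = "No RELRO"
    elif bind_now:
        relro = "Full RELRO"
    else:
        relro = "Partial RELRO"

    # NX: a PT_GNU_STACK header without PF_X. No header at all means the
    # loader may fall back to an executable stack, so count that as disabled.
    stack = by_type.get(PT_GNU_STACK)
    nx = stack is not None and not (stack[1] & PF_X)

    return {
        "relro": relro,
        # Heuristic, the same one checksec uses: the stack-protector
        # runtime reference appears somewhere in the file.
        "canary": b"__stack_chk_fail" in data,
        "nx": nx,
        # Heuristic: PIE executables are ET_DYN, but so are shared libraries.
        "pie": e_type == ET_DYN,
    }


def scan_rootfs(root):
    """Run check_elf over every regular ELF file under an extracted rootfs."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        data = path.read_bytes()
        if data[:4] == ELF_MAGIC:
            try:
                results[str(path.relative_to(root))] = check_elf(data)
            except ValueError:
                pass  # e.g. a 32-bit or big-endian object, outside this example's scope
    return results


def build_elf(pie, nx, relro, bind_now, canary):
    """Construct a synthetic ELF64 fixture exhibiting the requested properties."""
    dynamic = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    n_ph = 1 + int(nx) + int(relro)  # PT_DYNAMIC is always emitted
    dyn_off = EHDR.size + n_ph * PHDR.size
    phdrs = [PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dynamic), len(dynamic), 8)]
    if nx:
        phdrs.append(PHDR.pack(PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, ELF version 1
    header = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, n_ph, 0, 0, 0)
    return header + b"".join(phdrs) + dynamic + (b"__stack_chk_fail\0" if canary else b"")
```

To use it against a real extraction, call scan_rootfs("/tmp/openwrt-rootfs") and look for any entry whose relro is not "Full RELRO" or whose canary, nx or pie is False; those are the files to cross-check against the checksec output and the options in the tables below.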

"Hardening build options" in config/Config-build.in

Source: config/Config-build.in. Note that individual packages and/or targets may ignore or otherwise not respect the setting.

.config line | Enabled by Default? | Notes
CONFIG_PKG_CHECK_FORMAT_SECURITY=y | Yes | -Wformat -Werror=format-security
CONFIG_PKG_CC_STACKPROTECTOR_STRONG=y | | "Regular" is the default. "Strong" requires GCC 5.
CONFIG_KERNEL_CC_STACKPROTECTOR_STRONG=y | | "Regular" is the default. "Strong" requires GCC 5.
CONFIG_PKG_FORTIFY_SOURCE_2=y | | CONFIG_PKG_FORTIFY_SOURCE_1=y is the default.
CONFIG_PKG_RELRO_FULL=y | Yes |

Source: config/Config-kernel.in

.config line | Enabled by Default? | Notes
CONFIG_KERNEL_SECCOMP_FILTER=y, CONFIG_KERNEL_SECCOMP=y | No | FIXME: Which services are done? Which services need to be done? How does the JSON-based configuration for procd work? How can the Seccomp BPF configurations be shared upstream?
CONFIG_KERNEL_NAMESPACES=y, CONFIG_KERNEL_UTS_NS=y, CONFIG_KERNEL_IPC_NS=y, CONFIG_KERNEL_USER_NS=y, CONFIG_KERNEL_PID_NS=y, CONFIG_KERNEL_NET_NS=y | No | OpenWrt's procd jail feature uses namespaces. See LWN's series of articles on namespaces for more information.

TODOs

Web Interface (LuCI, etc.) Hardening

Cryptography

Potential Future Improvements

LXC Containers

See the LXC in OpenWrt/Turris presentation (Video and slides) by Alex Samorukov on LXC containers. Important unanswered questions: