Question about OpenWrt security

Hi there,

I read an article this morning about router security, and they say that most of them (not to say all of them) lack some Linux security features. Basically they tested routers' factory firmware for features like ASLR, DEP, RELRO and stack guards, and the results are surprisingly low in terms of coverage.

Although I'm familiar with the first two features (I'm a SW developer of desktop apps), I don't know exactly what the last two are. But my question is: they are talking about default factory FW, but I was wondering about my favorite FW, OpenWrt? Does someone know if those security features are used in the firmware images? If yes, is that enabled on all devices, or only on some of them (maybe there are HW limitations, I don't know)?

I am just curious to know. For the record, here's the article I was referring to: https://www.zdnet.com/article/most-home-routers-dont-take-advantage-of-linuxs-improved-security-features/

Thank you :slight_smile:


Regarding MIPS

https://cyber-itl.org/assets/papers/2018/Linux_MIPS_missing_foundations.pdf

Page seven,

If your system is running a Linux kernel version 4.8 or higher we recommend checking for the emulation page in the maps. Again with shell access on the system,

cat /proc/self/maps

and look for a single executable anonymous mapping. On 32 bit systems it should be located at 0x7ffff000 and on 64 bit systems it should be 0xfffffff000. An example of the proc entries is shown below, marked in red. If your system has the mapping but it is at a different address, it is possible your system is using a non-standard page size. In the following output we note the fix to the executable stack, but also the creation of the new emulation segment as readable, writable, and executable at the expected fixed address range.

Here is some discussion in German and a claim that it is active on tested versions

Hi,

I read part of the document you sent; this is very interesting because it gives clues on how to test it. However, concerning your second link, as I don't speak German, I had to use Google Translate, but from what I understood that guy says that he builds his own image with those features enabled, which probably means this is not the case by default. But once again, as I don't speak German, maybe I misunderstood.

Maybe in the future I will do the test described in the first paper you sent, but it may be very boring since we should test all binaries on the image to check the coverage (some executables may not have this feature enabled while others do). Also, having a high but incomplete coverage may not be a good point: actually, if all your binaries like cat or vi are protected and you reach a coverage of, let's say, 99%, but the remaining 1% represents very sensitive binaries, like OpenSSL or iptables, it may be very dangerous. What do you think?

Anyway, thank you for your answer, which was already helpful :slight_smile:
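As an added example (not from this thread, the paper, or the OpenWrt project), here is a small Python checker for the per-binary coverage test discussed above: it reads only the ELF program headers of every file under an extracted rootfs directory (for example an unpacked squashfs-root) and reports PIE, NX stack and RELRO, with a string heuristic for the stack canary. The SAMPLE_ELF at the bottom is a constructed minimal MIPS-style ELF for self-checking, not a real binary.

```python
import os, struct
PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_DYN = 0x6474e551, 0x6474e552, 1, 3

def parse_elf(data):
    """Hardening flags for one ELF image (bytes), or None if not ELF. Only program
    headers are read, so RELRO is at most 'partial'; the canary check is a heuristic."""
    if data[:4] != b'\x7fELF':
        return None
    is64 = data[4] == 2
    end = '<' if data[5] == 1 else '>'      # many MIPS routers are big-endian
    e_type, = struct.unpack_from(end + 'H', data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + 'Q', data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + 'HH', data, 54)
    else:
        e_phoff, = struct.unpack_from(end + 'I', data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + 'HH', data, 42)
    # No PT_GNU_STACK means the kernel's per-arch default (historically executable): treat as unprotected
    nx, relro = False, 'none'
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + 'I', data, off)
        p_flags, = struct.unpack_from(end + 'I', data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = 'partial'
    return {'pie': e_type == ET_DYN, 'nx': nx, 'relro': relro,
            'canary': b'__stack_chk_fail' in data}

def scan_rootfs(root):
    """Map every regular ELF file under an extracted rootfs to its flags (symlinks skipped)."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, 'rb') as f:
                flags = parse_elf(f.read())
            if flags:
                found[path] = flags
    return found

# Constructed sample: big-endian ELF32 (e_machine 8 = MIPS) PIE, NX stack, RELRO segment, no canary string
SAMPLE_ELF = (b'\x7fELF' + bytes([1, 2, 1, 0]) + bytes(8)
              + struct.pack('>HHIIIIIHHHHHH', ET_DYN, 8, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
              + struct.pack('>IIIIIIII', PT_GNU_STACK, 0, 0, 0, 0, 0, 6, 16)
              + struct.pack('>IIIIIIII', PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
```

Running scan_rootfs on an unpacked image and listing entries whose values are False or 'none' gives exactly the "which 1% is unprotected" view from the post above; the canary heuristic also fires on libc itself, which defines __stack_chk_fail, so check libraries by hand.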

Addendum in German from an involved developer

It's complicated and depends on a lot of details... one thing for sure: if we're speaking about PIE, it's not the QoS term; instead it is Position Independent Executables ;-)

Generally speaking: you have a better chance if you don't use original outdated vendor firmware (unless it is based on OpenWrt ;-) ), and MIPS SoCs seem to be (more or less?) worse than ARMs because not many support an extension called RXI, and a lot of ARMs are younger and use a more recent toolchain and SDK... if I got it right...