[Commotion-dev] Stack Smashing Protection on OpenWRT

Nicolás Reynolds fauno at endefensadelsl.org
Fri Feb 7 21:08:10 UTC 2014


"L. Aaron Kaplan" <aaron at lo-res.org> writes:

> On Feb 7, 2014, at 5:26 PM, Andrew Reynolds <andrew at opentechinstitute.org> wrote:
>
>> Hi all,
>> 
>> Does anyone have experience with OpenWRT's stack smashing protection
>> toolchain option? I've been trying to compile Commotion with SSP and
>> haven't had any luck.
>
> Yup! I regularly have the very same issue with that in the openwrt build system.
> Seems like it is not very well tested by developers. But IMHO that should be highly used.

that would be good to have, would it add much overhead to binaries?  in
my experience with crosstool-ng these flags have to be added to the final
gcc build and later to package builds.

i see uclibc has a UCLIBC_HAS_SSP config option but i don't know where
the config is located in openwrt

> While talking about these security topics: The other thing that I
> definitely recommend is to take a look at the random number generators
> and their usage in openwrt.  It might make sense to generate keys
> somewhere else and copy them to the embedded device (in case that is
> possible) or to at least wait for some time and collect network
> traffic and then generate new keys.  By default the entropy is very
> low.

i have haveged and timer_entropyd on my (non openwrt) machine with good
results.  i see haveged is being packaged, i can try getting a
timer_entropyd makefile soon.  there's also audio_entropyd from the same
guy but it needs an audio source :)

-- 
}(:=
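
The "wait and collect entropy, then generate new keys" suggestion quoted above, sketched as a first-boot gate in POSIX sh. This is an added example, not code from the thread or from OpenWRT; the function names, the `ENTROPY_FILE` variable, the 200-bit threshold and the timeout are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. ENTROPY_FILE, the function names and the thresholds
# are assumptions for illustration, not values from the thread.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_ready MIN_BITS [FILE]
# 0: estimate >= MIN_BITS, 1: estimate too low, 2: estimate unreadable.
entropy_ready() {
    min="$1"
    file="${2:-$ENTROPY_FILE}"
    [ -r "$file" ] || return 2
    avail=""
    read -r avail < "$file" || [ -n "$avail" ] || return 2
    case "$avail" in
        ''|*[!0-9]*) return 2 ;;   # refuse anything that is not a number
    esac
    if [ "$avail" -ge "$min" ]; then return 0; fi
    return 1
}

# wait_for_entropy MIN_BITS TIMEOUT_SECS [FILE]
# Polls once per second. 0: ready, 1: timed out, 2: cannot read estimate.
wait_for_entropy() {
    timeout="$2"
    waited=0
    while :; do
        if entropy_ready "$1" "${3:-$ENTROPY_FILE}"; then
            return 0
        else
            rc=$?
        fi
        if [ "$rc" -eq 2 ]; then return 2; fi
        if [ "$waited" -ge "$timeout" ]; then return 1; fi
        sleep 1
        waited=$((waited + 1))
    done
}

# Typical first-boot use (key generation command left as a placeholder):
#   wait_for_entropy 200 120 && <generate keys here>
#   On timeout or error, fail closed: do not generate keys.
```

The gate only reads the kernel's estimate; a daemon such as haveged or timer_entropyd, as mentioned in the reply, is what actually feeds the pool while the script waits.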