[sf-lug] (forw) Fwd: A look at home routers, and a surprising bug in Linux/MIPS

Rick Moen rick at linuxmafia.com
Sun Jan 6 01:30:02 PST 2019 

My thanks to Bobbie.

The first paper is about home routers in general, where the authors
picked 14 models recently reviewed by _Consumer Reports_, and found
their manufacturer-preload firmware-based OSes woefully deficient in
standard security-hardening techniques to make public-facing software 
tougher to compromise,

The others' other paper concerns hardware-specific reasons why security
has a fixable weakness  on the subset of home routers based on
MIPS-family CPUs.  (Some were MIPS-based, others were ARM-based.)  These
deficiencies can be fixed if interested parties want to expend the
effort.

It's debatable how 'soft' a target home routers lacking these hardening
methods are, but the authors have a point that the techniques should be
included.



----- Forwarded message from Bobbie Sellers <bliss at mouse-potato.com> -----

Date: Sat, 5 Jan 2019 19:01:46 -0800
From: Bobbie Sellers <bliss at mouse-potato.com>
To: Rick Moen <rick at linuxmafia.com>
Subject: Fwd: A look at home routers, and a surprising bug in Linux/MIPS

Hi Rick,
	I certainly don't know enough to decide
if the authors are right or wrong but if you
think it deserves anyone's attention put it on
the mailing list.

	Bobbie Sellers



-------- Forwarded Message --------
Subject: A look at home routers, and a surprising bug in Linux/MIPS
Date: Sun, 6 Jan 2019 02:52:30 +0000 (UTC)
From: anonymous <anonymous at anonymous.com>
Organization: Neodome
Newsgroups: alt.privacy, alt.os.linux, comp.security.misc,
comp.os.linux.security, comp.sys.mips, alt.comp.networking.routers,
comp.os.linux.advocacy
Followup-To: alt.privacy, alt.os.linux, comp.sys.mips,
alt.comp.networking.routers

Today we're pleased to announce the release of two papers:

Build Safety of Software in 28 Popular Home Routers, by Parker
Thompson and Sarah Zatko
<https://cyber-itl.org/assets/papers/2018/build_safety_of_software_in_28_popular_home_routers.pdf>

Linux MIPS - A soft target: past, present, and future, by Parker
Thompson and Mudge Zatko
<https://cyber-itl.org/assets/papers/2018/Linux_MIPS_missing_foundations.pdf>

In the first paper, we analyze the firmware images of 28 popular home
routers, checking for basic code hygiene and software safety features.
What we found was disappointing: none of the routers made consistent
use of basic software safety features like ASLR, stack guards, and DEP
- features which have been standard in desktop environments for over
15 years.

Given the role these devices play in consumers' homes, and the ease
with which these issues could be resolved, we believe the absence of
these features is reckless and negligent. We strongly urge vendors to
review their software build practices and adopt practices which ensure
these basic security features are present prior to product release.

But that's not all. In the second paper, we describe an unfortunate
bug in the Linux/MIPS architecture which we encountered in the course
of our reporting on routers. This bug, whose origins date back to
2001, prevents most Linux/MIPS binaries from enjoying the full
protections of DEP and ASLR. Given the popularity of Linux/MIPS in
embedded devices (such as IoT, consumer and enterprise network
equipment, etc), and the enormous diversity of threat models for such
devices, we believe this bug represents a significant risk to a large
segment of Internet-connected devices.

Source:
<https://cyber-itl.org/2018/12/07/a-look-at-home-routers-and-linux-mips.html>


----- End forwarded message -----

More information about the sf-lug mailing list