Today, the Eclipse Foundation released the results of our security audit for Eclipse CycloneDDS. Findings from the audit have been addressed in the latest versioned source code of Eclipse CycloneDDS, available at https://github.com/eclipse-cyclonedds/cyclonedds .
Eclipse CycloneDDS is an implementation of the Data Distribution Service (DDS) specification published by the OMG standards development organization. The standard defines both the communication protocol and the API for a publish-subscribe model and is used in fields including aerospace, defense, and autonomous vehicles. It was developed at a time when malicious actors were less of a concern. To address the challenges of secure communication in the presence of potentially malicious actors, the OMG published the DDS Security Specification, which introduces security plugins that implement authentication, access control, and cryptographic operations. CycloneDDS supports that newer specification, and the correctness of its implementation was the main focus of the audit.
During the audit, the auditors consulted frequently with the project team. They implemented three fuzzers to cover the functionality in scope. Using those fuzzers, the auditors found two issues with possible security impact and made a number of recommendations to improve code quality.
Check the full report for more information and details of findings and fixes.
This was our seventh open source project security audit, and it was carried out by X41 D-Sec. Like our six previous audits, this initiative was done in partnership with the Open Source Technology Improvement Fund (OSTIF) and was made possible by the funding the Eclipse Foundation received from the Alpha-Omega Project.
Impartial security audits like this play an important role in securing the open source software supply chain. Keep an eye on our blog for more security audit announcements in the future.
Get Involved
- Get started with CycloneDDS https://cyclonedds.io/ and learn how you can contribute to the project.
- Learn more about the new Open Regulatory Compliance Working Group, a working group that is forming to address the multifaceted challenges of cybersecurity in the open source ecosystem and to demonstrate our commitment to cooperation with and implementation of the CRA.