OSTIF is proud to share the results of our security audit of CycloneDDS. CycloneDDS is an open source implementation of the Object Management Group's Data Distribution Service (OMG DDS) standard and an Eclipse Foundation IoT project. With the help of X-41 D-Sec and the Eclipse Foundation, this project can continue to develop securely, building on its decades of use as a Data Distribution Service across a variety of critical enterprises and fields.

When CycloneDDS was conceived, the ideal was (and remains) to run software like it on an isolated network. As that is increasingly impossible, the OMG Standards Development Organization released the DDS Security Specification, which identifies the plugins in DDS projects that are crucial to the security of Internet-facing deployments. This documentation was critical to the work of this audit and to understanding the project's security health.

Audit Process:

This security audit consisted of a secure code review as well as a comparison of CycloneDDS's plugins against the OMG specifications. To identify weaknesses in the plugins as they operate in IoT deployments, the X-41 audit team first created a threat model of the project's attack surfaces and code paths. Once the vulnerable areas were identified, the team focused its review on weaknesses in the code, especially those relevant to the plugins identified by the Specification. About half of the audit time was spent developing fuzzers to exercise the main attack surfaces that the standards and the threat model had flagged as vulnerable.

Audit Results:

  • 8 Findings with Security Impact
    • 1 Medium
    • 1 Low
    • 6 Informational
  • 3 New Fuzzers Developed for:
    • Topic Deserialization
    • Security Deserialization
    • Authentication Handshake
  • Recommendations of Future Security Work
  • Recommendations of Fixes on Reported Audit Issues

Third-party security audits don’t just create quantitative results but also result in documentation, insights, and recommendations that help project maintainers plan future security work as well as releases and life cycles. CycloneDDS is a mature project with lots of eyes on its security, and there were no Critical or High findings identified as a result of this work. Outside of time spent identifying vulnerabilities, audits that compare and contrast accepted security documentation with a project are important preventative security work. They provide insight into a project’s function, health, and needs, which can then be addressed quickly and effectively by maintainers or auditors.

Thank you to the individuals and groups that made this engagement possible:

  • CycloneDDS maintainers and community, notably Hans van 't Hag and Erik Boasson
  • X-41 D-Sec: Robert Femmer, Markus Vervier, Antonela Conti
  • The Eclipse Foundation

You can read the Audit Report HERE

You can read X41’s Blog HERE

You can read the Eclipse Foundation’s Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].