OSTIF is proud to share the results of our security audit of Kuksa. Kuksa.val is an open source vehicle abstraction layer. With the help of Quarkslab and the Eclipse Foundation, this project will continue to provide in-vehicle software components for users working with in-vehicle signals in a secure and efficient way.
Audit Process:
This audit was scoped to focus on the KUKSA.val databroker and the Python client SDK, available under one GitHub repository (eclipse/kuksa.val). While proper usage of third party libraries was included in the audit process, their code was not in the scope of this engagement.
The foundation of this work was based on the threat model, which helps auditors identify and understand the function of the project as well as vulnerable scenarios. Then further review was performed via static analysis, both automated and manual, as well as dynamic fuzz testing.
Audit Results:
- 19 Findings with Security Impact
- 2 High, 1 Medium, 10 Low, 6 Informational
- Recommendations for all 19 findings, based on their Impact, Exploitability, Parameter and Prerequisites
- Formal threat model with figures and detailed documentation of possible threat actors and scenarios
- Security recommendations customized to Kuksa
- 12 new fuzzing harnesses
Security audits don’t just create quantitative results but also result in documentation, insights, and recommendations that help project maintainers plan future security as well as releases and life cycles. OSTIF hopes that this audit can work to help Kuksa improve security in the short and long term as the project moves forward into the future.
Thank you to the individuals and groups that made this engagement possible:
- Kuksa maintainers and community, specifically: Erik Jaegervall, Sven Erik Jeroschewski
- Quarkslab: Frédéric Raynal, Ramtine Tofighi Shirazi, Pauline Sauder, Damien Aumaitre, Victor Houal, Laurent Laubin, Madigan Lebreton
- Eclipse Foundation: Mikaël Barbero, Marta Rybczynska
You can read the Audit Report HERE
You can read Kuksa’s Blog HERE
You can read the Eclipse Foundation’s blog HERE
You can read Quarkslab’s blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].