Security Audit of Eclipse Cyclone DDS

Cyclone DDS is an implementation of the Data Distribution Service specification published by the Object Management Group (OMG). The service offers message passing in a publisher-subscriber model with additional Quality of Service (QoS) settings. It is mainly in use in robotics and defense systems and can handle a large number of actors. The first version of Cyclone DDS was released at a time when the Internet was not ubiquitous, and in order to secure an instance it was recommended not to expose the network to the Internet. To improve the situation, OMG has released another specification, extending DDS with security plugins, which handle (among other things) authentication, access control and cryptographic methods.

In cooperation with the Open Source Technology Improvement Fund (OSTIF), X41 audited the security plugins that ship with Eclipse Cyclone DDS for security vulnerabilities and compared the implementation with the security specification. This also included the parts of Cyclone DDS that interface with the security plugins. Further, X41 contributed three fuzzers to be run within the OSS-Fuzz framework, targeting the primary attack surface of Cyclone DDS: message deserialization and the authentication handshake.

Full report of the security audit:
https://www.x41-dsec.de/static/reports/X41-OSTIF-Eclipse-Cyclone-DDS-2024-05-29-Final-Public.pdf

Eclipse Foundation’s announcement of the release can be found here:
https://blogs.eclipse.org/post/marta-rybczynska/eclipse-cyclonedds-security-audit-has-been-completed

OSTIF’s announcement can be found at:
https://ostif.org/cyclndds-audit-complete


If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!