Re: [threadx] Cybersecurity measures for Eclipse ThreadX

Hello Frédéric,

Thank you for your kind and detailed reply.
I will take some time to understand the details.

Let me ask a few more questions about the Eclipse ThreadX initiative.

Is it correct to assume that the Eclipse Foundation will be responsible for and actively promote
the maintenance of Eclipse ThreadX's quality and functionality?
The reason for this is that ThreadX was previously maintained by commercial companies such as
Express Logic and Microsoft, so I am concerned about whether the active maintenance of quality
and performance will continue now that management has been transferred from commercial companies
to a non-profit organization.

In relation to the above, what is the technical support desk for Eclipse ThreadX? (Is it the
threadx-dev@xxxxxxxxxxx mailing list?)
If there are any other technical support desks where we can make individual inquiries involving
information that we do not want to make public (for example, related to development projects for
a specific customer), please let us know.

Returning to the question about cybersecurity measures, if Eclipse ThreadX has an estimate of the
response time from the discovery of a vulnerability to the implementation of a countermeasure,
could you please let us know? (The response time depends on the content of the vulnerability,
so if it is difficult to give a general answer, please let us know.)

Best regards,
--
Yoji Sato
Grape Systems Inc.


On 2024/08/02 19:58, Frédéric Desbiens via threadx wrote:
Hi Yoji.

Thank you very much for your thoughtful questions. My colleagues from the Eclipse security team and I worked on the answers below.

-----


1. What is Eclipse ThreadX's basic approach to cybersecurity attacks? If there is any initiative, what is the promotion system for such initiatives?

All Eclipse Foundation projects follow the Eclipse Foundation Vulnerability Reporting policy <https://www.eclipse.org/security/policy/>, which is the main initiative related to security. Each project is responsible for implementing the policy with its technical specificities. The Eclipse Foundation Handbook, which is the main reference on best practices, provides a whole section on security <https://www.eclipse.org/projects/handbook/#vulnerability>.


The Eclipse Foundation possesses a dedicated security team to support projects by implementing security policies and providing guidance. The Eclipse Foundation Security Team provides help and advice to Eclipse projects on security issues and is the first point of contact for handling security vulnerabilities. The Eclipse Foundation is also a CNA (CVE Numbering Authority) and is assigning CVE (Common Vulnerability Enumeration) numbers to vulnerabilities found in Eclipse Foundation Projects. ThreadX has finished the transition to the Eclipse Foundation CNA.


In the last two years, the security team focused on making the Foundation's Open Source Software Supply Chain more secure. This effort included multiple initiatives. For example, it enforced two-factor authentication on committer accounts <https://blogs.eclipse.org/post/mika%C3%ABl-barbero/securing-future-2fa-now-mandatory-eclipse-foundation-committers>. It also worked on the unification of security settings <https://www.eclipse.org/projects/handbook/#resources-github-self-service> on all repositories of Eclipse Foundation projects and enforcing security best practices, like secret scanning or branch protection. In addition, it worked with our open source project teams to gradually deploy comprehensive software bill of materials (SBOMs), enabling adopters of the technology to understand the origin of the Eclipse software itself along with its dependencies.


We also performed several security audits on critical projects, the results of which are available on the Eclipse Foundation blog <https://blogs.eclipse.org/>.


You can stay informed of current and upcoming security initiatives by following the security tag <https://blogs.eclipse.org/blog-tags/security> of the Eclipse Foundation blog.


2. Does Eclipse ThreadX conduct vulnerability verification? If any vulnerability is confirmed in an Eclipse ThreadX component, what kind of response will be taken?


The Eclipse Foundation manages vulnerabilities according to its Vulnerability Reporting Policy <https://www.eclipse.org/security/policy/>, which applies to every Eclipse Foundation project, including ThreadX, and corresponds to industry best practices.

It is worth mentioning that The Eclipse Foundation is a Common Vulnerabilities and Exposures <https://cve.mitre.org/> (CVE) Numbering Authority, so the Eclipse Foundation Security Team is allocating CVE numbers directly.


The Eclipse Project handbook <https://www.eclipse.org/projects/handbook> contains a dedicated section on managing and reporting vulnerabilities <https://www.eclipse.org/projects/handbook/#vulnerability>. Essentially, the ThreadX team selected a subset of committers to validate reported vulnerabilities. When a vulnerability is reported, the security team will share the details privately with those committers, who will then investigate. If a vulnerability is confirmed, the committers will work with the security team to properly disclose its existence. In parallel, they will implement code fixes to mitigate the vulnerabilities when appropriate.


The ThreadX project, like any other Eclipse Foundation project, gets support from the Eclipse Foundation Security Team in this process. The Eclipse Foundation staff in the Security Team has experience handling multi-project embargoes and provides advice to all projects that need it.


3. Is Eclipse ThreadX conducting any initiative regarding secure coding? If there is an initiative, could you please explain what it is specifically?


At the most basic level, the Eclipse ThreadX source code complies with all "required" and "mandatory" rules of MISRA-C:2004 and MISRA C:2012. In addition, the committer team and Foundation staff, including the Eclipse security team, are working on defining the ThreadX safety process, which will mandate reviews and secure coding best practices. We will inform you about the ThreadX safety process later since work is ongoing.


In April 2024, the Eclipse Foundation announced an initiative to establish common specifications for secure software development based on open source best practices. Named the Open Regulatory Compliance Working Group <https://www.eclipse.org/workinggroups/open-regulatory-compliance-charter.php>, this initiative demonstrates full cooperation with and to support the implementation of the European Union's Cyber Resilience Act (CRA). It is supported by the Apache Software Foundation <https://www.apache.org/>, Blender Foundation <https://www.blender.org/about/foundation/>, OpenSSL Software Foundation <https://www.openssl.org/>, PHP Foundation <https://thephp.foundation/>, Python Software Foundation <https://www.python.org/psf-landing/>, and Rust Foundation <https://foundation.rust-lang.org/>, among others.


The CRA <https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_5375> introduces common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software. Naturally, Eclipse Foundation projects dealing with embedded and mission-critical use cases, such as ThreadX, are expected to implement the resulting specifications in their workflows and processes.

You can learn more about the Open Regulatory Compliance Working Group here <https://outreach.eclipse.foundation/open-regulatory-compliance>.


4. It seems that Eclipse ThreadX has received certifications such as functional safety. If there is any relationship between these and cybersecurity measures, could you please introduce them?


ThreadX, when it was known as Azure RTOS, was certified by SGS-TÜV Saar for use in safety-critical systems, according to IEC-61508 SIL 4, IEC-62304 SW Safety Class C, ISO 26262 ASIL D and EN 50128. It was also certified by UL for compliance with UL 60730-1 Annex H, CSA E60730-1 Annex H, IEC 60730-1 Annex H, UL 60335-1 Annex R, IEC 60335-1 Annex R, and UL 1998. We are working to migrate those certifications to Eclipse ThreadX with the relevant stakeholders.


In parallel, Azure RTOS achieved PSA Level 1 security certification, and its cryptographic libraries have achieved Federal Information Processing Standardization 140-2 (FIPS 140-2) certification. While our focus is currently on the safety certifications, we hope to renew those security certifications at some point in the future.


Safety and security are paramount to the Foundation and the Eclipse ThreadX team. The project committers are involved in both aspects, ensuring a unified strategy for delivering both.


-----

I hope this helps. Do not hesitate to reply if you have further questions.

Best Regards,

Frédéric DESBIENS

Senior Manager — Embedded and IoT | Eclipse Foundation

Mastodon: @fdesbiens@xxxxxxxxxxxxxxxxxxxxx <mailto:fdesbiens@xxxxxxxxxxxxxxxxxxxxx>




On Wed, 31 Jul 2024 at 03:30, Yoji Sato via threadx <threadx@xxxxxxxxxxx <mailto:threadx@xxxxxxxxxxx>> wrote:

    Dear Eclipse ThreadX administrator,

    Since Eclipse ThreadX has been open-sourced, I believe that it is more susceptible to cybersecurity attacks
    than before, so I would like to ask a few related questions.

    1.What is Eclipse ThreadX's basic approach to cybersecurity attacks?
        If there is any initiative, what is the promotion system for such initiatives?

    2.Does Eclipse ThreadX conduct vulnerability verification?
        If any vulnerability is confirmed in an Eclipse ThreadX component, what kind of response will be taken?

    3.Is Eclipse ThreadX conducting any initiative regarding secure coding?
        If there is an initiative, could you please explain what it is specifically?

    4.It seems that Eclipse ThreadX has received certifications such as functional safety.
        If there is any relationship between these and cybersecurity measures, could you please introduce them?

    Best regards,
    --
    Yoji Sato
    Grape Systems Inc.


_______________________________________________
threadx mailing list
threadx@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org