Model

Defence-in-Depth Model

Seven concentric security rings, each independently enforced.

EmbeddedOS defence-in-depth security model
🔑

Hardware Root of Trust

Immutable ROM code, OTP-fused public keys, and hardware secure elements (TPM 2.0, ARM TrustZone, RISC-V PMP) form the unforgeable foundation of trust.

🔒

Verified Boot (eBootloader)

ECDSA-256 signature verification at every boot stage. Anti-rollback counters in OTP prevent downgrade attacks. AES-256-GCM encrypted firmware images.

🛡️

Capability-Based Kernel (EoS)

No ambient authority. Every process holds explicit capability tokens for each resource it accesses. Capabilities cannot be forged or escalated without kernel mediation.

🔐

Process Isolation

MPU/MMU-enforced memory isolation between processes. Stack canaries, ASLR (on capable targets), and NX/XN bit enforcement prevent code injection.

📡

Secure IPC (EIPC)

All inter-process communication flows through EIPC capability-gated channels. No shared mutable state without explicit capability grant.

🗄️

Encrypted Storage (eDB)

AES-256-XTS per-page encryption with HKDF-SHA256 key derivation. Integrity-protected WAL prevents silent data corruption.

Cryptography

Cryptographic Primitives

Asymmetric SignaturesECDSA-256 (NIST P-256); Ed25519 (Curve25519) — used in eBootloader and OTA
Symmetric EncryptionAES-256-GCM (authenticated encryption); AES-256-XTS (disk encryption in eDB)
Hash FunctionsSHA-256, SHA-384, SHA-512 (FIPS 180-4); BLAKE3 (high-speed integrity)
Key DerivationHKDF-SHA256 (RFC 5869); PBKDF2-SHA256 (password-based)
Random Number GenerationHardware TRNG (where available); ChaCha20-based CSPRNG fallback
Key ExchangeECDH (P-256); X25519 — used in OTA update channel
Certificate FormatX.509 v3 (DER encoding); compact CBOR-based certificates for constrained devices
ImplementationmbedTLS 3.x (primary); TinyCrypt (ultra-constrained targets < 32 KB flash)
Compliance

Standards & Certifications

The EmbeddedOS stack is designed to support the following industry standards. Certification artifacts are provided as community resources.

IEC 62443

Industrial cybersecurity standard. EoS capability model and EIPC isolation architecture align with IEC 62443-4-2 component security requirements.

ISO 21434

Automotive cybersecurity engineering. eBootloader secure boot chain and OTA update protocol support ISO 21434 risk assessment and threat modeling.

IEC 62304

Medical device software lifecycle. EoS process isolation and EIPC typed channels support IEC 62304 Class C software architecture requirements.

NIST SP 800-193

Platform firmware resiliency guidelines. eBootloader implements all three NIST resiliency goals: protection, detection, and recovery.

DO-178C

Avionics software standard. EoS deterministic scheduler and formal verification roadmap target DO-178C Level A certification artifacts.

FIPS 140-3

Cryptographic module standard. The EoS crypto HAL uses FIPS 140-3 validated algorithms (AES-256, SHA-256, ECDSA-256) with hardware acceleration.

Disclosure

Vulnerability Disclosure Policy

EmbeddedOS follows a coordinated vulnerability disclosure (CVD) policy. Security researchers who discover vulnerabilities are encouraged to report them privately before public disclosure.

Reporting: Send vulnerability reports to security@embeddedos.org encrypted with our PGP public key.

Response timeline: We acknowledge reports within 48 hours, provide a triage assessment within 7 days, and aim to release patches within 90 days of confirmation.

CVE assignment: We coordinate CVE assignment through MITRE for confirmed vulnerabilities in released versions.

Bug bounty: We do not currently operate a paid bug bounty program, but we publicly credit researchers in our security advisories and release notes.