Security Architecture
The EmbeddedOS stack is designed with security as a first-class property — not an afterthought. Every layer from hardware root of trust to application sandbox enforces the principle of least privilege.
Defence-in-Depth Model
Seven concentric security rings, each independently enforced.
Hardware Root of Trust
Immutable ROM code, OTP-fused public keys, and hardware secure elements (TPM 2.0, ARM TrustZone, RISC-V PMP) form the unforgeable foundation of trust.
Verified Boot (eBootloader)
ECDSA-256 signature verification at every boot stage. Anti-rollback counters in OTP prevent downgrade attacks. AES-256-GCM encrypted firmware images.
Capability-Based Kernel (EoS)
No ambient authority. Every process holds explicit capability tokens for each resource it accesses. Capabilities cannot be forged or escalated without kernel mediation.
Process Isolation
MPU/MMU-enforced memory isolation between processes. Stack canaries, ASLR (on capable targets), and NX/XN bit enforcement prevent code injection.
Secure IPC (EIPC)
All inter-process communication flows through EIPC capability-gated channels. No shared mutable state without explicit capability grant.
Encrypted Storage (eDB)
AES-256-XTS per-page encryption with HKDF-SHA256 key derivation. Integrity-protected WAL prevents silent data corruption.
Cryptographic Primitives
| Asymmetric Signatures | ECDSA-256 (NIST P-256); Ed25519 (Curve25519) — used in eBootloader and OTA |
|---|---|
| Symmetric Encryption | AES-256-GCM (authenticated encryption); AES-256-XTS (disk encryption in eDB) |
| Hash Functions | SHA-256, SHA-384, SHA-512 (FIPS 180-4); BLAKE3 (high-speed integrity) |
| Key Derivation | HKDF-SHA256 (RFC 5869); PBKDF2-SHA256 (password-based) |
| Random Number Generation | Hardware TRNG (where available); ChaCha20-based CSPRNG fallback |
| Key Exchange | ECDH (P-256); X25519 — used in OTA update channel |
| Certificate Format | X.509 v3 (DER encoding); compact CBOR-based certificates for constrained devices |
| Implementation | mbedTLS 3.x (primary); TinyCrypt (ultra-constrained targets < 32 KB flash) |
Standards & Certifications
The EmbeddedOS stack is designed to support the following industry standards. Certification artifacts are provided as community resources.
IEC 62443
Industrial cybersecurity standard. EoS capability model and EIPC isolation architecture align with IEC 62443-4-2 component security requirements.
ISO 21434
Automotive cybersecurity engineering. eBootloader secure boot chain and OTA update protocol support ISO 21434 risk assessment and threat modeling.
IEC 62304
Medical device software lifecycle. EoS process isolation and EIPC typed channels support IEC 62304 Class C software architecture requirements.
NIST SP 800-193
Platform firmware resiliency guidelines. eBootloader implements all three NIST resiliency goals: protection, detection, and recovery.
DO-178C
Avionics software standard. EoS deterministic scheduler and formal verification roadmap target DO-178C Level A certification artifacts.
FIPS 140-3
Cryptographic module standard. The EoS crypto HAL uses FIPS 140-3 validated algorithms (AES-256, SHA-256, ECDSA-256) with hardware acceleration.
Vulnerability Disclosure Policy
EmbeddedOS follows a coordinated vulnerability disclosure (CVD) policy. Security researchers who discover vulnerabilities are encouraged to report them privately before public disclosure.
Reporting: Send vulnerability reports to security@embeddedos.org encrypted with our PGP public key.
Response timeline: We acknowledge reports within 48 hours, provide a triage assessment within 7 days, and aim to release patches within 90 days of confirmation.
CVE assignment: We coordinate CVE assignment through MITRE for confirmed vulnerabilities in released versions.
Bug bounty: We do not currently operate a paid bug bounty program, but we publicly credit researchers in our security advisories and release notes.