| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take the security of ORIP (Open-RemoteID-Parser) seriously. If you discover a security vulnerability, please report it responsibly.
- DO NOT create a public GitHub issue for security vulnerabilities
- Send a detailed report to: [security@your-domain.com] (or create a private security advisory on GitHub)
- Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: We will acknowledge receipt within 48 hours
- Initial Assessment: We will provide an initial assessment within 7 days
- Resolution Timeline: Critical vulnerabilities will be addressed within 30 days
- Disclosure: We follow coordinated disclosure practices
ORIP implements multiple layers of security to ensure safe parsing of potentially malicious Remote ID data:
- Payload Size Limits: All inputs are validated against maximum size limits before processing
- Boundary Checks: Pointer arithmetic is protected with bounds checking
- Integer Overflow Protection: Critical integer operations are guarded against overflow/underflow
// Example: Safe length check before processing
if (payload.size() < MIN_MESSAGE_LENGTH || payload.size() > MAX_MESSAGE_LENGTH) {
return ParseResult::error("Invalid payload size");
}- No Raw Pointer Arithmetic: Uses
std::vectorand safe accessors - RAII Patterns: Resources are managed through RAII to prevent leaks
- No Manual Memory Management: Avoids
new/deletein favor of smart pointers
ORIP is continuously fuzz-tested using libFuzzer to discover edge cases:
# Run fuzz tests
CC=clang CXX=clang++ cmake .. -DORIP_BUILD_FUZZ=ON
cmake --build . --target fuzz_parser
./fuzz_parser ../fuzz/corpus -max_len=512 -max_total_time=60CI pipeline includes multiple sanitizers:
| Sanitizer | Purpose | CI Status |
|---|---|---|
| AddressSanitizer (ASan) | Memory errors | ✅ Enabled |
| UndefinedBehaviorSanitizer (UBSan) | Undefined behavior | ✅ Enabled |
| ThreadSanitizer (TSan) | Data races | ✅ Enabled |
| LeakSanitizer (LSan) | Memory leaks | ✅ Enabled |
ORIP parses Remote ID broadcasts which may come from:
- Legitimate UAVs (drones)
- Malicious actors attempting to spoof or disrupt
- Corrupted or malformed transmissions
| Attack Vector | Risk Level | Mitigation |
|---|---|---|
| Malformed payloads | Medium | Input validation, fuzz testing |
| Integer overflow | Medium | Bounds checking, sanitizers |
| Buffer overflow | High | No raw pointers, std::vector |
| Replay attacks | Medium | Timestamp validation, anomaly detection |
| ID spoofing | High | Anomaly detection, signal analysis |
-
Isolate the Parser
// Run parser in a sandboxed environment if possible RemoteIDParser parser(config); // Process untrusted input auto result = parser.parse(untrusted_data, rssi, transport);
-
Validate Results
if (!result.success) { // Handle parsing failure gracefully log_warning("Parse failed: " + result.error_message); return; }
-
Use Anomaly Detection
// Enable anomaly detection to identify suspicious patterns AnomalyDetector detector(config); auto anomalies = detector.analyze(uav, rssi); for (const auto& a : anomalies) { if (a.confidence > 0.8) { log_alert("High-confidence anomaly: " + a.description); } }
-
Limit Resource Usage
// Configure session manager with reasonable limits ParserConfig config; config.session_timeout_ms = 30000; // 30 seconds config.max_uav_count = 1000; // Limit tracked UAVs
| Component | Status | Notes |
|---|---|---|
| Protocol Parsing (ASTM F3411) | ✅ Audited | Integer bounds verified |
| Protocol Parsing (ASD-STAN) | ✅ Audited | Input validation verified |
| WiFi Decoder | ✅ Audited | Pointer safety verified |
| Session Manager | ✅ Audited | Thread safety with TSan |
| Anomaly Detector | ✅ Audited | Floating-point precision fixed |
| C API Bindings | ✅ Audited | Memory ownership clear |
| Python Bindings | ✅ Audited | GIL handling verified |
| Android JNI | 🟡 Partial | Requires Android testing environment |
| Version | Issue | Fix |
|---|---|---|
| 0.1.0 | Integer underflow in message length calculation | Added pre-check for minimum length |
| 0.1.0 | Floating-point precision in anomaly detection | Added epsilon comparison |
| 0.1.0 | Pointer bounds in ASTM parser | Added boundary validation |
ORIP includes comprehensive protection against malicious inputs:
- Empty payloads - Gracefully rejected
- Oversized payloads (10KB, 1MB) - Rejected with size limit
- All-zero payloads - Handled without crash
- All-0xFF payloads - Handled without crash
- Random byte sequences - No undefined behavior
- Format string attacks (%n, %s) - No injection possible
- Truncated messages - Detected and rejected
- Invalid message types - Rejected with error
- Protocol confusion attacks - Handled by protocol detection
- Replay attacks - Detected by anomaly detector
- MessagePack nesting attacks - Depth-limited
Malicious input tests: 40+ test cases
Boundary condition tests: 25+ test cases
Thread safety tests: 20+ test cases
| Dependency | Version | Security Status |
|---|---|---|
| C++ Standard Library | C++17 | N/A (compiler-provided) |
| Google Test | 1.11+ | ✅ No known vulnerabilities |
| Google Benchmark | 1.8+ | ✅ No known vulnerabilities |
- CMake 3.14+ (build only)
- Python 3.8+ (testing only)
- Clang (fuzzing only)
When contributing code, please ensure:
- No use of raw
new/delete - All pointer arithmetic has bounds checks
- All integer arithmetic considers overflow
- All external inputs are validated
- No format string vulnerabilities
- Thread-safe if accessed from multiple threads
- Tests pass with ASan and UBSan enabled
- Fuzz tests run without crashes
For security concerns, please contact:
- Security Issues: Create a private security advisory on GitHub
- General Questions: Open a GitHub issue
Last Updated: 2026-01-23 Security Policy Version: 1.0