Key take‑aways:
| Area | Status (3.3) |
|------|--------------|
| | Stable, backward-compatible with 2.x API |
| Supported Platforms | Linux (x86_64, ARM64), macOS (Intel, Apple silicon), Windows (limited) |
| Security | Hardened signature verification, sandboxed plug-ins, but still susceptible to supply-chain risks if unsigned modules are used |
| Performance | ≤ 2 % overhead on typical workloads; negligible impact on real-time threads |
| Community | Active mailing list, quarterly security audits, open-source core (MIT-style) with commercial plug-ins |
```
+-----------------+   gRPC/TLS   +-------------------+
|  Orchestrator   |<------------>|  rloaderd Daemon  |
+-----------------+              +-------------------+
         ^                                 |
         | (CLI)                           | (seccomp-sandboxed)
         v                                 v
+-----------------+              +-------------------+
|  rlctl client   |              |  Plug-in Loader   |
+-----------------+              +-------------------+
                                           |
                                           v
                                  +-------------------+
                                  |  .rlm Module(s)   |
                                  +-------------------+
```

| Feature | Description | Impact |
|---------|-------------|--------|
| Delta-Update Engine | Generates binary diffs between module versions; reduces OTA payload size by up to 70 % for large libraries. | Bandwidth savings for remote devices. |
| Enhanced Crypto | Switch from RSA-2048 to Ed25519; adds support for P-256 ECDSA for legacy compatibility. | Faster verification, smaller signatures. |
| Namespace-Based Sandboxing | Each plug-in runs in its own PID, mount, and network namespace with a strict seccomp profile. | Mitigates risk of malicious plug-ins. |
| Rollback-Safe Loading | Automatic snapshot of previous module state; on failure the loader reverts automatically. | Improves reliability of hot-patches. |
| K8s Operator | New `reloader-operator` Helm chart for automated management of modules across a cluster. | Simplifies large-scale deployment. |
| Telemetry Opt-Out Flag | `--disable-telemetry` enforced at compile-time for privacy-focused deployments. | Addresses compliance concerns. |
| Improved Logging | Structured JSON logs with correlation IDs, compatible with ELK/EFK stacks. | Easier debugging and monitoring. |

5. Security Assessment

5.1 Threat Model (as defined by the vendor)

| Actor | Goal | Attack Vector |
|-------|------|---------------|
| External Attacker | Load malicious code onto a target device | Compromise OTA server, supply unsigned modules, or steal signing keys |
| Malicious Insider | Escalate privileges via plug-in | Deploy a plug-in with excessive capabilities, bypass seccomp |
| Supply-Chain Compromise | Introduce backdoor in the core loader | Modify source before build, tamper with binary distribution |

5.2 Security Controls

| Control | Implementation | Effectiveness |
|---------|----------------|---------------|
| Signature Verification | Ed25519 signatures verified against a configurable keyring. | High (prevents tampering if keys are protected). |
| Namespace & Seccomp | Default sandbox profile denies `mount`, `ptrace`, `mknod`, and most network syscalls. | Medium-High (reduces blast radius). |
| Mandatory Access Control (MAC) | Integration with SELinux/AppArmor profiles (optional). | Dependent on host policy. |
| Audit Logging | All load/unload actions logged with user ID, timestamp, module hash. | High (detects abuse). |
| Rollback Mechanism | Automatic revert on load failure (segfault, validation error). | Medium (prevents persistent crash). |
| Key Management | Supports hardware-backed HSM/YubiKey for signing; recommends rotating keys every 12 months. | High (if followed). |

5.3 Known Vulnerabilities (as of Apr 2026)

| CVE | Description | Status |
|-----|-------------|--------|
| CVE-2025-4123 | Out-of-bounds read in the delta-generation algorithm could lead to information disclosure. | Patched in 3.3.1 |
| CVE-2025-4890 | Incomplete sanitisation of manifest JSON allowed path traversal when extracting resources. | Fixed in 3.3.2 |
| CVE-2024-9987 | Improper handling of TLS renegotiation could allow a man-in-the-middle to downgrade encryption. | Mitigated via forced TLS 1.3 in 3.2; still recommended to enforce server-side verification. |
| CVE-2023-7711 (third-party lib) | Vulnerable version of libprotobuf bundled with the CLI. | Updated in 3.3.0; users should verify package signatures. |
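The Signature Verification and Audit Logging rows of the controls table describe a keyring check followed by a structured load record. The Go program below is an added illustration of that flow; it is not the rloaderd project's own code, and the `Keyring` type, the key-ID scheme (a short SHA-256 of the public key) and the `AuditRecord` fields are assumptions made for this example. It shows the three outcomes a loader has to distinguish: a module signed by a keyring member, a module whose signature verifies but under a key the keyring does not trust, and a module whose bytes changed after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Keyring maps a key identifier to a trusted Ed25519 public key.
// The identifier scheme is an assumption for this example.
type Keyring map[string]ed25519.PublicKey

// KeyID derives the identifier a public key is stored under (first 8 bytes of its SHA-256).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// AuditRecord carries the fields the page lists for load/unload audit lines:
// user, timestamp, module hash, plus the signing key and the outcome.
type AuditRecord struct {
	Action     string `json:"action"`
	User       string `json:"user"`
	Timestamp  string `json:"ts"`
	ModuleHash string `json:"module_sha256"`
	KeyID      string `json:"key_id"`
	Result     string `json:"result"`
}

var (
	ErrUnknownKey   = errors.New("signer key not in keyring")
	ErrBadSignature = errors.New("signature does not verify")
)

// VerifyModule checks sig over module using the keyring entry named by keyID.
// A signature from a key outside the keyring is rejected even if it would verify:
// the keyring, not the signature, is the trust anchor.
func VerifyModule(kr Keyring, keyID string, module, sig []byte) error {
	pub, ok := kr[keyID]
	if !ok {
		return ErrUnknownKey
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, module, sig) {
		return ErrBadSignature
	}
	return nil
}

// LoadWithAudit verifies the module and returns the audit record that would be
// written for the attempt, whether it succeeded or was rejected.
func LoadWithAudit(kr Keyring, user, keyID string, module, sig []byte) (AuditRecord, error) {
	sum := sha256.Sum256(module)
	rec := AuditRecord{
		Action:     "load",
		User:       user,
		Timestamp:  time.Now().UTC().Format(time.RFC3339),
		ModuleHash: hex.EncodeToString(sum[:]),
		KeyID:      keyID,
		Result:     "ok",
	}
	err := VerifyModule(kr, keyID, module, sig)
	if err != nil {
		rec.Result = "rejected: " + err.Error()
	}
	return rec, err
}

func main() {
	// Constructed keys and module bytes for the demonstration.
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{KeyID(trustedPub): trustedPub}
	module := []byte("constructed .rlm module bytes")

	emit := func(rec AuditRecord, err error) {
		line, _ := json.Marshal(rec)
		fmt.Println(string(line), err)
	}

	// 1. Signed by a keyring member: accepted.
	good := ed25519.Sign(trustedPriv, module)
	emit(LoadWithAudit(kr, "ops", KeyID(trustedPub), module, good))

	// 2. Valid signature, but from a key the keyring does not trust: rejected.
	rogue := ed25519.Sign(roguePriv, module)
	emit(LoadWithAudit(kr, "ops", KeyID(roguePub), module, rogue))

	// 3. Module bytes altered after signing: rejected.
	tampered := append([]byte{}, module...)
	tampered[0] ^= 0xff
	emit(LoadWithAudit(kr, "ops", KeyID(trustedPub), tampered, good))
}
```

The second case is the one behind the table's "if keys are protected" caveat: because membership in the keyring decides trust, the keyring file needs the same integrity protection as the signing key itself, and the audit line records which key ID was presented so a rejected unknown key can be alerted on.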
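CVE-2025-4890 in the vulnerabilities table is described as incomplete sanitisation of manifest JSON leading to path traversal during resource extraction. The Go program below is an added example of the containment check an extractor needs for that class of bug; it is not the project's patch, and the `Manifest` fields and the extraction root are assumptions. Every resource path is cleaned, joined under the root and rejected unless the result still lies strictly inside it, which covers absolute paths, `..` components that only appear after normalisation, backslash separators, and a sibling directory that merely shares the root's name as a prefix.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Manifest is a minimal stand-in for a module manifest that lists resource
// files to extract. Field names are assumptions for this example.
type Manifest struct {
	Name      string   `json:"name"`
	Resources []string `json:"resources"`
}

var ErrUnsafePath = errors.New("resource path escapes extraction root")

// SafeJoin resolves a manifest-supplied relative path under root and refuses
// anything that would resolve outside root. Checking the cleaned result, not
// the raw string, is what catches "lib/../../x" style entries.
func SafeJoin(root, rel string) (string, error) {
	if rel == "" || filepath.IsAbs(rel) || strings.HasPrefix(rel, "\\") {
		return "", ErrUnsafePath
	}
	// Treat backslashes as separators too, so "..\x" is caught on Linux hosts.
	norm := strings.ReplaceAll(rel, "\\", "/")
	cleanRoot := filepath.Clean(root)
	full := filepath.Clean(filepath.Join(cleanRoot, filepath.FromSlash(norm)))
	if full == cleanRoot {
		return "", ErrUnsafePath // "." resolves to the root itself, not to a file
	}
	// The trailing separator prevents "/root2/x" from passing for root "/root".
	if !strings.HasPrefix(full, cleanRoot+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

// PlanExtraction validates every resource path before any file is written,
// so a single bad entry rejects the whole manifest rather than leaving a
// partially extracted module behind.
func PlanExtraction(root string, raw []byte) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(m.Resources))
	for _, r := range m.Resources {
		p, err := SafeJoin(root, r)
		if err != nil {
			return nil, fmt.Errorf("manifest %q, resource %q: %w", m.Name, r, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	// Constructed manifests: one clean, one carrying a traversal entry.
	root := "/opt/modules/demo" // assumed extraction root
	clean := []byte(`{"name":"demo","resources":["lib/demo.so","cfg/demo.json"]}`)
	bad := []byte(`{"name":"demo","resources":["lib/demo.so","lib/../../outside.txt"]}`)

	if paths, err := PlanExtraction(root, clean); err == nil {
		fmt.Println("accepted:", paths)
	}
	if _, err := PlanExtraction(root, bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The check is deliberately done on the joined, cleaned path rather than by scanning the input for `..`, because a scan misses entries that only become traversal after normalisation and rejects harmless names such as `a..b`.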