OpenDNP3 was released as open source over 10 years ago. This post describes where I believe the project has succeeded, where it hasn’t, and why Step Function I/O is using a different licensing model for our new libraries going forward. In many ways, OpenDNP3 has been a success. We are constantly learning of new companies that have successfully used the library to add DNP3 functionality to their product or service offering.
CVE-2020-10611 - RCE in a flawed DNP3 Implementation
S4x20 hosted the Pwn2Own Miami hacking competition this year, and one of the more interesting and impactful results was a bug chain leading to remote code execution (RCE) in the Triangle MicroWorks (TMW) SCADA Data Gateway. The Zero Day Initiative, which puts on these competitions, recently released a detailed writeup (and video) of the bugs and the exploit. Achieving code execution on the Triangle MicroWorks SCADA Data Gateway - details (and video!
Binding Rust to other languages safely and productively
When we made the decision to write our next generation of libraries in Rust, we knew we needed a solid approach for binding them to other languages. It may be some time before we have customers purchasing our libraries to use them in a Rust-only codebase. The majority of our customers will want to use the libraries in C/C++, .NET, or Java. Writing the core implementation in Rust means more productivity, fewer errors, and certain safety guarantees compared to writing it in C++.