I’d like to introduce a series of ROS videos. We’re working on a ROS crash-course for security professionals and penetration testers. These will serve as background prep before they start hacking away at a capture-the-flag event. We’re primarily targeting ROS 2 Foxy, so hopefully the videos can also help other tech professionals as a quick kickstart before digging into the many other available ROS 2 training resources.
Here’s a brief rundown of the 5-to-10-minute videos that have been published on the newly minted Ubuntu Robotics YouTube channel:
We’re planning to continue putting out content covering ROS concepts to include simulations within LXD.
I hope you find them useful, and please let us know if you have any suggestions!
Fully support this. If implemented appropriately, it will help to raise awareness on security and educate the community about it.
I browsed through the content and looks good to me so far. Short nice pieces, easy to digest.
As a first piece of feedback, it’s a bit unclear to me at this point how this would fit with ongoing community efforts on both containerization and security. Currently, AFAIK, most people in the community using containers do so via Docker, which is multi-platform. Also, the last security workshop at ROSCon was designed that way to facilitate reproduction, and at least I myself got very positive feedback in this regard. This series, however, seems to invest heavily in lxc/lxd, which is a nice alternative but seems Linux-specific, so the folks running on other-than-lxc-supported platforms might not benefit from it. Would it be possible to consider tutorials that teach/launch things with Docker? Maybe a separate track doing that?
As a second piece of feedback, it’s unclear to me what the end goal of the CTF is. Is it going to be ROS 2 oriented? If so, which part of it? Which packages/tools? I believe this is very relevant and where the community can add quite a bit of support. E.g., there seems to be great ongoing work on navigation with good contributions from several folks and groups including @smac, @fmrico, @ruffsl among others; maybe they’d be willing to put a few cycles on this and steer it towards learning/improving the navstack2 security situation and awareness? Cooperating with maintainers would deliver the best results IMHO.
Something else that popped into my mind: Is it open for contributions? How could someone go ahead and contribute to this? Maybe you could share a list of topics that you plan so far to cover in the series?
Hope it helps. Thanks for putting the series together.
These training videos aren’t necessarily to teach security (at least not yet); they’re to get pentesters interested in ROS. These folks will pen test an Oracle database one week, then a Xerox copier, and then a ROS robot. Heavy on technology, quick to learn, but typically zero background in ROS. Although most are very familiar with Python, few seem to be big on C/C++ or IDEs.
Why LXD instead of Docker? Simply because that’s how we’re building out the CTF. There’s a VirtualBox install somewhere in the queue; let me put Docker in the queue as well.
Our CTF setup is pretty simple for now. An OpenManipulatorX with a RasPi 4 running some canned routines, one of which is to actually capture a flag. Not even MoveIt. We have to build out the infrastructure before we can do more with ROS: scoring criteria, white cards, when and how to drop protections to keep the contest interesting, setting up the scoring portal, etc.
The CTF goal is pretty straightforward: it’s CIS Critical Security Control #18, Software Security. Secure coding practices, static analysis and dynamic analysis are part of the control; this is the dynamic application security testing (DAST) aspect.
Expect to hear more in the Security WG as this matures; we had to completely refactor when the pandemic forced us to retool for a remote event.
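The series and the CTF both stand up ROS 2 Foxy inside LXD rather than Docker (the original post and the "Why LXD instead of Docker?" reply above). As an added example, not code from the Ubuntu Robotics videos or the CTF, here is a provisioning script for the kind of container a pentester would want as a first sandbox: an unprivileged LXD container with ROS 2 Foxy `ros-base` installed from the ROS apt repository. The container name `ros2-foxy`, the `ubuntu:20.04` image, the `ros-foxy-ros-base` target and the `DRY_RUN` switch are my assumptions; the apt repository, keyring path and `ros2 doctor` check follow the ROS 2 Foxy install documentation.

```shell
#!/bin/sh
# provision_ros2_foxy_lxd.sh: added example, not from the video series or the CTF.
# Builds an unprivileged LXD container with ROS 2 Foxy ros-base for CTF prep.
# Assumed names (not from the thread): container "ros2-foxy", image "ubuntu:20.04".
set -eu

CONTAINER="${CONTAINER:-ros2-foxy}"
IMAGE="${IMAGE:-ubuntu:20.04}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the plan instead of touching LXD

# run: execute a command, or echo it when DRY_RUN=1 so the plan can be
# reviewed on a machine without an LXD host.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# in_container: run a shell snippet inside the container as root.
# Single quotes at the call sites keep $(...) for evaluation inside the guest.
in_container() {
    run lxc exec "$CONTAINER" -- sh -c "$1"
}

provision_ros2_foxy_lxd() {
    # 1. LXD containers are unprivileged by default: root in the guest maps to
    #    an unprivileged uid on the host, which is what you want for a sandbox.
    run lxc launch "$IMAGE" "$CONTAINER"
    # 2. Wait for cloud-init so networking and apt are usable.
    in_container 'cloud-init status --wait'
    # 3. Add the ROS 2 apt repository, pinned to its signing key, as in the
    #    ROS 2 Foxy install docs; then install ros-base (no GUI tools).
    in_container 'apt-get update && apt-get install -y curl gnupg2 lsb-release'
    in_container 'curl -sSL https://raw.githubusercontent.com/ros/rosdistro/master/ros.key -o /usr/share/keyrings/ros-archive-keyring.gpg'
    in_container 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/ros-archive-keyring.gpg] http://packages.ros.org/ros2/ubuntu $(lsb_release -cs) main" > /etc/apt/sources.list.d/ros2.list'
    in_container 'apt-get update && apt-get install -y ros-foxy-ros-base'
    # 4. Sanity check: ros2 doctor reports the distro, network interfaces and
    #    package versions, which is the first thing a tester wants to see.
    in_container '. /opt/ros/foxy/setup.sh && ros2 doctor --report'
}
```

Usage: `DRY_RUN=1 sh -c '. ./provision_ros2_foxy_lxd.sh && provision_ros2_foxy_lxd'` prints the seven commands for review; drop `DRY_RUN=1` on a host with LXD initialised to actually build the container. Keeping the container unprivileged and installing only `ros-base` keeps the attack surface close to what a headless robot (the RasPi 4 in the CTF) would expose.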
Thanks for these great videos! In some cases it might be reasonable to use ROS2 apps wrapped into snap packages instead of into containers. Are you planning to add videos for this use case as well?
You bet. Just getting some of the fundamentals done now, but snaps are definitely on the roadmap!