ROS2 Security Working Group Online Meeting

Hi all, I’m an engineer at Amazon working on ROS2 and wanted to get in touch with people working on SROS2 and the Crystal release of ROS2. I’ve met with a few folks in the community and want to make security intuitive, easy to configure, and performant in ROS2. There were some great talks at RosCon regarding ROS2 and security and I would like to join forces with people working on security-related items for ROS2.

Some gaps to be addressed for ROS2 Crystal:

  • Secure services and parameters
  • Secure key storage
  • Automated security recommendations and configuration
  • Secure, signed configurations management
  • Auditing and logging
  • External network connectivity
  • Security best practices
  • Promoting security-driven tests

This is by no means an exhaustive list, purely just what could be the minimum bar for a system based on ROS2. I would really like to get input from folks working on security and ROS2 and want to host an online meeting on October 15th @ 17:00 PDT.

Please reply if you are interested.

  • Ray Cole

It’s not realistic for ROS2 Crystal as well however worth to be considered for the long time roadmap:

  • integration of fuzzy testing in to the CI environment

There is a nice read (blog post of a Security Engineer) about how to integrate public repositories into Google OSS-Fuzz (“continous open source software fuzzying as a service”) and about how to make OSS-Fuzz work for private repositories. Google tries to motivate people to integrate projects into OSS-Fuzz with patch rewards… probably an interesting model to get people like aliasrobotics.com (@EndikaGu) involved into ROS2 security improvement :wink: . However OSS-Fuzz based Fuzzy Testing addresses low levels of abstraction (source code like rclcpp, rclc, rmw) the priority in comparison to the other point in the list (higher levels of abstraction like features, “security by design”) is quite low. Nevertheless worth to being mention here I guess.

Sounds good, count me in!
I could start earlier though, as I’ll have to leave for another meeting after 18:30 PDT.
Can you post a link to the online meeting?

FYI: Meeting notes from previous security meetup:

Here’s the meeting info:

October 15th @ 17:00 PDT

You have been invited to an online meeting, powered by Amazon Chime.

  1. Click to join the meeting:

https://chime.aws/3393577780

Meeting ID: 3393 57 7780

  1. You can use your computer’s microphone and speakers, however, a headset is recommended. Or, call in using your phone:

United States Toll-Free: +1 855-552-4463
Meeting PIN: 3393 57 7780

One-click Mobile Dial-in (United States (1)): +1 206-462-5569,3393577780#

United States (1): +1 206-462-5569
International: https://chime.aws/dialinnumbers/

Meeting PIN: 3393577780#

1 Like

I completely agree, fuzz testing would be a great thing to add. There’s quite a few more things like HSMs and other ideas that people have thrown out which would be very useful.

I want to try to capture all of this, however I would also like to primarily focus on what could be there for Crystal as well.

Thanks for setting this up. I will call into the meeting.

I’ll be there.

I’d like to see some type of threat scenarios listed with the security measures listed for each.

For example:
Scenario 1: Robot running in a public place, connected to wifi with other users on it.

  • Threat - user can potentially start publishing to ROS2 topics, how do we ensure no user can publish to CMD_VEL topic for instance and start driving our robot?
  • Threat 2 - instead of publishing to a topic, what if they try to make service requests over and over to create a DoS attack?

Those are some admittedly simple examples. I would like to see a more comprehensive list and some type of security answer for each as to how to defend against the threat.

1 Like

@coleray, it’ll be great if you could share the notes after the meeting (or even better, record it)
I’m sure there’re several individuals and groups that like myself, would love to join however 17:00 PDT is a bit late in Europe.

Looking forward to see the results of it.

+1 for this approach. Maybe compiling a list or a joint document would do.

FYI: Back in my Concluding Remarks slides, page 19, I listed some other possible action items for SROS2:

1 Like

Good call @vmayoral I’ll make sure to record the meeting and try to have it available. At a minimum, I’ll make sure to post notes and what we covered here.

1 Like

Much appreciated :slight_smile: !

@ruffsl there is a lot of great content in this presentation. Are you actively working on all of the items in here? It appears there’s some overlap here in the parts we’re targeting. Specifically:

  • Assistive permission policy generation
  • Descriptive connectivity manifests
  • Procedural provisioning security artifacts
  • Expressive security policy definitions
  • Generation, deployment, revocation of PKI
  • Distributed logging over networks
  • Recording Security Events levels
  • Adding additional automated CI tests

I’d be really interested to see your how you’re thinking about these items and if there’s some way we could collaborate on them.

Thanks,
Ray

Hi everyone,

@EndikaGu and I will try to also attend the meeting, even if it’s a bit later for us here in Europe.

We wanted to point out that the RCTF(rctf.aliasrobotics.com) is already available and open for contributions. As we pointed out on ROSCon, it can be played both online and offline, as the containers for the scenarios are available at GitHub, they are also open for modification and contribution too.

It would be very interesting to propose new scenarios that align with the security strategies of ROS2, so we can both train the security researchers to find weaknesses in misconfigured ROS2 systems, as well as to train developers to take care of the security aspects in ROS2 so they actively enforce them.

Right now the available scenarios only cover the basic aspects, but we are working to include more complex scenarios, and specially, more focus on ROS2. Feel free to point out any feedback or improvements that you would like to see, and of course, feel free to create new scenarios that you would like to be included!

1 Like

Thanks @olaldiko I appreciate you taking the time out to make it, even though it’s a very inconvenient time. I think it would probably be good to schedule a time more amenable to folks in Europe very soon.

Thanks,
Ray

Thanks for organizing. I’m looking forward to the discussion. -Morgan

Thanks to everyone that attended last night! It was a great discussion and I’m happy to find out what people are building related to security. In addition to the summary, I have a recording of the session and will post it as well once I’ve got the logistics worked out. Unfortunately since I did not have anything on the screen for most of the meeting, the video is completely black, however the audio is all there.

We decided to meet again within 2 weeks and I’ll post again once I’ve verified an appropriate time. All future meetings will be held in morning US time so we can make sure to include as wide an audience as possible. If you have problems making the schedule, please let me know.

I am also posting a separate meeting on Thursday AM PDT to have all the folks I unintentionally excluded from Europe due to the timing of the meeting.

Summary

  • Reviewed security-related tasks Amazon is delivering for ROS2 Crystal

  • Focusing on simplifying configuration, logging, security development, and community education

  • Review attached presentation for details

    • ROS2 Threat Model
    • Security specific integration tests for eProsima and RTI
    • Security file generator for configuration
    • CMake target for generating configuration for testing
    • Snapshot tool to generate access control (“secure my system”)
    • Recommendations for key/config security
    • Security event logging
  • Ruffin / @ruffsl presented several key items related to SROS2

    • Procedurally Provisioned Access Control for Robotics Systems - https://github.com/ruffsl/PPAC_ROS2
    • Candidate frameworks for automation and testing
      • Keymint - Meta-build system key generation and signed artifacts - https://github.com/keymint/
        • Abstract communication language (ComArmor) - graph of subjects and objects and generate artifacts at compile time
        • Maps object or service to DDS mechanisms
    • Scrape metadata about DDS at runtime and build security artifacts for compilation
    • Want to use static verification and include results in security manifest
    • Include all elements, topics/messages/services in the manifest
  • Dynamic topic names - could potentially impact security configuration, are teams doing things like this?

    • Do we need wildcarding or something else to handle salt in topic names?
    • Typical configurations have static connections between nodes along known topic names
      starting point for creating their own threat model
  • Gerardo / @GerardoPardo presented what RTI is currently working regarding ROS security

    • No outstanding plans for ROS2 right now
    • Believe existing patterns can be used for services and parameters
    • Will depend on design of how these elements are implemented on top of DDS
    • If use cases are not covered by existing DDS security specifications, additional support could be needed
    • Data tags could be used by the identity layer / constrains on security
    • Service mapping is using topics and not DDS service names, which means its unclear if changes are necessary
    • What granularity is needed for parameters, all-or-nothing or more granular permissions
  • ROS2 Threat Model

    • Are there existing threat models for ROS2 out there?
    • Will not target a specific robot but be a “cookbook” to enumerate possible threats and provide someone building a specific system
    • Will use a document on github for collaborating on the threat model
    • Come up with a basic template for a threat model
      • Possibly multiple templates because the domain is so large
      • Start with small number of concrete scenarios and try to expand from there
    • SROS2 issue tracker has several long standing issues on the topic
    • Many security papers are already out there to draw upon
  • Apex.ai

    • Impossible to get a single threat model
    • Use STRIDE for modeling threats https://en.wikipedia.org/wiki/STRIDE_(security)
    • Focusing on several different areas: anomaly detection, data integrity, and static analysis
    • Ament plugin for pclint and colcon build package to show code coverage
    • Security concerns have been around QNX
      • Preconfiguring the entire system (baked, signed, and shipped)
  • A couple of PRs are out there now for improving how security artifacts are retrieved

    • Currently the keystore directory matches the name
    • PR to traverse the namespace to allow multiple packages with the same name to have separate security artifacts
  • Open question: How do we deal with security failures?

    • What should be the behavior when a node failed to authenticate/authorize?
    • Depends heavily on the implementation, it may be ok to have reduced functionality or could be a critical safety issue
    • Should it be modeled similar to mobile applications, where there is a fallback behavior?
    • Should there be specific actions taken on failure?
    • Need the ability to run in audit mode to find errors
  • Meeting again within 2 weeks

Thursday AM Meeting

I wanted to get a chance to talk to as many people as possible so I’m having another session Thursday morning for folks in other time zones. In the future, I’ll try to schedule meetings such that we can have a single group, however for this first one, I want to give everyone a chance to talk about what their working on.

Thursday, 2018/10/18 @ 07:00 PDT / 14:00 GMT

You have been invited to an online meeting, powered by Amazon Chime.

  1. Click to join the meeting:

https://chime.aws/5568191908

Meeting ID: 5568 19 1908

  1. You can use your computer’s microphone and speakers, however, a headset is recommended. Or, call in using your phone:

United States Toll-Free: +1 855-552-4463
Meeting PIN: 5568 19 1908

One-click Mobile Dial-in (United States (1)): +1 206-462-5569,5568191908#

United States (1): +1 206-462-5569
International: https://chime.aws/dialinnumbers/

  1. To connect from an in-room video system, use one of the following Amazon Chime bridges:

SIP video system: meet.chime.in
or
H.323 system: 52.23.133.56

Meeting PIN: 5568191908#

5 Likes

I have both the presentation and a recording of the meeting available.

Meeting Recording
Meeting Intro Presentation

2 Likes

Thanks @coleray for uploading the recording and the notes from the meeting. See you in the next one!

We had a great second meeting for the folks in other time zones. In attendance were people from Amazon, RTI, Alias Robotics, UCSD, and Acutronic Robotics. Unfortunately I completely forgot to record the meeting so the only artifact is the summary below.

I’m tentatively going to schedule the next meeting for October 30th @ 08:00 AM PDT. Please let me know in the next couple of days if this is not a convenient time, otherwise I will post here with the meeting details.

Summary

  • Alias

    • Current in assessment phase for ROS2
    • General check for vulnerabilities
    • Interest in collaborating on threat model
  • RTI

    • Not working specifically on security for ROS2
    • Should parts of DDS need augmentation, happy to collaborate on them
  • Threat model

    • Collaborate via a wiki on SROS2 repo
    • Want to start with a less complex, publicly available system to model as an example
    • Could use the Turtlebot3
    • Victor @ Acutronic offered to use https://acutronicrobotics.com/modularity/mara/ as a possible alternative
  • Should security be exclusive with performance?

    • Need to balance security and performance
    • May want to have subset of nodes secure
    • May only sign or could be sensitive data
    • Publicly known data not very sensitive
    • High performance, high through put topics may not tolerate problem
  • Does the sensitivity of the data merit the performance hit (tf or odometry)

    • Someone could reconstruct sensitive information from non-sensitive data
    • Reconstruct context based on partial information
    • Default should be total security
    • Model how does partial disclosure affect the system
    • There is a paper in the SROS2 tutorial about security, latency, throughput
  • Realtime systems

    • Security on realtime systems could impact the realtime aspects
    • Various security related functions that will need to happen
    • Handshake could cause some non-deterministic elements which would be detrimental to realtime
    • Are there other non-deterministic security related functions that could affect realtime systems?
  • How do we deal with security failures?

    • Extend lifecycle state related to safety of the component
    • Allow system to recover by fixing the issue
    • Could have mediator that fixes the issue
    • This could have problems if nodes begin requesting permissions not needed before
    • Nodes/messages could be marked as critical and cause an error if those messages are not able to be processed due to permission errors
    • Would require the CA to live close to the system
    • Have specific error modes when permission
  • SROS2 tutorial has a walkthrough on securing Turtlebot3

    • Compilation has problems since there’s not a 32-bit build of ROS2
    • Use QEMU to cross-compile
    • Problems getting the XRCE agent with security enabled, could not communicate with the XRCE node
    • Ended up with insecure XRCE nodes and using the RTI router to connect it to the rest of the secure graph
    • Need agent to be able to relay the XRCE traffic under it’s own GUID potentially?

Thanks for everyone for attending!

4 Likes