Hi all, I’m an engineer at Amazon working on ROS2 and wanted to get in touch with people working on SROS2 and the Crystal release of ROS2. I’ve met with a few folks in the community and want to make security intuitive, easy to configure, and performant in ROS2. There were some great talks at RosCon regarding ROS2 and security and I would like to join forces with people working on security-related items for ROS2.
Some gaps to be addressed for ROS2 Crystal:
Secure services and parameters
Secure key storage
Automated security recommendations and configuration
Secure, signed configurations management
Auditing and logging
External network connectivity
Security best practices
Promoting security-driven tests
This is by no means an exhaustive list, purely just what could be the minimum bar for a system based on ROS2. I would really like to get input from folks working on security and ROS2 and want to host an online meeting on October 15th @ 17:00 PDT.
It’s not realistic for ROS2 Crystal as well however worth to be considered for the long time roadmap:
integration of fuzzy testing in to the CI environment
There is a nice read (blog post of a Security Engineer) about how to integrate public repositories into Google OSS-Fuzz (“continous open source software fuzzying as a service”) and about how to make OSS-Fuzz work for private repositories. Google tries to motivate people to integrate projects into OSS-Fuzz with patch rewards… probably an interesting model to get people like aliasrobotics.com (@EndikaGu) involved into ROS2 security improvement . However OSS-Fuzz based Fuzzy Testing addresses low levels of abstraction (source code like rclcpp, rclc, rmw) the priority in comparison to the other point in the list (higher levels of abstraction like features, “security by design”) is quite low. Nevertheless worth to being mention here I guess.
Sounds good, count me in!
I could start earlier though, as I’ll have to leave for another meeting after 18:30 PDT.
Can you post a link to the online meeting?
I completely agree, fuzz testing would be a great thing to add. There’s quite a few more things like HSMs and other ideas that people have thrown out which would be very useful.
I want to try to capture all of this, however I would also like to primarily focus on what could be there for Crystal as well.
I’d like to see some type of threat scenarios listed with the security measures listed for each.
For example:
Scenario 1: Robot running in a public place, connected to wifi with other users on it.
Threat - user can potentially start publishing to ROS2 topics, how do we ensure no user can publish to CMD_VEL topic for instance and start driving our robot?
Threat 2 - instead of publishing to a topic, what if they try to make service requests over and over to create a DoS attack?
Those are some admittedly simple examples. I would like to see a more comprehensive list and some type of security answer for each as to how to defend against the threat.
@coleray, it’ll be great if you could share the notes after the meeting (or even better, record it)
I’m sure there’re several individuals and groups that like myself, would love to join however 17:00 PDT is a bit late in Europe.
Good call @vmayoral I’ll make sure to record the meeting and try to have it available. At a minimum, I’ll make sure to post notes and what we covered here.
@ruffsl there is a lot of great content in this presentation. Are you actively working on all of the items in here? It appears there’s some overlap here in the parts we’re targeting. Specifically:
Assistive permission policy generation
Descriptive connectivity manifests
Procedural provisioning security artifacts
Expressive security policy definitions
Generation, deployment, revocation of PKI
Distributed logging over networks
Recording Security Events levels
Adding additional automated CI tests
I’d be really interested to see your how you’re thinking about these items and if there’s some way we could collaborate on them.
@EndikaGu and I will try to also attend the meeting, even if it’s a bit later for us here in Europe.
We wanted to point out that the RCTF(rctf.aliasrobotics.com) is already available and open for contributions. As we pointed out on ROSCon, it can be played both online and offline, as the containers for the scenarios are available at GitHub, they are also open for modification and contribution too.
It would be very interesting to propose new scenarios that align with the security strategies of ROS2, so we can both train the security researchers to find weaknesses in misconfigured ROS2 systems, as well as to train developers to take care of the security aspects in ROS2 so they actively enforce them.
Right now the available scenarios only cover the basic aspects, but we are working to include more complex scenarios, and specially, more focus on ROS2. Feel free to point out any feedback or improvements that you would like to see, and of course, feel free to create new scenarios that you would like to be included!
Thanks @olaldiko I appreciate you taking the time out to make it, even though it’s a very inconvenient time. I think it would probably be good to schedule a time more amenable to folks in Europe very soon.
Thanks to everyone that attended last night! It was a great discussion and I’m happy to find out what people are building related to security. In addition to the summary, I have a recording of the session and will post it as well once I’ve got the logistics worked out. Unfortunately since I did not have anything on the screen for most of the meeting, the video is completely black, however the audio is all there.
We decided to meet again within 2 weeks and I’ll post again once I’ve verified an appropriate time. All future meetings will be held in morning US time so we can make sure to include as wide an audience as possible. If you have problems making the schedule, please let me know.
I am also posting a separate meeting on Thursday AM PDT to have all the folks I unintentionally excluded from Europe due to the timing of the meeting.
Summary
Reviewed security-related tasks Amazon is delivering for ROS2 Crystal
Focusing on simplifying configuration, logging, security development, and community education
Review attached presentation for details
ROS2 Threat Model
Security specific integration tests for eProsima and RTI
Security file generator for configuration
CMake target for generating configuration for testing
Snapshot tool to generate access control (“secure my system”)
Recommendations for key/config security
Security event logging
Ruffin / @ruffsl presented several key items related to SROS2
Focusing on several different areas: anomaly detection, data integrity, and static analysis
Ament plugin for pclint and colcon build package to show code coverage
Security concerns have been around QNX
Preconfiguring the entire system (baked, signed, and shipped)
A couple of PRs are out there now for improving how security artifacts are retrieved
Currently the keystore directory matches the name
PR to traverse the namespace to allow multiple packages with the same name to have separate security artifacts
Open question: How do we deal with security failures?
What should be the behavior when a node failed to authenticate/authorize?
Depends heavily on the implementation, it may be ok to have reduced functionality or could be a critical safety issue
Should it be modeled similar to mobile applications, where there is a fallback behavior?
Should there be specific actions taken on failure?
Need the ability to run in audit mode to find errors
Meeting again within 2 weeks
Thursday AM Meeting
I wanted to get a chance to talk to as many people as possible so I’m having another session Thursday morning for folks in other time zones. In the future, I’ll try to schedule meetings such that we can have a single group, however for this first one, I want to give everyone a chance to talk about what their working on.
Thursday, 2018/10/18 @ 07:00 PDT / 14:00 GMT
You have been invited to an online meeting, powered by Amazon Chime.
We had a great second meeting for the folks in other time zones. In attendance were people from Amazon, RTI, Alias Robotics, UCSD, and Acutronic Robotics. Unfortunately I completely forgot to record the meeting so the only artifact is the summary below.
I’m tentatively going to schedule the next meeting for October 30th @ 08:00 AM PDT. Please let me know in the next couple of days if this is not a convenient time, otherwise I will post here with the meeting details.
Summary
Alias
Current in assessment phase for ROS2
General check for vulnerabilities
Interest in collaborating on threat model
RTI
Not working specifically on security for ROS2
Should parts of DDS need augmentation, happy to collaborate on them
Threat model
Collaborate via a wiki on SROS2 repo
Want to start with a less complex, publicly available system to model as an example