Thanks to everyone that attended last night! It was a great discussion and I’m happy to find out what people are building related to security. In addition to the summary, I have a recording of the session and will post it as well once I’ve got the logistics worked out. Unfortunately since I did not have anything on the screen for most of the meeting, the video is completely black, however the audio is all there.
We decided to meet again within 2 weeks and I’ll post again once I’ve verified an appropriate time. All future meetings will be held in morning US time so we can make sure to include as wide an audience as possible. If you have problems making the schedule, please let me know.
I am also posting a separate meeting on Thursday AM PDT to have all the folks I unintentionally excluded from Europe due to the timing of the meeting.
Reviewed security-related tasks Amazon is delivering for ROS2 Crystal
Focusing on simplifying configuration, logging, security development, and community education
Review attached presentation for details
- ROS2 Threat Model
- Security specific integration tests for eProsima and RTI
- Security file generator for configuration
- CMake target for generating configuration for testing
- Snapshot tool to generate access control (“secure my system”)
- Recommendations for key/config security
- Security event logging
Ruffin / @ruffsl presented several key items related to SROS2
- Procedurally Provisioned Access Control for Robotics Systems - https://github.com/ruffsl/PPAC_ROS2
- Candidate frameworks for automation and testing
- Keymint - Meta-build system key generation and signed artifacts - https://github.com/keymint/
- Abstract communication language (ComArmor) - graph of subjects and objects and generate artifacts at compile time
- Maps object or service to DDS mechanisms
- Scrape metadata about DDS at runtime and build security artifacts for compilation
- Want to use static verification and include results in security manifest
- Include all elements, topics/messages/services in the manifest
Dynamic topic names - could potentially impact security configuration, are teams doing things like this?
- Do we need wildcarding or something else to handle salt in topic names?
- Typical configurations have static connections between nodes along known topic names
starting point for creating their own threat model
Gerardo / @GerardoPardo presented what RTI is currently working regarding ROS security
- No outstanding plans for ROS2 right now
- Believe existing patterns can be used for services and parameters
- Will depend on design of how these elements are implemented on top of DDS
- If use cases are not covered by existing DDS security specifications, additional support could be needed
- Data tags could be used by the identity layer / constrains on security
- Service mapping is using topics and not DDS service names, which means its unclear if changes are necessary
- What granularity is needed for parameters, all-or-nothing or more granular permissions
ROS2 Threat Model
- Are there existing threat models for ROS2 out there?
- Will not target a specific robot but be a “cookbook” to enumerate possible threats and provide someone building a specific system
- Will use a document on github for collaborating on the threat model
- Come up with a basic template for a threat model
- Possibly multiple templates because the domain is so large
- Start with small number of concrete scenarios and try to expand from there
- SROS2 issue tracker has several long standing issues on the topic
- Many security papers are already out there to draw upon
- Impossible to get a single threat model
- Use STRIDE for modeling threats https://en.wikipedia.org/wiki/STRIDE_(security)
- Focusing on several different areas: anomaly detection, data integrity, and static analysis
- Ament plugin for pclint and colcon build package to show code coverage
- Security concerns have been around QNX
- Preconfiguring the entire system (baked, signed, and shipped)
A couple of PRs are out there now for improving how security artifacts are retrieved
- Currently the keystore directory matches the name
- PR to traverse the namespace to allow multiple packages with the same name to have separate security artifacts
Open question: How do we deal with security failures?
- What should be the behavior when a node failed to authenticate/authorize?
- Depends heavily on the implementation, it may be ok to have reduced functionality or could be a critical safety issue
- Should it be modeled similar to mobile applications, where there is a fallback behavior?
- Should there be specific actions taken on failure?
- Need the ability to run in audit mode to find errors
Meeting again within 2 weeks
Thursday AM Meeting
I wanted to get a chance to talk to as many people as possible so I’m having another session Thursday morning for folks in other time zones. In the future, I’ll try to schedule meetings such that we can have a single group, however for this first one, I want to give everyone a chance to talk about what their working on.
Thursday, 2018/10/18 @ 07:00 PDT / 14:00 GMT
You have been invited to an online meeting, powered by Amazon Chime.
- Click to join the meeting:
Meeting ID: 5568 19 1908
- You can use your computer’s microphone and speakers, however, a headset is recommended. Or, call in using your phone:
United States Toll-Free: +1 855-552-4463
Meeting PIN: 5568 19 1908
One-click Mobile Dial-in (United States (1)): +1 206-462-5569,5568191908#
United States (1): +1 206-462-5569
- To connect from an in-room video system, use one of the following Amazon Chime bridges:
SIP video system: meet.chime.in
H.323 system: 184.108.40.206
Meeting PIN: 5568191908#