►
From YouTube: ROS 2 Security Working Group (2020-12-15)
Description
Invited talk on Privaros.
B
A
A
Our
paper
concerns
the
problem
of
privacy
in
the
age
of
drones.
End
user
drones
are
now
commonly
available
for
few
hundred
dollars
and
it
is
predicted
that
this
use
case
will
grow
even
more
in
the
future.
Drones
are
equipped
with
sensors
such
as
camera
and
gps,
which
poses
threat
to
individual
privacy.
A
A
A
However,
even
in
this
setting,
we
need
mechanisms
to
enforce
a
privacy.
This
is
because
delivery
drones
visit
various
host
airspaces
as
a
part
of
their
delivery
route.
Each
host
airspace
may
have
different
privacy
needs.
The
responsibility
lies
on
the
guest
delivery
drone
to
prove
to
the
host
airspace
that
they
are
in
compliance
with
the
privacy
requirements
of
the
host.
A
A
In
this
paper,
we
contribute
privacy,
which
is
a
drone.
Software
stack
with
mechanism
to
enforce
privacy
policies
specified
by
the
host
airspaces
privacy
adds
mandatory
access
control
policy
enforcement
to
ross,
which
is
a
middleware
in
robotics
and
drone
platform.
Priveros
runs
on
the
guest
delivery
drones
and
enforces
the
host
privacy
policies.
A
It
uses
hardware
attestation
on
the
guest
drone
to
prove
to
the
host
space
that
the
drone
is
in
compliance.
Trusted
hardware
is
not
a
far-fetched
idea.
In
fact,
many
upcoming
regulations,
such
as
a
digital
sky,
which
is
proposed
by
the
government
of
india,
requires
commercial
drones
to
be
equipped
with
trusted,
hardwares
and
associate
cryptographic
keys.
A
When
a
drone
fleet
operator
wishes
to
send
a
drone
on
a
delivery
route,
the
drone
contacts,
the
aviation
authority
with
its
identity
and
a
proposed
drone
a
delivery
route
and
also
presents
a
hardware
based
attestation
to
its
software
stack.
In
particular.
A
drone
must
prove
to
the
avsn
authority
that
it
is
running
preveros,
enable
software
stack.
A
A
A
A
A
A
In
privacy,
we
use
trusted
application
to
declassify
sensitive
information.
In
this
case,
we,
the
trusted
blood,
filter
application,
is
entrusted
with
the
task
of
identifying
sensitive
objects
such
as
faces
and
blurring
them
suitably.
We
rely
on
host
to
identify
these
applications
to
perform
the
job
of
declassification.
A
A
A
A
Applications
running
on
a
ros
platform
publishes
a
message
under
a
topic
such
as
camera.
In
this
case
publishing
to
a
topic.
Camera
output
applications
such
as
navigator
can
subscribe
to
this
topic.
Ross
uses
a
dynamically
a
dynamic
discovery
protocol
offered
by
the
dds
to
match
up
the
publisher,
and
subscribers
once
the
match
up
has
happened.
Raw
establishes
direct
a
network
socket-based
communication
via
the
underlying
operating
system.
A
As
it
stands,
vanilla
ross
does
not
perform
any
security
checks.
It
is
easy
to
spoof
message
messages,
impersonate
application
and
inject
a
message
to
address
this
issue.
Secure
ros
is
developed
which
encrypts
the
communication
between
applications
also
prevent
obvious
attacks,
such
as
message,
spoofing
message,
injection
and
also
authenticates
application.
A
A
A
A
A
I
remember
the
problem
of
network
checks
where,
at
the
level
of
lsm,
socket,
send
and
receive
message.
The
recipient
information
is
not
available
in
order
to
solve
this
problem.
What
we
did
is
we
attached
a
process
identifier
and
we
propagated
it
down
to
the
network
stack
and
then,
while
receiving
at
the
receiving
end,
we
performed
the
check.
A
A
A
A
A
In
the
sros
manifest,
if
topics
are
not
present,
then
application
cannot
publish
or
subscribe
to
it.
So
so
without
any
change,
we
cannot
perform
the
redirection.
Therefore,
what
we
did
was
we
over
a
provisioned
application
with
the
temporary
topics
so
that
the
so
that
we
can
redirect
flows
by
the
trusted
applications.
A
A
So
the
main
thing
is
how
to
change
publisher
and
subscribers,
which
are
bound
to
topic
once
they
are
created
in
the
application
in
the
application
layer.
We
need
to
modify
code
in
order
to
change
this,
so
this
is
obviously
not
a
feasible
approach
in
the
dds
layer.
We
simply
cannot
replace
the
publishers
and
subscribers
by
creating
a
new
one.
A
So,
therefore,
in
in
order
to
change
so
the
so
the
application
still
so,
if,
if
you
want
to
perform
the
redirection,
we
cannot
modify
the
publisher
and
subscribers
of
the
application
application
doesn't
know
the
topics
are
changed,
but
still
the
redirection
happens.
This
we
were
able
to
achieve
this
by
modifying
the
our
readers
and
the
writers.
A
So
if
the
application
themself,
I
won't
reestablish
the
connection,
then
that
connection
won't
happen.
So
the
the
problem
here
is,
if
the
connection
is
terminated,
then
who
will
initiate
the
means
connection
to
solve
this
problem?
We
leverage
the
dds
discovery
protocol
so
which
is
means
advertised
periodically,
so
that
new
connections
will
be
formed
whenever
we
replace
a
data
writer
with
a
new
one.
F
So
roger
may
I
answer
that
question.
This
is
yeah,
so
it's
it's
a
very
good
question.
So
and
you
know
if
you
were
to
consider
essentially
like
cylindrical
zones
in
some
sense,
this
problem
would
arise
where
in
some
sense
you
know
you
just
have
a
cylinder
rising
up
from
the
from
the
boundaries
of
the
area.
But
so
you
know
different
countries
have
different
regulations.
F
One
of
the
things
that
digital
sky,
which
is
the
one
that
we
have
studied
a
little
bit,
is
proposing
digital
sky
is
the
is
a
standard
proposed
in
india.
Is
that
around
certain
regions,
for
example,
airports
they're,
proposing
conical
regions?
Okay,
so
it's
like,
so
what
so?
The
the
air
space
the
restricted
airspace
rises
like
a
cone
from
from
the
from
the
you
know,
the
location
that's
to
be
protected,
so
you
know,
as
you
approach
you
know,
you'll
have
to
go
down
the
boundary
of
the
coal.
F
E
Yeah,
I
I
I
see
perfectly
what
you're
talking
about
there,
which
that
leads
to
the
second
thing
that
I'm
wondering,
because
if
you
do
have
that
capability,
then
that
means
that
you
know
adjacent
places
could
potentially
have
overlapping
areas
that
would
be
subject
to
both
policies.
Absolutely
is
there
any
problem
with
contradictory
policies.
F
Excellent
question:
this
is
not
something
that
we
have
investigated
yet
you
know
our
first.
Our
first
attempt
here
was
to
provide
the
basic
capability
to
enforce
mac.
I
think
there's
a
lot
of
potential
here
to
investigate
you,
know,
policy
languages
and
how
to
investigate
conflicts
between
policies.
You
know:
can
policy
should
policies
just
be
described
in
terms
of
gps
coordinates,
or
should
you
consider
pitching
the
yaw
of
the
drone?
All
of
these
things
are
questions
worth
investigating.
We
haven't
yet
looked
at
them,
so
I
don't
have
good
answers
for
you
right
now.
A
B
B
The
the
other
thing
is
here:
you
describe
a
scenario
where
yeah
you're
correct
that
in
dds
you
could
use,
you
could
reuse
the
same
topic
name
and
it
could
be
po
and
over
that
topic
could
be
published.
Multiple
idl
types
or
different
topic
types,
so
you're,
correct.
There's
there's
nothing
that
like
enforces
you
what
the
topic
type
has
to
be
over
a
certain
topic
name,
but
that
would
be
considered
abnormal.
B
B
I
think
like
ross
speak,
because
it's
all
it's
all
distributed
now.
I
think
you
know
ross
kind
of
work,
but
I'm
not
sure
a
single
camera
process.
Node
could
publish
over
the
same
topic
of
two
different
types.
Imagine
it
it
might
issue
an
error,
but
the
subscribers
could
sort
of
work
it
out,
but
yeah.
That's
that's
just
something
that
maybe
maybe
a
remark
but
cool.
B
B
A
So
yeah,
so
the
main
problem
in
a
vanilla,
app
armor
is
it's
not
means
expressive.
So
basically,
you
can
just
specify
whether
an
application
can
communicate
by
the
network
or
not
so
here
in
in
our
settings.
Since
we
are
dealing
with
stopping
the
communication
among
a
different
processes
so
and
a
ros
uses
a
socket-based
connection,
it
can
be
a
udp
or
tcp.
So
we've
wanted
a
method
in
which
we
can
specify
to
which
applications
current
process
can
communicate
to
even
by
the
network.
Sockets.
A
E
A
F
No,
so
so,
actually
let
me
answer
that
so
in
this
particular
platform,
which
is
a
mandatory
access
control
based
platform,
the
owners
of
I
of
rejecting
bad
flows,
falls
on
the
policy
developer.
So
you
know,
when
you
have
a
platform
like
this
you're
expected
to
have
written
down
these
these
policies,
almost
like
an
essay
linux
policy
and
look
for
bad
instances
of
flows,
so
in
some
sense
the
the
onus
of
of
ensuring
that
no
such
leaks
exist
comes
via
policy
analysis.
F
Now
we
are
working
on
an
extension
to
ross
that
allows
you
to
do
this
dynamically.
That's
what
rakesh
is
saying
which
allows
you
to
do
information
flow
control
by
tracking
labels
at
runtime,
but
that
system
is
not
yet
ready.
So
as
it
stands,
you
will
have
to
analyze
the
policy
ensure
that
there
are
no
such
applications
that
leak
data
like
this,
without
going
through
a
trusted
application,
but
you're
right
I
mean
if
there
was
a
node
between
the
camera
and
the
navigation
software
that
didn't
go
through
the
trusted
blood
filter.
B
B
B
A
So
I
just
do
again
just
to
be
a
clear
on
the
question.
A
dds
itself
is
just
not
like
enough
for
the
protection
right,
because
these
are,
I
means
at
the
end
processes
and
they
can,
let's
say
open
up
a
socket
connection,
and
if
they
are
written
in
such
a
way
that
they
can
directly
communicate
among
themselves,
then
they
can
still
use
the
network
sockets
to
communicate.
B
F
F
Design
consideration
was
to
ensure
that
the
trusted
computing
base
is
the
os
alone,
so
that
you
know
the
only
functionality
that
we
leave
to
ross
is
actually,
you
know,
deny
any
flows
that
already
exist,
but
so
sorry,
the
the
os
can
deny
flows
even
if
they
are
allowed
in
draws.
So
ultimately,
the
os
says
no,
even
if
ross
allows
the
flow
that's
not
allowed.
F
B
A
Right
so
moving
on
to
our
evaluation,
we
now
present
a
snippet
where
we
illustrate
the
performance
impact
of
redirecting
flows
through
a
trusted
application,
as
required,
for
instance,
to
enforce
blood
exported
policy.
Our
evaluation
platform
is
nvidia,
jetson
tx2,
which
is
equipped
with
arm
dress
zone.
A
A
A
A
We
now
consider
a
blur
filter
application
that
performs
some
computation
on
the
input
image
stream.
As
a
result,
the
latency
further
increases
and
power
consumption
goes
up
by
8.1
percent
compared
to
the
base
case.
Note
that
this
is
highly
domain
specific,
depending
upon
the
nature
of
the
computation
that
happens
within
the
trusted
application.
B
B
B
D
F
C
F
F
So
so
that
motivated
us
to
work
on
this
dynamic
information,
flow
control,
based
approach
for
ros,
and
we
are
working
on
top
of
a
system
called
cam
query
for
that
which
provides
you
know
such
tracking
within
the
linux
kernel,
and
we
are
extending
it
into
the
ros
layer
also.
So
we
want
to
bring
the
notion
of
ros
topics
together
with
the
notion
of
information
flow
labels
at
the
os
level.
So
that's
the
project,
but
we
are
still
a
ways
off
from
completing
it.
F
B
F
So
you
know
the
the
the
base
system
is
just
a
label
propagation
system
right
and
your
labels
are
64-bit
values.
You
can
feel
free
to
assign
semantics
to
them.
So
it's
it's
going
to
propagate
labels
at
the
level
of
os
level,
artifacts
things
like
processes,
sockets
files
and
so
on.
So
that's
what
that
is.
C
B
F
No,
no,
no,
no.
The
linux
project
is
just
basic
infrastructure
for
label
propagation.
Now
you
can
sort
of
bless
certain
applications
for
declassification
and
that's
what
we
are
doing
right
I
mean
we
want
to
bring
this
notion
of
trusted
applications
that
that
we
refer
to
in
this
talk
to
also
that
problem
there.
First
of
all,
we
want
to
understand
the
problem
of
label
creep
in
a
practical
raw
space
system.
You
know
maybe
like
a
real
robot.
You
know.
F
To
what
extent
is
their
label
creep
and
then
sort
of
figure
out
how
to
design
these
trusted
applications
where
to
place
them,
and
so
on,
so
that
you
know
we
can
declassify
the
the
data
flows.
So
all
of
those
will
be
part
of
the
empirical
evaluation
of
this
work
once
it's
ready,
but
that's
an
excellent
point.
Yes,.
C
D
Actually,
I
have
another
question
since
I
was
going
through
the
github
repo
and
I've
seen
a
lot
of
notification
on
the
kernel,
which
you
know
it's
it's
pretty
pretty
hard
if
you,
if
you
have
update
on
the
kernel-
and
you
need
to
bring
the
code
here
and
there
so
about
the
code,
how
much
of
it
is,
you
know
necessary
to
be
there
or
has
been
incorporated.
That
has
not
been
completely
written
by
you
with
you
guys.
D
Yeah,
because
I've
seen
that
a
lot
of
modifications
are
embedded
inside
the
kernel
and
I'm
always
concerned
about
those
kind
of
modification.
You
know
if
something
is
modified
at
the
kernel
level,
you
need
to
bring
everything
in
the
new
version
and
such
you
know,
you're
having
a
lot
of
code
base.
That
is,
you
know.
Hardcoded
is
usually
a
pain
in
he
has
to
manage.
That's
that's
a
question.
If
it's
all
necessary
or
it's
something
that
you
included,
then
you
learn
some
somewhere
else
or
something
yeah.
C
Yeah,
absolutely
I
understand
that
concern
I
mean
that's
why
we
tried
our
level
best
to
make
all
our
modifications
within
the
security
module
itself.
So
I
mean
you
know
the
the
lsm
infrastructure
allows
you
to
create
modules
right,
I
mean
in
the
sense
it's
not
we're,
not
touching
the
core
kernel
components
like
you
know
the
memory
of
the
sec,
the
networking
subsystem,
but
we
had
to
make
a
slight
exception
for
the
networking
component
because
it
was
necessary
to
you
know,
propagate
the
pid
of
processes
through
the
network
stack.
C
So,
for
example,
we
tried
doing
this
via
net
filter
hooks,
but
to
our
understanding
the
net
filter
hooks
aren't
in
process
context
in
the
sense
that
at
the
let's
say,
the
ip
4
output
hook,
you
don't
know
which
process
actually
sent
that
packet.
So
we
had
to
you
know,
sort
of
create
a
workaround
which
involved
modifying
the
network
stack,
and
that
was
very
little.
Actually
it
was
just
about.
C
B
And
so
we
have
something
a
prototype
where
you
can
have
an
existing
running
system
and
then
audit
that
system
by
taking
a
snapshot
of
the
connectivity,
topic
connectivity
and
then
translating
that
into
a
yep.
So
jeremy,
let's
put
up
the
node.idl
docket
and
then
that's
something
that
that
srs
would
would
consume,
generate
the
minimum
spanning
policy
that
they
would
translate
to
the
dds
security
artifacts.
B
F
B
B
This
manifests
either
through
static
analysis
of
the
code
to
figure
out
what
topics
it's
using
or
again
through
runtime
measurements,
but
that
might
be
a
more
advanced
topic.
I
think
right
now
we're
just
thinking
about
where
library
maintainers,
who
are
domain
experts
for
the
sub
application,
that
they're
that
they're
designing,
would
then
provide
sort
of
default,
sane,
idl
files
or
node.edl
files.
That
would
then
be
appropriate
for
end
users
to
incorporate
when
generating
their
unique
security.
Artifacts.
F
B
B
F
Yeah,
so
you
know
this
is
so
one
of
the
things
that
we
were
trying
to
work,
one
of
the
constraints
that
we
were
trying
to
work
within
was
you
know
if
you
had
a
commodity
or
off
the
shelf,
sros
application
with
a
with
a
manifest
that
was
baked
in
then
you
know:
how
do
we
get
everything
to
still
work?
If
you
had
the
ability
to,
let's
say,
tailor
the
manifest
files
to
a
particular.
F
F
B
F
So
so
that
was
a
design
consideration
as
well.
That
went
into
the
system.
I
mean
clean
slate
right
yeah,
you
can
just
say
look,
this
is
the
communication
graph
I
want
and
then
go
top
down
generate
all
the
manifest
files
and
that's
all,
and
then
you
know
you
issue
the
certificates
for
the
applications.
It
all
works
within
the
sros
framework.
F
But
of
course
you
know
you
still
have
to
do
os
level
enforcement
in
case
there
are
any
malicious
applications
that
try
to
communicate
outside
of
the
the
dds
and
ros
framework,
but
that's
the
app
armor
stuff
so
ross
alone.
If
you
had
the
ability
to
go
top
down,
that's
what
we
would
have
done,
but
we
also
wanted
to
have
the
ability
to
support
existing
ros
applications,
while
only
probably
minimally
requiring
this
additional
topic.
B
F
So
one
thing
I
must
clarify
is
that
our
use
of
the
trust
zone
was.
It
was
only
for
the
purposes
of
attestation
in
the
sense
of
testing
the
normal
world.
Where
you
know
ross
and
everything
runs,
we
didn't
build
anything.
We
didn't
incorporate
any
ros
components
inside
the
secure
world.
If
that's
what
you
are
you're
you're
asking.
C
A
B
F
F
So
we
took
the
bare
minimum
route
of
trust
and
date,
attestations
which
are
tpm-like.
Of
course,
you
know
that
has
known
problems.
Also,
time
of
check
to
time
of
use,
you
might
measure
everything
and
then
the
adversary
may
replace
the
software
stack
of
the
drone.
So
as
it
stands
as
described
in
the
paper,
we
are
vulnerable
to
that,
but
samsung
knocks
like
enhancements,
which
is
basically
a
bunch
of
current
enhancements,
would
allow
you
to
prevent
that,
to
a
larger
extent
that
we
currently
do
so
even
samsung
knox
is
not
perfect,
though.
F
Yeah,
so
I
don't
know
if
that,
if
that
explanation
made
sense,
but
the
nox
technology
is
also
described
in
another
paper
from
2014,
it's
called
hypervision
across
worlds,
so
they
describe
how
kernel
modifications
can
extend
to
beyond
just
spot
checks
that
are
obtained
from
attestations.
You
can
extend
it
to
kernel
lifetime
integrity,
module
or
certain
characters.
F
It
was
called
hypervision
across
worlds
that
describes
the
basic
technology
that
goes
into
samsung
knox,
which
is
what
is
found
in
all
our
phones
now,
so
it's
called
hypervision
across
words,
and
then
there
was
something
else
in
the
title.
I
think
real-time
kernel
integrity,
protection
or
something
like
that,
but
it
was
from
a
team
from
samsung
at
ccs
2014.
B
B
Well,
it's
a
little
past
the
hour,
so
I
don't
want
to
keep
people
for
too
long
but
feel
free
to
contact
the
speakers.
If
you
have
follow-up
questions,
I
wanna
thanks
the
speakers
for
coming
and
giving
this
awesome
talk
and
then
you
guys
are
also
presenting
so
thursday
or
friday
at
the
cyber
security
robotics
conference.