Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
ROS 2 / Security Working Group / 23 Feb 2021
ROS 2 / Security Working Group / 23 Feb 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: ROS 2 Security Working Group (23 Feb 2021)

Description

Regular meeting of the ROS 2 Security Working Group. Meeting minutes can be found at https://github.com/ros-security/community

A

Okay, um yeah so uh no comments on the meeting minutes from last uh from our last meeting, that was on the ninth february.

A

um So.

B

um

A

Go ahead, looks good to me. Okay, consider those approved, um I'm gonna wait. I I actually added an item on uh that. Ruffin pointed out yesterday about the default rmw. I'm gonna table that for just a minute to see if he joins us, uh we'll come back to that um so and also um uh uh yeah. So we'll start uh with uh marco. Do you have an update on the use case uh that you're working on or uh you know, using uh uh security for rmf.

C

Yeah.

B

So I I mostly compile uh a list of needs that I think the rmf has. Let me see if I can share it.

C

Here I did.

D

um

C

Yeah, oh I do anyone.

E

ah Not this one.

B

Not my calendar.

C

Yeah that one, hopefully it works.

A

Yeah.

B

I can see it alright, so basically, um as I I said last uh last time, the support for uh certificate revocation- it's, uh I would say it's one of the most important that s ross should could help rmf, uh because currently I I only the only way I see it's to go down to robots and change their certificate manually and these robots will be spread out in a facility that is probably quite big, so currently we're doing hospitals.

B

So um it can take you a few hours until you reach all the robots and and change certificates, and apparently this is already supported at the dds level. So um I guess it's only on us to expose this at the ros level.

B

um Then then also another thing that I realized is that it's um the the the common line, interface tools of ros, cannot be used with the security uh when the security is on, so that makes it very difficult to debug when you are deploying a system, a large system like rmf, uh we also talked about certificate authorities hierarchies.

B

um I don't I'm not sure how how much I haven't looked into this too much. I just put it here because we talked about it, so I'm not sure how much we need this or how much it will help, but I'll just leave it there for now. So we can keep it in mind. um We also talked about a bit about uh some third-party verification ways. At least um uh one of my biggest concerns with rms are third parties, because they're um they're not um they're, not managed by the system.

B

Integrator, do not you don't know uh how they're gonna be secured, so maybe some some some ways of of of uh verifying that they have some level of security or or that you can, or at least a guideline for for the vendors. uh Something like that also the setup uh setup test. That is. That is another thing that I thought of like when when you, when you run uh you, you set up the whole security environment, you run it and then there's no uh guidelines or tools on on I mean there's.

B

I guess, there's ways on on how to check, but um maybe there's we should have some some guidelines on on how you can check that your setup is correct. Like I mean everything is working in my setup and everything, but how do I know the security is working right? My my demo or my my whole setup is working, but the security- I don't know if it's working right and and there might be like the you're using a vendor, uh dds vendor, underneath that is in fact the one providing the security.

B

uh But you don't know if it's actually working or it's not properly done, or it has some leaks or something so ways to test and verify that the security is on. The encryption is being done and all that that that will be very interesting.

B

um I also put there the ros launch, support, which um uh I think it's on its way uh and also the the the option to generate the policy.

B

So I I know right now: there's a generation policy through that uses the ros graph, but uh that is only representative of the communications being done at a certain point of time. I guess so. I think that it would be interesting if we could do that uh and maybe using the nodel description.

B

I don't know how detailed it is. I think it should have the description of the communications there, but I'm not too sure. That's why I put the question mark there yeah and then the rest of the issues are mostly like on on the rmf.

A

Side, a few, a few reactions to that. I think uh working from the bottom up. uh I believe the plan for node dl- you can check with ted when he's here later next meeting, but the plan for no dl should be to actually generate eventually generate some more detailed policy. You know to create things like read-only notes and so on.

A

I know the initial implementation doesn't do that, um but I think that is yeah the plan, um so we just have to track those uh pull requests in that project as a kind of gross um yeah- and I haven't heard much about raw's launch since we last spoke. um Let me ask for the setup test and verification that actually sounds uh like there's a possibility with logs there.

A

Jeremy do you have any thoughts like when marco is describing? What he's looking for is that what the log logging plugins will provide for us.

D

Well to some to some extents, um so we we're working on enabling one of the missing security feature in dds in fast dds at the moment, which is security logging. That's not one of the three mandatory security plugin as per uh rost2.

A

But that's.

D

When we are eager to see uh implemented and this, uh this plugin will essentially logs every uh security event uh with different. You know granularity of uh logging and they will be logged in both in file and and over the dds graph.

D

uh The difficulty at the moment is that it's not going to be immediately available to the ros graph and for a very stupid reason that the.

A

The security, the tds security topic.

D

uh The topic name is using characters that are not recognized by by rost2. We raised this issue to uh well to open, robotics and, and at the moment they are not planning on. You know, supporting those special characters so that.

A

Will take.

D

Some simple, uh you know bridge that simply translate from.

E

From dds message.

B

To.

E

A.

B

Ros.

D

Message anyway, the point here is that, to some extent, you will get uh an idea of what's going on from the security perspective uh through logs and we are aiming at. uh You know, integrating that into the.

A

System logs to.

D

Integrate that as.

A

Well, with.

D

The cm cm tools so that you can use all of your usual security surveillance tools with.

A

Dds as well.

D

But of course you only see what's being logged, so that's that's. I guess that doesn't cover the full extent of what you are mentioning here.

A

Making sure.

D

That everything works and that everything is set up correctly. You only get to see what's what's there on what's.

A

Actually, logging anything.

D

While I'm on the floor just a quick note on the cli tools, uh we are aware about the the limitation that they are not working with with srs2 and the the difficulty here is that uh those tools the by default, I mean by design they are able to access any any topic, any parameter any such thing. So it's very difficult to set to set rules, security rules that would allow to use them while keeping a secure system.

D

um That would take some dynamic aspect in the world generation and that's something we hope uh no dl will cover as well.

D

We have discussed other uh ways of doing that in the past, but at the moment it's not clear how that would integrate with with dds. So, hopefully, no dl will alleviate this pain.

D

That's it for me.

A

So it seems like my prayer, you might have some test case this week- kind of matures of the logging and some of the dl stuff. I think uh we definitely want to work together on that. um Does anybody have any other reactions, particularly about the crl? Is anybody uh be working that problem at all.

A

So it sounds like not at least for who we have here right now, um so I think, uh marco. I think this is a really nice list. um I I I I'm feeling our next steps. Probably are. um You know, uh jeremy you've heard what mark is working on if there's opportunities for you to kind of toss, some stuff over the fence at marco, so he could try it out for logging and whatnot. um You know there's an opportunity there same with marco.

A

um You know if you have questions about how that's working, that's for the logging, that's jeremy and then for um for the node dl. I know ted has been working that um and I think those pull requests are actually still open, still waiting review, um so um yeah yeah.

D

Unfortunately, no deal is moving rather slowly, but that's.

A

Because it's.

D

You know it's being integrated in the main rep design of ros2, so everybody wants to be sure that it is done correctly from a design perspective.

D

um Just a quick note about the the seventh point: the generate policy, uh so you you mentioned the the tool from sros 2. That, indeed captures only a you know a ros graph at the at the moment in time, and that's precisely why we we got started with no dl. uh We needed something that would you know capture the entire graph uh at any time. That would make it as easy and automatic as possible to generate those policy and that that's yeah precisely why we're working on nodel and the secure.

A

Launch.

D

As well,.

B

Yeah, so that everything sounds great um I'll, be happy to to give it a try, a test or whatever you have um yeah just. Let me know.

D

Sure thing.

A

So it sounds good, we'll just keep probably keep you on the menu and the agenda for the working group meetings, marco, just to give us updates when you're here and call out for any help. If you need it so then I'm going to move on to uh move it to discussion, um not as long. I don't think I'm going to present a slide here for you suck in.

A

Here.

A

All right, hopefully, you can see uh just one slide here, related to um movement, um so this is from the discussion I have with the folks that presented uh to us. uh I guess that was back last year now, but um um we were talking about what our best uh initial use case is um and uh this. So this is a the typical design is kind of like just a sketchbook. We started out with um where uh the the move itself, with the support nodes, the the green and the blue.

A

um They actually exist all exist today in a lxd container that you just download and run.

A

So that's all already built out without security. So actually our next step is to implement this read-only robot state. That's actually just an arvis view into the robot. So if you take the green and blue.

A

uh Boxes, if you will um run them in lexi in a simulator, and that is essentially your your robot right. uh The intent is to simulate this read-only robot state, which is our visualization of what the robot is actually doing.

A

um So, just simply to take those you know, use the lxd container um that exists for the running robot make a copy of it for that read, only robot state and kick off an arviz visualization into the running robot and then make sure that one is read only so uh so next step here is to take the pre-built container, implement security on the container and then clone it off to create a read-only container as well. So we end up with two luxe d, so it kind of makes sense so kind of.

A

I don't feel like I'm explaining that terribly well, but I think the drawing kind of shows you that it's a very simple use case where you have uh our biz reaching into a running robot. um That should have read-only view of what the robot state is.

A

So that's all we're going to look at implementing is if anybody else is interested in working on this again, I think all the setup is done, because we can start with the pre-built xd container and it's just a matter of applying security uh to that container, one for the actual running robot and then one for the read-only view into the other robot.

A

So.

A

No comments on that. It sounds like um so I'm gonna move on. I have um looks like um cali. uh First of all, did I get your name right. Kelly, yeah, yeah.

E

That's that's. That's uh well pronounced. Yes, it's a finnish name, so I'm used to very different ways. But I say myself.

A

Okay, all right.

E

So thanks a lot.

A

For joining us, I think you had some uh questions that you post up into uh the the matrix chat. um If you want to throw them out here, hopefully somebody will pick them up. It doesn't seem like you got too much traction on the on the chat.

E

Yeah yeah, that's right. I think it's more just like a sort of like a new big question. I've been trying to educate myself a little bit with sros, and um so I basically work in a drone project um as a security engineer, and we have like existing ros 2 nodes there and we use that for the different drone components to communicate with each other, but also the drone drones communicate with each other in the fleet through rush too, and basically, we are now thinking to add uh security.

E

On top of that, and I have been trying to figure out like what are the um different encryption and authentication schemas that are supported and how much uh control we have to change them and one one big thing is also that um we would like to have a centralized key management uh for basically all the cryptography happening on the on board on a drone. So I was wondering: is it possible for esros to fetch the keys somewhere else than than in this file system on that on the same same box?

E

Basically so they're like a bunch of questions- and I was just hoping if, if there is a pointer to some kind of documentation around it, we don't need to go through all questions, probably right now, but I was unable to find like uh very detailed documentation on crypto and authentication. I understand the high level concept of all these, including the access control lists and all, but but when it comes to a little bit about what algorithms are used, how does the authentication process look like and and so forth,.

A

Did we lose marco? Oh no, there you go marco, hey marco, I don't know if you would mind feeling this just sounds like like he's working on something very similar to what you've been uh working with on.

C

Rmf yeah, I guess the use case could be similar um yeah, uh for I mean the authentication and the encryption happens at the year's level. So it would. It would be based on the dds framework that you use in there.

C

So for documentation on that, you, you can check it out on the yeah there you go on the dds security specifications, okay got it. um I don't know. um To be honest, I don't know personally how much uh each vendor of dds would support, um so you might have to check on whatever you're, using if you're, using fast rtbs or if you're, using cyclone dds.

E

Yeah right now we are using the fast rtp.

C

Yeah so then you might have to check on the yeah on the documentation from them, and then I would say that um we also we to be honest.

C

We haven't defined yet how we plan to do it, but we also, um we also are in a need of having like some some kind of centralized location or some some way to manage keys from different robots, and that is not supported as far as I know, by esros, and the only way that we have right now is basically you have to deploy those keys manually, and that was my point with the revocation uh of certificates that we need, because there's no way to if you have a one of these uh drones, get uh the key is stolen or someone takes over there's no way you can replicate the key unless you you have to like, go and fetch the drone.

C

Somehow.

E

Yeah yeah yeah exactly- and this is one of the concerns like we- we are planning to create an enclave on on board and hoping that we would do if not all most of the encryption in in that enclave and whatever components need to use cryptographic. They just make requests over any- let's say cryptographic, interface, maybe pkcs11 or or soft. But I think this is. This is not properly supported. Based on what you are saying, but but on the other hand, certificates are supported.

E

So so I think we could work around that by key hierarchies, so the root key being in enclave and then just signing keys for for esros outside of enclave. But.

E

Yeah, I I was going through those uh sample samples on on esros uh in github, and um I didn't see much about certificates there like when you create keys and whatnot. I was uh like I thought that those are just raw keys there, but is there some kind of certificates like signed automatically when I, when I create a keystore and key.

D

Yes, indeed, everything is created automatically with some very or rather permissive.

D

Policies so that your wall craft, can, you know, spawn and just work, um but nothing prevents you from you know creating your own keys, your own policy, your own access control and everything, uh this kind of granularity.

D

Of course, that's only for a power user, I'd say which, which you probably are- and you may find more information on the fast dds documentation.

A

As well as the secure.

D

Dds specifications.

E

Yeah yeah thanks thanks yeah. This was pretty much the pointer. I was looking for so I'll read through the specs and uh yeah. I'm sure I get forward with that.

D

I mean from from our perspective, we are not. We are not trying, you know to show how a power user could suit their tune, his own system, but we are taking the.

D

We are going. The other way around how the most beginner user could easily secure its its robot with rush 2 so trying to have everything.

C

As.

D

Automatic as possible, while not preventing the power user from you, know doing its these things um right right. So that's.

C

Why.

D

The defrost to documentation may seem a little light.

E

Yeah yeah, I understood thanks jeremy.

A

So great, hopefully that helped you out a little bit got you started and feel free to uh you know, drop in on the meetings or try again uh out on the matrix chat and we'll.

E

Yeah yeah definitely.

A

Yeah, because one of the things too, that we're you know we're talking about uh these use cases and whatnot, what we're trying to do is actually find those good use cases that can be used as tutorials and update our documentation.

E

Yeah yeah and maybe, as our project goes forward, I can maybe at some point prepare a demo demo for you guys if you are interested to see how we ended up using sros, of course, now it's a bit early, but but still gonna. If you're interested. I I was also an earlier earlier call with you guys, and I saw saw a demo- also, maybe something similar. I could.

A

Yeah that'd be great that'd be great, I mean, I think I think it benefits everybody to see uh some of the more real-world uses of the security, so we can continue maturing the offering so cool.

A

So I did have one more thing, uh although we're running a little bit long, um there's a issue that uh was just posted yesterday.

A

uh Let's see if I can pull that up the uh that the default rmw no longer ships with security features. um Did everybody see that? Does anybody have any comments on that.

D

I.

A

Kyle posted.

D

A comment already bringing ibrozima and asking if they haven't, you know, simply compile it without the feature.

A

Yeah, so I'll just leave that out there if everybody, if anybody gets a chance uh to make a comment on that, um that's definitely something we'll want to track. I don't know you don't have any more insights into it. Jeremy, I know I I don't.

D

No, no, no yeah, that's probably on the pros side. Yeah.

A

But hopefully it's just something in the built form: uh they can enable security, but okay, all right. So um that's all I have for today. Does anybody else have anything else.

A

All right, if not, then we'll go ahead and call it. Thank you very much thanks a lot for the update marco um and uh we'll see y'all, and I think it's about two weeks.

D

Yeah, thank you have a good one.

C

Thank you.