From YouTube: ROS 2 Security Working Group (2020-08-25)
Description
Meeting notes: https://wiki.ros.org/ROS2/WorkingGroups/Security
A: Alrighty, hey everybody. Welcome to this week's version of the Security Working Group meeting. Joe is in a meeting that's running over, so I will be the coordinator today. Marco, welcome, I'm glad you could make it. I don't know what time it is there.

B: I can give a bit of introduction of why I'm here, maybe, yeah. Please do, yeah, yeah. So hello guys, my name is Marco, I'm from Open Robotics and I'm working in the Singapore office, and here we were working on making, basically, a fleet manager. So we're working on an open version; it's basically a manager of fleet managers and it's based on ROS, and we're now working on getting some security into it. And yeah, I'm just joining to see if I can understand a bit of the state of security in ROS, that's mostly why I'm here.

B: Oh, it's open source already. There was a talk at ROSCon last year, there were a few talks about it, right, the main keynote by Morgan at some point. And we're mainly working with hospitals right now, so we're doing robot fleet management at hospitals, but also working with airports, and we hopefully make it usable for other environments.

A: Yeah, that's awesome, okay! I am familiar with that project, I just didn't put two and two together, so that makes more sense. Thank you. So, to give you kind of a current state of things in security. We do.

B: Yeah, I see, I've seen this a bit; there's a bit of challenges on this mapping. Yeah.
C: So the generator is working, it's just very verbose. I might encourage you to take a look at the TurtleBot security demo, the TurtleBot 3 security demo we have on... I can drop a link to it, but basically, what I've done there is sort of take the TurtleBot stack, apply our autogenerating tool, which basically just takes a snapshot of the computation graph and then generates the policy set in a single context for those permissions, or enclave, and then I have some commits that kind of show my progress on how I maybe, like, simplify that using the policy import abstractions. Like in XML, you can reference something to include it, and that significantly simplifies the policy just to the topics rather than all the subsystem DDS topics that ROS nodes inherently need, that are common among all nodes. And I imagine you'd probably need to go through a similar process of taking the snapshot, condensing the policy to what you minimally require at runtime, and then go expanding from there if you end up adding additional features or services and...

C: Yeah, we're working towards something where we can do logging, so we can capture ephemeral graph exchanges. Sometimes, like, you might instantiate an action client temporarily, like a one-off thing, and then destroy it. So if that wasn't captured at the moment of the snapshot, then you didn't see it, whereas if we could record these log events, then we'd be much more capable to audit all these actions over time.

B: Well, it's something that we need to enable sometime soon, but I mean we have... let me see, we would have at least a few months, so we have different stages of the project. So we're doing a project now that is focused on research and it's focused on the hospital; we're also doing, on the side, a project on the airport, and then we're planning also to have some deployment projects. So I guess until we get to those deployment projects, it's not very critical, but I think it's something that we should have been working on maybe a bit before, but I guess we still have time to get working on it.
A: The ROS 2 launch system recently got rid of assuming that if a namespace isn't specified, then it's the root, and we're not sure why. Do you know?

E: Yeah, so you're familiar with the templated name, like the final node name that a node has as a property, yeah, yeah. So at some point, like two months ago, on top of having node name unspecified, they also added a new templated part that was node namespace unspecified, and yeah. Now the final node name always has node namespace unspecified, unless a specific namespace push or namespace argument was passed.

C: I'm saying, like, if you start up a node and you left the node namespace unspecified, but you had parameters, what ROS topic mapping does it actually attach to it at runtime? Are...

E: Yeah, and you know, there's a little bit of logging logic that if the node namespace is fully specified, it prints out that there are now X many nodes with this exact name, and because of that, or because of this change to node namespace unspecified, in order to have a fully defined node you also need to have passed in the namespace now, which is strange, and seems to imply to me that, you know, if you didn't specify the namespace, they're explicitly removing the assumption that the node name is fully constrained.

A: Well, anyway, I don't want to derail our conversation too far. The point of my bringing that up is that we have code written, we've rewritten it to continue making the assumption that used to be there, but it was removed for a reason, and we want to make sure we understand what that is. So we've got an email out to Yvonne to understand that a bit more, but if you're interested in testing that branch out, we do have it, Marco, and that will at least get you to the encryption stage using NoDL, as opposed to having to manage all your key material on your own.

B: I think I'm fine managing the key material for now, and I guess we're gonna need access control, so I think for now it's fine. I think it will be okay for us, but I'm happy to test if you guys want.

C: Yeah, are you on our Element or Matrix channel?

C: Paste the link for you here on the Security Working Group.

A: Okay, well, Marco, as you need anything, please do take a look at the TurtleBot... wait, did Ruffin... did you find the link for that, yep?

A: Okay, please do take a look at that, and any other questions, please feel free to ping us in Matrix, or, you know, if you want to have an ad hoc meeting, we're always up for that as well.
A: Yeah, all right, so the next thing I want to talk about was this global parameter events. This is something that Mikhail noticed happening in more of the rest of ROS 2, and ended up making a pull request that Ruffin ended up raising a flag on, rightly, about the risk of adding more topics to the global namespace, especially ones that are full duplex like this.

A: But yeah, not trying to preach, I want to make sure that I fully understand what this thing does and make sure that the others understand what's going on here as well, and Ruffin, I'm gonna lean on you here. This parameter events thing, my understanding of it is that every time a parameter is changed or a new one is made, etc., that's the type of thing that, like, basically notifications are sent along this thing, right? And this happens from a node, which means every time a node changes a parameter, it needs to be able to write to this thing, and anyone who's interested in those changes needs to be able to read from this thing, and it's only one topic, which means any parameter changes for any node in the entire system end up being...

C: So I think parameters are kind of a... they have a long history. You know, in ROS 1, ROS 1 had parameters but nodes, right. There was a parameter server and that was sort of bundled into the ROS master, roscore. It's basically a key-value store. And that was really hard to secure in SROS 1, basically having some complicated sanitization logic, where it would check the credentials of the node to see if it had read and write access to this particular key value, or whether it had access to the namespace of those keys, and there was some collision in that. Sometimes you might have a key of a parameter and the key of a... sometimes it's ambiguous whether the namespacing within the node collided with the namespacing of the node, the difference. So through all this really complicated logic, in ROS 2 we decided to... we had every node host its own parameter interface, and that's the way you would connect to the node directly if you want to read, write or list parameters, and those were the subsystem-level parameters.

C: One particularly common use case for parameters, like in everyday use, would be sim time. So regardless of whether your node naturally used or added any parameters, it would likely pay attention to the sim time, so it could set the clock appropriately, yeah, depending on whether you're using Gazebo or a real-life robot, and usually you set that kind of globally, like by convention in ROS 1. You would just set that, maybe at the top of your launch file, so you could easily switch between the two, and that would propagate through all the nodes. And similarly, I think that would be a parameter. I'm not exactly sure what the current state is. There was a push to make that easier to do by having a global parameter server, like a dedicated node that just... that's all it did, it just hosted parameters that other nodes could read and write to, right.

C: I've seen that API, yeah, to enable that kind of convenience of this global sim time control. I think those aren't too bad, in that if it was just everyone had read access only, and you had one node that... it wouldn't necessarily need write access. It would, just because it was a parameter that it owned. Well...
C: Namespace and all would be fine. The issue, I think, there was a bit where, through some caveat of the API, to change a parameter that you owned, you also needed to have write access, because I think the way you changed the node in rcl was that you used the set parameter service on yourself. And that is what I think also inherently required every node to have read and write permissions, or it has both server and client permissions for its node services, which I think is an additional... it's somewhat related here, in that it's an excessive permission set.

C: Right, where I think every node is allowed to maybe have client permissions for its own node services, but does it really need server access if it already owns the... see, that the requirement of using the set parameter API over DDS on itself, I think, is unnecessary and leads to excessive permissions, but the story on why, like, this wasn't an issue before, I'm not quite sure on. Yeah, because previously the parameter services, this parameter events topic specifically, was within...

C: Yeah, and I think that may have not caught very many people, because maybe a lot of people just run nodes without namespaces, and so the reactions, yeah, everything was started. So let's say we...

A: It being private to each individual node, does that mean that a given node that wants to listen to another node's parameter changes would actually need... would actually need to know... Then, let me try this again. A given node that wants to figure out a parameter change would need to understand the node that owned it and subscribe specifically to those.

C: Yeah, like with totally suggestion, you know, on the Discourse thread. If we made the parameter events private, we could... and you wanted to listen to parameters of arbitrary namespaces, you might have some kind of aggregator approach, where maybe this aggregator is just like rosout, where it's listening for all these upcoming parameter events and then consolidating them. And then everyone just subscribes to the consolidated result.

C: A question I have is: if I have node foo/bar, bar is the node name, foo is the namespace, and the node foo/bar has a topic... it has a parameter, /baz, is that allowed, or does it have... or are... does it have... it can only contain parameters?

C: So I was wondering if there was a restriction on parameters, you could... that the parameter events topic would only contain parameters, actual global parameters. If the parameter events topic, for whatever namespace it was located in, only contained parameters that were within that namespace.

C: So that then, the sense there might be multiple parameter-level topics within the graph but under different namespaces, and then you could allow every node to have read access to the global parameter events topic, and a specific configuration or administration tool, or a central node parameter server, to have write back or set.

C: Yeah, I'm just wondering, like, what are the use cases where every node would need a client... or sorry, would need write access to a global parameter space, because that's what I think the full duplex communication is, what is very scary about it. That differential.
C: There's something that I think currently, in the design pattern in ROS 2, is hard to avoid, like we talked about the global clock topic and the TF topic, and I think those are admissible, in that those can also be namespaced. Sometimes, like, people will have different TF topics if they're bandwidth constrained or have high frequency or something, or for static versus dynamic TFs. Clocks, I haven't seen any use cases where they have different clock topics. It's always just clock, but those are either only read, or the read and write are not usually required simultaneously. You might have hardware drivers that are publishing TFs, and then you might have algorithm nodes that are subscribing to those TFs, but very rarely, in case you have some kind of custom transformers, are both reading and writing to the TF topics, so the newsletters are usually okay, I would say.

C: Yeah, yeah, and...

C: I think, so... something I'm going to try and push is about the requirement that the node has both server and client permissions to its own parameter services and, subsequently, maybe read and write access to its own parameter events topic. If it was only read by default, like, I could create a node and all it would require is read access, and I think that'd be a better situation. If you want to write something, we could sync, do it together? Okay, on the Matrix, on what we want to say exactly. Okay.

A: Okay, sorry everybody, we ran a little bit over, but any last-minute things? We can kick my last agenda item to next meeting.

C: On the Hacker News post about security mindset and how to teach it, I think I'll take that up and put it on the Matrix.

C: In ROS 1 we did have a couple of pen testing tools, like roschaos and whatnot, and so you'd run your system and then you'd run this node that was intentionally malicious and then just try and mess with your graph, like disconnecting topics. It was partly because it could control the master API, but I'm wondering if we could do something similar. That sounds really... It was like a pen testing tool you might use, run against your own system.

D: Hang on, okay, yeah!

D: It's sometimes difficult to take some of these concepts and figure out how to apply them to the larger scope that I think the GVSC stuff typically is on, but yeah, and I'm still getting spun up on a lot of it. But yeah, I'm very interested in seeing how we can tie the stuff together, yeah, because I'm currently part of the analysis team, and this sounds like something that would be very useful for us.

A: Well, if that's something you're thinking of taking on, Jacob, let's chat, you know, we can chat in Matrix and then maybe put a design together and see what it turns into on paper, at least, see if it looks cool.

D: I'll have to first get on Matrix, and then I'll have to talk with my bosses and see what they think.

A: I just shared a link to our ROS security community page as well, that has several links for communication channels etc., including Matrix.