Robotics Operating System 2 Cybersecurity, 10-R6140

Principal Investigator
Inclusive Dates 
02/01/21 to 06/01/21

Background

Robotics Operating System 2 (ROS 2) is an open-source software development kit intended for standardized development of robotics applications. It plays a significant role in robotics within a wide variety of industries including manufacturing and autonomous systems that are a part of national infrastructure.

Recently there has been an increased focus on ensuring that this infrastructure is not only reliable, but also secure; however, there is currently a lack of tools and methodologies available to ensure that ROS 2 implementations are secured. By engaging in the development of fuzzing methodologies to identify security weaknesses, SwRI is able to strengthen its already significant involvement in the ROS/ROS 2 community in the areas of industrial robotics and autonomous vehicles.

Approach

This research centered on developing the ability to identify vulnerabilities within ROS 2 implementations. Four threats to the security of a ROS 2 ecosystem were considered: invalid inputs, improper authorization, replay, and spoofing. A vulnerability discovery tool was developed based on an existing open-source tool, and each threat category was implemented with that tool. The first threat, invalid inputs, was implemented by creating a publisher that sent messages filled with unexpected characters and other contents to a topic. The other three threats involved sending messages that should not have been accepted by the system because of permissions issues. To test the tool's success in detecting vulnerabilities, a small-scale ROS 2 implementation consisting of two nodes and one component was created to mimic existing ROS 2 projects within the institute. The vulnerability discovery tool was run against this implementation in two series: the first against an implementation free of vulnerabilities, and the second against an implementation with inserted vulnerabilities.

Accomplishments

Southwest Research Institute was able to execute each of the attacks successfully against the test implementation. Success of an attack was measured in two different ways. For the invalid input attacks, which included buffer overflows and integer overflows, success was defined by causing the target node to cease functioning. This was measured by a subscriber node that tracked the activity of the nodes in the implementation. Success of the other three attacks was measured differently because of the lack of security measures in the target implementation. Because a successful attack in those three categories would not break the rules set forth in ROS 2, the nodes did not crash on attack success. Instead, success was determined by manual examination of the different messages received by each node. In the invalid input case, the attack was successfully able to shut down the node. For the other three attack types, the attack messages were successfully received by the target node and showed the expected behavior.
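The invalid-input series and the liveness-based success measurement described above can be modeled offline as follows. This is an added example, not SwRI's tool and not ROS 2 code: the `StandInNode` class, the `label`/`count` message schema, and the 64-byte buffer are assumptions made for illustration, and all test messages are constructed.

```python
import struct

LABEL_MAX = 64  # assumed fixed buffer size in the stand-in node

def invalid_input_cases():
    """Constructed test messages for an assumed schema: label (string), count (int32)."""
    return [
        ("baseline", {"label": "ok", "count": 1}),
        ("oversized_string", {"label": "A" * 4096, "count": 1}),
        ("unexpected_chars", {"label": "\x00\u202e%n\ufffd", "count": 1}),
        ("int32_overflow", {"label": "ok", "count": 2**31}),
    ]

class StandInNode:
    """Simulated subscriber; not ROS 2 code. `validated` selects the test series."""
    def __init__(self, validated):
        self.validated = validated
        self.alive = True
        self.processed = 0

    def on_message(self, msg):
        if not self.alive:
            return
        data = msg["label"].encode("utf-8")
        if self.validated and (len(data) > LABEL_MAX or not -2**31 <= msg["count"] < 2**31):
            return  # reject out-of-range input and keep running
        try:
            buf = bytearray(LABEL_MAX)
            struct.pack_into(f"{len(data)}s", buf, 0, data)  # fails if label exceeds buffer
            struct.pack("<i", msg["count"])                  # fails outside int32 range
            self.processed += 1
        except struct.error:
            self.alive = False  # models the node ceasing to function

def run_series(validated):
    """Return the names of cases after which the node stopped processing messages."""
    stopped = []
    probe = {"label": "probe", "count": 0}
    for name, msg in invalid_input_cases():
        node = StandInNode(validated)  # fresh node per case so results are attributable
        node.on_message(msg)
        before = node.processed
        node.on_message(probe)         # monitor's liveness check after the test message
        if node.processed == before:
            stopped.append(name)
    return stopped

if __name__ == "__main__":
    print("validated series: ", run_series(True))
    print("vulnerable series:", run_series(False))
```

Starting a fresh node for each case is what lets the monitor attribute a stopped node to one specific input; the unexpected-characters case passes in both series, which shows that the liveness check only reports inputs the handler cannot survive.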