Formal Analysis and Detection for ROS2 Communication Security Vulnerability
Abstract
1. Introduction
- For the different communication mechanisms of ROS2, we formally modeled and analyzed their potential vulnerabilities and, at the same time, formally expressed the CIA properties as the security properties;
- Based on the established vulnerability model and security properties, we designed and developed an ROS2 vulnerability detection tool. The tool detects vulnerabilities in the ROS2 system by means of a reachability analysis and reports which of the ROS2 CIA properties are damaged by each detected vulnerability.
2. Related Work
3. ROS2 Communication Security Vulnerability
3.1. Security Vulnerability of Topic Communication
- (1) Stealing basic data of the topic. In addition to the sensitive data contained within the messages, the topic itself carries metadata used for publication and subscription, such as the topic name and topic type. According to the DDS discovery protocol, any other node in the same communication domain can access this topic information when the ROS2 communication has no additional protection. Therefore, as long as the intruder node is able to join the communication domain where the target is located, it can steal the information of the target topic. The intruder can thereby learn data such as the ROS2 network structure and may carry out further intrusion into the ROS2 communication based on the obtained data.
- (2) Unauthorized subscription. In the ROS2 topic communication mechanism, any node can subscribe to any topic without authorization and obtain the message data. An intruder can use this vulnerability to steal messages from an application, resulting in the disclosure of important system data or users' private data. Since any node can subscribe to any topic without authorization, an intruder can, after obtaining the data related to the target topic, create a malicious node that impersonates a subscriber so as to obtain the data in the topic.
- (3) Unauthorized publication. Similar to unauthorized subscription, nodes in ROS2 can publish messages to any topic without authorization, which may be used by intruders to inject false data or commands into applications, thus interfering with their normal operation and causing undesirable consequences. Before carrying out the attack, the intruder first needs to obtain the relevant parameters of the target topic, such as the topic name and topic type. Then, the intruder creates a malicious node in the domain where the target topic is located and creates a publisher on that node. Finally, based on the obtained topic name and topic type, the intruder can forge false messages that the target topic accepts, and the topic delivers them to all nodes subscribed to it.
3.2. Security Vulnerability of Service Communication
- (1) Stealing basic service data. In addition to the sensitive data contained within the ROS2 service, the service itself has some data information, such as the service name and service type, based on which a client node can send a request to the specified service. According to the DDS discovery protocol, any other node in the same communication domain can access this service information when the ROS2 communication has no additional protection. Therefore, as long as the intruder node joins the communication domain where the target is located, it can steal the information of the target service. The intruder can thereby steal data such as the ROS2 network structure and carry out further intrusion into the service communication.
- (2) Unauthorized service call. In ROS2 communication, any node in the same communication domain can call the services in the domain and receive their responses. Therefore, after stealing the basic data of a service, the intruder can also communicate with the target service based on these data and send malicious requests to it, thereby stealing sensitive ROS2 data or issuing malicious commands to the ROS2 nodes, which can cause serious consequences.
3.3. Security Vulnerability of Action Communication
- (1) Stealing basic action data. In addition to the sensitive data contained within the ROS2 action, the action itself has some data information, such as the action name and action type, based on which a client node can send a request to the specified action. According to the DDS discovery protocol, any other node in the same communication domain can access this action information when there is no additional protection. Therefore, the intruder node is able to join the communication domain and steal the data of the target's actions, thus realizing the theft of basic data, and may carry out further intrusion into the action communication.
- (2) Unauthorized action call. In ROS2 communication, any node in the same communication domain can call the actions in the domain and receive their responses and feedback. Therefore, after stealing the basic data of an action, the intruder can also communicate with the target action based on these data and send malicious requests to it, thereby stealing sensitive ROS2 data or issuing malicious commands to the ROS2 nodes.
4. Modeling of Security Vulnerability
- S is the set of all states in the system;
- is the set of actions, representing all the actions in the system;
- denotes the transition relationship between the states in the system;
- I denotes the set of initial states of the system.
- a: a holds at the current time, and in the trajectory, it behaves as if it holds at the first position.
- : holds at the next time point and holds at the second position in the trajectory.
- : holds until holds.
- : , which means that holds sometime in the future.
- : , which means that always holds in the future.
4.1. Modeling of Topic Security Vulnerability
4.1.1. Vulnerability Model
- There are eight states in . In these states, denotes the initial state of the vulnerability model; denotes the state that checks whether the intruder can be authorized; denotes that the intruder node can be an authorized node; denotes that the intruder node is already able to communicate with the target; indicates that the intruder node waits to receive information about the target topic; denotes the state that checks whether the intruder has obtained the basic data of the topic; and and represent whether the topic information has been successfully obtained or not, respectively.
- denotes determining whether the node is an authorized node; denotes obtaining the communication domain where the target topic is located; and denotes obtaining the information of the target topic. , and are channels used to communicate with the ROS2 communication model.
- The initial state set .
- The transition relationship between the states is shown in Figure 1.
- There are ten states in . In these states, indicates that the intruder node can subscribe to the target topic; indicates that the intruder node waits for messages on the topic it has subscribed to; and and represent whether or not it successfully subscribed to the topic and received its messages, respectively. The rest of the states have the same meaning as in .
- and are channels. The intruder node sends a subscription request for the topic through channel and receives the topic messages through channel . If it cannot receive a message for a long time, it receives a timeout response through channel . The rest of the actions have the same meaning as in .
- The initial state set .
- The transition relationship between the states is shown in Figure 2.
- There are ten states in . In these states, indicates that the intruder node publishes a message to the target topic; and represent whether it has successfully published a fake message to the topic or not, respectively. The meanings of the remaining states are the same as in .
- means forging a fake message based on the obtained topic information, and means publishing a message to the target topic. The rest of the actions have the same meaning as in .
- The initial state set .
- The transition relationship between states is shown in Figure 3.
4.1.2. Security Specification
- Only authorized nodes can access the information (topic name, topic type) of topics in the communication domain. The ROS2 node should satisfy
- Only authorized subscriber nodes can successfully subscribe to the target topic. The ROS2 subscriber node should satisfy
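The transition system and LTL safety properties defined in Section 4, the eight-state model of Section 4.1.1 and the first specification of Section 4.1.2 can be exercised together in a small reachability check. The following is an added example written for this page; it is not the paper's tool and does not use the paper's symbols (which are not reproduced here). Location names, action names, the `authorized` flag and the `access_control` switch are this example's own constructions, chosen to follow the prose description of the model; the `DAMAGED_CIA` mapping is transcribed from the paper's Table 1 (✕ entries).

```python
"""Reachability check of a topic-information vulnerability model.

Constructed example (not the paper's tool or its symbols): location and
action names below are this example's own, chosen to follow the prose
description of the eight-state model in Section 4.1.1.
"""
from collections import deque
from typing import Callable, Dict, FrozenSet, List, NamedTuple, Optional, Set, Tuple


class State(NamedTuple):
    location: str      # one of the eight locations of the model
    authorized: bool   # whether the node holds a valid authorization


class TransitionSystem(NamedTuple):
    """TS = (S, Act, ->, I), as defined at the start of Section 4."""
    states: FrozenSet[State]
    actions: FrozenSet[str]
    transitions: FrozenSet[Tuple[State, str, State]]
    initial: FrozenSet[State]


LOCATIONS = ("init", "check_auth", "authorized", "can_communicate",
             "wait_topic_info", "check_obtained", "info_obtained", "info_not_obtained")


def build_topic_info_model(access_control: bool) -> TransitionSystem:
    """Model of 'stealing basic data of the topic'.

    Two nodes are modelled as two initial states: one authorized, one not.
    access_control=False is plain ROS2, where DDS discovery hands the topic name
    and type to any node that joins the domain; access_control=True is a
    hypothetical deployment that rejects unauthorized nodes at the check.
    """
    s = {(loc, auth): State(loc, auth) for loc in LOCATIONS for auth in (True, False)}
    trans: Set[Tuple[State, str, State]] = set()
    for auth in (True, False):
        trans |= {
            (s["init", auth], "start", s["check_auth", auth]),
            (s["can_communicate", auth], "request_topic_info", s["wait_topic_info", auth]),
            (s["wait_topic_info", auth], "recv_topic_info", s["check_obtained", auth]),
            (s["check_obtained", auth], "topic_info_present", s["info_obtained", auth]),
            (s["check_obtained", auth], "topic_info_empty", s["info_not_obtained", auth]),
        }
    # the authorized node passes the check and may then talk to the target
    trans.add((s["check_auth", True], "auth_accepted", s["authorized", True]))
    trans.add((s["authorized", True], "connect", s["can_communicate", True]))
    if access_control:
        trans.add((s["check_auth", False], "auth_rejected", s["info_not_obtained", False]))
    else:
        trans.add((s["check_auth", False], "join_domain", s["can_communicate", False]))
    return TransitionSystem(
        states=frozenset(s.values()),
        actions=frozenset(a for _, a, _ in trans),
        transitions=frozenset(trans),
        initial=frozenset({s["init", True], s["init", False]}),
    )


def reachable(ts: TransitionSystem) -> Dict[State, List[str]]:
    """BFS from the initial states; maps each reachable state to a witness action path."""
    witness: Dict[State, List[str]] = {st: [] for st in ts.initial}
    queue = deque(ts.initial)
    while queue:
        cur = queue.popleft()
        for src, act, dst in sorted(ts.transitions):   # sorted for deterministic witnesses
            if src == cur and dst not in witness:
                witness[dst] = witness[cur] + [act]
                queue.append(dst)
    return witness


def check_globally(ts: TransitionSystem,
                   prop: Callable[[State], bool]) -> Optional[Tuple[State, List[str]]]:
    """Decide the safety property G prop by reachability: prop must hold in every
    reachable state. Returns None if it holds, else (violating state, witness path)."""
    for st, path in reachable(ts).items():
        if not prop(st):
            return st, path
    return None


def topic_info_confidentiality(st: State) -> bool:
    """Reading of the first Section 4.1.2 specification: topic name/type is only ever obtained by authorized nodes."""
    return st.location != "info_obtained" or st.authorized


# CIA properties damaged by each topic vulnerability, transcribed from the paper's Table 1.
DAMAGED_CIA = {
    "stealing basic data of the topic": {"confidentiality"},
    "unauthorized subscription": {"confidentiality", "availability"},
    "unauthorized publication": {"confidentiality", "integrity", "availability"},
}


def detect_topic_info_leak(access_control: bool) -> dict:
    """Run the check and report which CIA properties the detected vulnerability damages."""
    ts = build_topic_info_model(access_control)
    cex = check_globally(ts, topic_info_confidentiality)
    if cex is None:
        return {"vulnerable": False, "damaged": set(), "witness": []}
    return {"vulnerable": True,
            "damaged": DAMAGED_CIA["stealing basic data of the topic"],
            "witness": cex[1]}


if __name__ == "__main__":
    for ac in (False, True):
        print("access control" if ac else "plain ROS2", detect_topic_info_leak(ac))
```

The safety property is checked the way the paper describes its tool working: a reachability analysis over the model, where a violation is a reachable state in which the property fails, and the BFS path to that state is the trajectory that witnesses it. With `access_control=False` the unauthorized node reaches the `info_obtained` location and the check reports confidentiality as damaged; with `access_control=True` only the authorized node reaches it and the property holds.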
4.2. Modeling of Service Security Vulnerability
4.2.1. Vulnerability Model
- There are eight states in . In these states, denotes the initial state of the vulnerability model; denotes that the intruder node used to detect the vulnerability is an authorized node; denotes that the intruder node has been able to communicate with the target; denotes that the intruder node waits to receive a message from the target's service; and and denote, respectively, whether the message in the service is successfully acquired or not.
- denotes making the intruder node an authorized node; denotes obtaining the communication domain where the target service is located; and denotes obtaining the information of the target service, the data of which the intruder can obtain through channel .
- The initial state set .
- The transition relationship between the states is shown in Figure 4.
- There are ten states in . In these states, denotes that the intruder has obtained the data of the service; denotes that the intruder has sent a service request to the ROS2 system; and and represent whether the response was successfully received or not, respectively.
- means sending the service request, and means receiving the service response. The rest of the actions have the same meaning as in .
- The initial state set .
- The transition relationship between the states is shown in Figure 5.
4.2.2. Security Specification
- Only authorized nodes can access the basic information (service name, service type) of the service in the communication domain. So, the ROS2 node should satisfy
- Only authorized client nodes can receive service responses sent by the server, and only authorized server nodes can receive service requests sent by the client. So, the ROS2 service client should satisfy
4.3. Modeling of Action Security Vulnerability
4.3.1. Vulnerability Model
- There are eight states in . In these states, denotes the initial state of the vulnerability model; denotes the check of whether the intruder is authorized; denotes that the intruder node used to detect the vulnerability is an authorized node; denotes that the intruder node is ready to communicate with the target; denotes that the intruder node waits to receive the message from the target's action; denotes the check of whether the action message is null; and and denote, respectively, whether the response is successfully received or not.
- indicates whether the node is an authorized node or not; indicates the communication domain where the target action is located; indicates that the intruder requests the information of the target action; and indicates that the intruder has received the information.
- The initial state set .
- The transition relationship between the states is shown in Figure 6.
- There are ten states in . In these states, denotes that the intruder node is ready to send a request; indicates that the intruder has finished sending the request and is waiting for a response from the server; and and represent whether or not the response was successfully received, respectively. The other states are the same as in .
- means sending a request to the action, and means receiving the response of the action.
- The initial state set .
- The transition relationship between the states is shown in Figure 7.
4.3.2. Security Specification
- Only authorized nodes can access the basic information (action name, action type) of actions in the communication domain, so the ROS2 node should satisfy
- Only authorized client nodes can receive action responses and feedback sent by the server, and only authorized server nodes can receive action requests sent by the client. So, the action client should satisfy
5. ROS2 Communication Security Vulnerability Detection Method
5.1. Framework of Method
5.2. Domain Scanning Module
5.3. Vulnerability Detection Module
5.3.1. Topic Vulnerability Detection Module
5.3.2. Service Vulnerability Detection Module
5.3.3. Action Vulnerability Detection Module
6. Experiment
6.1. Experiment Environment
6.2. Results and Analysis
6.2.1. Runtime Verification Results
6.2.2. Vulnerability Detection Result
6.2.3. Tool Performance
6.3. Comparison of Related Tools
7. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Type of Vulnerability | Confidentiality | Integrity | Availability
---|---|---|---
stealing basic data of the topic | ✕ | ✔ | ✔
unauthorized subscription | ✕ | ✔ | ✕
unauthorized publication | ✕ | ✕ | ✕
stealing basic data of service | ✕ | ✔ | ✔
unauthorized service call | ✕ | ✕ | ✕
stealing basic data of action | ✕ | ✔ | ✔
unauthorized action call | ✕ | ✕ | ✕
Attacker Node | Type of Attack | ROS2 | SROS2
---|---|---|---
unauthorized node | stealing basic data of the topic | ✔ | ✕
unauthorized node | unauthorized subscription | ✔ | ✕
unauthorized node | unauthorized publication | ✔ | ✕
unauthorized node | stealing basic data of service | ✔ | ✕
unauthorized node | unauthorized service call | ✔ | ✕
unauthorized node | stealing basic data of action | ✔ | ✕
unauthorized node | unauthorized action call | ✔ | ✕
authorized node | stealing basic data of the topic | ✔ | ✔
authorized node | unauthorized subscription | ✔ | ✔
authorized node | unauthorized publication | ✔ | ✔
authorized node | stealing basic data of service | ✔ | ✔
authorized node | unauthorized service call | ✔ | ✔
authorized node | stealing basic data of action | ✔ | ✔
authorized node | unauthorized action call | ✔ | ✔
Vulnerability Type | ROS2Tester | ROSPenTo | ROSploit
---|---|---|---
stealing basic data of node | ✔ | ✔ | ✔
Impersonating node identity | ✔ | |
stealing basic data of the topic | ✔ | ✔ | ✔
unauthorized subscription | ✔ | ✔ | ✔
unauthorized publication | ✔ | ✔ | ✔
stealing basic data of service | ✔ | ✔ |
unauthorized service call | ✔ | |
stealing basic data of action | ✔ | |
unauthorized action call | ✔ | |
stealing basic data of parameter | ✔ | ✔ |
modify node parameter information | ✔ | ✔ |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Yang, S.; Guo, J.; Rui, X. Formal Analysis and Detection for ROS2 Communication Security Vulnerability. Electronics 2024, 13, 1762. https://doi.org/10.3390/electronics13091762