[prev in list] [next in list] [prev in thread] [next in thread]
List: ros-users
Subject: [ros-users] Announcing SROS! Security enhancements for ROS
From: matthew.k.hansen () intel ! com (Hansen, Matthew K)
Date: 2016-10-05 0:03:29
Message-ID: 0014E18907F1D4468FA922BC9B7452D93F7CE53C () FMSMSX112 ! amr ! corp ! intel ! com
[Download RAW message or body]
Hi Ruffin,
It?s great to see that you?re working on this. I?m looking forward to your talk next \
week.
Matt
From: ros-users [mailto:ros-users-bounces at lists.ros.org] On Behalf Of Ruffin White \
via ros-users
Sent: Tuesday, October 04, 2016 2:01 PM
To: User discussions <ros-users at lists.ros.org>
Subject: [ros-users] Announcing SROS! Security enhancements for ROS
TL;DR:
Secure ROS (SROS) is a set of proposed enhancements to ROS, enabling secure \
communications over networks, access control in the computation graph, and policy \
profile templates for linux security modules. To read more: http://wiki.ros.org/SROS
Hello everyone,
I'm happy to announce a set of proposed enhancements to Secure ROS, duly named SROS \
[1].
You may remember me from last year, myself being that one Docker enthusiast that \
wished to make ROS more repeatable, reproducible, and deployable using linux \
containers [2]. Following my ambition to help make existing ROS code even more \
reusable and relevant in the greater robotics community, I've again worked with OSRF \
this summer to help found the beginning of SROS.
Obligatory Disclaimer:
SROS is currently highly experimental and under heavy development
At time of writing, this effort is highly experimental and must not be considered \
production-grade. Rather, it is currently an exploration of various strategies for \
mitigating some of the most obvious ways that ROS systems would be compromised by \
"bad actors" of various sorts
SROS is intended to secure ROS across three main fronts:
? Transport Encryption
Verify the identity of nodes, the integrity of the traffic, and the privacy of the \
connection. o Native TLS support for all socket level communication
o X.509 PKI certificates for chains of trust, authenticity and integrity
o Keyserver for key pair generation and certificate customisation
? Access Control
Restrict a node's scope of access within the ROS graph to only what is necessary.
o Definable namespace globbing for node restrictions and actions
o Audit graph network through security logs and events
o User constructed and/or auto trained access control policies
? Process Profiles
Restrict a node's scope of access within the host machine to only what is necessary.
o Harden node processes on using Linux Security Modules in kernel
o Quarantine a node?s file, device, signal, and networking access
o Reusable AppArmor profile component library for ROS
Now that we have a working prototype, we'd like to formalize a REP for SROS to \
standardize some of the finer details [3]. If you happen to have an expertise in \
cybersecurity or an interest in securing ROS, you are welcome to review and \
contribute to the developing REP. Visit the cross-post on discourse for discussion \
[6].
And as another plug for ROSCon 2016 [4], I'll also be giving a talk on this subject:
?{,S}ROS: Securing ROS over the wire, in the graph, and through the kernel
So if you'd like to meet up and talk about securing ROS for robotic systems out in \
the wild, I'll see you there.
Special thanks to OSRF for making this possible,
Ruffin White
[1] http://wiki.ros.org/SROS
[2] https://vimeo.com/142150815
[3] https://github.com/ros-infrastructure/rep/pull/121
[4] http://roscon.ros.org/2016/
[5] http://wiki.ros.org/SROS/Installation/Docker
[6] http://discourse.ros.org/t/announcing-sros-security-enhancements-for-ros/536
P.S. If you'd like to play with SROS right away, be sure to try out the SROS docker \
image available from OSRF [5]: $ docker run --rm -it \
osrf/sros \
bash -c "source /ros_entrypoint.sh && \
sroskeyserver & \
sleep 3 && \
sroslaunch rospy_tutorials talker_listener.launch"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ros.org/pipermail/ros-users/attachments/20161005/58844f03/attachment.html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic