Elsevier

Robotics and Autonomous Systems

Volume 98, December 2017, Pages 192-203
Robotics and Autonomous Systems

Security for the Robot Operating System

https://doi.org/10.1016/j.robot.2017.09.017Get rights and content

Highlights

  • Evaluation of ROS security and detailed description of possible attacks.

  • Light-Weight precautions to harden ROS at application-level.

  • Minimally invasive changes towards hardening the ROS core.

  • Penetration testing tool support for ROS.

  • Usable security and key-management in ROS.

Abstract

Future robotic systems will be situated in highly networked environments where they communicate with industrial control systems, cloud services or other systems at remote locations. In this trend of strong digitization of industrial systems (also sometimes referred to as Industry 4.0), cyber attacks are an increasing threat to the integrity of the robotic systems at the core of this new development. It is expected, that the Robot Operating System (ROS) will play an important role in robotics outside of pure research-oriented scenarios. ROS however has significant security issues which need to be addressed before such products should reach mass markets. In this paper we present the most common vulnerabilities of ROS, attack vectors to exploit those and several approaches to secure ROS and similar systems. We show how to secure ROS on an application level and describe a solution which is integrated directly into the ROS core. Our proposed solution has been implemented and tested with recent versions of ROS, and adds security to all communication channels without being invasive to the system kernel itself.

Introduction

The shift towards industry 4.0 implies stronger automatization and hence increased relevance and use of robots. An Industrial Control System (ICS) is inherently distributed and connects a potentially huge number of sensors and actors, whose orchestration exhibits complex dynamics that are typically fragile and hence vulnerable to attacks. This new technology and the tight integration and interconnection of components leads to new vulnerabilities and thus a heightened focus on the security concerns. The particular evolution of the Robot Operating System (ROS) happened under time-pressure of industry,1 which has assigned a secondary (if not ternary) role to security.

In ICS, the traditional information security triad of Confidentiality, Integrity and Availability (Confidentiality, Integrity, Availability (CIA)) will often be assigned different priorities [[1], [2]]. When thinking of user data in information systems, it is usually more important to keep them confidential than available. Thus, taking a service offline in response to an attack is often a reasonable reaction.2 In information systems, lost data can often be restored from backups. However, actions taken by an ICS (e.g., an actuator damaging its surroundings) cannot simply be undone by “restoring from the last known good backup”. To give two examples, if a drone or a hydro dam is under attack, simply shutting them down is not a valid response. Above all other considerations, such systems’ basic functionality must be available until they reach a safe state (e.g., the drone has landed or the water reservoir held back by the dam was drained).

The development of ICS has been paralleled by the attack strategies adapting themselves to the increasing complexity of the victim systems. The resulting highly complex and extremely well coordinated attacks known as Advanced Persistent Threats (APTs) [[3], [4]] dramatically demonstrate the need for security to become an intrinsic part of the design of a distributed system, rather than a subsequent add-on that is considered once the availability goal has been reached.

In fact, even though safety beats security in terms of priority, there is no reliable safety without security. Just imagine the safety precautions of a robot to depend on reliable sensor data. Injecting malicious packets to mimic some dangerous situation that forces a robot to react can already cause harm by itself. Blocking messages can be equally dangerous, if the dropout message was a notification of a human being in the robot’s way. These two examples (among more to follow in Section 3) already exhibit security as a necessity for safety, and indirectly, also for availability, since accidents typically induce temporal shutdowns of the production system (and hence economic damages).

This article discusses a series of proposed improvements to ROS, which have been motivated by the reported vulnerabilities and insufficiency of ROS regarding security [[5], [6], [7], [8]]. Specifically, we will develop our discussion along the following skeleton: we let a brief survey of related work motivate our work by showing the recognition and interest of the community (industrial and scientific) to the problem of securing ROS. In Section 3, we provide an analysis of ROS vulnerabilities along with a detailed description on how an attacker would perform a manipulation of a ROS application. We then review prior work concerning a security architecture to harden ROS on the application level (OSI layer 7), and to harden the ROS core (in OSI layer 4), described in Sections 4 Hardening ROS on the application level, 5 Securing the ROS communication channel.

To validate the efficacy of the security added to ROS, we use Section 6 to compare the behavior of a “plain” ROS and a hardened version thereof against a fixed attack pattern. That is, we describe a practical testbed including a dedicated tool for penetration testing ROS where messages are injected to see how easy the system can be manipulated, unless cryptographic precautions are implemented. In fact, their implementation is neither heavy weight nor difficult, and our findings are that even a cryptographic light-weight armory can do quite well already.

Cryptography, however, is insufficient by itself and depends on proper and especially simple key-management. Most legacy systems, up to ones under construction today, are designed to be repaired quickly and easily. For example, if a module needs to be replaced, the service staff should not be required to do more than unplug the malfunctioning module and replace it with the new one. If cryptography comes into play, keys are stored all over the system, and replacing a module with a new one requires refreshing the keys inside the whole system. A proper key management is far from trivial and can make cryptography cumbersome (if not infeasible) to apply.

Our proposed security enhancements for usable key-management (see Section 7.1) therefore heavily rely on smart cards and tamper proof (sub-)modules to handle the key management transparently for the engineers. This is to the end of designing modules so that they, upon replacement, are capable of automatically registering themselves with the system, while the required level of authenticity, genuineness and secure logging are all assured.

The latter is a particularly important matter of forensic investigation in case of system failures (in the worst case, involving harm to humans). This leads to accountability as an independent requirement beyond CIA (or better “AIC” in industrial systems), and must be considered separately. We discuss the matter as part of the outlook and follow up work to this article (in Section 7.2).

Our work proposes a security architecture on the application layer, along with a practical implementation and validation thereof. Since plain ROS offers only limited native security, and changes to the operating system (i.e., below the application layer) are usually nontrivial and expensive, the question of how much security can be added “on top” arises. The main message and novelty of this work is the finding that (first) ROS can be hardened on the application layer to a wide extent, and that only a relatively thin layer of (cryptographic) security implemented below layer 7 already thwarts many known attacks (at the appeal of using existing “off-the-shelf” mechanisms and technology). The contribution of this work is complemented by the verification of the additional security, by demonstrating the newly gained resilience of our hardened ROS against attacks reported in the related literature, and a demarcation of the line between what can be done on the application layer and which security aspects must be rooted deeper or even outside the operating system. This discussion constitutes the outlook in Section 7. We believe this matter to be an important one besides purely technical aspects, and hope to stipulate related research along these lines, motivated by the new findings in this paper.

Section snippets

Related work

The typical divide and combination between proactive and reactive security measures is clearly biased strongly towards preventive actions to preserve safety in our context. While there has been considerable progress on intrusion detection in ICS [[9], [10], [11]], these measures inevitably come with false-negative rates that may be unacceptable for human safety. The strong assurances provided by cryptographic techniques must, however, be considered carefully while avoiding ad hoc solutions with

Security issues in the Robot Operating System

We address several possible attack vectors on a ROS-application:

  • Unauthorized Publishing (Injections)

  • Unauthorized Data Access

  • Denial of Service (DoS) attacks on specific ROS nodes.

As an example, we consider the following application (see Fig. 1): a collaborative robot is working alongside humans to perform a certain manipulation action (e.g., pick-and-place, assembly, etc.). Whenever a human comes close to the robot, it is supposed to slow down or even stop if the

Hardening ROS on the application level

A first approach to securing ROS can be realized at the application level. We introduce a dedicated Authentication Server (AS) which keeps track which ROS node may subscribe to or publish to a topic. In addition, the AS manages the authentication of nodes and generates the topic-specific encryption keys. We assume the AS to be subject of strong physical and logical access control, i.e., it can be mounted and running in a high(er) security domain. The respective security precautions are

Securing the ROS communication channel

While the application-level approach already mitigates many security risks in ROS, it also requires each ROS node to implement the security functions thus requiring all modules to be recompiled. To make the security function transparent to application-level modules, we need to modify the ROS communication itself. To overcome the limitations that a purely application-level approach inherently has, we present a modified version of the ROS communication between nodes which has been extended with

Penetration testing

Penetration testing [34] is a very popular method to test the vulnerability of a system to certain attacks. In this section we present steps to penetration test a ROS system and what the resulting consequences are for applications with and without security. Note that we do not describe a penetration test for the network security but just for the ROS application itself. Also, note that we do not test the vulnerabilities in the XMLRPC API, since at the moment, this can only be secured using SROS

Usable key management

When securing an IT system, the process that establishes cryptographic keys whenever they are needed is crucial for the overall security. Hence we describe essential steps in the so called key management process in the remainder of this section. These steps include

  • The enrollment of new ROS components,

  • The de-registration of (old or broken) components, and

  • The remote and on-site maintenance

Additionally to these steps we will briefly discuss the prerequisites and

Conclusion

In this paper we have given an overview of security issues in ROS and have presented approaches to solve them. We have shown how easy an attacker can make use of weaknesses in the ROS design. Our application-level approach secures small ROS applications without the need to dig deep into the ROS source code.A transparent solution to secure roscpp-based nodes has been presented. Here, we modify the source code of ROS to establish (D)TLS channels ensuring authentication, authorization and

Acknowledgments

The work reported in this article has been supported by the Austrian Ministry for Transport, Innovation and Technology (BMVIT) within the project framework Collaborative Robotics and by the Munich Center for Internet Research (MCIR) .

Acronyms

    AS

    Authentication Server

    ROS

    Robot Operating System

    TPM

    Trusted Platform Module

    MAC

    Message Authentication Code

    DoS

    Denial of Service

    DDS

    Data Distribution System

    ICS

    Industrial Control System

    API

    Advanced Persistent Threat

    CIA

    Confidentiality, Integrity,

Bernhard Dieber is heading the research group ‘Robotic Systems’ at the Institute for Robotics and Mechatronics of JOANNEUM RESEARCH. He received his Master’s degree in applied computer science and Ph.D. in information technology from the Alpen-Adria Universität Klagenfurt. His research interests include robotics software, security and dependability of robotic systems, visual sensor networks and middleware.

References (39)

  • E. Byres, P.E. Dr, D. Hoffman, The myths and facts behind cyber security risks for industrial control systems, in:...
  • ShinS. et al.

    An experimental study of hierarchical intrusion detection for wireless industrial sensor networks

    IEEE Trans. Ind. Inf.

    (2010)
  • L. Maglaras, J. Jiang, Intrusion detection in scada systems using machine learning techniques, in: Science and...
  • FairleyP.

    Cybersecurity at U.S utilities due for an upgrade: Tech to detect intrusions into industrial control systems will be mandatory [news]

    IEEE Spectr.

    (2016)
  • R. Toris, C. Shue, S. Chernova, Message authentication codes for secure remote non-native client connections to ROS...
  • AdiW.

    Mechatronic security and robot authentication

  • DzungD. et al.

    Security for industrial communication systems

    Proc. IEEE

    (2005)
  • C. Wang, A. Carzaniga, D. Evans, A. Wolf, Security issues and requirements for internet-scale publish–subscribe...
  • EspositoC. et al.

    On security in publish/subscribe services: A survey

    IEEE Commun. Surv. Tutor.

    (2015)

    • Cited by (0)

    Bernhard Dieber is heading the research group ‘Robotic Systems’ at the Institute for Robotics and Mechatronics of JOANNEUM RESEARCH. He received his Master’s degree in applied computer science and Ph.D. in information technology from the Alpen-Adria Universität Klagenfurt. His research interests include robotics software, security and dependability of robotic systems, visual sensor networks and middleware.

    Benjamin Breiling is a Junior Researcher at the Robotic Systems group at the Institute of Robotics and Mechatronics at JOANNEUM RESEARCH. He received his Master’s degree from Alpen-Adria Universität Klagenfurt. His research interests include security architectures, robotic security and security of middleware systems.

    Sebastian Taurer is a Research Intern at the Robotic Systems group at the Institute of Robotics and Mechatronics at JOANNEUM RESEARCH. His research interests include penetration testing of robotic security, security architectures and ROS security.

    Severin Kacianka received his Master’s degree from the Alpen-Adria-University Klagenfurt in 2014. In his thesis he worked on video streaming for Unmanned Aerial Vehicle networks. In 2015 he joined the Chair of Software Engineering at the Technical University of Munich as a Ph.D. student. In his work he focuses on the security and accountability of Cyber-Physical Systems.

    Stefan Rass graduated with a double master degree in mathematics and computer science from the Alpen-Adria Universität Klagenfurt (AAU) in 2005. He received a Ph.D. degree in mathematics in 2009, and habilitated on applied computer science and system security in 2014. His research interests include applied system security, as well as complexity theory, statistics, decision theory and game-theory. He authored numerous papers related to security and applied statistics and decision theory in security. Closely related to the project is his (co-authored) book Cryptography for Security and Privacy in Cloud Computing, published by Artech House. He participated in various nationally and internationally funded research projects. Currently, he is an associate professor at the AAU, teaching courses on theoretical computer science, complexity theory, security and cryptography.

    Peter Schartner received the master’s degree in Telematics from the Technical University of Graz in 1997 with a focus on information security and the Ph.D. degree in computer science from the Alpen-Adria-Universität Klagenfurt in 2001 with a focus on security tokens. He participated in various nationally and internationally funded research projects. He is currently an Associate Professor with the System Security Research Group, Alpen-Adria-Universität Klagenfurt, where he is involved in theoretical computer science, algorithms and data structures, security, and cryptography. He is also a Lecturer with the Trier University of Applied Sciences. His research interests include applied system security, key management, security infrastructures, and applications for security tokens, especially smartcards.

    View full text
    © 2017 Elsevier B.V. All rights reserved.