Introduction and objectives:
ROS 2 is to be adopted by industry progressively. Porting efforts from ROS to ROS 2 are a potential source of software malfunctions, flaws, bugs and vulnerabilities. Just as novel ROS vulnerabilities are being increasingly revealed, we expect a number of ROS 2 security vulnerabilities in potentially vulnerable ROS 2 software implementations (C, C++, Python). At an early stage of ROS 2 adoption we present a project to Red Team ROS 2 aiming to enumerate vulnerabilities and propose relevant mitigations. The proposed workflow will favor community awareness and prompt and secure ROS 2 transition by ROS-Industrial.
Update 1 (July 19′)
Milestone 1 includes the supporting tools for RedROS2-I development:
– An Aztarna extension for footprinting ROS2 systems:
For the ongoing piece research, a new aztarna adapter has been developed to detect hosts running ROS 2. This adapter is capable of scanning a local network for hosts running ROS 2 nodes, as to mimick the scan of a real industrial environment bearing ROS2 robots. If detected, the host information is stored or presented to the user.
– ROS2 fuzzer:
Fuzz testing or Fuzzing is a “Black Box” software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.2 With that definition in mind, a ROS2_fuzzer has been created specifically for ROS2, grounded on the work and expertise of Alias Robotics in fuzz testing for robots.
Tool Proof of Concept have yielded positive results in virtualized simulated environments:
- Aztarna is suited for a reconaissance phase of the auditing.
- Fuzz testing have been performed satisfactorily. Virtualized settings are recommended for ROS2_fuzzer due to serious safety and integrity risks.
Work in progress.
Upcoming releases will examine the security of the ROS2 core software stack making use of the ROS2_fuzzer and aztarna.
Alias Robotics supports original robot manufacturers assessing their security and improving their quality of software. By no means we encourage or promote the unauthorized tampering with running robotic systems. This can cause serious human harm and material damages.