
REQUEST: Add project Robot Vulnerability Scoring System (RVSS) #5

Closed
4 tasks
vmayoral opened this issue Mar 18, 2020 · 9 comments

Comments

@vmayoral
Member

Description

  • What is this project?

The present project focuses upon creating an open and free to access Robot Vulnerability Scoring System (RVSS) that considers major relevant issues in robotics including a) robot safety aspects, b) assessment of downstream implications of a given vulnerability, c) library and third-party scoring assessments and d) environmental variables such as time since vulnerability disclosure or exposure on the web.

  • What is your motivation for wanting it under the Security Working Group?

See mikaelarguedas/rep#1 (comment).

Shortly, empower roboticists with better, more adequate (in the robotics context) severity scoring mechanisms.

See https://arxiv.org/pdf/1807.10357.pdf for more.

Existing URL

https://github.com/aliasrobotics/RVSS

Requirements

  • Builds on ROS 2 master with no warnings, not built as a ROS package ATM
  • Has linters enabled
  • colcon test runs successfully
  • Test coverage is greater than 50%

Sponsors (if applicable)

@vmayoral
Member Author

vmayoral commented Mar 18, 2020

Builds on ROS 2 master with no warnings, not built as a ROS package ATM

I don't mind extending the existing source code and rossifying it (ROS 2) however I'd first prefer to receive approval that the request is sound and fits within the goals of the WG.

In fact @ros-security/approvers and @ros-security/reviewers, would it maybe be more appropriate to build it within the ROS 2 CLI in the following form?

ros2 security rvss <vector>
ros2 security cvss <vector>

@mikaelarguedas
Contributor

I don't mind extending the existing source code and rossifying it (ROS 2) however I'd first prefer to receive approval that the request is sound and fits within the goals of the WG.

👍 to that.

Chatting with @kyrofa there is definitely interest in looking closer at all the work you guys have been doing and particularly RVSS.

Would you (Alias) be interested in presenting the RVSS project in more detail during a WG meeting?
Ideally we'd get all WG members to read the white paper ahead of time, but direct presentation and live Q&A is always a very welcome addition.
Would a dedicated 30min meeting work for presentation + Q&A?

In fact @ros-security/approvers and @ros-security/reviewers, would it maybe be more appropriate to build it within the ROS 2 CLI in the following form?

A ros2cli integration would be a nice way to bring it in the ROS 2 ecosystem 👍
If we want to avoid conflating too many notions under the blanket ros2 security we could consider a dedicated command like ros2 security-scoring. It could also stay a standalone library with an extension for sros2 (implementation details we can think about later in the process).

@vmayoral
Member Author

Great to hear that @mikaelarguedas!

Would you (Alias) be interested in presenting the RVSS project in more detail during a WG meeting?
Ideally we'd get all WG members to read the white paper ahead of time, but direct presentation and live Q&A is always a very welcome addition.
Would a dedicated 30min meeting work for presentation + Q&A?

No problem! I think 15-20 mins will do including a few demonstrations with real vectors. Added it to the agenda next 31st. Resources available at https://github.com/aliasrobotics/RVSS (paper).

It could also stay a standalone library with an extension for sros2 (implementation details we can think about later in the process)

Can you elaborate more on this @mikaelarguedas? This sounds like the easiest way to go. Can you walk me through what's on your mind for the sros2 extensions? Do you have a sketch or prototype? Happy to work together on this.

Thinking about this though, the following questions popped:

  • What are or will be the key semantic differences between sros <extensions> and ros2 security <whatever>?
  • When should we use one and when the other?
  • Do we have any particular preference (e.g. the cycle of iterating in ros2 tooling might be longer)?

@mikaelarguedas
Contributor

No problem! I think 15-20 mins will do including a few demonstrations with real vectors. Added it to the agenda next 31st. Resources available at https://github.com/aliasrobotics/RVSS (paper).

As the meeting on the 31st is the last one before feature freeze for Foxy, we may have a LOT of stuff to discuss to make sure we wrap up all the pending development in time (sros2 changes for rmw_contexts, secure logging plugin for Fast-RTPS, support for security in cyclonedds, API cleanup for sros2...). So it may be better to schedule it after Foxy wrap-up to make sure to leave enough time and brainspace to have a meaningful discussion. I'm actually leaning towards a dedicated meeting to make sure other items don't come cutting this discussion short.

Can you elaborate more on this @mikaelarguedas? This sounds like the easiest way to go. Can you walk me through what's on your mind for the sros2 extensions? Do you have a sketch or prototype?

To be fair I haven't thought about what a plugin system for sros2 would look like yet. The idea came up when discussing the switch-to-contexts issue, as now some RMWs may need to be able to influence how sros2 generates files.

I think in either case the goal would be to not have a separate sros2 <something>.
What seems to be the simpler way forward would be to make it a ros2cli extension the same way sros2 is a ros2cli extension (registering itself as security). It would register itself as security-scoring or something similar.
As said above, I don't have enough insight yet to form a clear opinion about whether this should be integrated in sros2 (as an extension or directly in it) or in the ROS2 ecosystem at all. If it works standalone and doesn't have a strong requirement for depending on any ROS package it may be better to keep it dissociated and just release it in ROS distributions as a pure python package (TBD)

@vmayoral
Member Author

As the meeting on the 31st is the last one before feature freeze for Foxy, we may have a LOT of stuff to discuss to make sure we wrap up all the pending development in time (sros2 changes for rmw_contexts, secure logging plugin for Fast-RTPS, support for security in cyclonedds, API cleanup for sros2...). So it may be better to schedule it after Foxy wrap-up to make sure to leave enough time and brainspace to have a meaningful discussion. I'm actually leaning towards a dedicated meeting to make sure other items don't come cutting this discussion short.

All right, let's plan for a later session then :).

@kyrofa
Member

kyrofa commented Jun 17, 2020

@vmayoral now that Foxy is out the door, would you be up for presenting RVSS at the next Security WG meeting (June 23rd)? To be clear, no vote will be happening at that meeting, we're just looking to learn more about it to inform such a vote.

@vmayoral
Member Author

Thanks @kyrofa, we'd prefer to push this after summer and instead focus first on #6. I can allocate some time into RVD in the upcoming meeting. Can you please advise what's required to get that accepted as one of the maintained projects?

@kyrofa
Member

kyrofa commented Jun 19, 2020

Very well, let's move the conversation over there.

@vmayoral
Member Author

This hasn't been updated since last year. Things that have happened:

  • tech documents of RVSS were shared
  • a short presentation of RVSS was given within one of the WG meetings (see meeting notes)
  • a short follow up discussion happened in Matrix

No updates on this so far so I'm temporarily closing this ticket to keep things tidy.
Ping me if there's interest in the future, happy to consider re-kicking this off.
