Add ROS 2 Threat Model article

ros2 / design

Design documentation for ROS 2.0 effort

http://design.ros2.org/

Apache License 2.0

224 stars 192 forks source link

Add ROS 2 Threat Model article #218

Closed thomas-moulard closed 5 years ago

thomas-moulard commented 5 years ago

This adds an article describing a threat model for ROS 2 robotic applications.

The objective of this work is to drive ROS 2 security work and define, end-to-end, what it takes for a robotic company to build a secure ROS 2 robotic application.

Signed-off-by: Thomas Moulard tmoulard@amazon.com

gbiggs commented 5 years ago

Wow.

gavanderhoorn commented 5 years ago

@thomas-moulard: nice article. I notice however that there is just a single reference to related/existing work. Was there really no usable literature available, or was it all non-applicable? Grounding these sort of articles in the existing body of knowledge -- also (or preferably?) from outside the ROS community -- would significantly increase the value of them. Edit: oops, I should scroll to the right.

Perhaps a References section would be a good idea?

olaldiko commented 5 years ago

Great work @thomas-moulard! We have reviewed it and it looks very promising. I think that most of the attack vectors have been covered. Just a small concern, several risks for physical attacks to the OpenCR controller and the Raspberry Pi have been taken as acceptable for this architecture. Shouldn't we advise at least for physically protecting access to sensitive components? I would suggest a combination of shields or covers + usage of the ZimKey perimeter breach detection mechanisms. In our experience with commercial robots, this is the way to go.

vmayoral commented 5 years ago

That was very nice reading @thomas-moulard! Thanks a lot for the contribution. Very, very nice.

A few further comments:

I'd support @gavanderhoorn above about a references section. It'll help many of us get the references across the document into a single place for further reading. I'm happy drafting a first Pull Request if needed.
I find the first part of the article particularly well suited for the title of the document however the Threat Analysis that follows (the TurtleBot 3 one) is only of of many we could (and I hope we) produce. May I suggest to bring that second part of the article to yet another article? I can envision having a dedicated section in http://design.ros2.org to "Security" (at the same level as "Overview" or "Middleware"). @jacobperron, @nuclearsandwich, @dirk-thomas, @wjwwood is this actually feasible? It will certainly boost the contributions on security IMHO.

thomas-moulard commented 5 years ago

Thanks a lot everyone for the feedback - I'll integrate all of those points and push an update to this PR ASAP.

thomas-moulard commented 5 years ago

@gavanderhoorn @vmayoral I added a references section - open for ideas there if you feel it could be improved.

I think splitting the doc could be a good idea, but it could also probably be done after this first pass.

All feedback is not addressed yet and I'll take care of that tomorrow.

ruffsl commented 5 years ago

I think the tables are a bit too wide to reasonably read with one screen:

Perhaps we could collapse the columns for:

Threat Category (STRIDE)
Threat Risk Assessment (DREAD)
Impacted Assets
Impacted Entry Points
Impacted Business Goals

And use a fixed width encoding of flags and values, e.g:

Threat Category	Threat Risk Assessment	...
S✓ T✘ R✘ I✓ D✓ E✓	D3 R1 E1 A2 D3 = 10	...
...	..	...

gbiggs commented 5 years ago

I think the tables are a bit too wide to reasonably read with one screen

You should try reviewing the document on an iPad.

tfoote commented 5 years ago

With the first round of comments resolved and the structure laid out. This has been marked as a draft. Please open new PRs to discuss specific areas of the document so we can have deeper threaded discussions on this document.