Open vmayoral opened 2 years ago
Hi @vmayoral, thanks for this contrib!
I haven't reviewed the code per se and I'm still going through the paper (mind adding a link once available?) but here are my 2 cents:
My understanding is that both verbs introduce a dependency on secdev/scapy. Since `sros2` is part of REP 2005, I'm wondering if it is appropriate to introduce this dependency to ROS 2 as a whole. It might be preferable to create a satellite package.
Concerning the verbs themselves, purely from a lexical perspective, I'm not a fan of `introspection` and especially not `monitor`. While I don't really have a better suggestion than `scan` to replace `introspection`, and thus no strong feeling, I definitely see a discrepancy between `monitor`, what one may expect from that and what it actually does. Imho a more explicit keyword would be better suited (`cve` / `check-cve` or such). Future-proofing, a more generic approach could look like ros2doctor which runs a bunch of heterogeneous checks and is expandable.
Edit:
Not to mention that this would require some tests and documentation to be merged.
Thanks for the comments @artivis, I'm open to those changes. Feel free to contribute on top proposing the modifications that are appropriate to fit with community guidelines and policies.
For completeness, this was announced at https://discourse.ros.org/t/sros2-usable-cyber-security-tools-for-ros-2/24719. All material's now public.
This PR adds two new capabilities to the SROS 2 tools: 1️⃣ `introspection` (of RTPS) for modeling purposes and 2️⃣ `monitor`ing capabilities to detect security vulnerable endpoints in the computational graph. The two verbs build on top of prior work creating a dissector for RTPS (https://github.com/secdev/scapy/pull/3403).

⚠️ both of these capabilities require privileges to run since they sniff networking traffic ⚠️

1️⃣ `introspection` (of RTPS) for modeling purposes

introspection sniffs traffic and detects unique endpoints, reporting them in the stdout:

2️⃣ `monitor`ing capabilities to detect security vulnerable endpoints

monitoring continuously sniffs traffic in search for RTPS packages. When found, unique endpoints are identified and dissected. From the information dissected 1) RTPS `vendorId` and 2) the RTPS protocol version are used to determine DDS version candidates and map these to publicly disclosed vulnerabilities.

(tested
Signed-off-by: Víctor Mayoral Vilches v.mayoralv@gmail.com
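
The two fields the description relies on sit in the fixed 20-byte RTPS header, so they can be read without a full dissector. The following is an added example, not code from this PR (which uses the scapy RTPS dissector): it parses already-captured UDP payloads with `struct`, de-duplicates by GUID prefix, and reports vendor and protocol version. The vendor table is a small subset of the OMG-assigned IDs, the function names are hypothetical, the sample payloads are constructed, and the mapping to disclosed vulnerabilities is not reproduced.

```python
import struct
from typing import Iterable, List, NamedTuple, Optional

# RTPS header: magic "RTPS", version major/minor, vendorId, guidPrefix
RTPS_HEADER = struct.Struct("!4sBB2s12s")

# Subset of OMG-assigned RTPS vendor IDs (assumption: extend as needed).
VENDORS = {
    b"\x01\x01": "RTI Connext DDS",
    b"\x01\x03": "OCI OpenDDS",
    b"\x01\x0f": "eProsima Fast DDS",
    b"\x01\x10": "Eclipse Cyclone DDS",
}

class Endpoint(NamedTuple):
    guid_prefix: str   # hex of the 12-byte GUID prefix
    vendor: str
    version: str       # RTPS protocol version, "major.minor"

def parse_rtps_header(payload: bytes) -> Optional[Endpoint]:
    """Return the sender identity from a UDP payload, or None if not RTPS."""
    if len(payload) < RTPS_HEADER.size:
        return None                      # truncated or unrelated datagram
    magic, major, minor, vendor_id, prefix = RTPS_HEADER.unpack_from(payload)
    if magic != b"RTPS":
        return None
    vendor = VENDORS.get(vendor_id, "unknown (0x%s)" % vendor_id.hex())
    return Endpoint(prefix.hex(), vendor, "%d.%d" % (major, minor))

def unique_endpoints(payloads: Iterable[bytes]) -> List[Endpoint]:
    """Keep the first header seen for each GUID prefix, in arrival order."""
    seen = {}
    for payload in payloads:
        ep = parse_rtps_header(payload)
        if ep is not None and ep.guid_prefix not in seen:
            seen[ep.guid_prefix] = ep
    return list(seen.values())

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"RTPS" + bytes([2, 3]) + b"\x01\x0f" + bytes(range(12)) + b"\x09\x01",
    b"RTPS" + bytes([2, 3]) + b"\x01\x0f" + bytes(range(12)),      # duplicate
    b"RTPS" + bytes([2, 1]) + b"\x01\x10" + bytes(range(12, 24)),
    b"RTP",                                                        # too short
    b"HTTP/1.1 200 OK\r\n\r\nhello",                               # not RTPS
]

if __name__ == "__main__":
    for ep in unique_endpoints(SAMPLES):
        print(ep.guid_prefix, ep.vendor, "RTPS", ep.version)
```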