Robot Operating System Security Assessment

Assessing the Security and Compliancy of ROS-M Applications

 

Partners: US Army

Duration: 12 month

Status: completed

 

Abstract

ROS-M is used in building critical cyber-physical systems for government and defence applications. Hence, ROS-M applications require proper testing of its security conformance and standards compliance.  This project extends the US Army static code analysis framework with methods to orchestrate the existing static analysis and CSIRO Data61’s novel ML-based solutions to check if bugs are resembling known vulnerability classes.

This 12-month project delivers a software platform, named as buGFinder, which consists of structured methods to orchestrate CSIRO Data61’s solutions as well as the existing static code analysis tools to assure that implementations of ROS-M applications conform to the security requirements and contain no bugs resembling the known software vulnerabilities. The buGFinder platform is capable of connecting ROS-M registry, fetch applications for security assessment, complete the assessment and push the assessments reports to the registry. Hence, the project aids ROS-M software developers and testers to maximize their benefits from the existing and future code analysis and machine learning solutions. The project team envision that the machine learning and natural language processing based tools can be further enhanced to cover wide spectrum of vulnerabilities as well as conformance checks by only using public security intelligence information such as NIST’s NVD and terrabytes of regularly updated source codes in public software repositories.

Our modular platform approach with state-of-the-art technologies such as docker images and containers help integrate a tool once and use many times to automate it over a series of ROS-M applications pulled from the registry. Aggregated output of the applicable tools can give much stronger insights and can aid human experts by effectively eliminating many false results.

The project duration was 12 months. For the basic period, the project team has delivered the followings:

  • A machine learning (ML) and natural language processing (NLP) based approach and tool to learn potential vulnerabilities from large C/C++ codebases and to develop a classifier for ROS-M applications.
  • A machine learning approach and tool to assess authorized and correct use of cryptographic primitives within the ROS-M applications.
  • A platform that orchestrates the existing static analysis tools and our machine learning tools on ROS-M applications.