Security and Performance Considerations in ROS 2: A Balancing Act

Security and Performance Considerations in ROS 2: A Balancing Act

Jongkil Kim, Jonathon M. Smereka, Calvin Cheung, Surya Nepal and Marthie Grobler *This work was sponsored by the U.S. Army Tank Automotive Research, Development, and Engineering Center (TARDEC)Jongkil Kim, Surya Nepal and Marthie Grobler are with the Commonwealth Scientific and Industrial Research Organization (CSIRO) Data61, Marsfield NSW 2122, Docklands VIC 3008, Australia jongkil.kim@data61.csiro.au, surya.nepal@data61.csiro.au, marthie.grobler@data61.csiro.au (Jongkil Kim is also affiliated with University of Wollongong.)Jonathon M. Smereka and Calvin Cheung are with U.S. Army TARDEC Ground Vehicle Robotics, Warren, MI 48397 USA jonathon.m.smereka.civ@mail.mil, calvin.m.cheung.civ@mail.mil
Abstract

Robot Operating System (ROS) 2 is a ground-up re-design of ROS 1 to support performance critical cyber-physical systems (CPSs) using the Data Distribution Service (DDS) middleware. Accordingly, the security of ROS 2 is highly reliant on the security of its DDS communication protocol. However, finding a balance between the performance and security is non-trivial task. Inappropriate security implementations may cause not only significant loss on performance of the system, but also security failures in the system. In this paper, we provide an analysis of the DDS security protocol as well as an overview on how to find the balance between performance and security. To accomplish this, we evaluate the latency and throughput of the communication protocols of ROS 2 in both wired and wireless networks, and measure the efficiency loss caused by the enabling of security protocols such as Virtual Private Network (VPN) and DDS security protocol in ROS 2 in both network setups. The result can be directly used by robotics developers to find the optimal and balanced settings of ROS 2 applications. Additionally, we analyzed the security specification of DDS using existing security standards and tested the implementation of the DDS protocol by performing static analysis. The results of this work can be used to enhance the security of ROS 2.

I Introduction

The Robot Operating System (ROS) [1] is one of most popular frameworks to develop robotics and drones, which are types of Cyber Physical Systems (CPSs) [2]. ROS 2 is a ground-up re-design of ROS 1 to support the expanded scope of robotics that utilize ROS. It moves away from a design for ideal conditions and move towards middleware that can support production environments (real-time systems, non-ideal networks, small embedded platforms, etc.). The most significant change in design is the abstraction of the communications middleware implementation. That is, rather than implementing communication through custom protocols (e.g., ROSTCP and ROSUDP communicating via XML-RPC), ROS 2 is built on top of existing middlewares, namely the Data Distribution Service (DDS) [3].

The DDS protocol is developed for fast communication, and therefore latency and throughput are critical performance parameters within the service. ROS 2 performance without security (i.e., clear text communication) is already well observed and documented by eProsima [4], whilst the performance with the enabled security functions have not been thoroughly assessed. As ROS 2 matures into a product for real world applications, the CPSs that utilize ROS 2 have significant real world concerns regarding cybersecurity [5, 6]. Hence, it is important to understand the trade-offs and risks involved with sacrificing security for performance [7]. The Object Management Group (OMG), who maintains the standard for DDS, already considers the security of DDS by providing in-depth security specifications [3]. However, as we show in this work, there are still inconsistencies between the specification and resulting implementation in ROS 2.

This research focuses on investigating and characterizing the performance of ROS 2 with the recently implemented security mechanisms. We assess the cryptographic algorithms and their implementations using the standards derived from NIST SP 800-53 [8], and Federal Information Processing Standards (FIPS) 140-2 [9] and FIPS 140-2 DTR [10]. Our tests and analysis mainly focus on the correctness of the implementation and the key management aspect of the DDS protocol. In addition, we provide recommendations from our assessment such as forward secrecy. Finally, we detail aspects that can potentially make the system vulnerable, e.g., inconsistencies between the specification and implementation.

In this work we:

  • Perform physical experiments by implementing ROS 2 to measure the latency and throughput performance of the DDS security functions.

  • Build a secure network to compare the performance effects with the use of a Virtual Private Network (VPN) versus with the performance effects of the DDS security protocol, testing in wired and wireless settings.

  • Perform static analysis of the eProsima Real Time Publish Subscribe (RTPS) communication standard, the default middleware in ROS 2.

  • Provide recommendations in terms of specific actions in the DDS implementation that will resolve the presented security assessment failures.

An overview of the DDS protocol security specification is presented in Section II-B. The approach used for physical analysis and implementation over both wired and wireless networks is discussed in Section III, while experiments and results are detailed in Section IV. Finally, static analysis of the eProsima RTPS middleware for ROS 2 and DDS implementation recommendations are provided in Section V.

Ii Background

ROS was initially designed for academic and hobbyist communities with the intent to create software tools to enable robotic development that could be easily shared and reused [11]. Accordingly, cybersecurity protections were not a focus (i.e., flawed security is worse than no security) so previous efforts sought to examine how to include security protections and their impact [5, 6, 12, 13, 14, 15, 16, 17].

Ii-a ROS and its Security Posture

Despite the lack of built-in cybersecurity protections into ROS 1, many parties have been keenly intersted in the adapation of ROS, namely the U.S. Army, with the goal of improving the cybersecurity posture of the entire framework and to ensure it is viable for military use [18]. The primary driver for this adaptation is Department of Defense (DoD) level guidance pushing for the use of a modular and open system approach to development and acquisition across all programs [19]. Given the need for modularity, reuse, and open architectures [20], ROS meets many of the needs for Army robotics development, with the important exception of cybersecurity. Due to the highly sensitive nature of information transferred and stored on DoD information systems, all CPSs that connect to the Global Information Grid must be extensively reviewed for cybersecurity risks [21]. In order to leverage the modularity benefits of ROS while maintaining an acceptable level of cybersecurity risk, ROS-Military (ROS-M) is being established to have a military ecosystem for ROS 1 and 2 applications that takes advantage of current cybersecurity improvement efforts and funding further development in that domain.

The new version of ROS aims to address the issue of cybersecurity through two core efforts; connection-oriented security and application-oriented security (i.e., access control and auditing). The focus of this work is on the implementation and performance of ROS 2 based on the developed connection-oriented security measures. Although, unlike previous work [17, 14, 12, 22] which aims to analyze or develop methods of securing communication between ROS 1 nodes, this effort focuses on investigating the security measures built into ROS 2, which relies on third party communication middleware using DDS.

Ii-B DDS and its Security

The security of ROS 2 is highly reliant on the security of its DSS communication protocol; hence, our analysis focuses heavily on evaluating the implementation and efficiency of DDS in ROS 2. The DDS protocol aims to realize a fast publish-subscribe system between multiple ROS 2 nodes. Historically, the DDS specification relied on secure networks, i.e., there was no authentication, encryption, or access control measures in place. OMG has recently produced a security standard [3] to add new security compliance points to the DDS specification, however, as we show, there are still some inconsistencies between that specification and resulting applications for at least one implementation.

The security standard for DDS implements a three-way handshake consisting of HandshakeRequest, HandshakeReply and HandshakeFinal messages. It identifies participants based on certificates using Public Key Infrastructure (PKI) and uses the Diffie-Hellman (DH) key exchange protocol. As an example, consider two participants where a handshake is made in the following way:

  1. HandshakeRequest message is sent by Participant 1 to initiate the key agreement protocol. It contains Participant 1’s certificate information, a DH public key, and a random nonce.

  2. HandshakeReply message is sent by Participant 2 in response to the HandshakeRequest message. It contains Participant 2’s certificate information, a DH public key, Participant 1’s random nonce, as well as another random nonce. The message is used to verify Participant 2’s receipt since the whole message is signed by Participant 2.

  3. HandshakeFinal message is sent by Participant 1 to confirm the receipt of HandshakeReply. It contains both nonces and is signed by Participant 1.

After the handshake, the DDS protocol uses AES-GCM to encrypt and decrypt the data on a secure channel. It may also provide additional reader-specific message authentication codes using Galois MAC (AES-GMAC) [23]. The AES-GCM transformation produces both the ciphertext and a Message Authentication Code (MAC) using the same secret key. After a shared secret is established and both nonces were exchanged between two participants using the handshake protocol, participants can build master secrets using the HMAC-Based Key Derivation Function (HKDF) recommended by IETF RFC 5869 [24]. When implemented to the specification, this is sufficient to protect clear text and ensure data integrity. However, when not implemented to the specification, there is a looming question of data integrity. In this work, we show that both ROS 2 and the default DDS middleware could benefit from additional security considerations to better protect data integrity.

Iii Evaluation Framework

The DDS protocol offers a local publish/subscribe system into ROS 2 applications for low latency communication. However, the performance of the DDS protocol may vary depending on its implementation. According to eProsima [4], one can achieve a high throughput and a low latency, both desirable properties for the real-time operations. In this section, we provide a framework for performing the benchmark evaluation in various combinations of network and security settings to reflect the real word applications. We used two machines, called MPub and MSub. Their specifications are summarized in Table I, in the experiments in Section IV to test throughput and latency performance.

Machine names MPub MSub
Host OS Windows 10 Windows 10
Guest OS Ubuntu 16.04 LTS Ubuntu 16.04 LTS
Memory (Total(Guest)) 16 GB (4GB) 4 GB (2GB)
Total CPUs Intel i5-7740HQ Intel N4200
2.80 GHz (8 Cores) 1.10 GHz (8 Cores)
Guest CPUs 2.80 GHz (4 Cores) 1.10 GHz (4 Cores)
Installed VPN module Client Server
TABLE I: Specification of test machines

Iii-a Performance Metrics

To measure the communication efficiency, we define two performance metrics:

  1. Estimated Latency is a delay based on a round-trip time of a packet. Algorithms 1 and 2 show pseudocode to measure the Estimated Latency. A publisher measures the time taken from publishing the message () to subscribing the same message (), and computes the latency by calculating . The subscriber is a simple node that publishes the subscribed message to the other channel as soon as it is received. We use a round trip latency since measuring one-way latency requires two machines with highly synchronized clocks, which is quite difficult to build and verify when there is a very small latency ( 1 ms).

  2. Estimated Throughput is the number of bits per second measured by a publisher. A publisher node sends a certain number of packets to a subscriber node without receiving any reply and measures the time it takes to send all those packets. After sending the packets, the publisher receives the number of successfully received packets from the sender. The throughput is then calculated using the ratio of the number of received packets the size of a packet and the time taken to send all of the packets. Due to the difficulty of synchronizing the clocks on two machines, we measure the throughput for only the publisher. However, we also consider packet loss since the DDS protocol has a ‘UDP-like’ property. That is, it does not guarantee packet delivery since the data on this pub/sub system is designed for multicast real-time transmission.

To avoid packet loss caused by the traffic congestion, we have included a ‘cooling-off’ period after sending a packet. For example, in Algorithm 3, we include a sleep cycle for each transmission to avoid congestion. Setting this value is critical to the measurement of throughput since a long cooling-off period will guarantee almost 100% delivery of packets, but will cause the throughput to decrease. A short cooling-off period will also decrease the throughput as more packets will be dropped. We set the cooling-off period at 1 ms based on our experimental observation. With this cooling-off period, the small packets (16 bytes) are almost always delivered successfully, whilst the larger packets are dropped more frequently, but not often. Moreover, to measure the exact throughput, the publisher has to know the number of packets that are successfully delivered to the subscriber. A publisher sending “START” and “DONE” messages allows a subscriber to count the number of packets successfully subscribed as shown in Algorithms 3 and 4.

1:procedure Latency_pub(, , )
2:     Generate an sized random message
3:     
4:     Publish on
5:     Subscribe on
6:     if  ==  then
7:               
8:     return
Algorithm 1 Latency (Publish)
1:procedure Latency_sub(, )
2:     while TRUE do
3:         Subscribe on
4:         Publish on      
Algorithm 2 Latency (Subscribe)

Iii-B Performance Benchmark Scenarios

We test the latency and throughput performance on two network settings:

  • Wired: We connect two machines directly using an Ethernet cable. Each ROS 2 implementation is on a virtual machine in VirtualBox. We use a “Bridged adapter”, attached to the Ethernet Network Interface Card (NIC), to allow for the network connections.

  • Wireless: We connect two machines wirelessly without using an extra access point. For the connection, we set MPub as an access point and MSub as a device connected to MPub using the “Mobile Hostpot” function. We could not use the ad-hoc protocol since this feature is deleted in Windows 10. We turned on “Network discovery” to allow the bidirectional communication in the Windows network setting. “Bridged adapters” to the wireless NICs are used for both machines.

We estimate the performances using various forms of communication security, which cover most of the remote access situations:

  1. No Security: In this scenario, ROS 2 and its publish and subscribe system (i.e., DDS system) do not use any security functions to protect communications. Therefore, all communications between the nodes in two different machines are plain text and can be monitored by other nodes or adversaries.

  2. Cryptographic Algorithms: In this scenario, Secure ROS 2 (SROS2) [22] is used to encrypt its communication channel as guided by OMG [3]. SROS is a package that provides the tools and instructions to use ROS 2 on top of DDS-Security (i.e., any DDS middleware). The intent of SROS2 is to provide a reasonable security infrastructure while minimizing user disruptions such as computational overhead and API breakage (note that SROS1 is proposed to be included in the ROS 1 API [25]). Accordingly, SROS2 with eProsima’s Fast RTPS are evaluated to measure the overhead by encrypting/decrypting communication traffic.

  3. SSL/TLS: In this scenario, an encrypted channel between two nodes is established in advance through OpenVPN. The setting similar to Scenario 1 (No Security), but the communication is secured using VPN technology. The VPN connection uses “AES-128-CBC” for “cipher” and “SHA256” for “auth” options.

1:procedure Throughput_pub(, , , )
2:     
3:     Generate an sized random message
4:     Publish “START” on and Sleep()
5:      and
6:     while  do
7:         Publish on
8:          and Sleep()      
9:     
10:     Sleep() and Publish “DONE” on
11:     Subscribe to on
12:      =
13:     return
Algorithm 3 Throughput (Publish)
1:procedure Throughput_sub(, )
2:     
3:     while TRUE do
4:         Subscribe on
5:         if  == “Start” then
6:              
7:         else if  == “Done” then
8:              Publish on
9:              
10:         else
11:                             
Algorithm 4 Throughput (Subscribe)

Iv Benchmark Result and Analysis

In the first experiment, the two nodes are connected via an Ethernet cable, while in the second experiment they are connected using Wi-Fi. The ways in which the estimated latency and estimated throughput is measured are identical in these scenarios. For the latency test, we generated various sized packets, from 16 bytes to 12,000 bytes, and repeated each test 1,000 times to obtain the estimated latency. The throughput is measured in a similar way to that of latency over varying packet sizes. We sent 100 packets per test and repeated the tests 100 times for the estimation.

Iv-a Performance on Wired Network

Iv-A1 Estimated Latency

Figure (a)a displays the estimated latency for our scenarios. The DDS service (i.e., eProsima Fast RTPS) shows a low latency even when two nodes are remotely connected. Also, the latency is almost independent to the size of the packet if it is not encrypted. However, the encryption causes a delay that increases with the size of the packet. The most dramatic change is observed when using SROS2, where the latency is almost doubled in some instances. The use of a VPN can reduce this by more than half in the best case.

(a) Wired Network
(b) Wireless Network
Fig. 1: Latency per packet size in wired and wireless networks.

Iv-A2 Estimated Throughput

Figures (a)a and (a)a show the throughput of the ROS 2 application in a wired network. The figures show that the encryption in a ROS 2 application using SROS2 may cause a significant loss in throughput when compared to a connection with no security. It can also be seen that the VPN connection significantly outperforms SROS2 in most cases, and this performance gap can increase with packet size.

Iv-B Performance on Wireless Network

Iv-B1 Estimated Latency

Figure (b)b shows the results from latency testing on a wireless network. We observed that using SROS2 can cause a significant delay in the network that increases with packet size, whilst the use of a VPN merely affects the latency of the packet delivery.

(a) Wired Network
(b) Wireless Network
Fig. 2: Throughput per packet size in wired and wireless networks.
(a) Wired Network
(b) Wireless Network
Fig. 3: Throughput ratio against No Security in wired and wireless networks. Here the y-axis shows the ratio between using cryptographic algorithms and SSL/TLS to secure the communication with the throughput from no security.

Iv-B2 Estimated Throughput

Figure (b)b shows the throughput of the ROS 2 application in a wireless network. Similar to the latency results, we observed that using a VPN does not seriously affect the throughput in DDS, however using SROS2 causes a significant delay.

Figure (b)b shows the loss of throughput caused by a VPN and SROS2 when compared to the no security scenario. The overhead associated with the use of a VPN vanished by end of the cooling-off period between packets sent (any loss is relatively small). Similar to the wired network, the overhead associated with the use of cryptographich algorithms reduces the throughput almost by half.

Iv-C Discussion

Our results show that using a VPN is more efficient when two machines are connected, securely. It should be noted that the experiments only look at the connection between two machines, which may be used for emulating the communication between a controller and a CPS or between two CPSs. Unlike the DDS security protocol, a traditional VPN system has a server and client structure. All clients are connected to a server for the secure communication and therefore, the traffic is centralized to the VPN server. The DDS Security protocol does not have a server, but is instead designed for the secure connection between multiple distributed nodes. So it provides more decentralized features than a VPN. Each node has equal privilege, therefore the security communication cannot be disabled by compromising only a single machine in the system. Accordingly, SROS can be effective at providing communication security and resilience over multiple ROS 2 nodes when the use of a VPN is not desirable.

V Further Security Analysis in Implementation

In addition to the benchmark results on DDS and VPN security, we consider how the security functions of ROS 2 are properly implemented. Although the ROS community has released the non-beta version of ROS 2, the implementation of DDS Security of ROS 2 is still not mature. We performed a static code analysis on the DDS security implementation of ROS 2 (Ardent Apalone), particularly on eProsima’s RTPS (the default installed with ROS 2). We found some notable problems in DDS Security specification and implementation.

V-a Forward Secrecy

In the DDS protocol, only two types of algorithms, “DH+MODP-2048-256” and “ECDH+prime256v1-CEUM”, are supported. These handshake algorithms (DH and ECDH) do not support forward secrecy (FS). In cryptography, FS is a property of secure communication protocols in which the compromise of any long-term keys also compromises past session keys. Since the DH public key is fixed in the certificate and its corresponding private key is also fixed, all past session keys can be computed by an adversary if a long-term private key is compromised and all past traffic was recorded by the adversary.

An easy way to support FS is to not use DH parameters as a long-term key. This is usually denoted as “DHE” in the SSL and TLS protocol, where DH parameters are generated for every new connection. The adversary then cannot compute the key used in past communications. Applying this protocol does not change a program much because DDS already supports all cryptographic algorithms that the change requires, but adopting this protocol certainly improves ROS 2 security. This lack of stronger security option does not belong to the specific eProsima implementation, rather, the deficiency exists in the OMG DDS security specification [3].

V-B Static Code Analysis

We used Cppcheck [26] as a static analysis tool to report any notable errors within the ROS 2 Ardent Apalone source code. The resulting report detailed 19 errors with 12 false positives and only the remaining seven errors requiring closer observation to be fixed.

  • Two errors are found in the eProsima RTPS. One error is caused by skipping initialization of a variable while the other is caused by skipping the freeing of a variable.

  • An error is found in the ROS Middleware Interface (RMW) which potentially prints out a NULL pointer.

  • Four errors are found in RViz which relate to problems in memory management and can potentially cause a memory leakage.

While the specifics of the errors are not particularly notable, the process of employing a static code analysis tool is an important part of verifying the security of a CPS. Recently, DeMarinis et al. [6] showed that they were able to find over 100 publicly-accessible hosts running ROS while scanning for open IP addresses. They even unintentionally found two of their own robots as part of the scan (one Baxter robot and one drone). Similar to their study, this study echos the necessity of understanding the security settings when deploying a robot so that an adversary cannot access or control a robot capable of being remotely moved in ways dangerous both to the robot and the objects around it.

V-C Inconsistency between DDS Specification and RTPS

We found two main inconsistencies between the DDS specification [3] and its implementation:

  1. There is a mandated 96 bit sized initial vector (IV) to be used in the implementation of AES-GCM (leaving the right-most 32 bits for a counter), while the actual size in RTPS is 128 bits. Some implementations may not accept this parameterization by default.

  2. A random number generator to generate challenges for master keys must be compliant with the NIST recommendation [27]. However, we observed that the current implementation relies only on the BN_rand function that is provided by the OpenSSL library and does not comply with [27].

V-D Discussion

We observed that the eProsima RTPS relies highly on the OpenSSL library. The OpenSSL community already provides a reliably secure version of the library, which is the OpenSSL FIPS objective module. Replacing the general OpenSSL library with the FIPS validated module may greatly improve the security of the current implementation and also provide the security functions which is currently deficient such as zeroization of secret data.

We also formally verified DDS handshake protocol using ProVerif [28], which is automated protocol verifier. We could not find any problems on the protocol. It means that the correctness of the security protocol is verifiable.

Vi Conclusion

In this paper, we discuss the ROS 2 security features and evaluate them in terms of impact on performance. We discussed two possible settings that ROS 2 can use to protect their communication in practice and measure their effects on latency and throughput performances. Particularly, we build our own ROS 2 applications to test those parameters over various settings by combining wired and wireless networks.

Our results show that using a reliable VPN application is a better choice so far if an application of ROS 2 requires a simple system architecture, such as a CPS with a controller or a centralized server-client architecture. In addition to the poor performance when compared to the VPN, we also observe that the accuracy of the DDS security implementation to the specification should not be assumed as correct. After analyzing the default DDS middleware with ROS 2 we found that it did not conform to the security specification by OMG. This can cause a CPS to be left in vulnerable situations.

ROS 2 is still under rapid development with updated versions being published every few months. Continuously monitoring the implementation of ROS 2 to check violations to the relevant security specifications and logical errors, which can be linked to potential vulnerabilities is greatly beneficial to enhance the security of ROS 2. Since ROS 2 is a software library, its applications may vary; therefore the heterogeneity of ROS 2 applications makes confirming the security of applications difficult. Developing the tools and procedures that enable developers to deploy during and after the development process will reduce the risk of security vulnerabilities of resulting CPS systems.

Legal

DISTRIBUTION A. Approved for public release: distribution unlimited. This material is based upon work funded and supported by the Department of Defense under Contract No. FA5209-17-P-0007 with the Commonwealth Scientific and Industrial Research Organization (CSIRO).

References

  • [1] M. Quigley, K. Conley, B. Gerkey, J. Faust, T. Foote, J. Leibs, R. Wheeler, and A. Y. Ng, “ROS: An Open-Source Robot Operating System,” in ICRA workshop on open source software, vol. 3, 2009.
  • [2] K. Ahmad Yousef, A. AlMajali, S. Ghalyon, W. Dweik, and B. Mohd, “Analyzing Cyber-Physical Threats on Robotic Platforms,” Sensors, vol. 18, no. 5, p. 1643, May 2018.
  • [3] DDS Security, Object Management Group (OMG) Std. ptc/17-09-20, Rev. 1.1, Sept. 2017. [Online]. Available: http://www.omg.org/spec/DDS-SECURITY/1.1/
  • [4] (2018, June) eProsima Fast RTPS Performance. eProsima. [Online]. Available: http://www.eprosima.com/index.php/resources-all/performance/40-eprosima-fast-rtps-performance
  • [5] J. McClean, C. Stull, C. Farrar, and D. Mascareñas, “A Preliminary Cyber-Physical Security Assessment of the Robot Operating System (ROS),” in Proc. SPIE Defense, Security, and Sensing, ser. Unmanned Systems Technology XV, vol. 8741, May 2013, p. 8.
  • [6] N. DeMarinis, S. Tellex, V. Kemerlis, G. Konidaris, and R. Fonseca, “Scanning the Internet for ROS: A View of Security in Robotics Research,” ArXiv e-prints, vol. 1808.03322, July 2018.
  • [7] F. J. R. Lera, C. F. Llamas, A. M. Guerrero, and V. M. Olivera, “Cybersecurity of Robotics and Autonomous Systems: Privacy and Safety,” in Robotics - Legal, Ethical and Socioeconomic Impacts, G. Dekoulis, Ed.   IntechOpen, 2017, ch. 5.
  • [8] NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations, NIST Std. 800-53, Rev. 4, 2013.
  • [9] FIPS PUB 140-2: Security Requirements for Cryptographic Modules, NIST Std. 140-2, May 2001.
  • [10] Derived Test Requirements for FIPS PUB 140-2: Security Requirements for Cryptographic Modules, NIST Draft 140-2, Jan. 2011. [Online]. Available: https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Module-Validation-Program/documents/fips140-2/FIPS1402DTR.pdf
  • [11] B. Gerkey. (2018, Aug.) Why ROS 2.0? Open Source Robotics Foundation, Inc. San Francisco, CA, USA. [Online]. Available: https://design.ros2.org/articles/why_ros2.html
  • [12] B. Dieber, S. Kacianka, S. Rass, and P. Schartner, “Application-level Security for ROS-based Applications,” in IEEE/RSJ Int. Conf. on Intelligent Robots and Systems (IROS), Oct. 2016, pp. 4477–4482.
  • [13] D. Portugal, M. A. Santos, S. Pereira, and M. S. Couceiro, On the Security of Robotic Applications Using ROS, 1st ed.   CRC Press, Taylor & Francis, Aug. 2018, ch. 20, pp. 273–289.
  • [14] B. Dieber, B. Breiling, S. Taurer, S. Kacianka, S. Rass, and P. Schartner, “Security for the Robot Operating System,” Robotics and Autonomous Systems, vol. 98, pp. 192–203, Dec. 2017.
  • [15] D. Portugal, S. Pereira, and M. S. Couceiro, “The Role of Security in Human-Robot Shared Environments: A Case Study in ROS-based Surveillance Robots,” in IEEE Int. Symp. on Robot and Human Interactive Communication (RO-MAN), Aug. 2017, pp. 981–986.
  • [16] I. Abeykoon and X. Feng, “A Forensic Investigation of the Robot Operating System,” in IEEE Int. Conf. on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), June 2017, pp. 851–857.
  • [17] B. Breiling, B. Dieber, and P. Schartner, “Secure Communication for the Robot Operating System,” in Annual IEEE Int. Systems Conf. (SysCon), April 2017, pp. 1–6.
  • [18] G. I. Seffers. (2016, July) Robotic Systems May Take a Bullet for Soldiers. AFCEA Int. Fairfax, VA, USA. [Online]. Available: https://www.afcea.org/content/Article-robotic-systems-may-take-bullet-soldiers
  • [19] DoD Open Systems Architecture Data Rights Team, DoD Open Systems Architecture Contract Guidebook for Program Managers.   Department of Defense (DoD), June 2013, vol. 1.1. [Online]. Available: http://www.acqnotes.com/Attachments/Open%20System%20Architecture%20(OSA)%20Contract%20Guidebook%20for%20Program%20Managers%20June%2013.pdf
  • [20] Army Capabilities Integration Center Maneuver, Aviation, and Soldier Division, The U.S. Army Robotic and Autonomous Systems Strategy, U.S. Army Training and Doctrine Command, Fort Eustis, VA, USA, March 2017. [Online]. Available: http://www.arcic.army.mil/App_Documents/RAS_Strategy.pdf
  • [21] Risk Management Framework (RMF) for DoD Information Technology (IT), Department of Defense (DoD) Std. DoD 8510.01, July 2017. [Online]. Available: http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf
  • [22] R. White, H. I. Christensen, Dr., and M. Quigley, Dr., “SROS: Securing ROS Over the Wire, in the Graph, and Through the Kernel,” ArXiv e-prints, vol. 1611.07060, Nov. 2016.
  • [23] M. Dworkin, NIST SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, NIST Std. 800-38D, Nov. 2007.
  • [24] H. Krawczyk and P. Eronen. (2010, May) Hmac-based extract-and-expand key derivation function (hkdf). Internet Engineering Task Force (IETF). [Online]. Available: https://tools.ietf.org/html/rfc5869
  • [25] R. White, G. Caiazza, H. Christensen, and A. Cortesi, Robot Operating System (ROS): The Complete Reference, 3rd ed., ser. Studies in Computational Intelligence.   Springer, 2019, vol. 778, ch. SROS1: Using and Developing Secure ROS1 Systems, pp. 373–405.
  • [26] D. Marjamäki. (2018) Cppcheck - A Tool for Static C/C++ Code Analysis. [Online]. Available: http://cppcheck.sourceforge.net/
  • [27] E. B. Barker and J. M. Kelsey, “SP 800-90A. Recommendation for Random Number Generation Using Deterministic Random Bit Generators,” U.S. Department of Commerce, Gaithersburg, MD, United States, Tech. Rep., 2012.
  • [28] B. Blanchet, M. Abadi, and C. Fournet, “Automated verification of selected equivalences for security protocols,” J. Log. Algebr. Program., vol. 75, no. 1, pp. 3–51, 2008.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
283372
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description