[Discourse.ros.org] [Next Generation ROS] ROS2 and DDS Security enhancement on arm platforms


Ian McMahon via ros-users


Hi,

I'm from arm. I'd like to share our enhancement of ROS2 and DDS security based on arm platforms.

In the Armv7/Armv8 core architectures we have **TrustZone** support (please take a look at this [link](https://www.arm.com/products/security-on-arm/trustzone)), which can enhance the DDS Security Plugins currently implemented on top of OpenSSL.

Through the use of the arm TrustZone feature, we can switch the system execution state between:
        a _Normal World_ (the rich OS environment executes here) and
        a physically isolated _Secure World_ (here a trusted OS runs, which protects many ROS2 security assets, such as root keys, through hardware protection).
As shown in the figure below, ROS2 runs in the Normal World (non-trusted) and the security assets are protected in the Secure World (trusted). Since the Secure World is physically isolated from the Normal World, it can protect the sensitive ROS2/DDS security assets from leaking into the Normal World even if the Normal World is hacked.
![arm-trustzone-for-cortexA|354x339](upload://kWqhw14Kkfhens0fSAEhLWaoQdq.jpg)
In contrast, since OpenSSL runs in the Normal World, which is not considered trusted, the security assets in OpenSSL might be vulnerable if the rich OS or applications are hacked.

With arm TrustZone, ROS2 with DDS security can run on billions of arm devices in an enhanced security environment.
We would be very glad to discuss this with you in detail. Looking forward to hearing from you.

Thank you.

@marguedas @Jaime_Martin_Losa





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/1) or reply to this email to respond.


If you do not want to receive messages from ros-users please use the unsubscribe link below. If you use the one above, you will stop all of ros-users from receiving updates.
______________________________________________________________________________
ros-users mailing list
[hidden email]
http://lists.ros.org/mailman/listinfo/ros-users
Unsubscribe: <http://lists.ros.org/mailman//options/ros-users>
Hi @davidhuziji! This is certainly interesting for those of us trying to make use of ROS 2 in real applications.

Are you guys currently working on integrating these enhancements into any specific DDS implementation? Is there any working example available that we can review? Will you open source these "improvements" in an open source DDS implementation together with the security plugins as a reference guide? This will definitely help the community (and vendors) evaluate it and eventually adopt it.

I'm particularly interested in examples working with lead DDS vendors such as RTI. Any plans in this regard?





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/2) or reply to this email to respond.


Slightly off-topic, but @davidhuziji's post reminded me of it: [CLKSCREW](https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/tang) ([article](https://blog.acolyer.org/2017/09/21/clkscrew-exposing-the-perils-of-security-oblivious-energy-management/)).





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/3) or reply to this email to respond.


Hi @vmayoral!

We are currently developing our secure libraries based on arm TrustZone to support some popular DDS implementations, together with the lead DDS vendors.
We will definitely release the implementations after they are verified, so that billions of arm platforms with ROS2/DDS can benefit from it.

Thank you.





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/4) or reply to this email to respond.


Honestly, nothing is "absolutely" secure. It's just about the cost (complexity) to crack it.
For the CLKSCREW issue:
You can see the first step is to crack the kernel, in which case no secret can be kept by an OpenSSL solution.

And this attack is HW-design specific.
e.g. the fundamental assumption is that non-secure SW can control the clock and voltage regulators.
This might not be true for all platforms. As far as I know, some designs use an MCU running in the Secure World to access the regulators, which are also in the Secure World. The kernel in the Non-Secure World can't access these regulators directly. It can only send high-level requests to this secure MCU through Arm Trusted Firmware. So this MCU is a safeguard that restricts the range of frequencies and voltages that can be configured.
Another example is to use a hardware crypto engine to generate/store the keys and have decryption/encryption also happen in HW. In this case, CLKSCREW can't attack it anyway.





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/5) or reply to this email to respond.


Thanks @davidhuziji for posting this.
Is it possible to share more details about the design and the API that the DDS Security plugins should implement to be able to leverage TrustZone?

Thanks!

/cc @davwan01





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/6) or reply to this email to respond.


Hi @marguedas, we are very glad to share our design. Any suggestion is welcomed.

Please check the two documents below.
[Security Services for DDS Security Plugins.pdf](/uploads/ros/original/2X/e/e9853b8eea8a63906618a7fc04f33954335b90a1.pdf) (1.3 MB) introduces the general idea of our design. A group of generic internal security APIs is inserted to connect vendor DDS Security Plugins and diverse security implementations, such as OpenSSL or OP-TEE based on arm TrustZone.
[DDS Security Plugins Internal API specification.pdf](/uploads/ros/original/2X/3/3b9b4fb8e8d8178ff37daa94a8e787b2aaf4704a.pdf) (2.1 MB) introduces the generic internal security APIs in detail.

Looking forward to your feedback. Thanks a lot.





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/8) or reply to this email to respond.


Thanks @davidhuziji!
I think several members of the community will be interested in having a closer look at these documents.
Getting feedback from DDS experts such as @Jaime_Martin_Losa, @GerardoPardo and @kydos would be extremely valuable. Moving towards adoption and support for TrustZone in all supported DDS implementations would be really awesome!





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/9) or reply to this email to respond.


@davidhuziji

Just started reviewing the material. Looks promising so far. Just want to get some clarification on the overall design.

ARM DDS SecureLib defines an interface library but does not appear to be responsible for context / resource management. For a prospective deployment context, it is possible there could exist different levels of applications attempting to leverage TrustZone, thus a form of resource management that can properly handle the context switching securely would need to be supported.

I am assuming that this form of feature would likely be presented in the TEE Client library existing at layer `EL1` in the `Block Diagram on Cortex-A Platforms` due to context awareness, or is this something that is being attempted to be pushed into the `Secure World` `TEE OS`?





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/10) or reply to this email to respond.


@awkonecki, thanks for the comment.

The TEE Client library, TEE drivers and TEE OS protect the TEE Client Application context in the Non-Secure World. The context, including its resources, will be isolated and managed by the TEE Client library, TEE drivers and TEE OS.

If there is any further question, please feel free to let me know.





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/11) or reply to this email to respond.


To give a small update on this topic: we implemented a small application in ROS2 that can be found at https://github.com/ros2-for-arm/example. This application uses TrustZone support with OP-TEE OS to encrypt and decrypt ROS2 messages from the application level.
As of now, this is not using the ARM DDS SecureLib (as this is still under development), but it gives a small example of how to use TrustZone + OP-TEE OS to secure messages by keeping the security assets in secure memory.





---
[Visit Topic](https://discourse.ros.org/t/ros2-and-dds-security-enhancement-on-arm-platforms/3677/12) or reply to this email to respond.


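The split that runs through this thread, a backend-neutral "internal security API" in the Normal World whose key material lives only on the Secure World side, and the message seal/unseal round trip of the last post, as an added example. This is not code from the thread, from the ros2-for-arm/example repository or from Arm's DDS SecureLib. The service half below is an in-process stand-in for the OP-TEE trusted application, so `sec_session_open`, `sec_seal`, `sec_unseal` and `sec_session_close` play the role of `TEEC_OpenSession`, `TEEC_InvokeCommand` and `TEEC_CloseSession`; those function names, the error codes, the two constructed keys and the wire layout (message followed by an 8-byte SipHash-2-4 tag) are assumptions of the example. It authenticates rather than encrypts, so that the primitive can be carried in full; the handle discipline and the "key bytes never cross to the caller" property are the same for an encrypt command.

```c
/* Added example; not code from the thread, ros2-for-arm/example, or Arm's
 * DDS SecureLib. Plugin side (Normal World) holds only session handles; the
 * service side (stand-in for the Secure World TA) owns the keys. API names,
 * error codes, key table and wire format are assumptions for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ---- SipHash-2-4, a keyed 64-bit PRF (standard algorithm, used as the tag) ---- */
static uint64_t rotl(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }
static uint64_t u8to64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
#define SIPROUND(v0, v1, v2, v3) do {                                   \
    v0 += v1; v1 = rotl(v1, 13); v1 ^= v0; v0 = rotl(v0, 32);           \
    v2 += v3; v3 = rotl(v3, 16); v3 ^= v2;                              \
    v0 += v3; v3 = rotl(v3, 21); v3 ^= v0;                              \
    v2 += v1; v1 = rotl(v1, 17); v1 ^= v2; v2 = rotl(v2, 32); } while (0)

uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len) {
    uint64_t k0 = u8to64le(key), k1 = u8to64le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {                 /* full 8-byte blocks */
        uint64_t m = u8to64le(in + i);
        v3 ^= m; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= m;
    }
    uint64_t b = (uint64_t)len << 56;              /* length byte || tail bytes, LE */
    for (size_t j = 0; i + j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff;
    for (int r = 0; r < 4; r++) SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

/* ---- service side (stand-in for the Secure World TA): owns the keys ---- */
enum { SEC_OK = 0, SEC_EINVAL = -1, SEC_EBUSY = -2, SEC_EAUTH = -3, SEC_ENOSPC = -4 };
enum { SEC_TAG_LEN = 8, SEC_MAX_SESSIONS = 4, SEC_NUM_KEYS = 2 };
typedef int sec_handle_t;                          /* opaque to the plugin side */

/* Constructed keys for the example. A real TA loads these from secure storage;
 * they never exist in Normal World memory. */
static const uint8_t secure_keys[SEC_NUM_KEYS][16] = {
    {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
    {0xa5, 0x5a, 0x3c, 0xc3, 0x0f, 0xf0, 0x69, 0x96, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88},
};
struct sec_session { bool open; int key_id; };
static struct sec_session sessions[SEC_MAX_SESSIONS];

static struct sec_session *lookup(sec_handle_t h) {   /* NULL for closed or bogus handles */
    return (h >= 0 && h < SEC_MAX_SESSIONS && sessions[h].open) ? &sessions[h] : NULL;
}
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}
int sec_session_open(int key_id, sec_handle_t *h) {
    if (key_id < 0 || key_id >= SEC_NUM_KEYS || !h) return SEC_EINVAL;
    for (int i = 0; i < SEC_MAX_SESSIONS; i++)
        if (!sessions[i].open) { sessions[i].open = true; sessions[i].key_id = key_id; *h = i; return SEC_OK; }
    return SEC_EBUSY;                              /* session table exhausted */
}
int sec_session_close(sec_handle_t h) {
    struct sec_session *s = lookup(h);
    if (!s) return SEC_EINVAL;                     /* double close is an error, not a crash */
    s->open = false;
    return SEC_OK;
}
/* out = msg || tag. The key is dereferenced only here, inside the service. */
int sec_seal(sec_handle_t h, const uint8_t *msg, size_t n, uint8_t *out, size_t cap, size_t *out_len) {
    struct sec_session *s = lookup(h);
    if (!s || !msg || !out || !out_len) return SEC_EINVAL;
    if (cap < n + SEC_TAG_LEN) return SEC_ENOSPC;
    uint64_t t = siphash24(secure_keys[s->key_id], msg, n);
    memcpy(out, msg, n);
    for (int i = 0; i < SEC_TAG_LEN; i++) out[n + i] = (uint8_t)(t >> (8 * i));
    *out_len = n + SEC_TAG_LEN;
    return SEC_OK;
}
/* Verifies the tag in constant time and copies the body out only on success. */
int sec_unseal(sec_handle_t h, const uint8_t *in, size_t n, uint8_t *msg, size_t cap, size_t *msg_len) {
    struct sec_session *s = lookup(h);
    if (!s || !in || !msg || !msg_len || n < SEC_TAG_LEN) return SEC_EINVAL;
    size_t body = n - SEC_TAG_LEN;
    if (cap < body) return SEC_ENOSPC;
    uint64_t t = siphash24(secure_keys[s->key_id], in, body);
    uint8_t expect[SEC_TAG_LEN];
    for (int i = 0; i < SEC_TAG_LEN; i++) expect[i] = (uint8_t)(t >> (8 * i));
    if (!ct_equal(expect, in + body, SEC_TAG_LEN)) return SEC_EAUTH;
    memcpy(msg, in, body);
    *msg_len = body;
    return SEC_OK;
}

/* ---- plugin side (Normal World): handle lifecycle, released on every path ---- */
int plugin_roundtrip(int key_id, const uint8_t *msg, size_t n) {
    uint8_t sealed[256], plain[256];
    size_t sn = 0, pn = 0;
    sec_handle_t h;
    int rc;
    if (n + SEC_TAG_LEN > sizeof sealed) return SEC_EINVAL;
    if ((rc = sec_session_open(key_id, &h)) != SEC_OK) return rc;
    rc = sec_seal(h, msg, n, sealed, sizeof sealed, &sn);
    if (rc == SEC_OK) rc = sec_unseal(h, sealed, sn, plain, sizeof plain, &pn);
    if (rc == SEC_OK && (pn != n || memcmp(plain, msg, n) != 0)) rc = SEC_EAUTH;
    sec_session_close(h);                          /* the resource-management point raised above */
    return rc;
}
```

On a real platform the service half is the TA and the plugin half crosses into it with `TEEC_InitializeContext`, `TEEC_OpenSession` and `TEEC_InvokeCommand` over `TEEC_MEMREF_TEMP_INPUT`/`TEEC_MEMREF_TEMP_OUTPUT` parameters, with `TEEC_CloseSession` and `TEEC_FinalizeContext` on every exit path exactly where `sec_session_close` sits here; that is the context and resource bookkeeping the thread attributes to the TEE Client library, TEE driver and TEE OS. Two properties worth checking against any such backend: a closed or forged handle is rejected rather than dereferenced, and a tampered message is rejected before any body bytes are copied to the caller.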