Page 1:

Combining ROS with seL4 forTrustworthy Autonomous Systems

Cynthia Irvine

Naval Postgraduate School

September 2019

C. Irvine Combining ROS with seL4 for Trustworthy Autonomous Systems 1 / 27

Page 2:

A Reason to Care

Subversion

The covert and methodical undermining of internal and external controls over a system lifetime to allow unauthorized or undetected access to system resources and/or information. [1]

Page 3:

Early Subversion Experiments

Karger and Schell (1974)

Paul Karger

Roger Schell

- Early proponents of trustworthy systems
- Conducted vulnerability analysis of Multics [2]
- Described early episodes of subversion
- Software trapdoor in Multics
  - “Upgrade” to fielded systems
- Possible firmware or hardware “upgrade”
- Both “unexpected”
  - Sailed through configuration control board
- Required “damage control”

Page 4:

Subversion Popularized

Ken Thompson

Elaborated on subversion suggestion made in Karger and Schell paper: Subvert the compiler.

Reflections on Trusting Trust (1984) [3]

Compiler contained two artifice constructors
  - Compiler artifice installer
  - Unix artifice installer

When compiler compiles compiler source, both installers are installed
When compiler compiles Unix source, Unix artifice is installed

Was this real? Evidence of subversion backed out of system? Maybe.
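The two-installer mechanism on this slide, as a toy simulation added here (it is not Thompson's code, nor anything from the deck or from a real compiler): the "compiler" is exec() of Python source into a fresh namespace, the login program and the master password "letmein" are made up, and the trojan is written as a quine so that a compiler rebuilt from clean source keeps the backdoor generation after generation while both the login source and the compiler source stay clean.

```python
"""Toy simulation of the two-installer compiler subversion described above.

Constructed example: a "compiler" is exec() of Python source into a fresh
namespace and a "binary" is the resulting namespace; the login program,
the compiler and the master password are all made up for this demonstration.
"""

# Honest login source: accepts only the password stored in the database.
LOGIN_SRC = '''
def login(user, password, db):
    return db.get(user) == password
'''

# Honest compiler source: the "binary" it produces is a namespace of callables.
COMPILER_SRC = '''
def compile(src):
    ns = {}
    exec(src, ns)
    return ns
'''

# The trojan is a quine: %r is its only format directive (the literal percent
# sign is doubled) so that the trojan can emit its own source when it installs
# itself into the next compiler.
TROJAN_TEMPLATE = '''
TROJAN_TEMPLATE = %r
TROJAN_SRC = TROJAN_TEMPLATE %% TROJAN_TEMPLATE
BACKDOOR_PASSWORD = "letmein"

def subvert(src):
    # Unix artifice installer: patch the login program with a master password
    # that appears nowhere in the login source.
    if "def login(" in src:
        src = src.replace(
            "return db.get(user) == password",
            "return password == " + repr(BACKDOOR_PASSWORD)
            + " or db.get(user) == password")
    # Compiler artifice installer: prepend this trojan to the compiler source
    # and hook compile() so the new binary subverts everything it compiles.
    if "def compile(" in src and "def subvert(" not in src:
        src = TROJAN_SRC + src.replace("exec(src, ns)", "exec(subvert(src), ns)")
    return src
'''
TROJAN_SRC = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def honest_compiler():
    """A compiler binary built from COMPILER_SRC with no attacker involved."""
    ns = {}
    exec(COMPILER_SRC, ns)
    return ns["compile"]


def attacker_bootstrap():
    """Done once: compile a hand-subverted compiler, then discard the trojan
    source. Only the resulting binary is ever shipped."""
    ns = {}
    exec(TROJAN_SRC, ns)
    poisoned_src = ns["subvert"](COMPILER_SRC)
    return honest_compiler()(poisoned_src)["compile"]


def rebuild_compiler(compile_fn, generations):
    """Rebuild the compiler from its CLEAN source, each time with the binary
    produced by the previous round, as a site would do across upgrades."""
    for _ in range(generations):
        compile_fn = compile_fn(COMPILER_SRC)["compile"]
    return compile_fn


def login_accepts(compile_fn, user, password, db):
    """Compile the CLEAN login source with compile_fn and try a password."""
    return compile_fn(LOGIN_SRC)["login"](user, password, db)


def demo(generations=3):
    db = {"alice": "s3cret"}
    honest = honest_compiler()
    poisoned = rebuild_compiler(attacker_bootstrap(), generations)
    return {
        "honest_real_pw": login_accepts(honest, "alice", "s3cret", db),
        "honest_backdoor": login_accepts(honest, "alice", "letmein", db),
        "poisoned_real_pw": login_accepts(poisoned, "alice", "s3cret", db),
        "poisoned_backdoor": login_accepts(poisoned, "alice", "letmein", db),
        # The sources a reviewer would inspect are still clean.
        "sources_clean": "letmein" not in LOGIN_SRC and "subvert" not in COMPILER_SRC,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the simulation makes is the one the slide makes: after the attacker's single bootstrap step, every later compiler is built from unmodified source, yet `login` compiled by that lineage accepts "letmein" for any user. Source review of either program finds nothing; only inspecting the binary, or building with an independently trusted compiler, can reveal it.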

Page 5:

Potential Uses of seL4 - Autonomous Systems

UAV Swarms

Advanced Robotic Systems Engineering Laboratory (ARSENL), a team of students at the Naval Postgraduate School in Monterey, California, successfully launched a swarm of 50 drones – 27 Aug 2015.

Page 6:

NPS Zepher II

Basic system

Developed mostly using COTS hobby equipment
- Wingspan: 145 cm
- Takeoff weight: 2.5 kg
- Flight endurance: 50 min
- Cruise speed: 18 m/sec

COTS used for
- Flight
- Avionics
- Navigation
- Communications

Zepher II

Page 7:

NPS Zepher II

Deliberative Planning and Control System
- ODroid companion computer
- Ubuntu 14.04

Implemented as independent ROS nodes
- Controlled by separate swarm control node

Inter-component communication on companion computer relies on ROS services & message topics

Autopilot-bridge node provides direction to Pixhawk Autopilot using MAVLink (Micro Air Vehicle Link) protocol
- Serial link

Swarm behavior implemented using ROS

Page 8:

ARSENL Companion-computer C2 Architecture

Page 9:

Simulation System

Enhanced Software-in-the-Loop (SITL) simulation system [5]
- Development and testing of single- and multi-UAV algorithms
- Realistic testing with actual vehicle software in rigorous, physically-based simulation
- Can simulate lossy communications environments as expected in the real world

Page 10:

Functional Success!! But What is Wrong With This Picture?

No Consideration of Security

Just Trying to Make Them Function
- Communications
- Separation of Critical Processing
- Separation of High Integrity Data
- Audit

Page 11:

Hypothesis

seL4 could provide a foundation to support a better architecture.

Page 12:

Marketing Genius

Page 13:

Potential Uses of seL4 - Classroom

Problem

Students need exposure to real highly trustworthy systems

How can we make seL4 projects accessible to beginning and intermediate-level students?

Page 14:

Labtainers Objectives

Consistent and Fair
- Students execute labs in identical environments
- Instructors see consistent results and assess students on their work rather than environmental effects

Parameterizable
- Labs configured so each student’s work can be unique
- Labs are same level of difficulty for all students
- Expected results are parameterized to streamline grading

Support for Automatic Assessment
- Collected student work is parsed for specific outputs
- Tools may be developed to support assessment of particular aspects of exercise

Page 15:

Pre-packaged cyber labs

Multiple Linux-based computers per lab
- Spin up >10 computers in seconds on a laptop
- Independent computers with virtual networks

No provisioning/admin required of student
- Consistent configurations via Docker containers

Automated student assessment
- Did student accomplish defined goals of the lab?

Individualized labs to discourage “sharing”

Page 16:

Example Labtainers-based Distributed System

- Each container has own init & systemd
- Virtual networks; config files; packages . . .
- We instrument containers for artifacts
- Selected stdin/stdout & logs timestamped

Page 17:

More than 45 Existing Labs

- Software vulnerabilities, e.g., buffer overflow
- Networking, e.g., arp-spoof, DNS-spoof, snort
- Operations, e.g., ACLs, logging, authentication
- Web security, e.g., cross site scripting
- Cryptography, e.g., hashing, VPNs
- Industrial control systems (PLCs)

Page 18:

Roles in the World of Labtainers

Designer
SME who works with instructor to create labs based on learning objectives. Fine tunes and updates labs. May support auxiliary assessment tools.

Instructor
Defines learning objectives. Works with (or is) designer. Ensures student readiness to perform labs and conducts assessments.

Student
Performs lab exercise. Learns! Delivers results to instructor for assessment.

Page 19:

Student Experience

- Download a single fully provisioned Linux VM, e.g., into VirtualBox
- Issue command to run lab, e.g., labtainers ssl for the SSL lab
- Framework automatically pulls images
- Docker containers start per the lab design
- Student then sees virtual terminals & GUIs
- When done, student runs stoplab
- Directed to send zip file to instructor, e.g., via LMS

Page 20:

Instructor Experience

- Assign lab (each has a lab manual)
- Collect zips, e.g., via LMS bulk download
- Run “gradelab ssl”
- Framework recognizes and unpacks LMS bulk download
- Instructor sees table of students & goals
- Can deep dive into specific student artifacts

Page 21:

Automated Assessment

- Lab designer defines measurable goals
- Might want to know: did nmap output indicate the correct ports were open during a single configuration of iptables?
- Identify specific artifacts, e.g., stdout of nmap
- Express intended values, e.g., 80 tcp/open
- Support for temporal expressions
- Evaluate set of results delimited in time by configuration actions, e.g., running iptables
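One way to implement the temporal goal check this slide describes (was port 80 open in the nmap output captured after one particular iptables configuration?), as an added example. It is not Labtainers' own goal or results syntax, which the deck does not show: the timestamped artifact lines, the goal fields "after", "port" and "expect", and the rule that every iptables command on stdin starts a new evaluation window are all constructed here.

```python
"""Goal checker over timestamped lab artifacts, in the style the slide
describes. Added example: the artifact lines and the goal dictionaries are
constructed here and are not Labtainers' own formats or tooling."""
import re
from datetime import datetime

# Constructed artifact capture: "<timestamp> <stream> <text>" per line, as an
# instrumented container might record a student's stdin and nmap's stdout.
ARTIFACTS_PASS = """\
2019-09-12T10:00:01 stdin  iptables -F
2019-09-12T10:00:05 stdin  nmap -p 22,80 10.0.0.2
2019-09-12T10:00:07 stdout 22/tcp open     ssh
2019-09-12T10:00:07 stdout 80/tcp open     http
2019-09-12T10:01:10 stdin  iptables -A INPUT -p tcp --dport 80 -j DROP
2019-09-12T10:01:20 stdin  nmap -p 22,80 10.0.0.2
2019-09-12T10:01:22 stdout 22/tcp open     ssh
2019-09-12T10:01:22 stdout 80/tcp filtered http
"""

# Same lab, a student who added the rule but never re-ran nmap afterwards.
ARTIFACTS_FAIL = """\
2019-09-12T11:00:01 stdin  iptables -F
2019-09-12T11:00:05 stdin  nmap -p 22,80 10.0.0.2
2019-09-12T11:00:07 stdout 22/tcp open     ssh
2019-09-12T11:00:07 stdout 80/tcp open     http
2019-09-12T11:01:10 stdin  iptables -A INPUT -p tcp --dport 80 -j DROP
"""

# Goals: a port state that must be observed in the nmap output captured
# after a configuration action matching "after" and before the next one.
GOALS = [
    {"name": "port80_open_before_rule", "after": r"iptables -F", "port": 80, "expect": "open"},
    {"name": "port80_blocked_after_rule", "after": r"--dport 80 -j DROP", "port": 80, "expect": "filtered"},
    {"name": "port22_open_after_rule", "after": r"--dport 80 -j DROP", "port": 22, "expect": "open"},
]

LINE_RE = re.compile(r"^(\S+)\s+(stdin|stdout)\s+(.*)$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)")
CONFIG_ACTION_RE = re.compile(r"^iptables\b")


def parse_artifacts(text):
    """Return [(datetime, stream, text)] sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])


def split_epochs(events):
    """Cut the timeline at every configuration action (here: an iptables command
    on stdin). Returns [(action_text, events_until_next_action)]."""
    epochs = []
    for ts, stream, text in events:
        if stream == "stdin" and CONFIG_ACTION_RE.match(text):
            epochs.append((text, []))
        elif epochs:
            epochs[-1][1].append((ts, stream, text))
    return epochs


def port_states(events):
    """Latest observed nmap state per port within one epoch, e.g. {80: "open"}."""
    states = {}
    for _, stream, text in events:
        m = PORT_RE.match(text)
        if stream == "stdout" and m:
            states[int(m.group(1))] = m.group(2)
    return states


def assess(artifact_text, goals=GOALS):
    """Evaluate every goal; a goal whose epoch or port was never observed fails."""
    epochs = split_epochs(parse_artifacts(artifact_text))
    results = {}
    for goal in goals:
        observed = None
        for action, events in epochs:
            if re.search(goal["after"], action):
                observed = port_states(events).get(goal["port"])
                break  # first matching configuration action only
        results[goal["name"]] = observed == goal["expect"]
    return results


if __name__ == "__main__":
    print("pass:", assess(ARTIFACTS_PASS))
    print("fail:", assess(ARTIFACTS_FAIL))
```

Delimiting the results by configuration actions rather than by wall-clock time is what makes the check robust to students who work at different speeds, and a goal with no observation in its window fails rather than passing by default, so a student who configures the firewall but never verifies it does not get credit for the verification step.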

Page 22:

Managed as Project

Open source project with GitHub presence
- https://github.com/mfthomps/Labtainers

Developed in Python
Suite of regression tests for stability
SimLab automated lab performance tool
- Simulates keystrokes for testing labs
Our website: http://my.nps.edu/web/c3o/labtainers
Initial development sponsored by NSF (DUE-1438893).
Continued support from NSF (SaTC 1932950) and NSA.

Page 23:

Why Did I Tell You All of This?

Student exposure to highly trustworthy systems

- Do not need to convert them into formal methodists
- Do want them to understand benefits of high assurance systems
- Need a story, otherwise “What, me worry?”
- Lab exercise should not be torture
- Illustrate high assurance as an appropriate investment
- Can interesting seL4 projects be accessible to intermediate-level students?

Page 24:

Compelling Story

Where is the convincing evidence that clearly demonstrates how a system founded on seL4 will save lives?

Page 25:

References I

[1] P. Myers, “Subversion: The neglected aspect of computer security,” M.S. Thesis, Naval Postgraduate School, Monterey, CA, 1980.

[2] P. A. Karger and R. R. Schell, “Multics security evaluation: Vulnerability analysis,” Information Systems Technology Application Office, Deputy for Command and Management Systems, Electronic Systems Division (AFSC), Hanscom AFB, Bedford, MA 01730, Tech. Rep. ESD-TR-74-193, Vol. II, 1974.

[3] K. Thompson, “Reflections on Trusting Trust,” Communications of the ACM, vol. 27, no. 8, pp. 761–763, 1984.

[4] D. T. Davis, T. H. Chung, M. R. Clement, and M. A. Day, “Consensus-based data sharing for large-scale aerial swarm coordination in lossy communications environments,” in 2016 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS), October 2016.

[5] M. A. Day, M. R. Clement, J. D. Russo, D. Davis, and T. H. Chung, “Multi-UAV Software Systems and Simulation Architecture,” in 2015 International Conference on Unmanned Aerial Systems. IEEE, 2015, pp. 426–435.

[6] C. E. Irvine, M. F. Thompson, M. McCarrian, and J. Khosalim, “Labtainers: A Docker-based framework for cybersecurity labs,” in Proceedings of the 2017 USENIX Workshop on Advances in Security Education. USENIX, August 2017.

[7] M. F. Thompson and C. E. Irvine, “Individualizing cybersecurity lab exercises with labtainers,” IEEE Security & Privacy, vol. 16, no. 2, pp. 91–95, March 2018.

[8] ——, “Individualizing cybersecurity lab exercises with labtainers,” Computing Edge (reprint), pp. 29–33, May 2018.

Page 26:

Questions

Cynthia Irvine
Naval Postgraduate School

[email protected]
