ROSec: Intra-Process Isolation for ROS Composition With Memory Protection Keys
Authors: Jiwon Seo, Martin Kayondo, Jeonghwan Kang, Kyeongryong Lee, Donghyun Kwon, Yunheung Paek
DOI: 10.1109/TASE.2024.3525050
Journal: IEEE Transactions on Automation Science and Engineering, vol. 22, pp. 10546-10559 (Journal Article)
Publication date: 2025-01-10
Journal impact factor: 6.4; JCR: Q1 (Automation & Control Systems)
URL: https://ieeexplore.ieee.org/document/10836890/
Open access: no
Citations: 0
Abstract
Robot Operating System (ROS) is a software framework for robotic systems that includes various packages for developing robotic applications. Composition is a package that combines multiple applications, namely nodes, so that they are loaded and executed in a single process. However, permitting multiple nodes to share one address space expands the attack surface: a vulnerability in one node is more likely to be exploited to subvert the other nodes running in the same space. We propose ROSec, an in-process isolation solution for ROS composition that utilizes Intel Memory Protection Keys (MPK). ROSec enforces memory isolation between nodes within a process by preventing unauthorized access from one node to another. Unlike previous works that assume the number and sizes of nodes are statically defined and partitioned by developers, ROSec is designed to handle the dynamic nature of nodes, which can be loaded and executed in a process at any time during execution. To achieve this, ROSec adopts a scheduling mechanism that utilizes the executor-centric execution model of ROS to perform the two main operations of MPK-based isolation: protection key assignment and reassignment. Our evaluation shows that ROSec effectively enforces in-process isolation while incurring a 6.4% performance overhead on a real-world application.
Note to Practitioners
Cyber-Physical Systems are the core of modern applications, particularly robotics, as they integrate computing and physical processes. ROS requires both real-time and security guarantees, which unfortunately trade off against each other. While the traditional ROS architecture relies on process isolation to separate nodes, ROS2 introduces a feature called composition that allows multiple nodes to run inside a single process, thus exposing each node to potential compromise by the others. This paper proposes a technique that utilizes Intel memory protection keys (MPK) to provide intra-process isolation for ROS composition. Given that ROS nodes are dynamic, ROSec provides key assignment and reassignment techniques to configure MPK dynamically.
Journal description:
The IEEE Transactions on Automation Science and Engineering (T-ASE) publishes fundamental papers on Automation, emphasizing scientific results that advance efficiency, quality, productivity, and reliability. T-ASE encourages interdisciplinary approaches from computer science, control systems, electrical engineering, mathematics, mechanical engineering, operations research, and other fields. T-ASE welcomes results relevant to industries such as agriculture, biotechnology, healthcare, home automation, maintenance, manufacturing, pharmaceuticals, retail, security, service, supply chains, and transportation. T-ASE addresses a research community willing to integrate knowledge across disciplines and industries. For this purpose, each paper includes a Note to Practitioners that summarizes how its results can be applied or how they might be extended to apply in practice.