research-article

Open access

Analysis and Mitigation of Function Interaction Risks in Robot Apps

Authors:

Yungang BaoAuthors Info & Claims

RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses

Pages 1 - 16

https://doi.org/10.1145/3471621.3471854

Published: 07 October 2021 Publication History

All formats PDF

Abstract

Robot apps are becoming more automated, complex and diverse. An app usually consists of many functions, interacting with each other and the environment. This allows robots to conduct various tasks. However, it also opens a new door for cyber attacks: adversaries can leverage these interactions to threaten the safety of robot operations. Unfortunately, this issue is rarely explored in past works.

We present the first systematic investigation about the function interactions in common robot apps. First, we disclose the potential risks and damages caused by malicious interactions. By investigating the relationships among different functions, we identify and categorize three types of interaction risks. Second, we propose RTron, a novel system to detect and mitigate these risks and protect the operations of robot apps. We introduce security policies for each type of risks, and design coordination nodes to enforce the policies and regulate the interactions. We conduct extensive experiments on 110 robot apps from the ROS platform and two complex apps (Baidu Apollo and Autoware) widely adopted in industry. Evaluation results indicated RTron can correctly identify and mitigate all potential risks with negligible performance cost. To validate the practicality of the risks and solutions, we implement and evaluate RTron on a physical UGV (Turtlebot) with real-word apps and environments.

References

[1]

2015. After Jeep Hack, Chrysler Recalls 1.4M Vehicles for BugFix. https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/.

[2]

2019. Open source robot operating system. http://www.ros.org/.

[3]

2020. App Store. https://www.apple.com/ios/app-store/.

[4]

2020. Apple HomeKit. https://developer.apple.com/homekit/.

[5]

2020. Application Builder. https://www.universal-robots.com/builder/.

[6]

2020. The Autoware.AI Project. https://github.com/Autoware-AI/autoware.ai.

[7]

2020. Baidu Apollo. https://github.com/ApolloAuto/apollo.

[8]

2020. Dji Onboard SDK. https://developer.dji.com/onboard-sdk/.

[9]

2020. Gazebo 3D Robot Simulator.http://gazebosim.org/.

[10]

2020. Google Play. https://play.google.com/store/.

[11]

2020. Google Weave Project. https://developers.google.com/weave/.

[12]

2020. LGSVL Simulator.https://www.lgsvlsimulator.com/.

[13]

2020. The Mac App Store. https://www.apple.com/uk/osx/apps/app-store//.

[14]

2020. An Open Source Self-Driving Car. https://www.udacity.com/self-driving-car/.

[15]

2020. OpenXC Platform. http://openxcplatform.com/.

[16]

2020. Robot Vulnerability Database (RVD). https://github.com/aliasrobotics/RVD/.

[17]

2020. Robots that you can use with ROS.https://robots.ros.org/.

[18]

2020. ROS 2 Robotic Systems Threat Model. https://design.ros2.org/articles/ros2_threat_model.html.

[19]

2020. ROS ABB Package. http://wiki.ros.org/abb/.

[20]

2020. ROS Messages. http://wiki.ros.org/Messages/.

[21]

2020. ROS PR2 Package. http://wiki.ros.org/Robots/PR2/.

[22]

2020. ROSbot 2.0 PRO. https://store.husarion.com/collections/dev-kits/products/rosbot-pro/.

[23]

2020. RosBot Exploration App. https://husarion.com/tutorials/ros-tutorials/8-unknown-environment-exploration/.

[24]

2020. RosBot Navigation App. https://husarion.com/tutorials/ros-tutorials/7-path-planning/.

[25]

2020. RosBot SLAM App. https://husarion.com/tutorials/ros-tutorials/6-slam-navigation/.

[26]

2020. RosBot Teleoperation App. https://husarion.com/tutorials/ros-tutorials/3-simple-kinematics-for-mobile-robot/.

[27]

2020. Rviz 3D visualization tool for ROS.https://www.stereolabs.com/docs/ros/rviz/.

[28]

2020. Samsung SmartThings. https://www.smartthings.com/.

[29]

2020. Turtlebot3. https://emanual.robotis.com/docs/en/platform/turtlebot3/overview/.

[30]

2020. Turtlebot3 AutoRace. https://emanual.robotis.com/docs/en/platform/turtlebot3/autonomous_driving.

[31]

2020. Ubuntu Appstore. https://ubuntu.com/blog/tag/appstore/.

[32]

2020. Windows Apps - Microsoft Store. https://www.microsoft.com/en-us/store/apps/windows/.

[33]

2020. Xiaoqiang Voice Interaction App. https://community.bwbot.org/topic/492/.

[34]

Yasemin Acar, Michael Backes, Sven Bugiel, Sascha Fahl, Patrick D. McDaniel, and Matthew Smith. 2016. SoK: Lessons Learned from Android Security Research for Appified Software Platforms. In IEEE Symposium on Security and Privacy (S&P).

[35]

Samuel Jero Benjamin E. Ujcich, Anne Edmundson, Qi Wang, Richard Skowyra, James Landry, Adam Bates, William H. Sanders, Cristina Nita-Rotaru, and Hamed Okhravi. 2018. Cross-App Poisoning in Software-Defined Networking. In ACM Conference on Computer and Communications Security (CCS).

[36]

Tamara Bonaci, Jeffrey Herron, Tariq Yusuf, Junjie Yan, Tadayoshi Kohno, and Howard Jay Chizeck. 2015. To Make a Robot Secure: An Experimental Analysis of Cyber Security Threats Against Teleoperated Surgical Robots. In CoRR abs/1504.04339.

[37]

Behzad Boroujerdian, Hasan Genc, Srivatsan Krishnan, Wenzhi Cui, Aleksandra Faust, and Vijay Janapa Reddi. 2018. MAVBench: Micro Aerial Vehicle Benchmarking. In Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[38]

Benjamin Breiling, Bernhard Dieber, and Peter Schartner. 2017. Secure communication for the robot operating system. In IEEE Systems Conference (SysCon).

[39]

Lei Bu, Wen Xiong, Chieh-Jan Mike Liang, Shi Han, Dongmei Zhang, Shan Lin, and Xuandong Li. 2018. Systematically Ensuring the Confidence of Real-Time Home Automation IoT Systems. ACM Transactions on Cyber-Physical Systems (TCPS) 2, 3 (2018), 22:1–22:23.

[40]

Yulong Cao, Chaowei Xiao, Benjamin Cyr, Yimeng Zhou, Won Park, Sara Rampazzi, Qi Alfred Chen, Kevin Fu, and Z. Morley Mao. 2019. Adversarial Sensor Attack on LiDAR-based Perception in Autonomous Driving. In ACM Conference on Computer and Communications Security (CCS).

[41]

Z. Berkay Celik, Patrick D. McDaniel, and Gang Tan. 2018. Soteria: Automated IoT Safety and Security Analysis. In Annual Technical Conference (ATC).

[42]

Z. Berkay Celik, Gang Tan, and Patrick D. McDaniel. 2019. IoTGuard: Dynamic Enforcement of Security and Safety Policy in Commodity IoT. In Annual Network and Distributed System Security Symposium (NDSS).

[43]

Cesar Cerrudo and Lucas Apa. 2017. Hacking Robots Before Skynet. IOActive Website (2017).

[44]

Jiyang Chen, Zhiwei Feng, Jen-Yang Wen, Bo Liu, and Lui Sha. 2019. A Container-based DoS Attack-Resilient Control Framework for Real-Time UAV Systems. In Design, Automation, and Test in Europe (DATE).

[45]

Haotian Chi, Qiang Zeng, Xiaojiang Du, and Jiaping Yu. 2018. Cross-App Interference Threats in Smart Homes: Categorization, Detection and Handling. In CoRR abs/1808.02125.

[46]

Hongjun Choi, Wen-Chuan Lee, Yousra Aafer, Fan Fei, Zhan Tu, Xiangyu Zhang, Dongyan Xu, and Xinyan Xinyan. 2018. Detecting Attacks Against Robotic Vehicles: A Control Invariant Approach. In ACM Conference on Computer and Communications Security (CCS).

Digital Library

[47]

Drew Davidson, Hao Wu, Robert Jellinek, Vikas Singh, and Thomas Ristenpart. 2016. Controlling UAVs with Sensor Input Spoofing Attacks. In Workshop on Offensive Technologies (WOOT).

[48]

Nicholas DeMarinis, Stefanie Tellex, Vasileios P. Kemerlis, George Dimitri Konidaris, and Rodrigo Fonseca. 2019. Scanning the Internet for ROS: A View of Security in Robotics Research. In International Conference on Robotics and Automation (ICRA).

[49]

Tamara Denning, Cynthia Matuszek, Karl Koscher, Joshua R. Smith, and Tadayoshi Kohno. 2009. A spotlight on security and privacy risks with future household robots: attacks and lessons. In Ubiquitous Computing (UbiComp).

[50]

Bernhard Dieber, Benjamin Breiling, Sebastian Taurer, Severin Kacianka, Stefan Rass, and Peter Schartner. 2017. Security for the robot operating system. IEEE Trans. Robotics and Autonomous Systems 98 (2017), 192–203.

Digital Library

[51]

Bernhard Dieber, Severin Kacianka, Stefan Rass, and Peter Schartner. 2016. Application-level security for ROS-based applications. In International Conference on Intelligent RObots and Systems (IROS).

Digital Library

[52]

Bernhard Dieber, Severin Kacianka, Stefan Rass, and Peter Schartner. 2016. Application-level security for ROS-based applications. In International Conference on Intelligent RObots and Systems (IROS).

Digital Library

[53]

Wenbo Ding and Hongxin Hu. 2018. On the Safety of IoT Device Physical Interaction Control. In ACM Conference on Computer and Communications Security (CCS).

[54]

Roland Dóczi, Balázs Süto Ferenc Kis, Valeria Poser, Gernot Kronreif, Eszter Josvai, and Miklos Kozlovszky. 2016. Increasing ROS 1.x communication security for medical surgery robot. In IEEE International Conference on Systems, Man and Cybernetics (SMC).

Digital Library

[55]

Fan Fei, Zhan Tu, Ruikun Yu, Taegyu Kim, Xiangyu Zhang, Dongyan Xu, and Xinyan Deng. 2018. Cross-Layer Retrofitting of UAVs Against Cyber-Physical Attacks. In IEEE International Conference on Robotics and Automation (ICRA).

[56]

David Ke Hong, John Kloosterman, Yuqi Jin, Yulong Cao, Qi Alfred Chen, Scott A. Mahlke, and Z. Morley Mao. 2020. AVGuardian: Detecting and Mitigating Publish-Subscribe Overprivilege for Autonomous Vehicle Systems. In European Symposium on Security and Privacy (EuroS&P).

[57]

Michael Hooper, Yifan Tian, Runxuan Zhou, Bin Cao, Adrian P. Lauf, Lanier Watkins, William H. Robinson, and Wlajimir Alexis. 2016. A review on cybersecurity vulnerabilities for unmanned aerial vehicles. In Military Communications Conference (MILCOM).

[58]

Taegyu Kim, Chung Hwan Kim, Junghwan Rhee, Fan Fei, Zhan Tu, Gregory Walkup, Xiangyu Zhang, Xinyan Deng, and Dongyan Xu. 2019. Rvfuzzer: Finding input validation bugs in robotic vehicles through control-guided testing. In USENIX Security Symposium (USENIX Security 19).

[59]

C. G. Leela Krishna and Robin R. Murphy. 2017. A review on cybersecurity vulnerabilities for unmanned aerial vehicles. In IEEE International Symposium on Safety, Security, and Rescue Robotics (SSRR).

[60]

Chieh-Jan Mike Liang, Börje F. Karlsson, Nicholas D. Lane, Feng Zhao, Junbei Zhang, Zheyi Pan, Zhao Li, and Yong Yu. 2015. SIFT: building an internet of safe things. In International Symposium on Information Processing in Sensor Networks (IPSN).

Digital Library

[61]

Chieh-Jan Mike Liang, Zhao Li Lei Bu, Junbei Zhang, Shi Han, Börje F. Karlsson, Dongmei Zhang, and Feng Zhao. 2015. Systematically Debugging IoT Control System Correctness for Building Automation. In Proceedings of the 3rd ACM International Conference on Systems for Energy-Efficient Built Environments (BuildSys@SenSys).

[62]

Shih-Chieh Lin, Yunqi Zhang, Chang-Hong Hsu, Matt Skach, Md E. Haque, Lingjia Tang, and Jason Mars. 2018. The Architectural Implications of Autonomous Driving: Constraints and Acceleration. In International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS).

Digital Library

[63]

Bharat B Madan, Manoj Banik, and Doina Bein. 2016. Securing unmanned autonomous systems from cyber threats. Journal of Defense Modeling & Simulation 16, 2 (2016), 119–135.

[64]

Vicente Matellán, Jesús Balsa, F. Casado, Camino Fernández, and Francisco Javier Rodríguez Lera. 2016. Cybersecurity in Autonomous Systems: Evaluating the performance of hardening ROS. In XVII Workshop En Agentes Físicos.

[65]

Jarrod R. Mcclean and Charles Farrar. 2013. A Preliminary Cyber-Physical Security Assessment of the Robot Operating System (ROS). In Proceedings of SPIE.

[66]

Chandrakana Nandi and Michael D. Ernst. 2016. Automatic Trigger Generation for Rule-based Smart Homes. In PLAS@CCS.

[67]

Dang Tu Nguyen, Chengyu Song, Zhiyun Qian, Srikanth V. Krishnamurthy, Edward J. M. Colbert, and Patrick D. McDaniel. 2018. IotSan: fortifying the safety of IoT systems. In Conference on Emerging Network Experiment and Technology (CoNEXT).

Digital Library

[68]

NTyler Nighswander, Brent M. Ledvina, Jonathan Diamond, Robert Brumley, and David Brumley. 2012. GPS software attacks. In ACM Conference on Computer and Communications Security (CCS).

Digital Library

[69]

Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, and Stefano Zanero. 2017. An Experimental Security Analysis of an Industrial Robot Controller. In IEEE Symposium on Security and Privacy (S&P).

[70]

Davide Quarta, Marcello Pogliani, Mario Polino, Andrea M. Zanchettin, and Stefano Zanero. 2017. Rogue robots: Testing the limits of an industrial robot’s security. Technical Report. Politecnico di Milano.

[71]

Nils Miro Rodday, Ricardo de Oliveira Schmidt, and Aiko Pras. 2016. Exploring security vulnerabilities of unmanned aerial vehicles. In IEEE/IFIP Network Operations and Management Symposium (NOMS).

Digital Library

[72]

Seong-Hun Seo, Byung-Hyun Lee, Sung-Hyuck Im, and Gyu-In Jee. 2015. Effect of Spoofing on Unmanned Aerial Vehicle using Counterfeited GPS Signal. Journal of Positioning, Navigation, and Timing 4, 2 (2015), 57–65.

[73]

Shai Shalev-Shwartz, Shaked Shammah, and Amnon Shashua. 2016. Reinforcement Learning for Autonomous Driving. In NIPS Workshop on Learning, Inference and Control of Multi-Agent Systems.

[74]

Hocheol Shin, Dohyun Kim, Yujin Kwon, and Yongdae Kim. 2017. Illusion and Dazzle: Adversarial Optical Channel Exploits Against Lidars for Automotive Applications. In International Workshop on Cryptographic Hardware and Embedded Systems (CHES).

[75]

Yasser Shoukry, Paul D. Martin, Paulo Tabuada, and Mani B. Srivastava. 2013. Non-invasive Spoofing Attacks for Anti-lock Braking Systems. In International Workshop on Cryptographic Hardware and Embedded Systems (CHES).

[76]

Siciliano, Bruno, and Oussama Khatib. 2016. Springer handbook of robotics. Springer, Secaucus, NJ, USA: Sprinter-Verlag New York, Inc.

[77]

Yunmok Son, Hocheol Shin, Dongkwan Kim, Young-Seok Park, Juhwan Noh, Kibum Choi, Jungwoo Choi, and Yongdae Kim. 2015. Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors. In USENIX Security Symposium (USENIX Security 15).

[78]

Sebastian Thrun, Wolfram Burgard, and Diter Fox. 2005. Probabilistic Robotics. The MIT Press.

[79]

Nils Ole Tippenhauer, Christina Pöpper, Kasper Bonne Rasmussen, and Srdjan Capkun. 2011. On the requirements for successful GPS spoofing attacks. In ACM Conference on Computer and Communications Security (CCS).

Digital Library

[80]

Russell Toris, Craig A. Shue, and Sonia Chernova. 2014. Message authentication codes for secure remote non-native client connections to ROS enabled robots. In International Conference on Technologies for Practical Robot Applications (TePRA).

[81]

Timothy Trippel, Ofir Weisse, Wenyuan Xu, Peter Honeyman, and Kevin Fu. 2017. WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks. In EuroS&P.

[82]

Yazhou Tu, Zhiqiang Lin, Insup Lee, and Xiali Hei. 2018. Injected and Delivered: Fabricating Implicit Control over Actuation Systems by Spoofing Inertial Sensors. In USENIX Security Symposium (USENIX Security 18).

[83]

Qi Wang, Pubali Datta, Wei Yang, Si Liu, Adam Bates, and Carl A. Gunter. 2019. Charting the Attack Surface of Trigger-Action IoT Platforms. In ACM Conference on Computer and Communications Security (CCS).

[84]

Jon S Warner and Roger G Johnston. 2002. A simple demonstration that the global positioning system (GPS) is vulnerable to spoofing. Journal of Security Administration 25, 2 (2002), 19–27.

[85]

Ruffin White, Henrik I. Christensen, and Morgan Quigley. 2016. SROS: Securing ROS over the wire, in the graph, and through the kernel. In CoRR abs1611.07060.

[86]

Tianlong Yu, Vyas Sekar, Srinivasan Seshan, Yuvraj Agarwal, and Chenren Xu. 2015. Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things. In HotNets.

[87]

Kexiong (Curtis) Zeng, Shinan Liu, Yuanchao Shu, Dong Wang, Haoyu Li, Yanzhi Dou, Gang Wang, and Yaling Yang. 2018. All Your GPS Are Belong To Us: Towards Stealthy Manipulation of Road Navigation Systems. In USENIX Security Symposium (USENIX Security 18).

[88]

Lefan Zhang, Weijia He, Jesse Martinez, Noah Brackenbury, Shan Lu, and Blase Ur. 2019. AutoTap: synthesizing and repairing trigger-action programs using LTL properties. In International Conference on Software Engineering (ICSE).

Digital Library

Cited By

Xu YBao YWang SZhang T(2024)Function Interaction Risks in Robot Apps: Analysis and Policy-Based SolutionIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.334877221:4(4236-4253)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3348772
Xu YHan XDeng GLi JLiu YZhang T(2023)SoK: Rethinking Sensor Spoofing Attacks against Robotic Vehicles from a Systematic View2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP57164.2023.00067(1082-1100)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSP57164.2023.00067
Mo RJiang YZhan WWang DLi Z(2023)A Comprehensive Study on Code Clones in Automated Driving Software2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)10.1109/ASE56229.2023.00053(1073-1085)Online publication date: 11-Sep-2023
https://doi.org/10.1109/ASE56229.2023.00053
Show More Cited By

Recommendations

Function Interaction Risks in Robot Apps: Analysis and Policy-Based Solution
Robot apps are becoming more automated, complex and diverse. An app usually consists of many functions, interacting with each other and the environment. This allows robots to conduct various tasks. However, it also opens a new door for cyber attacks: ...
Characterizing Privacy Risks of Mobile Apps with Sensitivity Analysis

Given the emerging concerns over app privacy-related risks, major app distribution providers (e.g., Microsoft) have been exploring approaches to help end users to make informed decision before installation. This is different from existing approaches of ...
Enpublic Apps: Security Threats Using iOS Enterprise and Developer Certificates
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security

Compared with Android, the conventional wisdom is that iOS is more secure. However, both jailbroken and non-jailbroken iOS devices have number of vulnerabilities. For iOS, apps need to interact with the underlying system using Application Programming ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses

October 2021

468 pages

ISBN:9781450390583

DOI:10.1145/3471621

Program Chairs:
Leyla Bilge,
Tudor Dumitras

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 October 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Youth Innovation Promotion Association of Chinese Academy of Sciences
Key-Area Research and Development Program of Guangdong Province
NTU-Desay Research Program
the National Natural Science Foundation of China
the Strategic Priority Research Program of Chinese Academy of Sciences
Singapore Ministry of Education

Conference

RAID '21

RAID '21: 24th International Symposium on Research in Attacks, Intrusions and Defenses

October 6 - 8, 2021

San Sebastian, Spain

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
767
Total Downloads

Downloads (Last 12 months)214
Downloads (Last 6 weeks)20

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Xu YBao YWang SZhang T(2024)Function Interaction Risks in Robot Apps: Analysis and Policy-Based SolutionIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.334877221:4(4236-4253)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3348772
Xu YHan XDeng GLi JLiu YZhang T(2023)SoK: Rethinking Sensor Spoofing Attacks against Robotic Vehicles from a Systematic View2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP57164.2023.00067(1082-1100)Online publication date: Jul-2023
https://doi.org/10.1109/EuroSP57164.2023.00067
Mo RJiang YZhan WWang DLi Z(2023)A Comprehensive Study on Code Clones in Automated Driving Software2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)10.1109/ASE56229.2023.00053(1073-1085)Online publication date: 11-Sep-2023
https://doi.org/10.1109/ASE56229.2023.00053
Huang Y(2022)Mixed Training Mode of Business English Cloud Classroom Based on Mobile APP with Shared SDK2022 International Conference on Electronics and Renewable Systems (ICEARS)10.1109/ICEARS53579.2022.9751874(792-795)Online publication date: 16-Mar-2022
https://doi.org/10.1109/ICEARS53579.2022.9751874

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents