Secure Autonomous and Cyber-Physical Systems

Instructor: Prof. Sibin Mohan, Oregon State University

CS/ECE 599 | Winter 2022 Term | MW 2:00 - 3:50 PM PT | BAT 150


MP II-B: Middleware Security [Extra Credit]

Administrivia

Announcement Date Feb. 28, 2022
Submission Date Mar. 07, 2022
Submission Time 11:59PM PT
Total Points 10

Objective

Middleware is often used to exchange messages between modules/components of autonomous systems. In part A, we explored how PX4 module uses uORB to subscribe to topics. For this MP, we will focus on Man-In-The-Middle attacks.

Prelude

Running the PX4-SITL

This MP has an extra step where you have to run a server script. There are additional files which you must download from here which contains the mp2_server.py and mp2_lib. Later instructional steps will describe where to correctly extract the additional files.

Running the simulator
  1. Start with the MP2 base directory: cd /home/student/Desktop/MP2
  2. Run the MP2 server: python3 mp2_server.py which should wait for the mp2 module in the PX4 to run mp2_server_running
  3. In another terminal, change the directoy to cd /home/student/Desktop/MP2/PX4-Autopilot
  4. Compile and start the simulation by running: make px4_sitl gazebo px4_running
  5. In PX4 command prompt, start the mp2 module mp2 start module_running
  6. In the third terminal, change the directory to the MP2 base directory and run the offboard control: python3 mp2_offboard_control.py offboard_control_running

Man-In-The-Middle
  1. Create a custom message that has the same structure as the vehicle_local_position under a different name.
    1. Go to the msg in PX4-Autopilot directory
    2. Copy the vehicle_local_position.msg under a different name of your choosing.
    3. We will refer to it as vehicle_local_position_copy
    4. At the bottom of the vehicle_local_position.msg, there should be two commented out lines msg_1
    5. The commented out lines are responsible for it will be declared in #inlcude.
    6. Therefore, modify vehicle_local_position_copy.msg to make it distict from the original. msg_2
    7. Modify the msg/CMakeLists.txt by adding vehicle_local_position_copy.msg to set(msg_files).
  2. Hijack the vehicle_local_position topic.
    1. We want to modify the EKF module so that it publishes under the malicious topic.
    2. In side PX4-Autopilot/src/modules/ekf2/ we need to modify the EKF2Selector.cpp and EKF2Selector.hpp.
    3. In side EKF2Selector.hpp, first include the new message #include <uORB/topics/vehicle_local_position_copy.h>
    4. Then find the line uORB::Publication<vehicle_local_position_s> _vehicle_local_position_pub{ORB_ID(vehicle_local_position)}; which is responsible for publishing the topic.
    5. Replace it with uORB::Publication<vehicle_local_position_copy_s> _vehicle_local_position_pub{ORB_ID(vehicle_local_position_copy)}; to make the variable publish under different topic.
    6. Go to the EKF2Selector.cpp and find the function PublishVehicleLocalPosition().
    7. In the very last few lines of code, find the line where _vehicle_local_position_pub is used, create a struct of the new malicious and copy the vehicle_local_position struct to it using memcpy()
    8. Should look like this: pub
  3. Make the mp2 module communicate with the mp2_server.py.
    1. Download the additional files here which contains mp2_server.py and mp2_lib.cpp and mp2_lib.h
    2. Extract the mp2_server.py in the ~/Desktop/MP2/ directory.
    3. Extract the mp2_lib.cpp and mp2_lib.h in the ~/Desktop/MP2/PX4-Autopilot/src/modules/mp2 directory.
    4. Modify the mp2.hpp inside the modules/mp2
      1. Include the mp2_lib.h in mp2.hpp mp2_lib
      2. Add the following line Mp2Server * mp2server; to the private section of the MP2 class.
    5. Add mp2_lib.cpp and mp2_lib.h in CMakeLists.txt under SRC
    6. Modify the mp2.cpp inside the modules/mp2 to read the new topic.
      1. Initizlize the mp2server in the MP2contructor mp2_module_1
      2. Subscribe to vehicle_local_position_copy instead of vehicle_local_position (refer to MP2 part A, remember to change the struct type as well).
      3. Inside the run() function, use mp2server.exfiltrate() to send the subscribed data to the server and mp2server.recieve() to get the offset values back from the server. mp2_module_2
      4. Create vehicle_local_position struct and memcpy() the subscribed data to the struct.
      5. Add the values recieved from the server to the x, y, z position of the struct.
      6. Create publishing id (similar to how there was subscribe id in part A) using orb_advertise()
      7. Publish the topic using orb_publish() mp2_module_3
  4. Implement the attack types in the mp2_server.py
    1. Find the "TODO:" flags in the script and implement the corresponding attack.
    2. Fixed offset attack adds fixed constant value (of your choosing) to each of the position values (specify the value you used in the report).
    3. Random offset attack adds random value in a specified range (of your choosing) to each of the position values (specify the range of values you used in the report).
    4. Flipped attack causes move in a trajectory where the X and Y positions are flipped.
    5. Scaled attack causes move in a trajectory where the X and Y movements are scaled by a constant (i.e., if the mission is for the vehicle to move along x axis by 2 meters, in actualality it would move by 2*constant).
    6. The mp2_server.py outputs exfil_traj.npy which can be used by the prior plotting script by finding changing the "traj.npy" to "exfil_traj.npy".
    Note: for each of the above missions, repeat them for the missions from MP II-A, i.e. linear and circular.

    Also, the "mission" is finite time and only should attack between the interval where drone takes off and stop when it lands.

Submission Instructions