Secure Autonomous Systems

Instructor: Prof. Sibin Mohan, The George Washington University

CSCI 6907/3907 | Fall 2022 | TR 12:45PM - 02:00PM PT | SMTH 115

MP II: PX4 Autopilot & Flight Controller Security

Administrivia

Objective

• Install and use PX4 and PX4 Software-In-The-Loop simulatior to perform quadrotor flight simulation.
• Gain familiarity with MAVLink and controlling the UAV using offboard control.
• Understand internals of the PX4 and uORB middleware.

Prelude

1. PX4 is a popular opensource autopilot that controls multicopters, fixed-wing aircrafts, rovers and submarines. As shown in the diagram, PX4 is composed of modules and the modules communicate using the uORB middleware.
2. uORB middware is a publish-subscribe middleware where a module can publish certain message topics and other modules can subscribe to the topic to get the message.
3. PX4 provides Software-In-The-Loop(SITL) simulation platform where PX4 controls a simulated vehicle in the host machine.
4. By default, SITL provides simplistic physics simulation. However, it supports Gazebo for more complex simulation.
5. PX4 also provides Hardware-In-The-Loop where the environment is simulated in the host machine but the flight controller runs in the flgiht hardware.

Setting up PX4

• 13GB Storage
• At least 4GB memory
• VirtualBox/VMWare (Note: Virtual Machines do not work very well with Apple M1/2 Macs, therefore it's advised to use an Intel Based Machine.)

Running the PX4-SITL

Running the simulator

1. Download the VM image here.
2. Inside the VM, change the directory to the PX4: cd /home/student/Desktop/MP2/PX4-Autopilot/
3. To compile and start the simulation run: make px4_sitl gazebo
4. In PX4 command prompt, start the mp2 module mp2 start
5. In another terminal, change the directory to MP2 base directory: cd /home/student/Desktop/MP2/PX4-Autopilot/
6. If the run is successful, you should see the following:
7. In another terminal, change the directory to the MP2 base directory and run the offboard control: python3 mp2_offboard_control.py

MP II Instructions

1. Mavlink and Offboard Control

   • Mavlink is the messaging protocol used by UAVs and rovers which contains information regarding the sensor data, state of the vehicle, and status of the vehicle.
   • The protocol also contains commands to control the vehicle.
   • Offboard control is a method of controlling the UAV like a script.
   • For instance, the offboard control script can command the vehicle to move up by a meter or maintain certain velocity or attitude.
   • In this MP, we will be using MAVSDK-Python and the script is located in ~/Desktop/MP2/mp2_offboard_control.py
   • Check out the example script to implement the missions.
   • Also checkout the API documentation.
   • Implement linear mission
     • Place the setpoint to 10 meters above the ground for takeoff.
     • Laterally move the vehicle by placing a position setpoint anywhere in the same altitude.
     • Land where the vehicle was moved to.
   • Implement circular mission
     • Place the setpoint to 10 meters above the ground for takeoff.
     • Move the vehicle by placing multiple setpoints (at least 16) around the place of takeoff in a circular shape with radius equal to 20 meters
     • The circular mission does not need to be a perfect circle.
2. • When the script ends, the script outputs traj.npy in numpy format.
   • To read the data, use numpy.load().
   • The data is a matrix in following shape (# of logs, 6) where columns consists of (north_pos, east_pos, down_pos, north_vel, east_vel, down_vel).
   • Because the coordinates are in North, East, Down (NED) format, when the drone takes off, the down_pos value should be negative and decrease.
   • We provided a script which can run with the following command python3 mp2_plot_traj.py.
   • The script creates a window with a 3D plot which can be rotated using mouse can the plot can be saved using the save icon.
     
   • The red and blue points represent the starting point of the log and the end points of the log respectively (i.e., the vehicle moved from red point to the blue point following the line).
   • The blue point does not need to reach the ground since it only implies that the logging ended before the vehicle fully landed.
   • However, Make sure that the vehicle reaches the position before sending out the next command.
   • To read the latest position, use async with lock: and read from the variable velpos.

3. uORB: Understanding the middleware

   • We provided our skeleton module located in PX4-Autopilot/src/modules/mp2. However, it needs to subscribe to the vehicle_local_position. You must uncomment /* and */.
   • To subscribe to the topic, use orb_subscribe(ORB_ID(INSERT_TOPIC_NAME_HERE)) to get the subscription id.
   • Poll for the topic using px4_poll().
   • If the polling recieves the topic of interest, the data can be read by first creating the struct to hold the data: struct INSERT_TOPIC_NAME_s topic_msg.
     For example, to create a struct variable to hold the sensor_gyro message, use struct sensor_gyro_s var_name.
   • Copy the data to the struct using orb_copy(topic id, subscription id, reference to struct)(e.g., for sensor_gyro, it would be orb_copy(ORB_ID(sensor_gyro), gyro_sub_id, &var_name);.
   • Check out this link for a more indepth tutorial. Therefore for this task, subscribe to that topic and have the position information print out using PX4_INFO() which takes input like printf().

4. Man-In-The-Middle

   For this section:
   • We will hijack a topic by creating a custom uORB topic and causing the EKF module to publish to the malicious topic than the true topic.
   • EKF module will be publishing under a malicious uORB topic.
   • MP2 module will subscribe to the malicious topic and publish under the true topic with spoofed values.
   • We will look into four types of spoofing: constant offset, random offset, rotated, and scaled.

   1. Adjustments in Running the PX4-SITL

      For this section, there is an extra step where you have to run a server script. There are additional files which you must download from here which contains the mp2_server.py and mp2_lib. Later instructional steps will describe where to correctly extract the additional files.

      Running the simulator

      1. Start with the MP2 base directory: cd /home/student/Desktop/MP2
      2. Run the MP2 server: python3 mp2_server.py which should wait for the mp2 module in the PX4 to run
      3. In another terminal, change the directoy to cd /home/student/Desktop/MP2/PX4-Autopilot
      4. Compile and start the simulation by running: make px4_sitl gazebo
      5. In PX4 command prompt, start the mp2 module mp2 start
      6. In the third terminal, change the directory to the MP2 base directory and run the offboard control: python3 mp2_offboard_control.py

   2. Implementation Steps

      1. Create a custom message that has the same structure as the vehicle_local_position under a different name.
         1. Go to the msg in PX4-Autopilot directory
         2. Copy the vehicle_local_position.msg under a different name of your choosing.
         3. We will refer to it as vehicle_local_position_copy
         4. At the bottom of the vehicle_local_position.msg, there should be two commented out lines
         5. The commented out lines are responsible for it will be declared in #inlcude.
         6. Therefore, modify vehicle_local_position_copy.msg to make it distict from the original.
         7. Modify the msg/CMakeLists.txt by adding vehicle_local_position_copy.msg to set(msg_files).
      2. Hijack the vehicle_local_position topic.
         1. We want to modify the EKF module so that it publishes under the malicious topic.
         2. In side PX4-Autopilot/src/modules/ekf2/ we need to modify the EKF2Selector.cpp and EKF2Selector.hpp.
         3. In side EKF2Selector.hpp, first include the new message #include <uORB/topics/vehicle_local_position_copy.h>
         4. Then find the line uORB::Publication<vehicle_local_position_s> _vehicle_local_position_pub{ORB_ID(vehicle_local_position)}; which is responsible for publishing the topic.
         5. Replace it with uORB::Publication<vehicle_local_position_copy_s> _vehicle_local_position_pub{ORB_ID(vehicle_local_position_copy)}; to make the variable publish under different topic.
         6. Go to the EKF2Selector.cpp and find the function PublishVehicleLocalPosition().
         7. In the very last few lines of code, find the line where _vehicle_local_position_pub is used, create a struct of the new malicious and copy the vehicle_local_position struct to it using memcpy()
         8. Should look like this:
      3. Make the mp2 module communicate with the mp2_server.py.
         1. Download the additional files here which contains mp2_server.py and mp2_lib.cpp and mp2_lib.h
         2. Extract the mp2_server.py in the ~/Desktop/MP2/ directory.
         3. Extract the mp2_lib.cpp and mp2_lib.h in the ~/Desktop/MP2/PX4-Autopilot/src/modules/mp2 directory.
         4. Modify the mp2.hpp inside the modules/mp2
            1. Include the mp2_lib.h in mp2.hpp
            2. Add the following line Mp2Server * mp2server; to the private section of the MP2 class.
         5. Add mp2_lib.cpp and mp2_lib.h in CMakeLists.txt under SRC
         6. Modify the mp2.cpp inside the modules/mp2 to read the new topic.
            1. Initizlize the mp2server in the MP2contructor
            2. Subscribe to vehicle_local_position_copy instead of vehicle_local_position (refer to MP2 part A, remember to change the struct type as well).
            3. Inside the run() function, use mp2server.exfiltrate() to send the subscribed data to the server and mp2server.recieve() to get the offset values back from the server.
            4. Create vehicle_local_position struct and memcpy() the subscribed data to the struct.
            5. Add the values recieved from the server to the x, y, z position of the struct.
            6. Create publishing id (similar to how there was subscribe id in part A) using orb_advertise()
            7. Publish the topic using orb_publish()
      4. Implement the attack types in the mp2_server.py
         1. Find the "TODO:" flags in the script and implement the corresponding attack.
         2. Fixed offset attack adds fixed constant value (of your choosing) to each of the position values (specify the value you used in the report).
         3. Random offset attack adds random value in a specified range (of your choosing) to each of the position values (specify the range of values you used in the report).
         4. Flipped attack causes move in a trajectory where the X and Y positions are flipped.
         5. Scaled attack causes move in a trajectory where the X and Y movements are scaled by a constant (i.e., if the mission is for the vehicle to move along x axis by 2 meters, in actualality it would move by 2*constant).
         6. The mp2_server.py outputs exfil_traj.npy which can be used by the prior plotting script by finding changing the "traj.npy" to "exfil_traj.npy".
         Note: For each of the above missions, repeat them for the missions from the first section of this MP's Instructions, i.e. linear and circular.
         
         Also, the "mission" is finite time and only should attack between the interval where drone takes off and stop when it lands.

Submission Instructions

1. PX4
   • Plot of the trajectory of the two missions [3 points]
   • Your mp2_offboard_control and describe the implementation details in the report [4 points]
   • Your mp2.cpp module code [3 point]
2. Man-in-the-Middle Implementation
   • Man-In-The-Middle implementation (fixed offset, random offset, flipped, and scaled) description [2 points]
   • Plot of the missions with MitM implementations: two missions (linear and circular) on the four attack types [8 points]