Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Florencia Cabral Berenfus
on 25 May 2022

ROS 2 Humble security, a tour of the new and improved features


We’re excited about the recent release of ROS 2 Humble Hawksbill, a Long Term Support (LTS) distro, supported for the next five years. ROS 2 releases come out on every even-numbered year together with the LTS release of Ubuntu, this time with Ubuntu 22.04 (Jammy Jellyfish). 

Earlier this week, we shared a step-by-step guide to install ROS 2 Humble in Ubuntu 20.04 or 18.04 using LXD containers, that will allow you to easily install it on your current Ubuntu station. So, take a few minutes to check that out as well!

Let’s dive into the new developments available to you when you start using Humble. And if this is the first time you hear about ROS, here is a good place to start.

What is new in ROS 2 Humble?

ROS 2 Humble Hawksbill. Image source

Humble comes with a host of new code and tutorials. For instance, ‘launch’ incorporated the pytest plugin ‘launch_pytest’. And when using ‘launch_ros’ you can now provide ROS-specific node arguments directly, without a leading ‘–ros-args’ flag. ROS 2 Humble also offers new frontend support for composable nodes. Just as exciting are content-filtered topics that allow a more sophisticated subscription to topics. Finally, the ros2cli saw an expansion, with a new  ‘–launch-prefix’ argument. This feature allows passing a prefix to all executables in a launch file, useful in many debugging situations. These are just a few examples of the amazing work the ROS community has done to reach this milestone.

But particularly interesting to us are security enhancing developments, as they continuously  increase trust in ROS 2, with each release the most secure one yet. This time, we are seeing yet new enhancements to the security features of ROS with the addition of Certificate Revocation Lists (CRL) to the SROS2 toolbox. Let’s take a closer look at ROS 2 Humble security features.

What are CRLs, and what can they do for your robot?

For those of you who are new to security in ROS 2, a reminder that ROS 2 includes tools that help create and load the needed artefacts to enable DDS-security. The SROS2 package in particular provides the tools and instructions to enable these features. This is a great place to start using these tools on your robot.

Specifically, SROS2 introduced the concept of a security “enclave”, defined as a process or group of processes that will share the same identity and access control rules. As in public key infrastructure, the Certificate Authority (CA) acts as a trust anchor, validating the identities and permissions of participants. Again, there is great documentation available to satisfy your technical curiosity of all the elements in ROS 2 security, such as these tutorials.

But let us come back to CRL. In short, a Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing CA before their expiration date. A CRL works essentially as a blocklist of certificates that are no longer trusted. 

As of Humble, it is possible to include a CRL with an SROS2 security enclave. 

Certificate revocation is an essential component of the certificate process to establish and maintain trust. For example, a certificate can be revoked if its integrity is at risk. This could result from a key being compromised or lost due to modification of privileges, misuse, or termination.

Try ROS 2 Humble security today 

Try this new feature for yourself now! This tutorial follows the usual talker/listener example and will show you exactly how to set up a Certificate Revocation List on your robot today.

As always, we would love to hear about your ROS project! Reach out to us.

Related posts


Canonical
4 December 2024

Canonical announces Ubuntu Security Research Alliance Program 

Canonical announcements Article

Today, Canonical, the publisher of Ubuntu, announced its new Ubuntu Security Research Alliance Program, a free partnership between Canonical and open source vulnerability scanning organizations. The goal is to ensure vulnerability data is more transparent and standardized, while improving on-platform security for Ubuntu users through more ...


eslerm
19 November 2024

Needrestart local privilege escalation vulnerability fixes available

Ubuntu Article

Qualys discovered vulnerabilities which allow a local attacker to gain root privileges in the needrestart package (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, and CVE-2024-11003) and a related issue in libmodule-scandeps-perl (CVE-2024-10224). The vulnerabilities affect Debian, Ubuntu and other Linux distributions. Canonical’s securit ...


Luci Stanescu
28 October 2024

Imagining the future of Cybersecurity

Ubuntu Security

October 2024 marks the 20th anniversary of Ubuntu. The cybersecurity landscape has significantly shifted since 2004. If you have been following the Ubuntu Security Team’s special three-part series podcast that we put out to mark Cybersecurity Awareness Month, you will have listened to us talk about significant moments that have shaped the ...