Home

Awesome

Robot Vulnerability Database (RVD)

<a href="http://www.aliasrobotics.com"><img src="https://www.aliasrobotics.com/img/LOGO-alias.svg" align="left" hspace="8" vspace="2" width="200"></a>

Article

This repository contains the Robot Vulnerability and Database (RVD), an attempt to register and record robot vulnerabilities and bugs.

Vulnerabilities are rated according to the Robot Vulnerability Scoring System (RVSS). For a discussion regarding terminology and the difference between robot vulnerabilities, robot weaknesses, robot bugs or others refer to Appendix A.

<details><summary>Cite this work (BibTeX)</summary>
@article{vilches2019introducing,
  title={Introducing the robot vulnerability database (rvd)},
  author={Vilches, V{'\i}ctor Mayoral and Juan, Lander Usategui San and Dieber, Bernhard and Carbajo, Unai Ayucar and Gil-Uriarte, Endika},
  journal={arXiv preprint arXiv:1912.11299},
  year={2019}
}

</details>

As main contributor, Alias Robotics supports and offers robot cybersecurity activities in close collaboration with original robot manufacturers. By no means Alias encourages or promote the unauthorized tampering with running robotic systems. This can cause serious human harm and material damages.

Last updated Sat, 25 Feb 2023 10:07:12 GMT

OpenClosedAll
Vulnerabilitieslabel: vulns_openlabel: vulns_closedlabel: vulns
Bugslabel: bugs_openlabel: bugs_closedlabel: bugs
Otherslabel: others_openlabel: others_closedlabel: others
Vulnerabilities (open)label: vulns_criticallabel: vulns_highlabel: vulns_mediumlabel: vulns_low
<details><summary><b>Robot vulnerabilities by robot component</b></summary>

By robot components, we consider both software and hardware robot components

</details> <details><summary><b>Robot vulnerabilities by robot</b></summary> </details> <details><summary><b>Robot vulnerabilities by vendor</b></summary> </details>

For more, visit the complete list of reported robot vulnerabilities.

ToC

Concepts

Each RVD issue (ticket) corresponds with a flaw that is labeled appropriately. The meaning of the most relevant labels or statuses is covered below. Refer to the appendices for definitions on the terminology used:

For more including the categorization used for flaws refer to RVD's taxonomy

Sponsored and funded projects

ROS

Last updated Sat, 25 Feb 2023 10:07:12 GMT

OpenClosedAll
ROS Vulnerabilitieslabel: vulns_open_roslabel: vulns_closed_roslabel: vulns_ros
ROS Bugslabel: bugs_open_roslabel: bugs_closed_roslabel: bugs_ros
ROS Otherslabel: others_open_roslabel: others_closed_roslabel: others_ros
Severity of ROS Vulnerabilities (open and if available)label: vulns_critical_roslabel: vulns_high_roslabel: vulns_medium_roslabel: vulns_low_ros

ROS 2

Last updated Sat, 25 Feb 2023 10:07:12 GMT

OpenClosedAll
ROS 2 Vulnerabilitieslabel: vulns_open_ros2label: vulns_closed_ros2label: vulns_ros2
ROS 2 Bugslabel: bugs_open_ros2label: bugs_closed_ros2label: bugs_ros2
ROS 2 Otherslabel: others_open_ros2label: others_closed_ros2label: others_ros2
Severity of ROS 2 Vulnerabilities (open and if available)label: vulns_critical_ros2label: vulns_high_ros2label: vulns_medium_ros2label: vulns_low_ros2

Disclosure policy

Together with RVD, we propose a coherent diclosure policy adopted first by Alias Robotics. Thee disclosure policy is highly inspired by Google's Project Zero. TL;DR, unless otherwise specified, we adhere to a 90-day disclosure deadline for new vulnerabilities.

This policy is strongly in line with our desire to improve the robotics industry response times to security bugs, but also results in softer landings for bugs marginally over deadline. According to our research, most vendors are ignoring security flaws completely. We call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim (we've actually done so, from Google's) if you find our record and reasoning compelling. Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. Given the direct physical connection with the world that robots have, in our opinion, vulnerability disclosure policies such as ours result in greater security in robotics and an overall improved safety. A security-first approach is a must to ensure safe robotic operations.

The maintainers of RVD believe that vulnerability disclosure is a two-way street where both vendors and researchers, must act responsibly. We generally adhere to a 90-day disclosure deadline for new vulnerabilities while other flaws such as simple bugs or bugs could be filed at any point in time (refer to Appendix A for the difference between vulnerabilities, bugs and bugs). We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.

Similar to Google's policy, we want to acknowledge that the deadline can vary in the following ways:

Each security researcher or group should reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally and we expect to be held to the same standard.

CI/CD setup

In an attempt to lower the overall effort to maintain the Robot Vulnerability Database, RVD attempts to make active use of Continuous Integration (CI) and Continuous Deployment (CD) techniques through Github Actions. See our configurations here. Contributions and new ideas to this section are welcome. Please submit a Pull Request with your proposal or enhancement.

Below we list some of the existing capabilities (some deprecated in the current setup) and some tentative ones for future versions:

Beta (>= 0.5)

1.x (>= 1.0)

Future

Contributing, reporting a vulnerability

Vulnerabilities are community-contributed. If you believe you have discovered a vulnerability in a robot or robot component (either software or hardware), obtain public acknowledgement by submitting a vulnerability while providing prove of it. Reports can be submitted in the form of an issue.

If you wish to contribute to the RVD repository's content, please note that this document (README.md) is generated automatically. Submit the corresponding PRs by looking at the rvd_tools/ folder. If you need some inspiration or ideas to contribute, refer to CI/CD setup.

Contact us or send feedback

Feel free to contact us if you have any requests of feedaback at contact[at]aliasrobotics[dot]com

Automatic pings for manufacturers

By default, new vulnerabilities are reported to manufacturers and/or open source projects however other flaws aren't. Alias Robotics can inform manufacturers directly when bugs are reported. If you're interested in this service, contact contact[at]aliasrobotics[dot]com.

Cite our work

@article{vilches2019introducing,
  title={Introducing the robot vulnerability database (rvd)},
  author={Mayoral-Vilches, V{'\i}ctor and Juan, Lander Usategui San and Dieber, Bernhard and Carbajo, Unai Ayucar and Gil-Uriarte, Endika},
  journal={arXiv preprint arXiv:1912.11299},
  year={2019}
}

Appendices

Appendix A: Vulnerabilities, weaknesses, bugs and more

Research on terminology

Commonly:

According to CWE:

Moreover, according to CVE page:

ISO/IEC 27001 defines only vulnerability:

Discussion and interpretation

From the definitions above, it seems reasonable to associate use interchangeably bugs and flaws when referring to software issues. In addition, the word weakness seems applicable to any flaw that might turn into a vulnerability however it must be noted that (from the text above) a vulnerability "must be exploited"). Based on this a clear difference can be established classifiying flaws with no potential to be exploitable as bugs and flaws potentially exploitable as vulnerabilities. Ortogonal to this appear exposures which refer to misconfigurations that allows attackers to establish an attack vector in a system.

Beyond pure logic, an additional piece of information that comes out of researching other security databases is that most security-oriented databases do not distinguish between bugs (general bugs) and weaknesses (security bugs).

Based in all of the above, we interpret and make the following assumptions for RVD:

Appendix B: How does RVD relate to CVE, the CVE List and the NVD?

Some definitions:

RVD does not aim to replace CVE but to <ins>complement it for the domain of robotics</ins>. RVD aims to become CVE-compatible (see official guidelines for compatibility) by tackling aspects such scope and impact of the flaws (through a proper severity scoring mechanism for robots), information for facilitating mitigation, detailed technical information, etc. For a more detailed discussion, see this ROS Discourse thread.

When compared to other vulnerability databases, RVD aims to differenciate itself by focusing on the following:

As part of RVD, we encourage security researchers to file CVE Entries and use official CVE identifiers for their reports and discussions at RVD.

Appendix C: Legal disclaimer

ACCESS TO THIS DATABASE (OR PORTIONS THEREOF) AND THE USE OF INFORMATION, MATERIALS, PRODUCTS OR SERVICES PROVIDED THROUGH THIS WEB SITE (OR PORTIONS THEREOF), IS NOT INTENDED, AND IS PROHIBITED, WHERE SUCH ACCESS OR USE VIOLATES APPLICABLE LAWS OR REGULATIONS.

By using or accessing this database you warrant to Alias Robotics S.L. that you will not use this Web site for any purpose that is unlawful or that is prohibited. This product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability. In no event will Alias Robotics S.L. be liable for any incidental, indirect, consequential, punitive or special damages of any kind, or any other damages whatsoever, including, without limitation, those resulting from loss of profit, loss of contracts, loss of reputation, goodwill, data, information, income, anticipated savings or business relationships, whether or not Alias Robotics S.L. has been advised of the possibility of such damage, arising out of or in connection with the use of this database or any linked websites."

These Terms of Use are made under Spanish law and this database is operated from Vitoria-Gasteiz, Spain. Access to, or use of, this database site or information, materials, products and/or services on this site may be prohibited by law in certain countries or jurisdictions. You are responsible for compliance with any applicable laws of the country from which you are accessing this site. We make no representation that the information contained herein is appropriate or available for use in any location.

You agree that the courts of Vitoria-Gasteiz, Spain shall have exclusive jurisdiction to resolve any controversy or claim of whatever nature arising out of or relating to use of this site. However, we retain the right to bring legal proceedings in any jurisdiction where we believe that infringement of this agreement is taking place or originating.


<!-- ROSIN acknowledgement from the ROSIN press kit @ https://github.com/rosin-project/press_kit --> <a href="http://rosin-project.eu"> <img src="http://rosin-project.eu/wp-content/uploads/rosin_ack_logo_wide.png" alt="rosin_logo" height="60" > </a></br>

Supported by ROSIN - ROS-Industrial Quality-Assured Robot Software Components. More information: <a href="http://rosin-project.eu">rosin-project.eu</a>

<img src="http://rosin-project.eu/wp-content/uploads/rosin_eu_flag.jpg" alt="eu_flag" height="45" align="left" >

This repository was partly funded by ROSIN RedROS2-I FTP which received funding from the European Union’s Horizon 2020 research and innovation programme under the project ROSIN with the grant agreement No 732287.