Difference between revisions of "ROSRV"

From FSL
ROSRV is a runtime verification framework for the [http://www.ros.org/ Robot Operating System (ROS)]. ROS is an open-source framework for robot software development, providing operating system-like functionality on a heterogeneous computer cluster. With the wide adoption of ROS, its safety and security are becoming an important problem. ROSRV works as a transparent monitoring infrastructure that intercepts the commands and messages passing through the system and performs monitoring actions upon events of interest. Safety and security properties can be defined in a formal specification language and are ensured by monitors generated automatically from those specifications.

== Getting Started ==

ROSRV integrates seamlessly with ROS. Its two purposes are (1) monitoring safety properties and (2) enforcing security policies. Its core is a runtime monitoring infrastructure that intercepts, observes and optionally modifies messages passing through the system, checking the system's runtime behavior against user-defined safety properties and performing the desired actions. For automatic monitor generation from formal specifications, ROSRV depends on [[ROSMOP|ROSMOP]]. To address security concerns, ROSRV regulates the system state and the execution of commands by enforcing a user-defined access control policy.
  
 
=== Download ===

<preserve>
<table width=720 border=0 cellpadding=0 cellspacing=0>
<tr>
<td width=170 align=left valign=top>
<b>Download the source code</b><br>
<a href="https://github.com/runtimeverification/ROSRV">ROSRV on GitHub</a><br>
</td>
<td width=20>
</td>
<td width=270 align=left valign=top>
<b>Prerequisites</b><br>
<a href=http://git-scm.com/book/en/Getting-Started-Installing-Git target=_blank>Git</a> (1.8 or later)<br>
<a href=http://wiki.ros.org/groovy target=_blank>ROS Groovy Galapagos</a><br>
<a href=http://fsl.cs.illinois.edu/index.php/ROSMOP target=_blank>ROSMOP</a> (Please check the ROSMOP Installation guide)<br>
</td>
</tr>
</table>
</preserve>

RVMaster archive: [http://fsl.cs.illinois.edu/images/6/6c/Rvmaster.tar.gz rvmaster]

(Our framework currently works on Ubuntu 12.04 with the ROS Groovy distribution release)
  
=== How to Install ===

* Run <font face=Courier>git clone --recursive https://github.com/runtimeverification/ROSRV.git</font> to check out the source code from the GitHub repository, including ROSMOP.

* Add <font face=Courier><ROSRV_HOME>/bin</font> to your PATH.

* Run

<code>
cd <ROSRV_HOME>
catkin_make
</code>

* Make sure the target package builds successfully.

You can read more about how to use ROSRV [https://github.com/runtimeverification/ROSRV/blob/master/docs/Usage.md here].

=== Compile ===

To generate monitors out of event specifications, first you have to compile the ROSMOP tool. Go to the <font face=Courier>rosmop</font> directory and call

: <font face=Courier>ant</font>

For the monitor generation and the compilation of RVMaster with the generated code, call the script <font face=Courier>rosmop</font> with event specification(s) as input. For example:

: <font face=Courier>rosmop monitors/landshark_monitors/</font>

or

: <font face=Courier>rosmop monitors/turtlesim/color.rv</font>

=== Run ===

<font face=Courier>rvcore</font>: runs ROSMaster and RVMaster

<font face=Courier>rvsim</font>: runs the LandShark simulator (requires Webots) <br>
(to run '''''turtlesim''''' instead, use: <font face=Courier>rosrun turtlesim turtlesim_node</font>)

<font face=Courier>rvjoystick</font>: runs the joystick controller <br>
(to run the '''''turtlesim controller''''' instead, use: <font face=Courier>rosrun turtlesim turtle_teleop_key</font>)

=== Monitoring options ===

<font face=Courier>rosrv</font>

: <font face=Courier>-enable</font>: enables the given monitor(s)
: <font face=Courier>-disable</font>: disables the given monitor(s)
: <font face=Courier>-list</font>: lists the active monitors
: <font face=Courier>-rvstate</font>: lists the status of RVMaster regarding monitors

=== Bug Report ===

If you experience any problems with ROSRV, please open a new issue on the [https://github.com/runtimeverification/ROSRV/issues Issues Page] of the project.

== Event Specification ==

All the specifications are provided by users, and ROSRV generates C++ code automatically from them. Each event generates one callback method, and all the callback methods are registered by RVMaster. Parameters of events are treated as references to fields in the monitored messages, so users can modify messages in the event handler code. Event handlers (i.e. actions) are inserted in the callback methods and called by RVMaster at runtime. Event specification names are used to identify the monitors; by using those names, one can enable or disable the desired monitors, and hence control which events take place.

The basic form of a user-defined event specification is the following:

<code>
#include <library>
spec(){
int i;
bool b;

event event1(parameters) topic messageType '{pattern}'
{
//action code
}
}
</code>

The following event specification defines a monitor which makes sure the robot doesn't shoot itself.

In this specification, there are two events, <font face=Courier>checkPoint</font> and <font face=Courier>safeTrigger</font>, each with its own parameters and topic. On each topic only a certain type of message can be sent and received, and that type is also given in the event signature.

The <font face=Courier>checkPoint</font> event checks whether the gun is at a safe position to trigger, i.e. <font face=Courier>position > -0.45</font> (not pointing at itself). It listens to the topic <font face=Courier>/landshark/joint_states</font> with the message type <font face=Courier>sensor_msgs/JointState</font>. The fields of the message type are accessed by naming the parameters of interest in the event pattern, as done here: the elements <font face=Courier>name[1]</font> and <font face=Courier>position[1]</font> of the message's two arrays, <font face=Courier>name</font> and <font face=Courier>position</font>, are bound to the variables <font face=Courier>monitored_name</font> and <font face=Courier>monitored_position</font>, respectively. These parameters are used in the action code of the event to check the validity of the message content. Note that <font face=Courier>isSafeTrigger</font> is initialised to false, so a trigger message is blocked until a joint state showing a safe pose has been observed.

For clarity, please check out our <font size="3">[[#Demo|demo]]</font>.

<code>
#include <stdint.h>

safeTrigger() {
    bool isSafeTrigger = false;

    event checkPoint(std::string monitored_name, double monitored_position) /landshark/joint_states sensor_msgs/JointState '{name[1]:monitored_name, position[1]:monitored_position}'
    {
        if(monitored_name=="turret_tilt")
        {
            if(monitored_position > -0.45){
                isSafeTrigger = true;
                ROS_INFO("Safe to trigger");
            }else{
                isSafeTrigger = false;
                ROS_INFO("Not safe to trigger");
            }
        }
    }

    event safeTrigger() /landshark_control/trigger landshark_msgs/PaintballTrigger '{}'
    {
        if(!isSafeTrigger)
        {
            ROS_WARN("Monitor: Not allowed to trigger in this pose!");
            return;
        }
    }
}
</code>
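To make the coupling between the two events concrete, here is an added plain-Python model of the safeTrigger specification above (example code written for this page, not ROSRV or ROSMOP output). It keeps the spec's state variable and its -0.45 threshold but goes slightly beyond the spec by finding turret_tilt by name in the JointState arrays instead of assuming it is name[1]; the run_trace helper and EXAMPLE_TRACE are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Sequence

SAFE_TILT = -0.45  # the spec's threshold: position > -0.45 means the gun is not pointing at the robot


@dataclass
class SafeTriggerMonitor:
    """Same state as the spec: check_point updates is_safe_trigger, safe_trigger consults it."""
    is_safe_trigger: bool = False            # initial value from the spec: deny until a pose is seen
    log: List[str] = field(default_factory=list)

    def check_point(self, names: Sequence[str], positions: Sequence[float]) -> None:
        """Handler for a sensor_msgs/JointState message on /landshark/joint_states."""
        if len(names) != len(positions) or "turret_tilt" not in names:
            return                               # malformed or unrelated message: state unchanged
        tilt = positions[names.index("turret_tilt")]   # lookup by name, not the spec's fixed name[1]
        self.is_safe_trigger = tilt > SAFE_TILT
        self.log.append("Safe to trigger" if self.is_safe_trigger else "Not safe to trigger")

    def safe_trigger(self) -> bool:
        """Handler for landshark_msgs/PaintballTrigger on /landshark_control/trigger.
        Returns True when the message may pass, False when the monitor drops it."""
        if not self.is_safe_trigger:
            self.log.append("Monitor: Not allowed to trigger in this pose!")
            return False
        return True


def run_trace(monitor: SafeTriggerMonitor, events) -> List[bool]:
    """Feed ('joint', names, positions) and ('trigger',) events in order; return the trigger decisions."""
    decisions = []
    for ev in events:
        if ev[0] == "joint":
            monitor.check_point(ev[1], ev[2])
        else:
            decisions.append(monitor.safe_trigger())
    return decisions


# Constructed trace: a trigger before any pose is known, one in a safe pose,
# and one after the turret is tilted down exactly to the threshold (strict > fails).
EXAMPLE_TRACE = [
    ("trigger",),
    ("joint", ["turret_pan", "turret_tilt"], [0.10, 0.20]),
    ("trigger",),
    ("joint", ["turret_pan", "turret_tilt"], [0.10, -0.45]),
    ("trigger",),
]
```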
== Access Control ==

ROSRV enforces access control based on a user-provided specification of access policies, supplied as an input configuration. On receiving any XMLRPC request from a node, RVMaster decides, according to that specification, whether the request is allowed to go on to the ROSMaster.

The policies are currently categorized into four different sections. Under each section, an access policy is written as a key followed by an assignment symbol and a list of values.

<font face=Courier>[Nodes]</font>: ''key'' = node name, ''value'' = machine identity allowed to create the specified nodes

<font face=Courier>[Subscribers]</font>: ''key'' = topic name, ''value'' = node identity allowed to subscribe to the topic

<font face=Courier>[Publishers]</font>: ''key'' = topic name, ''value'' = node identity allowed to publish to the topic

<font face=Courier>[Commands]</font>: ''key'' = command name, ''value'' = node identity allowed to perform the command

The following is a sample access control policy for LandShark.

- The <font face=Courier>[Groups]</font> section defines three groups of IP addresses.

- In the <font face=Courier>[Nodes]</font> section, “<font face=Courier>default=localhost</font>” means that by default “<font face=Courier>localhost</font>” is allowed to create a node with any name, and “<font face=Courier>/landshark_radar=certikos</font>” means that the alias “<font face=Courier>certikos</font>” is allowed to create a node with the name “<font face=Courier>/landshark_radar</font>”.

- In <font face=Courier>[Publishers]</font>, only nodes running on machine “<font face=Courier>ocu</font>” can publish to topic “<font face=Courier>/landshark_control/trigger</font>”.

- In <font face=Courier>[Commands]</font>, “<font face=Courier>getSystemState=localhost certikos ocu</font>” means that nodes running on machines “<font face=Courier>localhost</font>”, “<font face=Courier>certikos</font>”, or “<font face=Courier>ocu</font>” are allowed to send “<font face=Courier>getSystemState</font>” requests to the ROS Master, and “<font face=Courier>shutdown=localhost</font>” that only nodes on “<font face=Courier>localhost</font>” are allowed to “<font face=Courier>shutdown</font>” other nodes.

<code>
[Groups]
localhost = 127.0.0.1
certikos = ip1 ip2 ip3 ip4
ocu = ip5 ip6 ip7 ip8

[Nodes]
default=localhost
/landshark_radar=certikos

[Publishers]
default=localhost certikos
/landshark_control/trigger= ocu

[Subscribers]
default = localhost certikos
/landshark/gps = ocu

[Commands]
# Commands: full access
getSystemState = localhost certikos ocu
# Commands: limited access
lookupNode = localhost certikos
# Commands: local access only
shutdown = localhost
</code>
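As an added illustration (not ROSRV's own implementation), the following Python parses a policy in this format and evaluates a request against it. The decision semantics are assumed from the description above rather than taken from ROSRV's source: an exact key replaces the section's default entry, group names expand to the IPs listed under [Groups], and anything unlisted is denied; SAMPLE_POLICY is the page's sample with its ip1..ip8 placeholders, constructed inline so the block runs offline.

```python
from typing import Dict, List, Set
Policy = Dict[str, Dict[str, List[str]]]  # section -> key -> identities

def parse_policy(text: str) -> Policy:
    """Parse '[Section]' headers and 'key = v1 v2 ...' lines; '#' starts a comment."""
    policy: Policy = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            policy.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, values = line.partition("=")
            policy[section][key.strip()] = values.split()
        else:
            raise ValueError(f"unparseable policy line: {raw!r}")
    return policy

def expand(policy: Policy, names: List[str]) -> Set[str]:
    """Replace group aliases by the IPs listed under [Groups]; other values are literal."""
    groups = policy.get("Groups", {})
    out: Set[str] = set()
    for n in names:
        out.update(groups.get(n, [n]))
    return out

def is_allowed(policy: Policy, section: str, key: str, ip: str) -> bool:
    """Exact key wins, otherwise the section's 'default'; no entry at all means deny (assumed)."""
    rules = policy.get(section, {})
    entry = rules.get(key, rules.get("default"))
    return entry is not None and ip in expand(policy, entry)

# Constructed sample: the page's LandShark policy (ip1..ip8 are the page's placeholders).
SAMPLE_POLICY = """
[Groups]
localhost = 127.0.0.1
certikos = ip1 ip2 ip3 ip4
ocu = ip5 ip6 ip7 ip8
[Publishers]
default=localhost certikos
/landshark_control/trigger= ocu
[Commands]
getSystemState = localhost certikos ocu   # full access
shutdown = localhost                      # local access only
"""
```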

== Demo ==

Watch our demo to see how the monitors interact with the robot [http://www.blackirobotics.com LandShark UGV] [2]:

<iframe width="854" height="514" src="//www.youtube.com/embed/8M6wikTwmjY?rel=0" frameborder="0" modestbranding="1" showinfo="0" allowfullscreen></iframe>
== References ==

[1] [http://www.ros.org/ ROS]

[2] The LandShark UGV is a product of [http://www.blackirobotics.com Black-i Robotics]

Revision as of 20:31, 21 November 2014
