You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/04-security-threat/README.md
+26-13Lines changed: 26 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
# Module 04: Security Threat Demonstration
2
2
3
-
This module demonstrates the security properties of RTI Connext DDS by showing what happens when a malicious application attempts to tamper with surgical arm control commands or steal patient vital signs. Run it alongside [Module 01: Digital Operating Room](../01-operating-room/README.md) to observe attacks succeeding against an unsecured deployment and being blocked by DDS Security in a secured one.
3
+
This module demonstrates the security properties of RTI Connext by showing what happens when a malicious application attempts to tamper with surgical arm control commands or steal patient vital signs. Run it alongside [Module 01: Digital Operating Room](../01-operating-room/README.md) to observe attacks succeeding against an unsecured deployment and being blocked by DDS Security in a secured one.
4
4
5
5
*Note, this module was developed and tested on Debian 11 (Bullseye) and Ubuntu 22.04 running under WSL2 on Windows 11. The instructions below assume a Debian/Ubuntu environment.*
6
6
@@ -20,39 +20,52 @@ Two Python GUI applications simulate different real-world attack scenarios again
The *Threat Injector* application publishes fabricated commands on Topics `t/MotorControl` and `t/DeviceCommand`, simulating an attacker attempting to disrupt the surgical arm or seize device control. It provides a GUI to select:
24
26
25
-
-**Attack Mode** — Unsecure, Rogue CA, Forged Permissions, or Expired Certificate (each affecting whether the DDS Security handshake succeeds or fails and why).
26
-
-**Attack Type** — Motor Inject (continuous erratic joint commands at a configurable frequency), Command Inject PAUSE (one-shot), or Command Inject SHUTDOWN (one-shot).
27
-
-**Frequency Slider** — Controls how many times per second the Motor Inject attack writes samples (only enabled when Motor Inject is selected and an attack is not already running).
27
+
-**Attack Mode**. Each of these modes affects whether the DDS Security handshake succeeds or fails. See [Understanding Why Each Attack Is Blocked](#2-understanding-why-each-attack-is-blocked) to understand why the handshake and the attack can fail:
28
+
- Unsecure
29
+
- Rogue CA
30
+
- Forged Permissions
31
+
- Expired Certificate
32
+
-**Attack Type**:
33
+
- Motor Inject. This triggers continuous erratic joint commands at a configurable frequency.
34
+
- Command Inject PAUSE (one-shot)
35
+
- Command Inject SHUTDOWN (one-shot)
36
+
-**Frequency Slider**
37
+
- The slider controls how many times per second the Motor Inject attack writes samples.
38
+
- This is only enabled when Motor Inject is selected and an attack is not already running.
28
39
29
40
Attack status is derived from `publication_matched_status` — the app checks whether its DataWriters have matched any remote subscribers. If a subscriber matches (unsecured OR is running), the status badge shows **ATTACKING** (green) and log entries appear as `[OK]`. If no subscriber matches (secured OR blocks the handshake), the status badge shows **NO ACCESS** (orange) and log entries appear as `[WARN]`.
30
41
31
-
An arm visualisation panel shows the injected motor commands in real time. The panel renders in colour when an attack mode is active and in grey when idle.
42
+
An arm visualization panel shows the injected motor commands in real time. The panel renders in color when an attack mode is active and in grey when idle.
The *Threat Exfiltrator* application subscribes to the `t/Vitals` topic, displaying patient vital signs as if harvesting them for unauthorised use. Attack status is derived from `subscription_matched_status` — when the exfiltrator's DataReader matches a remote publisher, the status badge shows **ACCESS GRANTED** and live heart rate, SpO₂, EtCO₂, and NiBP values stream in. When no match occurs (secured OR), the vitals panels show `---` and the status badge shows **NO ACCESS**.
36
49
37
50
### Status States
38
51
39
52
Both applications use the following status states:
40
53
41
-
| Status |Colour| Meaning |
54
+
| Status |Color| Meaning |
42
55
| --- | --- | --- |
43
-
|**IDLE**| Grey | No attack mode selected |
44
-
|**ACCESS GRANTED**| Green | DDS matched — data path is open |
45
-
|**ATTACKING**| Green | Actively writing samples that reach a subscriber (injector only) |
46
-
|**NO ACCESS**| Orange | No DDS match — security or configuration is blocking the connection |
47
-
|**ATTACK FAILED**| Red | Participant creation itself failed (e.g. expired certificate rejected at startup) |
56
+
|**IDLE**|⚪ **Grey**| No attack mode selected |
57
+
|**ACCESS GRANTED**|🟢 **Green**| DDS matched — data path is open |
58
+
|**ATTACKING**|🟢 **Green**| Actively writing samples that reach a subscriber (injector only) |
59
+
|**NO ACCESS**|🟠 **Orange**| No DDS match — security or configuration is blocking the connection |
Installation and build steps from [Module 01: Digital Operating Room](../01-operating-room/README.md#setup-and-installation) satisfy the prerequisites for this module. Specifically, ensure RTI Connext DDS and its Python bindings (`rti.connextdds`) are installed and that the `NDDSHOME` environment variable is set.
68
+
Installation and build steps from [Module 01: Digital Operating Room](../01-operating-room/README.md#setup-and-installation) satisfy the prerequisites for this module. Specifically, ensure RTI Connext and its Python bindings (`rti.connextdds`) are installed and that the `NDDSHOME` environment variable is set.
56
69
57
70
### 2. Install Additional Python Dependencies
58
71
@@ -126,7 +139,7 @@ The Activity Log and status badge update in real time.
126
139
| Vitals exfiltrate | Secured | Rogue CA | Status: **NO ACCESS**; vitals panels show `---`|*Patient Monitor* continues normally |
> **Observe:** When the OR is running in unsecured mode and you select **Motor Inject → LAUNCH ATTACK**, the *Arm* GUI in Module 01 begins receiving the fabricated commands and the arm visualisation moves erratically — even though no legitimate operator is sending commands. Switch the OR to secured mode (restart with `-s`) and repeat: the arm in Module 01 is completely unaffected, and the injector's status changes to **NO ACCESS**.
142
+
> **Observe:** When the OR is running in unsecured mode and you select **Motor Inject → LAUNCH ATTACK**, the *Arm* GUI in Module 01 begins receiving the fabricated commands and the arm visualization moves erratically — even though no legitimate operator is sending commands. Switch the OR to secured mode (restart with `-s`) and repeat: the arm in Module 01 is completely unaffected, and the injector's status changes to **NO ACCESS**.
130
143
131
144
> **Observe:** When you switch between Rogue CA and Forged Permissions modes, both result in **NO ACCESS** because the DDS Security handshake fails at different stages — but the observable result from the threat app's perspective is the same: no publication match, no data flowing.
0 commit comments