Skip to content

Commit 4840ca8

Browse files
committed
Updated Module 04 README, scripts, and security setup
- Updated 'RTI Connext DDS' references to 'RTI Connext' - Reformatted README indentation and added colored status indicators - Added Threat Injector and Exfiltrator example screenshots - Fixed bug in setup_threat_security.sh (missing xml/signed directory) - Fixed STOP INJECTION button emoji rendering in ThreatInjector - Removed unused setup_security.py - Made launch scripts executable (+x) - Added screenshots of threat applications
1 parent 8d4035e commit 4840ca8

8 files changed

Lines changed: 28 additions & 279 deletions

File tree

modules/04-security-threat/README.md

Lines changed: 26 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Module 04: Security Threat Demonstration
22

3-
This module demonstrates the security properties of RTI Connext DDS by showing what happens when a malicious application attempts to tamper with surgical arm control commands or steal patient vital signs. Run it alongside [Module 01: Digital Operating Room](../01-operating-room/README.md) to observe attacks succeeding against an unsecured deployment and being blocked by DDS Security in a secured one.
3+
This module demonstrates the security properties of RTI Connext by showing what happens when a malicious application attempts to tamper with surgical arm control commands or steal patient vital signs. Run it alongside [Module 01: Digital Operating Room](../01-operating-room/README.md) to observe attacks succeeding against an unsecured deployment and being blocked by DDS Security in a secured one.
44

55
*Note, this module was developed and tested on Debian 11 (Bullseye) and Ubuntu 22.04 running under WSL2 on Windows 11. The instructions below assume a Debian/Ubuntu environment.*
66

@@ -20,39 +20,52 @@ Two Python GUI applications simulate different real-world attack scenarios again
2020

2121
### Threat Injector
2222

23+
![Threat Injector Example](../../resource/images/module-04-threat-injector-example.png)
24+
2325
The *Threat Injector* application publishes fabricated commands on Topics `t/MotorControl` and `t/DeviceCommand`, simulating an attacker attempting to disrupt the surgical arm or seize device control. It provides a GUI to select:
2426

25-
- **Attack Mode** — Unsecure, Rogue CA, Forged Permissions, or Expired Certificate (each affecting whether the DDS Security handshake succeeds or fails and why).
26-
- **Attack Type** — Motor Inject (continuous erratic joint commands at a configurable frequency), Command Inject PAUSE (one-shot), or Command Inject SHUTDOWN (one-shot).
27-
- **Frequency Slider** — Controls how many times per second the Motor Inject attack writes samples (only enabled when Motor Inject is selected and an attack is not already running).
27+
- **Attack Mode**. Each of these modes affects whether the DDS Security handshake succeeds or fails. See [Understanding Why Each Attack Is Blocked](#2-understanding-why-each-attack-is-blocked) to understand why the handshake and the attack can fail:
28+
- Unsecure
29+
- Rogue CA
30+
- Forged Permissions
31+
- Expired Certificate
32+
- **Attack Type**:
33+
- Motor Inject. This triggers continuous erratic joint commands at a configurable frequency.
34+
- Command Inject PAUSE (one-shot)
35+
- Command Inject SHUTDOWN (one-shot)
36+
- **Frequency Slider**
37+
- The slider controls how many times per second the Motor Inject attack writes samples.
38+
- This is only enabled when Motor Inject is selected and an attack is not already running.
2839

2940
Attack status is derived from `publication_matched_status` — the app checks whether its DataWriters have matched any remote subscribers. If a subscriber matches (unsecured OR is running), the status badge shows **ATTACKING** (green) and log entries appear as `[OK]`. If no subscriber matches (secured OR blocks the handshake), the status badge shows **NO ACCESS** (orange) and log entries appear as `[WARN]`.
3041

31-
An arm visualisation panel shows the injected motor commands in real time. The panel renders in colour when an attack mode is active and in grey when idle.
42+
An arm visualization panel shows the injected motor commands in real time. The panel renders in color when an attack mode is active and in grey when idle.
3243

3344
### Threat Exfiltrator
3445

46+
![Threat Exfiltrator Example](../../resource/images/module-04-threat-exfiltrator-example.png)
47+
3548
The *Threat Exfiltrator* application subscribes to the `t/Vitals` topic, displaying patient vital signs as if harvesting them for unauthorised use. Attack status is derived from `subscription_matched_status` — when the exfiltrator's DataReader matches a remote publisher, the status badge shows **ACCESS GRANTED** and live heart rate, SpO₂, EtCO₂, and NiBP values stream in. When no match occurs (secured OR), the vitals panels show `---` and the status badge shows **NO ACCESS**.
3649

3750
### Status States
3851

3952
Both applications use the following status states:
4053

41-
| Status | Colour | Meaning |
54+
| Status | Color | Meaning |
4255
| --- | --- | --- |
43-
| **IDLE** | Grey | No attack mode selected |
44-
| **ACCESS GRANTED** | Green | DDS matched — data path is open |
45-
| **ATTACKING** | Green | Actively writing samples that reach a subscriber (injector only) |
46-
| **NO ACCESS** | Orange | No DDS match — security or configuration is blocking the connection |
47-
| **ATTACK FAILED** | Red | Participant creation itself failed (e.g. expired certificate rejected at startup) |
56+
| **IDLE** | **Grey** | No attack mode selected |
57+
| **ACCESS GRANTED** | 🟢 **Green** | DDS matched — data path is open |
58+
| **ATTACKING** | 🟢 **Green** | Actively writing samples that reach a subscriber (injector only) |
59+
| **NO ACCESS** | 🟠 **Orange** | No DDS match — security or configuration is blocking the connection |
60+
| **ATTACK FAILED** | 🔴 **Red** | Participant creation itself failed (e.g. expired certificate rejected at startup) |
4861

4962
---
5063

5164
## Setup and Installation
5265

5366
### 1. See Module 01 Setup and Installation
5467

55-
Installation and build steps from [Module 01: Digital Operating Room](../01-operating-room/README.md#setup-and-installation) satisfy the prerequisites for this module. Specifically, ensure RTI Connext DDS and its Python bindings (`rti.connextdds`) are installed and that the `NDDSHOME` environment variable is set.
68+
Installation and build steps from [Module 01: Digital Operating Room](../01-operating-room/README.md#setup-and-installation) satisfy the prerequisites for this module. Specifically, ensure RTI Connext and its Python bindings (`rti.connextdds`) are installed and that the `NDDSHOME` environment variable is set.
5669

5770
### 2. Install Additional Python Dependencies
5871

@@ -126,7 +139,7 @@ The Activity Log and status badge update in real time.
126139
| Vitals exfiltrate | Secured | Rogue CA | Status: **NO ACCESS**; vitals panels show `---` | *Patient Monitor* continues normally |
127140
| Vitals exfiltrate | Secured | Expired Cert | Status: **ATTACK FAILED**; participant creation blocked | *Patient Monitor* continues normally |
128141

129-
> **Observe:** When the OR is running in unsecured mode and you select **Motor Inject → LAUNCH ATTACK**, the *Arm* GUI in Module 01 begins receiving the fabricated commands and the arm visualisation moves erratically — even though no legitimate operator is sending commands. Switch the OR to secured mode (restart with `-s`) and repeat: the arm in Module 01 is completely unaffected, and the injector's status changes to **NO ACCESS**.
142+
> **Observe:** When the OR is running in unsecured mode and you select **Motor Inject → LAUNCH ATTACK**, the *Arm* GUI in Module 01 begins receiving the fabricated commands and the arm visualization moves erratically — even though no legitimate operator is sending commands. Switch the OR to secured mode (restart with `-s`) and repeat: the arm in Module 01 is completely unaffected, and the injector's status changes to **NO ACCESS**.
130143
131144
> **Observe:** When you switch between Rogue CA and Forged Permissions modes, both result in **NO ACCESS** because the DDS Security handshake fails at different stages — but the observable result from the threat app's perspective is the same: no publication match, no data flowing.
132145

modules/04-security-threat/scripts/launch_exfiltrator.sh

100644100755
File mode changed.

modules/04-security-threat/scripts/launch_injector.sh

100644100755
File mode changed.

modules/04-security-threat/security/setup_threat_security.sh

100644100755
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,7 @@ openssl smime -sign \
7272
-inkey rogue_ca/private/RogueCaPrivateKey.pem
7373

7474
# Sign governance with rogue CA (for RogueCA mode threat participant's own governance)
75+
mkdir -p xml/signed
7576
openssl smime -sign \
7677
-in "xml/GovernanceDomain0.xml" \
7778
-text \

modules/04-security-threat/src/ThreatInjector.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -549,7 +549,7 @@ def log(self, level: str, msg: str):
549549

550550
def set_launch_btn_active(self, active: bool):
551551
if active:
552-
self.launch_btn.setText(" STOP INJECTION")
552+
self.launch_btn.setText(" STOP INJECTION")
553553
self.launch_btn.setStyleSheet(f"""
554554
QPushButton {{
555555
background-color: {RTI_ORANGE};
172 KB
Loading
82.3 KB
Loading

system_arch/security/setup_security.py

Lines changed: 0 additions & 265 deletions
This file was deleted.

0 commit comments

Comments
 (0)