The Data Distribution Service (DDS) Protocol is Critical: Let's Use it Securely!

Abstract

We discovered and disclosed vulnerabilities in most of the OMG Data Distribution Service (DDS) implementations. DDS enables crucial technologies like autonomous driving, healthcare machinery, military tactical systems, or missile launch stations. Notably, DDS is used by NASA at the KSC, by SIEMENS for smart grid applications, by Volkswagen and Bosch for autonomous valet parking systems, by NAV CANADA for ATC, and by the Robot Operating System 2 (ROS2) to control industrial and consumer robots. Designed around industrial-level requirements, DDS sits deep in the control network, allowing an arbitrary number of endpoints like sensors or actuators to communicate transparently, with an abstract API based on familiar data type specifications (e.g., C structs) and simple function calls, regardless of the complexity of the data. We approached DDS from the bottom up, and we will show you how we wrote a Scapy layer to guide you through the packet structure. Although network fuzzing wasn’t directly effective, it greatly helped us to master the tiny details of DDS. This led us to find an amplification vulnerability in the standard, which allows an attacker to redirect flood an arbitrary host. DDS configuration is highly dependent on XML, JSON, YAML, or similar formats, which make them another attack vector. By writing a Radamsa-based file fuzzer we found a parsing vulnerability in RTI DDS Connector, so an attacker can use a malicious configuration file to gain initial access. We then focus on fuzzing the message interpretation routines in all implementations. Using concrete examples, we explain how to pick good fuzz targets and prepare them for popular frameworks like OSS-Fuzz and UnicornAFL. We take you from knowing nothing about DDS to efficiently researching new vulnerabilities, which we encourage other researchers, DDS users and implementors to do. We report on our interactions with some of the DDS implementors, which we believe is the first concrete step towards securing this critical protocol in the long run. We release fuzzing harnesses and a Scapy layer to decode the DDS RTPS layer.

Date
Nov 8, 2021 12:00 AM
Location
London, UK