From a461e4c8a89f00d730ab82190fc57d25dd4ce3d8 Mon Sep 17 00:00:00 2001 From: ruffsl Date: Sat, 22 Feb 2020 11:13:11 -0800 Subject: [PATCH] Extend multiple contexts per process section --- articles/ros2_security_contexts.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/articles/ros2_security_contexts.md b/articles/ros2_security_contexts.md index ce68495eb..530ba1c3e 100644 --- a/articles/ros2_security_contexts.md +++ b/articles/ros2_security_contexts.md 
@@ -232,13 +232,17 @@ For circumstances where the context path is orthogonal to node namespace, the us Before the use of contexts, multiple nodes composed into a single process where each mapped to a separate participant. Each participant subsequently load an security identity and access control credential prevalent to its' respective node. The composition of multiple nodes per context however, inevitably means that code compiled to node `foo` could access credentials/permissions only trusted to node `bar`. -This consequence of composition could unintendedly subvert the minimal spanning policy as architected by the designer or measured/generated via ROS 2 tooling/IDL. +This consequence of composition could unintendedly subvert the minimal spanning policy as architected by the policy designer or measured/generated via ROS 2 tooling/IDL. With the introduction of contexts, it becomes possible to describe the union of access control permission by defining a collection of SROS 2 policy profiles as element within a specific context. This would allow for formal analysis tooling to check for potential violations in information flow control given the composing of nodes at runtime. However, should multiple contexts be used per process, then such security guaranties are again lost. Thus it should be asked whether if multiple contexts per process should even be supported. +In summery, the distinction here is that before, the composition of multiple permissions could not be conveyed to the tooling. +Whether nodes could gain the permission of others in the same process space is not the hinge point of note; it's the fact that such side effects could not be formally modeled or accounted for by the designer. +Allowing for multiple contexts per process again exacerbates the same modeling inaccuracies + ## References 1. [Procedurally Provisioned Access Control for Robotic Systems](https://doi.org/10.1109/IROS.2018.8594462)
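Review bot: the new closing sentence "Allowing for multiple contexts per process again exacerbates the same modeling inaccuracies" has no terminating period, and the added summary also introduces "summery" (should be "summary"); since the same hunk already touches this paragraph, it would be worth fixing the neighbouring pre-existing typos in the context lines too ("guaranties" for "guarantees", "unintendedly" for "unintentionally", "its'" for "its", "Each participant subsequently load" for "loads"), so the section reads cleanly in one pass. On substance, the summary says the hinge point is that cross-node permission side effects "could not be formally modeled or accounted for by the designer", but it does not say what the reader should do with that conclusion, while the sentence just above it asks "whether if multiple contexts per process should even be supported"; a one-line statement of the intended answer or recommendation (for example, that tooling should at least warn when a process loads more than one context) would close the argument rather than leaving it as an open question.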