Robotics

Enhancing ROS 2 Network Visibility and Attribution with eBPF Kernel Probes

A new open-source tool tracks network packets to specific ROS 2 processes in real-time.

Deep Dive

Phesagan Ravi has open-sourced BotGuard-Core, an eBPF-powered security monitor built specifically for ROS 2 deployments. Unlike tools that inspect DDS message content at the middleware layer, BotGuard-Core works at the Linux kernel level to attribute network traffic in real time. It attaches eBPF uprobes to rmw_create_node, so every node creation is recorded as it happens and mapped to the calling process's PID and binary name. For external visibility, it uses an eBPF Traffic Control (TC) classifier on the ingress path to pull the source IP and MAC address out of incoming RTPS discovery packets, which lets it separate traffic from local processes from traffic sent by external network participants. Two practical limits follow from the design: uprobes only see processes on the host where they are loaded, and a source MAC identifies the sender only on the local Layer 2 segment (for routed traffic it is the last-hop router's address), so the IP is what carries attribution across subnets.
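To make the TC side concrete, the following is an added example written for this page; it is not BotGuard-Core's code. It models in user space the decision an eBPF ingress classifier has to make per frame: bounds-checked parsing of Ethernet/IPv4/UDP, recognition of an RTPS datagram by its "RTPS" magic and a well-known SPDP discovery port, and extraction of the source MAC, source IP and GUID prefix. The port arithmetic follows the DDS-RTPS specification (PB=7400, DG=250, PG=2, d0=0, d1=10). Everything else is constructed for the example: the frames, the addresses, the vendor id in the RTPS header, and the "local if the source IP belongs to this host" rule, which is an assumed attribution policy, not the tool's documented one.

```python
"""Added example, not BotGuard-Core's own code: a user-space model of the
decision an eBPF TC ingress classifier makes per frame. Frames, addresses,
vendor id and the local-address set below are constructed."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
# RTPS well-known port parameters (DDS-RTPS spec, section 9.6.1.1):
#   discovery multicast = PB + DG*domain + D0
#   discovery unicast   = PB + DG*domain + D1 + PG*participant
PB, DG, PG, D0, D1 = 7400, 250, 2, 0, 10


@dataclass
class RtpsAttr:
    src_mac: str
    src_ip: str
    dst_port: int
    domain_id: int
    kind: str         # "multicast" or "unicast" discovery
    guid_prefix: str  # 12-byte GUID prefix from the RTPS header, hex
    origin: str       # "local" or "external" (assumed policy: src IP in local set)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def discovery_port_info(dst_port: int) -> Optional[Tuple[int, str]]:
    """Map a UDP destination port to (domain_id, kind) if it is an SPDP
    discovery port; user-data ports (offsets 1 and 11+2p) return None."""
    if dst_port < PB:
        return None
    domain, off = divmod(dst_port - PB, DG)
    if off == D0:
        return domain, "multicast"
    if off >= D1 and (off - D1) % PG == 0:
        return domain, "unicast"
    return None


def classify_frame(frame: bytes, local_ips: set) -> Optional[RtpsAttr]:
    """Bounds-checked parse of the kind the eBPF verifier insists on.
    Returns None for anything that is not an RTPS discovery datagram."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl or ip[9] != IPPROTO_UDP:
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    _, dst_port, udp_len = struct.unpack("!HHH", udp[:6])
    payload = udp[8:udp_len]
    # RTPS header: magic(4) major(1) minor(1) vendorId(2) guidPrefix(12)
    if len(payload) < 20 or payload[:4] != b"RTPS":
        return None
    info = discovery_port_info(dst_port)
    if info is None:
        return None
    domain, kind = info
    origin = "local" if src_ip in local_ips else "external"
    return RtpsAttr(mac_str(src_mac), src_ip, dst_port, domain, kind,
                    payload[8:20].hex(), origin)


def _ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Construct an Ethernet/IPv4/UDP frame (sample input for the example only)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                      IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    return eth + hdr + udp


def rtps_header(guid_prefix: bytes) -> bytes:
    """RTPS 2.3 header with a constructed vendor id; real packets carry submessages after it."""
    return b"RTPS" + bytes([2, 3]) + b"\x01\x0f" + guid_prefix


LOCAL_IPS = {"192.168.1.10"}  # constructed: addresses of this host's own interfaces
# Constructed samples: a foreign host announcing on the domain-0 multicast port,
# a local process on the domain-1 unicast discovery port, and a non-RTPS datagram.
EXTERNAL_FRAME = build_frame("aa:bb:cc:dd:ee:01", "01:00:5e:7f:00:01", "192.168.1.77",
                             "239.255.0.1", 45000, 7400, rtps_header(bytes(range(12))))
LOCAL_FRAME = build_frame("02:42:ac:11:00:02", "02:42:ac:11:00:03", "192.168.1.10",
                          "192.168.1.10", 7660, 7660, rtps_header(b"\x01" * 12))
NON_RTPS_FRAME = build_frame("aa:bb:cc:dd:ee:02", "01:00:5e:7f:00:01", "192.168.1.78",
                             "239.255.0.1", 5000, 7400, b"hello")

if __name__ == "__main__":
    for name, f in (("external", EXTERNAL_FRAME), ("local", LOCAL_FRAME), ("non-rtps", NON_RTPS_FRAME)):
        print(name, classify_frame(f, LOCAL_IPS))
```

In the kernel the same parse is done with direct packet access or bpf_skb_load_bytes under the verifier's bounds checks, and each attribution record would be handed to user space through a ring buffer rather than returned; only the decision logic is modelled here. Note that the MAC recorded this way is trustworthy only for senders on the same Layer 2 segment.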

This addresses a gap that SROS2 does not close. SROS2 and VPNs protect the confidentiality and authenticity of messages, but they do not tell an operator which host, or which process on a host, is putting traffic on the wire: an unauthorized actor can still plug into a switch port or flood the network with impersonated discovery announcements. BotGuard-Core acts as a "Zero Trust" sentinel below the middleware layer, attributing such traffic to a device or process without the overhead of full packet capture. The developer is seeking community feedback on how it should be integrated, whether as a standalone security dashboard or as an extension of existing tooling such as ros2 node list. The project is available on GitHub, with discussion ongoing about its use in complex multi-robot environments.

Key Points
  • BotGuard-Core uses eBPF Uprobes to capture ROS 2 node creation events instantly, resolving them to PIDs and binary names.
  • It employs eBPF TC classifiers to extract source IP and MAC addresses from RTPS discovery traffic for external attribution.
  • It complements SROS2 by attributing, in real time and without full packet capture, traffic from devices that physically join the network or impersonate DDS participants.

Why It Matters

Kernel-level attribution closes a critical observability gap, enabling Zero Trust security in real-world multi-robot deployments.