CyFence: Securing Cyber-Physical Controllers via Trusted Execution Environment

• URL: http://arxiv.org/abs/2506.10638v1
• Date: Thu, 12 Jun 2025 12:22:45 GMT
• Title: CyFence: Securing Cyber-Physical Controllers via Trusted Execution Environment
• Authors: Stefano Longari, Alessandro Pozone, Jessica Leoni, Mario Polino, Michele Carminati, Mara Tanelli, Stefano Zanero,
• Abstract summary: Cyber-physical systems (CPSs) have experienced a significant technological evolution and increased connectivity, at the cost of greater exposure to cyber-attacks.<n>We propose CyFence, a novel architecture that improves the resilience of closed-loop control systems against cyber-attacks by adding a semantic check.<n>We evaluate CyFence considering a real-world application, consisting of an active braking digital controller, demonstrating that it can mitigate different types of attacks with a negligible overhead.
• Score: 45.86654759872101
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: In the last decades, Cyber-physical Systems (CPSs) have experienced a significant technological evolution and increased connectivity, at the cost of greater exposure to cyber-attacks. Since many CPS are used in safety-critical systems, such attacks entail high risks and potential safety harms. Although several defense strategies have been proposed, they rarely exploit the cyber-physical nature of the system. In this work, we exploit the nature of CPS by proposing CyFence, a novel architecture that improves the resilience of closed-loop control systems against cyber-attacks by adding a semantic check, used to confirm that the system is behaving as expected. To ensure the security of the semantic check code, we use the Trusted Execution Environment implemented by modern processors. We evaluate CyFence considering a real-world application, consisting of an active braking digital controller, demonstrating that it can mitigate different types of attacks with a negligible computation overhead.

Related papers

• CANDoSA: A Hardware Performance Counter-Based Intrusion Detection System for DoS Attacks on Automotive CAN bus [45.24207460381396]
  This paper presents a novel Intrusion Detection System (IDS) designed for the Controller Area Network (CAN) environment.<n>A RISC-V-based CAN receiver is simulated using the gem5 simulator, processing CAN frame payloads with AES-128 encryption as FreeRTOS tasks.<n>Results indicate that this approach could significantly improve CAN security and address emerging challenges in automotive cybersecurity.
  arXiv  Detail & Related papers  (2025-07-19T20:09:52Z)
• Enabling Security on the Edge: A CHERI Compartmentalized Network Stack [42.78181795494584]
  CHERI provides strong security from the hardware level by enabling fine-grained compartmentalization and memory protection.<n>Our case study examines the trade-offs of isolating applications, TCP/IP libraries, and network drivers on a CheriBSD system deployed on the Arm Morello platform.
  arXiv  Detail & Related papers  (2025-07-07T09:37:59Z)
• Towards Safety and Security Testing of Cyberphysical Power Systems by Shape Validation [42.350737545269105]
  complexity of cyberphysical power systems leads to larger attack surfaces to be exploited by malicious actors.<n>We propose to meet those risks with a declarative approach to describe cyber power systems and automatically evaluate security and safety controls.
  arXiv  Detail & Related papers  (2025-06-14T12:07:44Z)
• Towards Centralized Orchestration of Cyber Protection Condition (CPCON) [0.0]
  U.S. Cyber Command (USCYBERCOM) Cyber Protection Condition (CPCON) framework mandates graduated security postures across DoD networks.<n>Current implementation remains largely manual, inconsistent, and error-prone.<n>This paper presents a prototype system for centralized orchestration of CPCON directives, enabling automated policy enforcement and real-time threat response.
  arXiv  Detail & Related papers  (2025-05-19T01:53:28Z)
• CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations [53.036288487863786]
  We propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations.<n>It detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature.<n>We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs.
  arXiv  Detail & Related papers  (2025-05-14T13:37:07Z)
• A Virtual Cybersecurity Department for Securing Digital Twins in Water Distribution Systems [39.58317527488534]
  Digital twins (DTs) help improve real-time monitoring and decision-making in water distribution systems.<n>Their connectivity makes them easy targets for cyberattacks such as scanning, denial-of-service (DoS), and unauthorized access.<n>We present a Virtual Cybersecurity Department (VCD), an affordable and automated framework designed for SMEs.
  arXiv  Detail & Related papers  (2025-04-28T21:14:48Z)
• ACRIC: Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
  Recent security incidents in safety-critical industries exposed how the lack of proper message authentication enables attackers to inject malicious commands or alter system behavior.<n>These shortcomings have prompted new regulations that emphasize the pressing need to strengthen cybersecurity.<n>We introduce ACRIC, a message authentication solution to secure legacy industrial communications.
  arXiv  Detail & Related papers  (2024-11-21T18:26:05Z)
• Countering Autonomous Cyber Threats [40.00865970939829]
  Foundation Models present dual-use concerns broadly and within the cyber domain specifically. Recent research has shown the potential for these advanced models to inform or independently execute offensive cyberspace operations. This work evaluates several state-of-the-art FMs on their ability to compromise machines in an isolated network and investigates defensive mechanisms to defeat such AI-powered attacks.
  arXiv  Detail & Related papers  (2024-10-23T22:46:44Z)
• Smart Grid Security: A Verified Deep Reinforcement Learning Framework to Counter Cyber-Physical Attacks [2.159496955301211]
  Smart grids are vulnerable to strategically crafted cyber-physical attacks. Malicious attacks can manipulate power demands using high-wattage Internet of Things (IoT) botnet devices. Grid operators overlook potential scenarios of cyber-physical attacks during their design phase. We propose a safe Deep Reinforcement Learning (DRL)-based framework for mitigating attacks on smart grids.
  arXiv  Detail & Related papers  (2024-09-24T05:26:20Z)
• Security Modelling for Cyber-Physical Systems: A Systematic Literature Review [7.3347982474177185]
  Cyber-physical systems (CPS) are at the intersection of digital technology and engineering domains. Prominent cybersecurity attacks on CPS have brought attention to the vulnerability of these systems. This literature review delves into state-of-the-art research in CPS security modelling, encompassing both threat and attack modelling.
  arXiv  Detail & Related papers  (2024-04-11T07:41:36Z)
• GRAVITAS: Graphical Reticulated Attack Vectors for Internet-of-Things Aggregate Security [5.918387680589584]
  Internet-of-Things (IoT) and cyber-physical systems (CPSs) may consist of thousands of devices connected in a complex network topology. We describe a comprehensive risk management system, called GRAVITAS, for IoT/CPS that can identify undiscovered attack vectors.
  arXiv  Detail & Related papers  (2021-05-31T19:35:23Z)
• Constraints Satisfiability Driven Reinforcement Learning for Autonomous Cyber Defense [7.321728608775741]
  We present a new hybrid autonomous agent architecture that aims to optimize and verify defense policies of reinforcement learning (RL) We use constraints verification (using satisfiability modulo theory (SMT)) to steer the RL decision-making toward safe and effective actions. Our evaluation of the presented approach in a simulated CPS environment shows that the agent learns the optimal policy fast and defeats diversified attack strategies in 99% cases.
  arXiv  Detail & Related papers  (2021-04-19T01:08:30Z)
• A System for Efficiently Hunting for Cyber Threats in Computer Systems Using Threat Intelligence [78.23170229258162]
  We build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, and (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors.
  arXiv  Detail & Related papers  (2021-01-17T19:44:09Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.