UAV Resilience Against Stealthy Attacks

Arthur Amorim, Max Taylor, Trevor Kann, Gary T. Leavens, William L. Harrison, Lance Joneckis

TL;DR

The paper tackles UAV security by addressing both software vulnerabilities and stealthy protocol attacks that can be exploited via MAVLink. It introduces an integrated architecture that fuses HACMS-style seL4 isolation with DATUM runtime monitoring to defend against attackers who can compromise the GCS and onboard network drivers. Through three case studies (inaccurate bounds, precondition violations, and resource misusage), it demonstrates how isolation and runtime verification jointly mitigate these stealthy attacks, supported by SITL-based evaluation on ArduPilot and PX4 showing manageable latency and memory overhead. The work has practical implications for retrofitting legacy UAVs, enabling secure, verifiable communication and resilient operation in real-world MAVLink deployments.

Abstract

Unmanned aerial vehicles (UAVs) depend on untrusted software components to automate dangerous or critical missions, making them a desirable target for attacks. Some work has been done to prevent an attacker who has either compromised a ground control station or parts of a UAV's software from sabotaging the vehicle, but not both. We present an architecture running a UAV software stack with runtime monitoring and seL4-based software isolation that prevents attackers from both exploiting software bugs and carrying out stealthy attacks. Our architecture retrofits legacy UAVs and secures the popular MAVLink protocol, making wide adoption possible.

Paper Structure

This paper contains 37 sections, 1 equation, 3 figures, 3 tables.

Figures (3)

  • Figure 1: The goal of our approach is to retrofit legacy flight control software to use DATUM in a HACMS-style architecture. HACMS successfully prevents an adversary from gaining control of a UAV by compromising unverified software but fails to address stealthy attacks. Dynamic verification approaches, like DATUM, prevent stealthy attacks from compromising a UAV but do not address software vulnerabilities. Our approach uses the strength of both of these architectures to prevent a variety of attacks against compromised software and faulty protocols.
  • Figure 2: Our approach isolates the network stack from DATUM and the FCS. This ensures DATUM and the FCS receive packets via entirely separate mechanisms in the Linux kernel. A bug in one kernel mechanism will not affect other software stacks, protecting DATUM and the FCS from compromise.
  • Figure 3: Our system integrates protocol specifications written in DATUM, FCS, and seL4. The final system is tested and validated using existing SITL infrastructure.