Enabling Deep Visibility into VxWorks-Based Embedded Controllers in Cyber-Physical Systems for Anomaly Detection
We propose the DIVER (Defensive Implant for Visibility into Embedded Run-times) framework for real-time deep visibility into embedded control devices in cyber-physical systems (CPSs). DIVER enables run-time detection of anomalies and is targeted at devices running the real-time operating system (RTOS), VxWorks, which precludes traditional methods of implementing dynamic monitors using OS (e.g., Linux, Windows) functions. DIVER has two components. The "measurer" implant is embedded into the VxWorks kernel to collect run-time measurements and provide interactive/streaming interfaces over a TCP/IP port. The remote "listener" acquires and analyzes the measurements and provides an interactive user interface. DIVER focuses on small embedded devices with stringent resource constraints (e.g., insufficient storage to locally store measurements). We demonstrate efficacy of DIVER on the Motorola ACE Remote Terminal Unit used in CPS including power systems.
View on arXiv@article{krishnamurthy2025_2504.17875,
title={ Enabling Deep Visibility into VxWorks-Based Embedded Controllers in Cyber-Physical Systems for Anomaly Detection },
author={ Prashanth Krishnamurthy and Ramesh Karri and Farshad Khorrami },
journal={arXiv preprint arXiv:2504.17875},
year={ 2025 }
}