pith. sign in

arxiv: 2607.01356 · v1 · pith:L4WRNGDLnew · submitted 2026-07-01 · 💻 cs.CR · cs.SY· eess.SY

Chameleon: Recovering Cyber-Physical Systems from Memory Corruption Attacks via ML Surrogates

Pith reviewed 2026-07-03 20:11 UTC · model grok-4.3

classification 💻 cs.CR cs.SYeess.SY
keywords cyber-physical systemsmemory corruption attacksmachine learning surrogatessystem recoveryrobotic vehiclescompartment-based designattack mitigation
0
0 comments X

The pith

Chameleon recovers cyber-physical systems from memory corruption attacks by replacing compromised compartments with machine learning surrogates.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Chameleon, a framework that trains machine learning surrogates for individual compartments in cyber-physical systems. These surrogates mimic the behavior of the original compartments but avoid the memory corruption vulnerabilities. When an attack is detected, the system swaps in the surrogate instead of stopping or simplifying the task. This matters for safety-critical applications like robotic vehicles because halting execution can lead to dangerous outcomes. Evaluations show the surrogates match original behavior closely and allow task completion with low overhead.

Core claim

Chameleon generates ML surrogates at compartment granularity that approximate original compartment behavior with an average R squared of 0.96. It replaces compromised compartments with these surrogates upon attack detection to recover the system. Tests on seven robotic vehicles demonstrate recovery from real memory corruption attacks while maintaining low performance and memory overhead.

What carries the argument

ML-based surrogate trained at compartment granularity, which approximates compartment behavior without sharing the same vulnerabilities.

Load-bearing premise

Machine learning surrogates can be made accurate enough for safety-critical use without adding unacceptable errors or new risks.

What would settle it

A test case where a surrogate's approximation error causes the robotic vehicle to fail its task or violate safety constraints under a memory corruption attack.

Figures

Figures reproduced from arXiv: 2607.01356 by Karthik Pattabiraman, Mohsen Salehi.

Figure 1
Figure 1. Figure 1: RV Control Loop. In addition to flight control, autopilot software supports the following functionalities: ground communication, which maintains telemetry with a ground control station (GCS); mission management, which involves defining mission plans and controlling operational modes such as takeoff and land￾ing; and safety monitoring, which handles obstacle avoid￾ance. Autopilot software operates as a peri… view at source ↗
Figure 2
Figure 2. Figure 2: An example function of the update receive task with an injected buffer overflow vulnerability. networks (RNNs) that computes arithmetic operations on fixed weight matrices to predict the next output. As shown in [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: High-level architecture of the LSTM-based surro [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: Overview of Chameleon’s operation, including its four main phases: the first three are performed offline, while the fourth is performed online. compartmentalization policy (i.e., task-based partitioning in Chameleon), the algorithm groups related functions into in￾dividual partitions called compartments, aiming to minimize calls between compartments at runtime. Additionally, all data shared across compartm… view at source ↗
Figure 6
Figure 6. Figure 6: Real RV systems used in the experimental setup. [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Predictive performance-overhead trade-off across [PITH_FULL_IMAGE:figures/full_fig_p010_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Training and validation loss convergence over 10 [PITH_FULL_IMAGE:figures/full_fig_p010_8.png] view at source ↗
Figure 11
Figure 11. Figure 11: Surrogate model evaluation on a different com [PITH_FULL_IMAGE:figures/full_fig_p011_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: Deviation under attack across five different mis [PITH_FULL_IMAGE:figures/full_fig_p012_12.png] view at source ↗
read the original abstract

Cyber-physical systems (CPSs) are increasingly deployed in every aspect of our lives and can be compromised through memory corruption vulnerabilities, allowing attackers to hijack the control flow and take over the system. Existing techniques mostly focus on detecting such attacks but respond by terminating or halting execution upon attack detection, which is not acceptable in CPSs used in safety-critical tasks, as interrupted tasks can have catastrophic consequences. Other techniques replace compromised CPS components with simplified defaults that degrade system behavior, or reboot the system upon attack detection. We propose Chameleon, a novel framework for automatically recovering CPSs from memory corruption attacks using machine learning (ML)-based surrogates trained at compartment granularity that nearly replicate their original compartments' behavior but do not have the same memory corruption vulnerabilities. Upon attack detection, Chameleon replaces the compromised compartment with its trained surrogate. We implemented Chameleon using the LLVM compiler and evaluated its efficiency and effectiveness on seven different robotic vehicles (RVs), including simulated and real ones. We found that Chameleon can generate surrogates that closely approximate the original compartments (with an average R$^2$=0.96), successfully recover the system despite real-world memory corruption attacks unlike prior approaches, and complete their tasks while incurring low performance and memory overhead.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 0 minor

Summary. The paper presents Chameleon, a framework that trains ML surrogates at the granularity of software compartments to approximate the behavior of original CPS components. Upon detecting memory corruption attacks, the system swaps in the surrogate to continue operation without the vulnerabilities of the original code. Evaluation on seven robotic vehicles (simulated and real) reports an average R² of 0.96 for surrogate fidelity, successful task completion under real-world attacks, and low performance/memory overhead, contrasting with prior detection-only or degrading approaches.

Significance. If the surrogates can be shown to preserve closed-loop stability and safety invariants under attack-induced state corruption, the work would meaningfully advance recovery techniques for safety-critical CPS by avoiding catastrophic interruption. The evaluation across multiple vehicles and the compartment-level granularity are positive aspects, but the current evidence does not yet establish these safety properties.

major comments (3)
  1. [Abstract] Abstract: the central recovery claim—that surrogates enable successful recovery despite real-world memory corruption attacks—is unsupported because R²=0.96 quantifies nominal behavioral match but provides no bound on worst-case state deviation, timing jitter, or feedback-loop stability when the original compartment state is corrupted by the attack.
  2. [Abstract] Abstract/Evaluation: no information is supplied on training data selection, validation splits, attack injection method, or statistical significance testing, which are load-bearing for the empirical claim of R²=0.96 and recovery success on seven vehicles.
  3. [Abstract] Abstract: the manuscript contains no Lyapunov-style analysis, reachability verification, or closed-loop experiments that inject memory corruption and then measure whether the surrogate keeps the vehicle inside its original safety envelope, leaving the safety-critical applicability unestablished.

Simulated Author's Rebuttal

3 responses · 1 unresolved

We thank the referee for the thoughtful review and for highlighting the importance of establishing safety properties for CPS recovery techniques. We address each major comment below. Where the manuscript lacks formal analysis or methodological detail, we agree revisions are needed to clarify scope and limitations.

read point-by-point responses
  1. Referee: [Abstract] Abstract: the central recovery claim—that surrogates enable successful recovery despite real-world memory corruption attacks—is unsupported because R²=0.96 quantifies nominal behavioral match but provides no bound on worst-case state deviation, timing jitter, or feedback-loop stability when the original compartment state is corrupted by the attack.

    Authors: We agree that an average R² of 0.96 measures nominal fidelity and does not by itself bound worst-case deviation, jitter, or closed-loop stability. The manuscript supports the recovery claim through end-to-end experiments in which memory corruption attacks are injected into real and simulated vehicles; the surrogate-enabled system completes the original tasks without catastrophic failure. This constitutes empirical evidence of practical closed-loop behavior under attack, but we acknowledge it falls short of formal worst-case guarantees. We will revise the abstract and add a dedicated limitations paragraph to distinguish empirical task-completion results from formal stability bounds. revision: partial

  2. Referee: [Abstract] Abstract/Evaluation: no information is supplied on training data selection, validation splits, attack injection method, or statistical significance testing, which are load-bearing for the empirical claim of R²=0.96 and recovery success on seven vehicles.

    Authors: The full evaluation section describes compartment-level data collection from nominal executions, the use of cross-validation, the attack models (including concrete memory-corruption payloads), and the seven-vehicle test suite. However, these details are not summarized in the abstract, and explicit statistical significance tests are not reported. We will expand the abstract with a concise methods summary and add statistical analysis (e.g., confidence intervals on R²) to the evaluation section. revision: yes

  3. Referee: [Abstract] Abstract: the manuscript contains no Lyapunov-style analysis, reachability verification, or closed-loop experiments that inject memory corruption and then measure whether the surrogate keeps the vehicle inside its original safety envelope, leaving the safety-critical applicability unestablished.

    Authors: The manuscript does not contain Lyapunov analysis, reachability verification, or quantitative safety-envelope measurements. The reported closed-loop experiments do inject memory corruption and record task completion, which serves as an indirect practical indicator that the vehicle remains operational. We agree this does not formally establish invariant preservation. We will revise the abstract and discussion to explicitly state the absence of formal verification and to frame the contribution as an empirical recovery technique rather than a formally verified safety solution. revision: partial

standing simulated objections not resolved
  • Formal Lyapunov-style analysis or reachability verification of the surrogate-augmented closed-loop system, which the current empirical study does not provide and would require a substantially different research methodology.

Circularity Check

0 steps flagged

No circularity; empirical results only

full rationale

The paper reports measured outcomes from implementation and evaluation on seven robotic vehicles: surrogates achieve average R²=0.96, recover from real attacks, and incur low overhead. No equations, derivations, fitted parameters renamed as predictions, or self-citation chains appear in the provided text. Claims rest on direct experimental data rather than any reduction of outputs to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The approach rests on the domain assumption that ML models can faithfully replicate compartment behavior without inheriting the original vulnerabilities; no free parameters or invented entities are named in the abstract.

axioms (1)
  • domain assumption ML surrogates can be trained to replicate compartment behavior accurately enough for safety-critical use while eliminating the original memory corruption vulnerabilities
    This premise is required for the replacement strategy to be viable and is invoked by the core proposal in the abstract.

pith-pipeline@v0.9.1-grok · 5762 in / 1223 out tokens · 20975 ms · 2026-07-03T20:11:13.001803+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

80 extracted references · 3 canonical work pages · 1 internal anchor

  1. [1]

    {PatchVerif}: Discovering faulty patches in robotic vehicles,

    H. Kim, M. O. Ozmen, Z. B. Celik, A. Bianchi, and D. Xu, “{PatchVerif}: Discovering faulty patches in robotic vehicles,” in 32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 3011–3028

  2. [2]

    Ardupilot software in the loop,

    “Ardupilot software in the loop,” https://ardupilot.org/dev/docs/sitl-si mulator-software-in-the-loop.html, Last Accessed, June 2026

  3. [3]

    Px4 open source autopilot,

    “Px4 open source autopilot,” https://docs.px4.io/main/en/, Last Ac- cessed, June 2026

  4. [4]

    Hafix: Hardware-assisted flow integrity extension,

    O. Arias, L. Davi, M. Hanreich, Y . Jin, P. Koeberl, D. Paul, A.-R. Sadeghi, and D. Sullivan, “Hafix: Hardware-assisted flow integrity extension,” 2015

  5. [5]

    Control-flow integrity principles, implementations, and applications,

    M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, “Control-flow integrity principles, implementations, and applications,”ACM Trans- actions on Information and System Security (TISSEC), vol. 13, no. 1, pp. 1–40, 2009

  6. [6]

    Securing software by enforcing data-flow integrity,

    M. Castro, M. Costa, and T. Harris, “Securing software by enforcing data-flow integrity,” inProceedings of the 7th symposium on Operat- ing systems design and implementation, 2006, pp. 147–160

  7. [7]

    Pid- piper: Recovering robotic vehicles from physical attacks,

    P. Dash, G. Li, Z. Chen, M. Karimibiuki, and K. Pattabiraman, “Pid- piper: Recovering robotic vehicles from physical attacks,” in2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 2021, pp. 26–38

  8. [8]

    Cyber- physical system checkpointing and recovery,

    F. Kong, M. Xu, J. Weimer, O. Sokolsky, and I. Lee, “Cyber- physical system checkpointing and recovery,” in2018 ACM/IEEE 9th International Conference on Cyber-Physical Systems (ICCPS). IEEE, 2018, pp. 22–31

  9. [9]

    Specguard: Specification aware recovery for robotic autonomous vehicles from physical at- tacks,

    P. Dash, E. Chan, and K. Pattabiraman, “Specguard: Specification aware recovery for robotic autonomous vehicles from physical at- tacks,” inProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 2024, pp. 1849–1863

  10. [10]

    Software-based realtime recovery from sensor attacks on robotic vehicles,

    H. Choi, S. Kate, Y . Aafer, X. Zhang, and D. Xu, “Software-based realtime recovery from sensor attacks on robotic vehicles,” in23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), 2020, pp. 349–364

  11. [11]

    Building diverse com- puter systems,

    S. Forrest, A. Somayaji, and D. H. Ackley, “Building diverse com- puter systems,” inProceedings. The Sixth Workshop on Hot Topics in Operating Systems (Cat. No. 97TB100133). IEEE, 1997, pp. 67–72

  12. [12]

    Galapagos: Automated n-version programming with llms,

    J. Ron, D. Gaspar, J. Cabrera-Arteaga, B. Baudry, and M. Monperrus, “Galapagos: Automated n-version programming with llms,”ACM Transactions on Software Engineering and Methodology, 2025

  13. [13]

    Cross- layer retrofitting of uavs against cyber-physical attacks,

    F. Fei, Z. Tu, R. Yu, T. Kim, X. Zhang, D. Xu, and X. Deng, “Cross- layer retrofitting of uavs against cyber-physical attacks,” in2018 IEEE International Conference on Robotics and Automation (ICRA). IEEE, 2018, pp. 550–557

  14. [14]

    Rx: treating bugs as allergies—a safe method to survive software failures,

    F. Qin, J. Tucek, J. Sundaresan, and Y . Zhou, “Rx: treating bugs as allergies—a safe method to survive software failures,” inProceedings of the twentieth ACM symposium on Operating systems principles, 2005, pp. 235–248

  15. [15]

    Enhancing server availability and security through failure- oblivious computing

    M. C. Rinard, C. Cadar, D. Dumitran, D. M. Roy, T. Leu, and W. S. Beebee, “Enhancing server availability and security through failure- oblivious computing.” inOsdi, vol. 4, 2004, pp. 21–21

  16. [16]

    Software rejuvenation: Analysis, module and applications,

    Y . Huang, C. Kintala, N. Kolettis, and N. D. Fulton, “Software rejuvenation: Analysis, module and applications,” inTwenty-fifth in- ternational symposium on fault-tolerant computing. Digest of papers. IEEE, 1995, pp. 381–390

  17. [17]

    Software availability protection in {Cyber-Physical}systems,

    A. Li, J. Wang, and N. Zhang, “Software availability protection in {Cyber-Physical}systems,” in34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 1807–1825

  18. [18]

    Neural acceleration for general-purpose approximate programs,

    H. Esmaeilzadeh, A. Sampson, L. Ceze, and D. Burger, “Neural acceleration for general-purpose approximate programs,” in2012 45th annual IEEE/ACM international symposium on microarchitecture. IEEE, 2012, pp. 449–460

  19. [19]

    Snnap: Approximate computing on programmable socs via neural acceleration

    T. M. M. W. J. Nelson, A. Sampson, H. Esmaeilzadeh, and L. C. M. Oskin, “Snnap: Approximate computing on programmable socs via neural acceleration.”

  20. [20]

    Schnet: A continuous-filter convo- lutional neural network for modeling quantum interactions,

    K. Sch ¨utt, P.-J. Kindermans, H. E. Sauceda Felix, S. Chmiela, A. Tkatchenko, and K.-R. M¨uller, “Schnet: A continuous-filter convo- lutional neural network for modeling quantum interactions,”Advances in neural information processing systems, vol. 30, 2017

  21. [21]

    Synergies between quantum mechanics and machine learning in reaction predic- tion,

    P. Sadowski, D. Fooshee, N. Subrahmanya, and P. Baldi, “Synergies between quantum mechanics and machine learning in reaction predic- tion,”Journal of chemical information and modeling, vol. 56, no. 11, pp. 2125–2128, 2016

  22. [22]

    Auto-hpcnet: An automatic frame- work to build neural network-based surrogate for high-performance computing applications,

    W. Dong, G. Kestor, and D. Li, “Auto-hpcnet: An automatic frame- work to build neural network-based surrogate for high-performance computing applications,” inProceedings of the 32nd International Symposium on High-Performance Parallel and Distributed Comput- ing, 2023, pp. 31–44

  23. [23]

    {ACES}: Automatic compartments for embedded systems,

    A. A. Clements, N. S. Almakhdhub, S. Bagchi, and M. Payer, “{ACES}: Automatic compartments for embedded systems,” in27th USENIX Security Symposium (USENIX Security 18), 2018, pp. 65–82

  24. [24]

    The llvm compiler,

    “The llvm compiler,” https://llvm.org/, Last Accessed, June 2026

  25. [25]

    Sok: Eternal war in memory,

    L. Szekeres, M. Payer, T. Wei, and D. Song, “Sok: Eternal war in memory,” in2013 IEEE Symposium on Security and Privacy. IEEE, 2013, pp. 48–62

  26. [26]

    The geometry of innocent flesh on the bone: Return- into-libc without function calls (on the x86),

    H. Shacham, “The geometry of innocent flesh on the bone: Return- into-libc without function calls (on the x86),” inProceedings of the 14th ACM conference on Computer and communications security, 2007, pp. 552–561

  27. [27]

    Jump-oriented programming: a new class of code-reuse attack,

    T. Bletsch, X. Jiang, V . W. Freeh, and Z. Liang, “Jump-oriented programming: a new class of code-reuse attack,” inProceedings of the 6th ACM symposium on information, computer and communications security, 2011, pp. 30–40

  28. [28]

    Design and use paradigms for gazebo, an open-source multi-robot simulator,

    N. Koenig and A. Howard, “Design and use paradigms for gazebo, an open-source multi-robot simulator,” in2004 IEEE/RSJ international conference on intelligent robots and systems (IROS)(IEEE Cat. No. 04CH37566), vol. 3. Ieee, 2004, pp. 2149–2154

  29. [29]

    Crystal (ball) i look at physics and predict control flow! just-ahead-of-time controller recovery,

    S. Etigowni, S. Hossain-McKenzie, M. Kazerooni, K. Davis, and S. Zonouz, “Crystal (ball) i look at physics and predict control flow! just-ahead-of-time controller recovery,” inProceedings of the 34th Annual Computer Security Applications Conference, 2018, pp. 553– 565

  30. [30]

    Control-flow integrity: Precision, security, and perfor- mance,

    N. Burow, S. A. Carr, J. Nash, P. Larsen, M. Franz, S. Brunthaler, and M. Payer, “Control-flow integrity: Precision, security, and perfor- mance,”ACM Computing Surveys (CSUR), vol. 50, no. 1, pp. 1–33, 2017

  31. [31]

    Cfimon: Detecting violation of control flow integrity using performance counters,

    Y . Xia, Y . Liu, H. Chen, and B. Zang, “Cfimon: Detecting violation of control flow integrity using performance counters,” inIEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012). IEEE, 2012, pp. 1–12

  32. [32]

    Hafix: Hardware-assisted flow integrity extension,

    L. Davi, M. Hanreich, D. Paul, A.-R. Sadeghi, P. Koeberl, D. Sul- livan, O. Arias, and Y . Jin, “Hafix: Hardware-assisted flow integrity extension,” inProceedings of the 52nd Annual Design Automation Conference, 2015, pp. 1–6

  33. [33]

    µRAI: Securing Embedded Systems with Return Address Integrity,

    N. S. Almakhdhub, A. A. Clements, S. Bagchi, and M. Payer, “µRAI: Securing Embedded Systems with Return Address Integrity,” inNetwork and Distributed Systems Security (NDSS) Symposium, 2020

  34. [34]

    Silhouette: Efficient protected shadow stacks for embedded systems,

    J. Zhou, Y . Du, Z. Shen, L. Ma, J. Criswell, and R. J. Walls, “Silhouette: Efficient protected shadow stacks for embedded systems,” in29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 1219–1236

  35. [35]

    Protecting bare-metal embedded systems with privilege overlays,

    A. A. Clements, N. S. Almakhdhub, K. S. Saab, P. Srivastava, J. Koo, S. Bagchi, and M. Payer, “Protecting bare-metal embedded systems with privilege overlays,” in2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 289–303

  36. [36]

    No-fat: Architectural support for low overhead memory safety checks,

    M. T. I. Ziad, M. A. Arroyo, E. Manzhosov, R. Piersma, and S. Sethu- madhavan, “No-fat: Architectural support for low overhead memory safety checks,” in2021 ACM/IEEE 48th Annual International Sym- posium on Computer Architecture (ISCA). IEEE, 2021, pp. 916–929

  37. [37]

    Trustlite: A security architecture for tiny embedded devices,

    P. Koeberl, S. Schulz, A.-R. Sadeghi, and V . Varadharajan, “Trustlite: A security architecture for tiny embedded devices,” inProceedings of the Ninth European Conference on Computer Systems, 2014, pp. 1–14

  38. [38]

    Guaranteed physical security with restart-based design for cyber- physical systems,

    F. Abdi, C.-Y . Chen, M. Hasan, S. Liu, S. Mohan, and M. Caccamo, “Guaranteed physical security with restart-based design for cyber- physical systems,” in2018 ACM/IEEE 9th International Conference on Cyber-Physical Systems (ICCPS). IEEE, 2018, pp. 10–21

  39. [39]

    Mini-me, you complete me! data-driven drone security via dnn-based approximate computing,

    A. Ding, P. Murthy, L. Garcia, P. Sun, M. Chan, and S. Zonouz, “Mini-me, you complete me! data-driven drone security via dnn-based approximate computing,” inProceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, 2021, pp. 428–441

  40. [40]

    Learning from mutants: Using code mutation to learn and monitor invariants of a cyber-physical system,

    Y . Chen, C. M. Poskitt, and J. Sun, “Learning from mutants: Using code mutation to learn and monitor invariants of a cyber-physical system,” in2018 IEEE Symposium on Security and Privacy (SP). IEEE, 2018, pp. 648–660

  41. [41]

    Concrete Problems in AI Safety

    D. Amodei, C. Olah, J. Steinhardt, P. Christiano, J. Schulman, and D. Man ´e, “Concrete problems in ai safety,”arXiv preprint arXiv:1606.06565, 2016

  42. [42]

    Anomaly detection in cyber physical systems using recurrent neural networks,

    J. Goh, S. Adepu, M. Tan, and Z. S. Lee, “Anomaly detection in cyber physical systems using recurrent neural networks,” in2017 IEEE 18th international symposium on high assurance systems engineering (HASE). IEEE, 2017, pp. 140–145

  43. [43]

    Behaviour-based attack detection and classification in cyber physical systems using machine learning,

    K. N. Junejo and J. Goh, “Behaviour-based attack detection and classification in cyber physical systems using machine learning,” inProceedings of the 2nd ACM international workshop on cyber- physical system security, 2016, pp. 34–43

  44. [44]

    Detection of fault data injection attack on uav using adaptive neural network,

    A. Abbaspour, K. K. Yen, S. Noei, and A. Sargolzaei, “Detection of fault data injection attack on uav using adaptive neural network,” Procedia computer science, vol. 95, pp. 193–200, 2016

  45. [45]

    The program de- pendence graph and its use in optimization,

    J. Ferrante, K. J. Ottenstein, and J. D. Warren, “The program de- pendence graph and its use in optimization,”ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 9, no. 3, pp. 319–349, 1987

  46. [46]

    Making context-sensitive points-to analysis with heap cloning practical for the real world,

    C. Lattner, A. Lenharth, and V . Adve, “Making context-sensitive points-to analysis with heap cloning practical for the real world,” ACM SIGPLAN Notices, vol. 42, no. 6, pp. 278–289, 2007

  47. [47]

    Learning long-term dependen- cies with gradient descent is difficult,

    Y . Bengio, P. Simard, and P. Frasconi, “Learning long-term dependen- cies with gradient descent is difficult,”IEEE transactions on neural networks, vol. 5, no. 2, pp. 157–166, 1994

  48. [48]

    Writing an llvm pass,

    “Writing an llvm pass,” https://llvm.org/docs/WritingAnLLVMPass. html, Last Accessed, June 2026

  49. [49]

    Tensorflow: Large-scale machine learning on heterogeneous systems,

    M. Abadi, A. Agarwal, P. Barham, E. Brevdo, Z. Chen, C. Citro, G. S. Corrado, A. Davis, J. Dean, M. Devinet al., “Tensorflow: Large-scale machine learning on heterogeneous systems,” 2015

  50. [50]

    Aion robotics,

    “Aion robotics,” https://www.aionrobotics.com/, Last Accessed, June 2026

  51. [51]

    Pixhawk: A system for autonomous flight using onboard computer vision,

    L. Meier, P. Tanskanen, F. Fraundorfer, and M. Pollefeys, “Pixhawk: A system for autonomous flight using onboard computer vision,” in2011 ieee international conference on robotics and automation. IEEE, 2011, pp. 2992–2997

  52. [52]

    Ardupilot plane,

    “Ardupilot plane,” https://ardupilot.org/plane/index.html, Last Ac- cessed, June 2026

  53. [53]

    Ardupilot copter,

    “Ardupilot copter,” https://ardupilot.org/copter/index.html, Last Ac- cessed, June 2026

  54. [54]

    Ardupilot rover,

    “Ardupilot rover,” https://ardupilot.org/rover/index.html, Last Ac- cessed, June 2026

  55. [55]

    Px4 airframes,

    “Px4 airframes,” https://docs.px4.io/v1.12/en/airframes/airframe ref erence.html, Last Accessed, May 2026

  56. [56]

    Qgroundcontrol,

    “Qgroundcontrol,” https://qgroundcontrol.com/, Last Accessed, May 2026

  57. [57]

    Gazebo robot simulation,

    “Gazebo robot simulation,” https://gazebosim.org/home, Last Ac- cessed, June 2026

  58. [58]

    Pixhawk,

    “Pixhawk,” https://ardupilot.org/copter/docs/common-pixhawk-overv iew.html, Last Accessed, June 2026

  59. [59]

    Dropout: A simple way to prevent neural networks from overfitting,

    N. Srivastava, G. Hinton, A. Krizhevsky, I. Sutskever, and R. Salakhutdinov, “Dropout: A simple way to prevent neural networks from overfitting,”Journal of Machine Learning Research, vol. 15, no. 1, pp. 1929–1958, 2014

  60. [60]

    Precise payload delivery via unmanned aerial vehicles: An approach using object detection algorithms,

    A. Vadduri, A. Benjwal, A. Pai, E. Quadros, A. Kammar, and P. Uday, “Precise payload delivery via unmanned aerial vehicles: An approach using object detection algorithms,”arXiv preprint arXiv:2310.06329, 2023

  61. [61]

    Rvdebloater: Mode-based adap- tive firmware debloating for robotic vehicles,

    M. Salehi and K. Pattabiraman, “Rvdebloater: Mode-based adap- tive firmware debloating for robotic vehicles,”arXiv preprint arXiv:2602.00270, 2026

  62. [62]

    Stack buffer overflow,

    “Stack buffer overflow,” https://github.com/PX4/PX4-Autopilot/issue s/5643, Last Accessed, May 2026

  63. [63]

    Cve-2022-28711,

    “Cve-2022-28711,” https://nvd.nist.gov/vuln/detail/CVE-2022-2871 1, Last Accessed, May 2026

  64. [64]

    Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks

    C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton, “Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks.” inUSENIX security symposium, vol. 98. San Antonio, TX, 1998, pp. 63–78

  65. [65]

    A stack smashing technique protection tool for linux,

    S. S. Vendicator, “A stack smashing technique protection tool for linux,”World Wide Web, http://www. angelfire. com/sk/stackshield- /info. html, 2000

  66. [66]

    Enforcing kernel security invariants with data flow integrity

    C. Song, B. Lee, K. Lu, W. Harris, T. Kim, and W. Lee, “Enforcing kernel security invariants with data flow integrity.” inNDSS, 2016

  67. [67]

    Se- curing real-time microcontroller systems through customized memory view switching

    C. H. Kim, T. Kim, H. Choi, Z. Gu, B. Lee, X. Zhang, and D. Xu, “Se- curing real-time microcontroller systems through customized memory view switching.” inNDSS, 2018

  68. [68]

    {SHARD}:{Fine- Grained}kernel specialization with{Context-Aware}hardening,

    M. Abubakar, A. Ahmad, P. Fonseca, and D. Xu, “{SHARD}:{Fine- Grained}kernel specialization with{Context-Aware}hardening,” in 30th USENIX Security Symposium (USENIX Security 21), 2021, pp. 2435–2452

  69. [69]

    Cfi care: Hardware-supported call and return enforcement for commercial mi- crocontrollers,

    T. Nyman, J.-E. Ekberg, L. Davi, and N. Asokan, “Cfi care: Hardware-supported call and return enforcement for commercial mi- crocontrollers,” inInternational Symposium on Research in Attacks, Intrusions, and Defenses. Springer, 2017, pp. 259–284

  70. [70]

    Armlock: Hardware-based fault isolation for arm,

    Y . Zhou, X. Wang, Y . Chen, and Z. Wang, “Armlock: Hardware-based fault isolation for arm,” inProceedings of the 2014 ACM SIGSAC conference on computer and communications security, 2014, pp. 558– 569

  71. [71]

    Sok: Soft- ware compartmentalization,

    H. Lefeuvre, N. Dautenhahn, D. Chisnall, and P. Olivier, “Sok: Soft- ware compartmentalization,” in2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 3107–3126

  72. [72]

    Fault-tolerant architectures for space and avionics applications,

    D. P. Siewiorek and P. Narasimhan, “Fault-tolerant architectures for space and avionics applications,”NASA Ames Research http://ic. arc. nasa. gov/projects/ishem/Papers/Siewi, 2005

  73. [73]

    Config- urable isolation: building high availability systems with commodity multi-core processors,

    N. Aggarwal, P. Ranganathan, N. P. Jouppi, and J. E. Smith, “Config- urable isolation: building high availability systems with commodity multi-core processors,”ACM SIGARCH Computer Architecture News, vol. 35, no. 2, pp. 470–481, 2007

  74. [74]

    Mvtee: Multi-variant trusted execution for secure model inference,

    K. Qin and D. Gu, “Mvtee: Multi-variant trusted execution for secure model inference,” inProceedings of the 26th International Middleware Conference, 2025, pp. 298–313

  75. [75]

    I’ll be there for you! perpetual availability in the a 8 mvx system,

    A. R ¨osti, S. V olckaert, M. Franz, and A. V oulimeneas, “I’ll be there for you! perpetual availability in the a 8 mvx system,” in2024 Annual Computer Security Applications Conference (ACSAC). IEEE, 2024, pp. 520–533

  76. [76]

    System structure for software fault tolerance,

    B. Randell, “System structure for software fault tolerance,”IEEE Transactions on Software Engineering, vol. SE-1, no. 2, pp. 220– 232, 1975

  77. [77]

    Un- rocking drones: Foundations of acoustic injection attacks and recovery thereof

    J. Jeong, D. Kim, J.-H. Jang, J. Noh, C. Song, and Y . Kim, “Un- rocking drones: Foundations of acoustic injection attacks and recovery thereof.” inNDSS, vol. 6, 2023, p. 7

  78. [78]

    Learn-to-recover: Retrofitting uavs with reinforcement learning-assisted flight control under cyber- physical attacks,

    F. Fei, Z. Tu, D. Xu, and X. Deng, “Learn-to-recover: Retrofitting uavs with reinforcement learning-assisted flight control under cyber- physical attacks,” in2020 IEEE International Conference on Robotics and Automation (ICRA). IEEE, 2020, pp. 7358–7364

  79. [79]

    Scvmon: Data-oriented attack recovery for rvs based on safety-critical variable monitoring,

    S. Park, Y . Kim, and D. H. Lee, “Scvmon: Data-oriented attack recovery for rvs based on safety-critical variable monitoring,” in Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 2023, pp. 547–563

  80. [80]

    Microreboot-a technique for cheap recovery

    G. Candea, S. Kawamoto, Y . Fujiki, G. Friedman, and A. Fox, “Microreboot-a technique for cheap recovery.” inOSDI, vol. 4, 2004, pp. 31–44