RoboShield: A Low-Latency Out-of-Band RTPS Watchdog in Rust

Hey everyone! :waving_hand:

I’ve been working on something I’m pretty excited about and wanted to share it with the community.

RoboShield is a real-time RTPS security watchdog I wrote in Rust. It basically sits on the wire (like on a NanoPi R2S with dual ethernet) and sniffs DDS/RTPS packets to catch stuff like rogue nodes joining your network, someone flooding /cmd_vel, or unauthorized publishers trying to hijack topics.

:backhand_index_pointing_right: GitHub: GitHub - Amin-Ahmed-G/robotshield · GitHub

What it does

  • Parses raw RTPS submessages (DATA, HEARTBEAT, ACKNACK, etc.) from UDP captures using libpcap
  • Checks every packet’s GUID prefix against a TOML-based whitelist
  • Tracks per-topic message rates with a sliding window to catch flood attacks
  • Logs alerts as structured JSON (for SIEM tools or just grepping through logs)

Why not just use SROS2?

SROS2 is great, but setting up PKI certificates for every node on a fleet of robots is painful, and the crypto overhead can mess with tight real-time loops. RoboShield works out-of-band — plug it between your robot and the network, zero changes to your existing nodes.

Performance

I ran some benchmarks and got ~1.36 μs average processing time per packet (parse + policy check on an x86 dev machine) in release mode, which is way under what you’d need for even 1kHz control loops. NanoPi R2S hardware benchmarks are planned next.

I’m a 4th year Robotics & Automation student and this started as a security research project targeting ICRA/IEEE RAS. Would love to hear any feedback, especially from folks who’ve dealt with DDS security in production!

Feel free to connect with me on LinkedIn as well!

Cheers,
Amin :victory_hand:

1 Like