Dual State-Space Fidelity Blade (D-STAB)
- D-STAB is a firmware-level cyber-physical attack paradigm exploiting asymmetric fidelity gaps between detailed HF models and simplified LF models used for real-time control.
- It employs a bi-level attack synthesis with adversarial high-fidelity MPC and inverse LF MPC to stealthily manipulate firmware parameters while evading detection.
- The approach targets critical CPS components such as battery management systems, highlighting potential impacts and defenses against hidden high-fidelity dynamics.
Searching arXiv for the target paper and closely related attack literature. arXiv search query: "Dual State-Space Fidelity Blade D-STAB stealthy cyber-physical attack paradigm" Dual State-Space Fidelity Blade (D-STAB) is a firmware-level cyber-physical attack paradigm that exploits the fidelity gap between high-fidelity (HF) and low-fidelity (LF) models used in cyber-physical systems (CPS). The central premise is that many CPS deploy LF models for real-time control and monitoring because of computational efficiency, while HF models capture richer multi-physics dynamics but are generally unavailable to defenders. D-STAB leverages this information asymmetry by designing adversarial constraints and parameter modifications in firmware so that HF states deviate into harmful regimes while LF observers and controllers continue to indicate normal operation. The paradigm is introduced as a new class of attack surface targeting the firmware of core CPS components, including Battery Management Systems (BMS) and embedded controllers (Shen et al., 9 Jul 2025).
1. Concept and threat model
D-STAB is defined as a firmware-centric attack that targets the parameters, constraints, and logic of control and estimation routines stored in ROM, EEPROM, or flash. The attack surface includes MPC weight matrices or scalars, terminal weights, constraint bounds such as , , and , ramp-rate limits, reference schedules, estimator gains, model parameters such as and OCV curve coefficients, and safety checks including boundary thresholds, rate limiters, and saturation logic (Shen et al., 9 Jul 2025).
The threat model assumes an adversary with read/write access to firmware through physical interfaces such as JTAG, J-Link, or ISP, or through remote interfaces such as CAN or UART by exploiting buffer overflow or malware. The adversary is assumed to be able to execute offline optimization using HF models and then inject minimal parameter changes into the LF controller or estimator. Required knowledge includes the HF model and key physical parameters; the LF control or observer implementation and its parameterization ; and mappings between HF states and the LF states or outputs used by the defender. The defender, by contrast, is assumed to rely on LF models and observers, such as equivalent circuit models for batteries or steady-state approximations for power systems, together with standard residual-based anomaly detection and limited visibility into HF dynamics (Shen et al., 9 Jul 2025).
This threat model distinguishes D-STAB from attacks that depend on continuous sensor-stream manipulation. A plausible implication is that the attack’s operational burden is shifted from sustained online spoofing to a largely offline design phase followed by persistent firmware modification.
2. Dual state-space formulation and the fidelity gap
The formalism of D-STAB is built on parallel HF and LF state-space models. In continuous time, the HF model is
while the LF model is
For MPC-ready discrete-time prediction, the paper writes
0
and
1
The fidelity gap is expressed through state and output mappings
2
with mismatch variables
3
In the battery case study, a domain-specific mapping 4 translates HF particle concentrations from the Single Particle Model into LF SoC in the equivalent-circuit model:
5
The defender’s LF observer is modeled in standard form:
6
7
with residual
8
D-STAB is designed so that 9 remains within bounds even while HF states cross harmful thresholds. The paper states an LF indistinguishability proposition: if there exists a mapping 0 and an input sequence 1 such that, for all 2, the LF state is a projection of the HF state, the LF output equals the nominal LF output, and LF constraints hold, then 3 and the LF detector does not alarm, even if HF states deviate beyond HF safety thresholds (Shen et al., 9 Jul 2025).
This formalization generalizes the idea of hidden behavior from exact unobservable dynamics to cross-model mismatch. The paper characterizes this as exploiting “hidden” HF modes not represented in LF models.
3. Bi-level attack synthesis
D-STAB is constructed as a bi-level design consisting of an HF adversarial MPC and an LF inverse MPC. At the HF level, the attacker solves
4
Here 5 denotes adversarial constraints in HF space that encode harm-inducing conditions, while 6 and 7 are stealth constraints chosen to mimic LF limits such as current, voltage, or SoC bounds (Shen et al., 9 Jul 2025).
At the LF level, the attacker infers firmware parameters 8 so that the compromised LF MPC reproduces the HF-derived adversarial sequence:
9
0
with a squared loss 1 given as an example. The compromised LF MPC is
2
The inverse optimization is updated by
3
where the gradient can be computed using Pontryagin differentiable programming (Shen et al., 9 Jul 2025).
The stealth condition is dual: LF outputs must remain close to nominal and LF residuals must stay below threshold,
4
while HF impact is maximized under 5. The algorithmic outline given in the paper is: build the HF model and choose adversarial constraints; solve HF adversarial MPC to obtain 6; construct LF inverse MPC and select a firmware parameterization 7; minimize 8 to obtain 9; inject 0 into firmware; and let the runtime LF controller produce 1 that preserves LF stealth while driving HF states to satisfy the adversarial constraints (Shen et al., 9 Jul 2025).
4. Firmware targeting and cycle-level stealth
The attack is explicitly firmware-oriented rather than packet-oriented. Injection points include controller parameters such as MPC weight matrices or scalars 2, terminal weights, constraint bounds, ramp-rate limits, and reference schedules; estimator parameters such as filter gains, OCV coefficients, and internal resistance 3; and safety logic such as thresholds and saturation routines. The paper emphasizes that the modified parameters are persistent and resource-efficient, with one-time programming as a representative deployment mode (Shen et al., 9 Jul 2025).
D-STAB is synchronized to the control and estimation cycle of the targeted CPS. The LF MPC is assumed to run at sampling instants 4 with prediction horizon 5, while the observer generates 6 and 7. The attacker tunes 8 so that the LF optimal action 9 matches the HF adversarial input 0 at each cycle. This alignment is what permits LF constraint satisfaction and residual suppression to coexist with harmful HF evolution. The synchronization condition is operationally important: the parameter modification must take effect before the next control or observer update (Shen et al., 9 Jul 2025).
A common misconception is to equate D-STAB with general firmware tampering. The distinguishing feature is not merely firmware access, but the coupling of firmware parameterization with a dual-model state-space design. The paper’s contribution lies in showing how parameter changes that appear benign in LF coordinates can systematically drive harmful HF trajectories.
5. Battery management case study: optimal charging under hidden HF deviation
The principal case study concerns cyber-physical battery systems, specifically an optimal charging task governed by a BMS. The architecture described in the paper includes LF ECM-based SoC and SoH estimation, control via MPC or rule-based charging logic, protection mechanisms for over-voltage, over-current, and over-temperature, and sensing and actuation through voltage 1, current 2, temperature 3, and charge-current setpoints (Shen et al., 9 Jul 2025).
The HF model is a Single Particle Model with radial diffusion in electrode particles:
4
5
The corresponding SoC quantities on the anode side are
6
7
With discretization at 10 radial nodes for each electrode, the HF state is 8 and the control input is 9. The affine discrete dynamics are
0
The HF cost tracks bulk SoC to a target 1 while penalizing input effort:
2
with 3. The adversarial HF constraint is
4
which pushes surface concentration significantly above bulk concentration and is linked in the paper to lithium plating and SEI growth. Stealth in HF space is maintained by constraints that mimic normal LF operation:
5
with terminal condition 6 (Shen et al., 9 Jul 2025).
The LF model is an Rint equivalent circuit model:
7
Its MPC objective is
8
with firmware weights 9. The LF stealth envelope is
0
The paper explores three adversarial levels by varying 1: low with 2 and 3; medium with 4 and 5; and high with 6 and 7. Across these settings, the HF adversarial constraints are satisfied for a subset of time steps, and stronger adversarial constraints reduce the duration of satisfaction. At the same time, LF outputs remain within nominal bounds under the D-STAB parameterization. Detection thresholds are not explicitly enumerated; stealth is evidenced by LF constraint satisfaction and residual-based monitoring consistent with those constraints (Shen et al., 9 Jul 2025).
6. Relation to prior attack classes, defenses, and scope of applicability
The paper positions D-STAB relative to several established attack categories. False Data Injection manipulates sensor streams, typically requiring sustained spoofing and often leaving statistical signatures. Covert attacks aim to hide manipulations in residuals by emulating nominal outputs. Zero-dynamics attacks rely on system zeros to remain undetected. D-STAB differs in that it modifies firmware parameters once, has a minimal resource footprint, does not require sensor tampering, and does not require system zeros in the LF model. Its novelty is identified as exploiting LF/HF model mismatch through firmware-level tuning of constraints and weights (Shen et al., 9 Jul 2025).
The mitigation strategies proposed in the paper operate along three axes. First, defenders can reduce the fidelity gap by incorporating HF-informed observers, simplified SPMs, multi-particle approximations, or hybrid physics-ML models, especially in safety-critical regimes. Second, they can harden the firmware layer by using secure boot, signed firmware, periodic attestation, parameter-table monitoring, and checksums on configuration sectors. Third, they can augment runtime observability through multi-physics sensing, out-of-band monitoring, and residual design that accounts for HF transients, including sliding-window or frequency-domain signatures and adaptive thresholds 8 (Shen et al., 9 Jul 2025).
These defenses are accompanied by explicit trade-offs. Higher fidelity increases computational load and complexity; attestation and auditing introduce maintenance overhead; and multi-sensor solutions add cost and integration effort. The attack itself also has limitations: its success depends on access to HF models and firmware parameterization, is sensitive to the accuracy of the mapping 9, and may be weakened by model deviations such as unmodeled temperature dependence. The paper notes, however, that computational complexity is partly mitigated by the fact that both HF MPC and bi-level inverse MPC can be solved offline before one-time firmware deployment (Shen et al., 9 Jul 2025).
The framework is presented as generalizable beyond batteries. The paper lists power systems, autonomous vehicles and robotics, industrial control, and drones as representative CPS domains in which an HF/LF mismatch may exist between the defender’s operational model and the underlying physical dynamics. This suggests that D-STAB is best understood not as a battery-specific exploit, but as a general attack template for CPS whose safety monitoring is mediated by low-order or reduced-order models while richer dynamics remain unobserved.