Papers
Topics
Authors
Recent
Search
2000 character limit reached

Dual State-Space Fidelity Blade (D-STAB)

Updated 6 July 2026
  • D-STAB is a firmware-level cyber-physical attack paradigm exploiting asymmetric fidelity gaps between detailed HF models and simplified LF models used for real-time control.
  • It employs a bi-level attack synthesis with adversarial high-fidelity MPC and inverse LF MPC to stealthily manipulate firmware parameters while evading detection.
  • The approach targets critical CPS components such as battery management systems, highlighting potential impacts and defenses against hidden high-fidelity dynamics.

Searching arXiv for the target paper and closely related attack literature. arXiv search query: "Dual State-Space Fidelity Blade D-STAB stealthy cyber-physical attack paradigm" Dual State-Space Fidelity Blade (D-STAB) is a firmware-level cyber-physical attack paradigm that exploits the fidelity gap between high-fidelity (HF) and low-fidelity (LF) models used in cyber-physical systems (CPS). The central premise is that many CPS deploy LF models for real-time control and monitoring because of computational efficiency, while HF models capture richer multi-physics dynamics but are generally unavailable to defenders. D-STAB leverages this information asymmetry by designing adversarial constraints and parameter modifications in firmware so that HF states deviate into harmful regimes while LF observers and controllers continue to indicate normal operation. The paradigm is introduced as a new class of attack surface targeting the firmware of core CPS components, including Battery Management Systems (BMS) and embedded controllers (Shen et al., 9 Jul 2025).

1. Concept and threat model

D-STAB is defined as a firmware-centric attack that targets the parameters, constraints, and logic of control and estimation routines stored in ROM, EEPROM, or flash. The attack surface includes MPC weight matrices or scalars, terminal weights, constraint bounds such as SoCmax\text{SoC}_{\max}, ImaxI_{\max}, and VmaxV_{\max}, ramp-rate limits, reference schedules, estimator gains, model parameters such as R0R_0 and OCV curve coefficients, and safety checks including boundary thresholds, rate limiters, and saturation logic (Shen et al., 9 Jul 2025).

The threat model assumes an adversary with read/write access to firmware through physical interfaces such as JTAG, J-Link, or ISP, or through remote interfaces such as CAN or UART by exploiting buffer overflow or malware. The adversary is assumed to be able to execute offline optimization using HF models and then inject minimal parameter changes into the LF controller or estimator. Required knowledge includes the HF model fHf_H and key physical parameters; the LF control or observer implementation and its parameterization θ\theta; and mappings between HF states and the LF states or outputs used by the defender. The defender, by contrast, is assumed to rely on LF models and observers, such as equivalent circuit models for batteries or steady-state approximations for power systems, together with standard residual-based anomaly detection and limited visibility into HF dynamics (Shen et al., 9 Jul 2025).

This threat model distinguishes D-STAB from attacks that depend on continuous sensor-stream manipulation. A plausible implication is that the attack’s operational burden is shifted from sustained online spoofing to a largely offline design phase followed by persistent firmware modification.

2. Dual state-space formulation and the fidelity gap

The formalism of D-STAB is built on parallel HF and LF state-space models. In continuous time, the HF model is

xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},

x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),

while the LF model is

x(t)Rn,y(t)Rp,x_\ell(t)\in\mathbb{R}^{n_\ell},\quad y_\ell(t)\in\mathbb{R}^{p_\ell},

x˙(t)=Ax(t)+Bu(t),y(t)=Cx(t)+Du(t).\dot{x}_\ell(t)=A_\ell x_\ell(t)+B_\ell u(t),\quad y_\ell(t)=C_\ell x_\ell(t)+D_\ell u(t).

For MPC-ready discrete-time prediction, the paper writes

ImaxI_{\max}0

and

ImaxI_{\max}1

The fidelity gap is expressed through state and output mappings

ImaxI_{\max}2

with mismatch variables

ImaxI_{\max}3

In the battery case study, a domain-specific mapping ImaxI_{\max}4 translates HF particle concentrations from the Single Particle Model into LF SoC in the equivalent-circuit model:

ImaxI_{\max}5

The defender’s LF observer is modeled in standard form:

ImaxI_{\max}6

ImaxI_{\max}7

with residual

ImaxI_{\max}8

D-STAB is designed so that ImaxI_{\max}9 remains within bounds even while HF states cross harmful thresholds. The paper states an LF indistinguishability proposition: if there exists a mapping VmaxV_{\max}0 and an input sequence VmaxV_{\max}1 such that, for all VmaxV_{\max}2, the LF state is a projection of the HF state, the LF output equals the nominal LF output, and LF constraints hold, then VmaxV_{\max}3 and the LF detector does not alarm, even if HF states deviate beyond HF safety thresholds (Shen et al., 9 Jul 2025).

This formalization generalizes the idea of hidden behavior from exact unobservable dynamics to cross-model mismatch. The paper characterizes this as exploiting “hidden” HF modes not represented in LF models.

3. Bi-level attack synthesis

D-STAB is constructed as a bi-level design consisting of an HF adversarial MPC and an LF inverse MPC. At the HF level, the attacker solves

VmaxV_{\max}4

Here VmaxV_{\max}5 denotes adversarial constraints in HF space that encode harm-inducing conditions, while VmaxV_{\max}6 and VmaxV_{\max}7 are stealth constraints chosen to mimic LF limits such as current, voltage, or SoC bounds (Shen et al., 9 Jul 2025).

At the LF level, the attacker infers firmware parameters VmaxV_{\max}8 so that the compromised LF MPC reproduces the HF-derived adversarial sequence:

VmaxV_{\max}9

R0R_00

with a squared loss R0R_01 given as an example. The compromised LF MPC is

R0R_02

The inverse optimization is updated by

R0R_03

where the gradient can be computed using Pontryagin differentiable programming (Shen et al., 9 Jul 2025).

The stealth condition is dual: LF outputs must remain close to nominal and LF residuals must stay below threshold,

R0R_04

while HF impact is maximized under R0R_05. The algorithmic outline given in the paper is: build the HF model and choose adversarial constraints; solve HF adversarial MPC to obtain R0R_06; construct LF inverse MPC and select a firmware parameterization R0R_07; minimize R0R_08 to obtain R0R_09; inject fHf_H0 into firmware; and let the runtime LF controller produce fHf_H1 that preserves LF stealth while driving HF states to satisfy the adversarial constraints (Shen et al., 9 Jul 2025).

4. Firmware targeting and cycle-level stealth

The attack is explicitly firmware-oriented rather than packet-oriented. Injection points include controller parameters such as MPC weight matrices or scalars fHf_H2, terminal weights, constraint bounds, ramp-rate limits, and reference schedules; estimator parameters such as filter gains, OCV coefficients, and internal resistance fHf_H3; and safety logic such as thresholds and saturation routines. The paper emphasizes that the modified parameters are persistent and resource-efficient, with one-time programming as a representative deployment mode (Shen et al., 9 Jul 2025).

D-STAB is synchronized to the control and estimation cycle of the targeted CPS. The LF MPC is assumed to run at sampling instants fHf_H4 with prediction horizon fHf_H5, while the observer generates fHf_H6 and fHf_H7. The attacker tunes fHf_H8 so that the LF optimal action fHf_H9 matches the HF adversarial input θ\theta0 at each cycle. This alignment is what permits LF constraint satisfaction and residual suppression to coexist with harmful HF evolution. The synchronization condition is operationally important: the parameter modification must take effect before the next control or observer update (Shen et al., 9 Jul 2025).

A common misconception is to equate D-STAB with general firmware tampering. The distinguishing feature is not merely firmware access, but the coupling of firmware parameterization with a dual-model state-space design. The paper’s contribution lies in showing how parameter changes that appear benign in LF coordinates can systematically drive harmful HF trajectories.

5. Battery management case study: optimal charging under hidden HF deviation

The principal case study concerns cyber-physical battery systems, specifically an optimal charging task governed by a BMS. The architecture described in the paper includes LF ECM-based SoC and SoH estimation, control via MPC or rule-based charging logic, protection mechanisms for over-voltage, over-current, and over-temperature, and sensing and actuation through voltage θ\theta1, current θ\theta2, temperature θ\theta3, and charge-current setpoints (Shen et al., 9 Jul 2025).

The HF model is a Single Particle Model with radial diffusion in electrode particles:

θ\theta4

θ\theta5

The corresponding SoC quantities on the anode side are

θ\theta6

θ\theta7

With discretization at 10 radial nodes for each electrode, the HF state is θ\theta8 and the control input is θ\theta9. The affine discrete dynamics are

xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},0

The HF cost tracks bulk SoC to a target xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},1 while penalizing input effort:

xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},2

with xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},3. The adversarial HF constraint is

xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},4

which pushes surface concentration significantly above bulk concentration and is linked in the paper to lithium plating and SEI growth. Stealth in HF space is maintained by constraints that mimic normal LF operation:

xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},5

with terminal condition xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},6 (Shen et al., 9 Jul 2025).

The LF model is an Rint equivalent circuit model:

xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},7

Its MPC objective is

xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},8

with firmware weights xh(t)Rnh,yh(t)Rph,u(t)Rm,x_h(t)\in\mathbb{R}^{n_h},\quad y_h(t)\in\mathbb{R}^{p_h},\quad u(t)\in\mathbb{R}^{m},9. The LF stealth envelope is

x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),0

The paper explores three adversarial levels by varying x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),1: low with x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),2 and x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),3; medium with x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),4 and x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),5; and high with x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),6 and x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),7. Across these settings, the HF adversarial constraints are satisfied for a subset of time steps, and stronger adversarial constraints reduce the duration of satisfaction. At the same time, LF outputs remain within nominal bounds under the D-STAB parameterization. Detection thresholds are not explicitly enumerated; stealth is evidenced by LF constraint satisfaction and residual-based monitoring consistent with those constraints (Shen et al., 9 Jul 2025).

6. Relation to prior attack classes, defenses, and scope of applicability

The paper positions D-STAB relative to several established attack categories. False Data Injection manipulates sensor streams, typically requiring sustained spoofing and often leaving statistical signatures. Covert attacks aim to hide manipulations in residuals by emulating nominal outputs. Zero-dynamics attacks rely on system zeros to remain undetected. D-STAB differs in that it modifies firmware parameters once, has a minimal resource footprint, does not require sensor tampering, and does not require system zeros in the LF model. Its novelty is identified as exploiting LF/HF model mismatch through firmware-level tuning of constraints and weights (Shen et al., 9 Jul 2025).

The mitigation strategies proposed in the paper operate along three axes. First, defenders can reduce the fidelity gap by incorporating HF-informed observers, simplified SPMs, multi-particle approximations, or hybrid physics-ML models, especially in safety-critical regimes. Second, they can harden the firmware layer by using secure boot, signed firmware, periodic attestation, parameter-table monitoring, and checksums on configuration sectors. Third, they can augment runtime observability through multi-physics sensing, out-of-band monitoring, and residual design that accounts for HF transients, including sliding-window or frequency-domain signatures and adaptive thresholds x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),8 (Shen et al., 9 Jul 2025).

These defenses are accompanied by explicit trade-offs. Higher fidelity increases computational load and complexity; attestation and auditing introduce maintenance overhead; and multi-sensor solutions add cost and integration effort. The attack itself also has limitations: its success depends on access to HF models and firmware parameterization, is sensitive to the accuracy of the mapping x˙h(t)=Ahxh(t)+Bhu(t),yh(t)=Chxh(t)+Dhu(t),\dot{x}_h(t)=A_h x_h(t)+B_h u(t),\quad y_h(t)=C_h x_h(t)+D_h u(t),9, and may be weakened by model deviations such as unmodeled temperature dependence. The paper notes, however, that computational complexity is partly mitigated by the fact that both HF MPC and bi-level inverse MPC can be solved offline before one-time firmware deployment (Shen et al., 9 Jul 2025).

The framework is presented as generalizable beyond batteries. The paper lists power systems, autonomous vehicles and robotics, industrial control, and drones as representative CPS domains in which an HF/LF mismatch may exist between the defender’s operational model and the underlying physical dynamics. This suggests that D-STAB is best understood not as a battery-specific exploit, but as a general attack template for CPS whose safety monitoring is mediated by low-order or reduced-order models while richer dynamics remain unobserved.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Dual State-Space Fidelity Blade (D-STAB).