Robotics

RoboShield: Rust-based RTPS watchdog catches rogue ROS 2 nodes at 1.36μs

A 4th-year student’s Rust watchdog slashes real-time security overhead for ROS 2 fleets.

Deep Dive

RoboShield is a low-latency, out-of-band RTPS security watchdog written in Rust by robotics student Amin Ahmed. It runs on hardware like the NanoPi R2S with dual ethernet, passively sniffing DDS/RTPS packets via libpcap. By parsing raw RTPS submessages (DATA, HEARTBEAT, ACKNACK), it checks every packet’s GUID prefix against a TOML-based whitelist and tracks per-topic message rates with a sliding window to catch flood attacks. Logs are output as structured JSON, ready for SIEM ingestion or grep-based analysis.

Ahmed designed RoboShield as an alternative to SROS2, whose PKI certificate setup and crypto overhead can be problematic for real-time robotic fleets. In benchmarks on an x86 machine, it achieved ~1.36 μs average processing time per packet, well under the requirements for 1kHz control loops. The project targets ICRA/IEEE RAS and is open-source on GitHub. Future plans include benchmarking on the NanoPi R2S, promising a lightweight security layer that requires zero changes to existing ROS 2 nodes.

Key Points
  • Parses raw RTPS submessages (DATA, HEARTBEAT, ACKNACK) from UDP captures using libpcap
  • Achieves ~1.36 μs average processing time per packet on x86, suitable for 1kHz control loops
  • Out-of-band design: no node modifications required, runs on NanoPi R2S with dual ethernet

Why It Matters

Enables secure ROS 2 deployments without sacrificing real-time performance or complex PKI certificate management.

📬 Get the top 10 AI stories daily