
Zero-trust vehicle security with Craton Shield

Why CAN IDS, SecOC, and V2X are converging on a single #![no_std] Rust stack — and what that means for Tier-1s and OEMs.

by Victor Bobrovskiy

UN R155 is now a fact for every vehicle type-approved in a UNECE country since July 2024. The regulation does not tell you how to build a secure vehicle — it tells you the evidence you need to produce, and implicitly the shape of the architecture that produces it.

The shape is converging. CAN and CAN-FD intrusion detection, SecOC for message authentication, V2X (IEEE 1609.2) for vehicle-to-vehicle, UDS for diagnostic gateways, SOME/IP for service-oriented ECUs. Each of these has an established reference implementation in C. None of them have a production-ready Rust answer — which is why we built Craton Shield.

The zero-heap constraint

AUTOSAR Classic targets and many AUTOSAR Adaptive targets run with no dynamic allocator. You get a fixed memory budget at link time and you stay inside it. Rust's default allocator and most Rust libraries assume otherwise. That makes #![no_std] and statically-bounded data structures the non-negotiable foundation.

Craton Shield Core runs with zero heap allocations. CAN frame IDS runs in under 500 nanoseconds on a Cortex-M7. The verification paths are constant-time where they need to be. The libraries are structured so that every size is known at compile time, which means every guarantee is known at certification time.
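As an added illustration of the compile-time-sized, zero-heap approach (example code written for this post, not Craton Shield's own), here is a CAN frame IDS whose allow-list and per-ID timing state are const-generic arrays; the IDs, DLCs and cycle-time thresholds are constructed values, not a real vehicle's.

```rust
// Added example (not Craton Shield code): a fixed-size CAN frame IDS using only
// core:: items, so it compiles unchanged under #![no_std]. Rules are constructed.
/// Classic CAN frame: 11- or 29-bit identifier, up to 8 data bytes.
#[derive(Clone, Copy)]
pub struct CanFrame { pub id: u32, pub dlc: u8, pub data: [u8; 8] }
/// Allow-list entry: expected DLC and minimum gap between frames of this ID.
#[derive(Clone, Copy)]
pub struct Rule { pub id: u32, pub dlc: u8, pub min_gap_us: u64 }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Verdict {
    Ok,
    UnknownId,   // ID not in the allow-list
    DlcMismatch, // known ID, unexpected payload length
    TooFrequent, // known ID arriving faster than its cycle time permits
}
/// IDS state sized at compile time by the rule count N: no heap, no growth.
pub struct CanIds<const N: usize> {
    rules: [Rule; N],
    last_ok_us: [Option<u64>; N],
    alerts: u32,
}
impl<const N: usize> CanIds<N> {
    pub const fn new(rules: [Rule; N]) -> Self {
        Self { rules, last_ok_us: [None; N], alerts: 0 }
    }
    /// Classify one frame given its receive timestamp in microseconds.
    pub fn inspect(&mut self, frame: &CanFrame, now_us: u64) -> Verdict {
        // Bounded linear search: N is fixed, so the worst case is known.
        let Some(i) = self.rules.iter().position(|r| r.id == frame.id) else {
            self.alerts += 1;
            return Verdict::UnknownId;
        };
        if frame.dlc != self.rules[i].dlc {
            self.alerts += 1;
            return Verdict::DlcMismatch;
        }
        // A suspect frame does not advance the timer, so a burst of spoofed
        // frames cannot make the genuine periodic frame look anomalous too.
        if let Some(last) = self.last_ok_us[i] {
            if now_us.saturating_sub(last) < self.rules[i].min_gap_us {
                self.alerts += 1;
                return Verdict::TooFrequent;
            }
        }
        self.last_ok_us[i] = Some(now_us);
        Verdict::Ok
    }
    pub fn alerts(&self) -> u32 { self.alerts }
}
```

Every size here is fixed by N at link time, which is what lets a timing or stack budget be stated for certification rather than measured after the fact.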

The seven verticals, one core

  • Shield Core (Apache-2.0): foundational IDS, crypto traits, tamper-evident logging, anomaly detection engine.
  • Shield Auto: AUTOSAR Adaptive integration, V2X 1609.2, ISO 26262, UDS gateway, SecOC.
  • Shield Embedded: IoT / wearables, BLE, MQTT-SN, CoAP, ultra-low-footprint crypto.
  • Shield Industrial: Modbus / OPC-UA / PROFINET IDS, IEC 62443.
  • Shield Medical: HL7 / FHIR message IDS, DICOM monitoring, IEC 62304.
  • Shield Avionics: ARINC 429 / 664 bus IDS, MIL-STD-1553, DO-178C DAL C readiness.
  • Shield Enterprise (BSL-1.1): HSM integration, post-quantum crypto, OTA orchestration.

The point of the structure is that the certification evidence is re-used. A Tier-1 building for ISO 26262 starts from the same Core as a medical-device OEM targeting IEC 62304. The deltas are the vertical modules, not a fork of the foundation.

What this changes for your program

If you are on a fresh ECU project: starting in Rust with #![no_std] is a fraction of the risk it would have been three years ago. The Ferrocene toolchain is qualified, embedded Rust tooling is mature, and the reference implementations of the protocols you care about are improving every quarter.

If you are mid-program in C++: the incremental path is FFI-bounded Rust modules for new services, while the existing code continues. The ROI is highest on the pieces that touch memory-unsafe parsing — CAN frame handling, diagnostic payload processing, OTA image verification.

Source: github.com/craton-co/craton-shield-core. Documentation: /docs/craton-shield.