Craton Shield

Embedded intrusion detection and prevention runtime for safety-critical systems.

#![no_std] | zero-heap | ~280 KiB flash | 3,200+ tests | 122K lines of Rust

Craton Shield is a modular, multi-domain cybersecurity runtime for resource-constrained embedded devices. It provides real-time intrusion detection, network firewalling, cryptographic integrity, secure boot, and OTA validation -- all without dynamic memory allocation.

Domains

| Domain | Layer | Crates | Protocols |
|---|---|---|---|
| Core | Shared security primitives | 21 | CAN, Ethernet, SOME/IP |
| Automotive | Vehicle-specific IDS | 7 | AUTOSAR, V2X, UDS, Signal IDS |
| Embedded IoT | Constrained device monitoring | 8 | MQTT, CoAP, BLE, Zigbee, LoRa, Modbus |
| Industrial | OT/ICS protocol monitoring | 11 | Modbus, OPC UA, PROFINET, EtherNet/IP, DNP3, BACnet, S7comm, IEC 60870, IEC 61850 |

Architecture

Layer 3  INTEGRATION     vs-runtime, vs-ids-engine, vs-ffi
Layer 2  SUBSYSTEMS      vs-crypto, vs-netfw, vs-policy-engine, vs-anomaly, ...
Layer 1  HAL             vs-hal (traits), vs-hal-linux (Linux impl)
Layer 0  TYPES           vs-types (shared enums, structs, errors)

Dependencies flow strictly downward. Domain layers (auto, embedded, industrial) extend the core stack with protocol-specific monitors and runtimes.

Full architecture documentation: core/docs/architecture.md

Performance

All operations fit within a 10 µs CAN gateway budget (x86_64, release profile):

| Operation | Latency |
|---|---|
| CAN frame (5 detectors) | ~265 ns |
| Ethernet inspection | ~28 ns |
| Firewall (128 rules) | ~166 ns |
| Policy engine (64 rules) | ~199 ns |
| Runtime tick (idle) | ~73 ns |
| AES-128-GCM (256 B) | ~907 ns |

See core/docs/performance-results.md for full benchmarks.

Quick Start

# Requirements: Rust 1.82+
rustup update stable

# Build the entire workspace
cargo build --workspace

# Run all tests
cargo test --workspace

# Check no_std compatibility (Cortex-M)
rustup target add thumbv7em-none-eabihf
cargo check --target thumbv7em-none-eabihf -p vs-types -p vs-crypto -p vs-runtime

# Run local CI (mirrors GitHub Actions)
./scripts/local-ci.sh --fast

Workspace

Core (21 crates)

| Crate | Description |
|---|---|
| vs-types | Shared types, error enums, constants |
| vs-crypto | AES-256-GCM, SHA-256, HMAC, ECDSA P-256, ECDH |
| vs-key-manager | Key storage, rotation, and lifecycle |
| vs-secure-boot | Boot chain attestation with TPM support |
| vs-can-monitor | CAN bus IDS (flood, DLC, fuzzing, replay) |
| vs-eth-monitor | Ethernet IDS (ARP/DHCP anomaly, SOME/IP) |
| vs-ids-engine | CAN/Ethernet correlation engine |
| vs-anomaly | EWMA-based anomaly scoring |
| vs-integrity | Constant-time integrity verification |
| vs-netfw | Network firewall (128 rules, L3/L4) |
| vs-ota-validator | TUF/Uptane OTA metadata validation |
| vs-event-logger | HMAC-chained tamper-evident audit log |
| vs-policy-engine | Hierarchical rule evaluation engine |
| vs-storage | Persistent storage abstraction |
| vs-runtime | Main orchestrator / tick loop |
| vs-ffi | C FFI bindings (cbindgen) |
| vs-hal | Hardware abstraction traits |
| vs-hal-linux | Linux HAL (SocketCAN, raw Ethernet) |
| vs-report-iec62443 | IEC 62443 compliance report generator |
| vs-report-iso21434 | ISO/SAE 21434 compliance report generator |
| vs-report-iec62304 | IEC 62304 compliance report generator |

Automotive (7 crates)

| Crate | Description |
|---|---|
| vs-types-auto | Automotive-specific types |
| vs-autosar | AUTOSAR Adaptive integration |
| vs-v2x | V2X message validation |
| vs-signal-ids | Signal-level anomaly detection |
| vs-diag-gateway | UDS diagnostic gateway (0x27 SecurityAccess) |
| vs-runtime-auto | Automotive runtime orchestrator |
| vs-ffi-auto | Automotive C FFI bindings |

Embedded IoT (8 crates)

| Crate | Description |
|---|---|
| vs-types-embedded | Embedded IoT types |
| vs-mqtt-monitor | MQTT protocol monitor |
| vs-coap-monitor | CoAP protocol monitor |
| vs-ble-monitor | BLE protocol monitor |
| vs-zigbee-monitor | Zigbee protocol monitor |
| vs-lora-monitor | LoRa protocol monitor |
| vs-modbus-monitor-emb | Modbus monitor (embedded) |
| vs-runtime-embedded | Embedded runtime orchestrator |

Industrial (11 crates)

| Crate | Description |
|---|---|
| vs-types-ind | Industrial types |
| vs-modbus-monitor-ind | Modbus TCP/RTU monitor |
| vs-opcua-monitor | OPC UA protocol monitor |
| vs-profinet-monitor | PROFINET protocol monitor |
| vs-ethernetip-monitor | EtherNet/IP protocol monitor |
| vs-dnp3-monitor | DNP3 protocol monitor |
| vs-bacnet-monitor | BACnet protocol monitor |
| vs-s7comm-monitor | S7comm protocol monitor |
| vs-iec60870-monitor | IEC 60870-5-104 protocol monitor |
| vs-iec61850-monitor | IEC 61850 MMS/GOOSE monitor |
| vs-runtime-ind | Industrial runtime orchestrator |

Standards Alignment

| Standard | Domain | Status |
|---|---|---|
| ISO/SAE 21434 | Automotive cybersecurity | Designed to support |
| UN R155 | Vehicle type approval | Technical controls implemented |
| ISO 26262 ASIL-B | Functional safety | Targeting (not certified) |
| AUTOSAR AP R22-11 | Automotive software | ARXML manifest provided |
| IEC 62443 | Industrial cybersecurity | Report generator included |
| IEC 62304 | Medical device software | Report generator included |

Design Principles

  • No heap allocation -- all data structures are stack-allocated with fixed capacities
  • No unsafe code -- unsafe_code = "deny" enforced workspace-wide (except FFI boundary)
  • No std -- every crate compiles for thumbv7em-none-eabihf (Cortex-M4F)
  • Default-deny -- firewall, policy engine, and diagnostic gateway deny by default
  • Constant-time comparison -- integrity checks use subtle::ConstantTimeEq
  • HMAC-chained logging -- tamper-evident audit trail with cryptographic chain
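As an added example (not the project's vs-netfw code), here is how the "no heap", "no std" and "default-deny" principles combine in a fixed-capacity L3/L4 rule table: only `core` items are used, capacity is a compile-time constant, and a packet that matches no rule is denied. The `Rule`/`Packet` fields and the `PROTO_*` constants are assumptions for the illustration.

```rust
// Added example, not the project's API. Uses only `core`, so it is
// heap-free and no_std compatible; capacity N is fixed at compile time.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Action { Allow, Deny }

// Hypothetical IPv4 protocol numbers used by the example.
pub const PROTO_TCP: u8 = 6;
pub const PROTO_UDP: u8 = 17;

#[derive(Clone, Copy, Debug)]
pub struct Rule {
    pub src: [u8; 4],
    pub src_mask: [u8; 4],     // e.g. [255,255,255,0] for a /24
    pub proto: Option<u8>,     // None = any protocol
    pub dst_port: Option<u16>, // None = any destination port
    pub action: Action,
}

#[derive(Clone, Copy, Debug)]
pub struct Packet { pub src: [u8; 4], pub proto: u8, pub dst_port: u16 }

impl Rule {
    fn matches(&self, p: &Packet) -> bool {
        let same_net = (0..4).all(|i| p.src[i] & self.src_mask[i] == self.src[i] & self.src_mask[i]);
        same_net
            && self.proto.map_or(true, |pr| pr == p.proto)
            && self.dst_port.map_or(true, |port| port == p.dst_port)
    }
}

#[derive(Debug)]
pub struct TableFull;

/// Stack-allocated rule table; `push` fails instead of growing.
pub struct Firewall<const N: usize> { rules: [Option<Rule>; N], len: usize }

impl<const N: usize> Firewall<N> {
    pub const fn new() -> Self { Firewall { rules: [None; N], len: 0 } }

    pub fn push(&mut self, r: Rule) -> Result<(), TableFull> {
        if self.len == N { return Err(TableFull); }
        self.rules[self.len] = Some(r);
        self.len += 1;
        Ok(())
    }

    /// First matching rule wins; no match falls through to Deny.
    pub fn evaluate(&self, p: &Packet) -> Action {
        self.rules[..self.len].iter().flatten()
            .find(|r| r.matches(p)).map_or(Action::Deny, |r| r.action)
    }
}
```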

Enterprise Edition

Craton Shield Enterprise adds hardware-backed cryptography (PKCS#11, TPM 2.0), QNX RTOS support, and fleet telemetry under a Business Source License.

Contributing

See CONTRIBUTING.md for development setup, coding standards, and pull request guidelines. All contributions require a Developer Certificate of Origin sign-off (git commit -s).

See also: Governance | Maintainers | Acknowledgments | Installation | Architecture

License

Licensed under the Apache License, Version 2.0.

Copyright 2026 Craton Software Company
SPDX-License-Identifier: Apache-2.0