pith. sign in

arxiv: 2606.17001 · v2 · pith:QKBGME4Vnew · submitted 2026-06-15 · 📡 eess.SY · cs.SY

Sandbox-Enabled Digital Twin for Cyber-Physical Systems

Meet Udeshi , Md Raz , Prashanth Krishnamurthy , Ramesh Karri , Farshad Khorrami This is my paper

Pith reviewed 2026-06-27 02:58 UTC · model grok-4.3

classification 📡 eess.SY cs.SY
keywords digital twincyber-physical systemssandboxside-channel analysisvulnerability detectioncontroller firmwareplant simulatorobservability
0
0 comments X

The pith

A Linux sandbox digital twin runs unmodified CPS controller binaries while capturing time-synchronized side channels and plant states to correlate execution with physical events.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents a closed-loop digital twin framework that places unmodified controller binaries inside a Linux sandbox with I/O rerouted to an external plant simulator. Four side channels—hardware performance counters, system calls, disk activity, and network activity—are recorded in lockstep with plant state variables. Orchestration hooks support automated, repeatable, parameterized test runs. The resulting traces aim to link internal software behavior directly to plant dynamics. This addresses the gap where traditional digital twins model controllers as black boxes and side-channel studies often rely on synthetic inputs disconnected from real plant evolution.

Core claim

The framework hosts unmodified controller binaries in a Linux sandbox (SaMOSA) with its I/O rerouted to an external plant simulator. The framework captures four time-synchronized side channels (hardware performance counters, system calls, disk activity, network activity) alongside plant state and provides orchestration hooks for automated, repeatable, parameterized runs. The synchronized traces correlate internal controller execution with plant events, providing an observability foundation for online testing, coverage analysis, and vulnerability detection. The approach is shown on an OpenPLC runtime controlling a Modbus-connected IEEE 14-bus power system.

What carries the argument

SaMOSA, a sandbox that runs unmodified controller binaries with I/O rerouted to a plant simulator while recording four time-synchronized side channels together with plant state.

Load-bearing premise

Running the controller binary inside the Linux sandbox with I/O rerouting preserves the original timing and behavior sufficiently to avoid masking real vulnerabilities or introducing artifacts that invalidate side-channel correlations with plant state.

What would settle it

A demonstration that the same plant input sequence produces measurably different side-channel traces or fails to trigger a known plant-state-dependent vulnerability inside the sandbox compared with bare-metal execution on the real controller.

Figures

Figures reproduced from arXiv: 2606.17001 by Farshad Khorrami, Md Raz, Meet Udeshi, Prashanth Krishnamurthy, Ramesh Karri.

Figure 1
Figure 1. Figure 1: Orchestration and execution framework for the closed-loop digital twin sandbox, including flow, I/O routing, and hooks. [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: PLC programming and execution timeline in the case [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Side channels from SaMOSA sandbox + power system [PITH_FULL_IMAGE:figures/full_fig_p003_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Adapting the digital twin framework and execution [PITH_FULL_IMAGE:figures/full_fig_p004_4.png] view at source ↗
read the original abstract

Firmware/software in cyber-physical system (CPS) embedded devices/controllers can have vulnerabilities stemming from multiple sources such as weak security practices, outdated libraries, or supply chain attacks that induce adversarial effects under plant state-based triggers. However, pre-deployment validation of CPS controllers typically relies on digital twins that model controller logic as a black box. On the other hand, side channel monitoring and anomaly detection of CPS controller firmware/software is complementary, but is typically exercised with synthetic inputs or under specific CPS operational profiles and does not simultaneously track software execution and CPS plant evolution. To bridge this gap, we present a closed-loop digital twin framework that hosts unmodified controller binaries in a Linux sandbox (SaMOSA) with its I/O rerouted to an external plant simulator. The framework captures four time-synchronized side channels (hardware performance counters, system calls, disk activity, network activity) alongside plant state and provides orchestration hooks for automated, repeatable, parameterized runs. We demonstrate the framework on an OpenPLC runtime controlling a Modbus-connected IEEE 14-bus power system, and also briefly discuss application to robotics systems. The synchronized traces correlate internal controller execution with plant events, providing an observability foundation for online testing, coverage analysis, and vulnerability detection.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper presents a closed-loop digital twin framework (SaMOSA) that executes unmodified CPS controller binaries inside a Linux sandbox with I/O rerouted to an external plant simulator. It captures four time-synchronized side channels (hardware performance counters, system calls, disk activity, network activity) together with plant state and provides orchestration for repeatable runs. The framework is demonstrated on an OpenPLC runtime controlling a Modbus-connected IEEE 14-bus power system, with the claim that the resulting traces enable observability for online testing, coverage analysis, and vulnerability detection.

Significance. If the sandboxed execution preserves timing and side-channel fidelity, the framework would offer a practical bridge between digital-twin plant simulation and low-level software observability that is currently missing from most CPS security toolchains. The approach is notable for targeting unmodified binaries and for explicitly synchronizing software-level traces with physical-state evolution.

major comments (2)
  1. [Abstract] Abstract: The central claim that the synchronized traces 'provide an observability foundation for ... vulnerability detection' is load-bearing on the assumption that Linux sandbox I/O rerouting and containerization preserve original controller timing and side-channel statistics; however, the manuscript supplies no quantitative comparison of execution timing, interrupt latency, or side-channel distributions between sandboxed and native runs on the target hardware.
  2. [Abstract] Abstract / Demonstration: The OpenPLC + IEEE 14-bus demonstration is described at the level of a working prototype without reported error metrics, timing jitter statistics, correlation coefficients between side channels and plant events, or any ablation showing that sandbox artifacts do not mask or fabricate plant-triggered behaviors.
minor comments (2)
  1. [Abstract] The abstract would benefit from an explicit enumeration of the four side channels and a one-sentence statement of how synchronization is achieved.
  2. A brief related-work paragraph contrasting SaMOSA with existing hardware-in-the-loop digital twins and with standalone side-channel monitors would help situate the contribution.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback highlighting the need for quantitative validation of sandbox fidelity and demonstration metrics. We address each major comment below and will incorporate the requested analyses in the revised manuscript.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The central claim that the synchronized traces 'provide an observability foundation for ... vulnerability detection' is load-bearing on the assumption that Linux sandbox I/O rerouting and containerization preserve original controller timing and side-channel statistics; however, the manuscript supplies no quantitative comparison of execution timing, interrupt latency, or side-channel distributions between sandboxed and native runs on the target hardware.

    Authors: We agree that direct quantitative comparisons are necessary to support the observability claims. The current manuscript focuses on framework design and integration but does not include benchmarks of timing preservation or side-channel fidelity. In revision, we will add measurements comparing execution timing, interrupt latency, and side-channel distributions (HPC, syscalls, disk, network) between sandboxed and native runs on equivalent hardware, including statistical tests for distribution similarity. revision: yes

  2. Referee: [Abstract] Abstract / Demonstration: The OpenPLC + IEEE 14-bus demonstration is described at the level of a working prototype without reported error metrics, timing jitter statistics, correlation coefficients between side channels and plant events, or any ablation showing that sandbox artifacts do not mask or fabricate plant-triggered behaviors.

    Authors: The demonstration currently illustrates the end-to-end workflow and trace synchronization but lacks the requested quantitative metrics. We will expand this section to report timing jitter statistics, error metrics for plant state synchronization, Pearson/Spearman correlations between side-channel events and plant state changes, and ablation experiments (e.g., comparing runs with/without specific sandbox features) to verify that no spurious plant-triggered behaviors are introduced or masked. revision: yes

Circularity Check

0 steps flagged

No circularity; framework description is self-contained

full rationale

The paper presents a systems engineering framework (SaMOSA sandbox with I/O rerouting, side-channel capture, and plant simulator integration) without any equations, fitted parameters, predictions, or mathematical derivations. The central claim—that synchronized traces provide an observability foundation—rests on the architectural description and a concrete demonstration (OpenPLC on IEEE 14-bus), not on any self-referential definitions, self-citation chains, or renamings that reduce to inputs. No load-bearing steps match the enumerated circularity patterns; the contribution is externally falsifiable via implementation and timing measurements.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The paper is an engineering systems contribution that introduces no mathematical free parameters, domain axioms, or invented physical entities; all components build on existing Linux sandboxing, simulator, and monitoring technologies.

pith-pipeline@v0.9.1-grok · 5757 in / 1121 out tokens · 45452 ms · 2026-06-27T02:58:24.250174+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

42 extracted references · 6 canonical work pages

  1. [1]

    Cybersecurity for control systems: A process-aware perspective,

    F. Khorrami, P. Krishnamurthy, and R. Karri, “Cybersecurity for control systems: A process-aware perspective,”IEEE Design & Test, vol. 33, no. 5, pp. 75–83, 2016

    2016

  2. [2]

    The Stuxnet computer worm: Harbinger of an emerging warfare capability,

    P. K. Kerr, J. W. Rollins, and C. A. Theohary, “The Stuxnet computer worm: Harbinger of an emerging warfare capability,” Congressional Research Service, Tech. Rep. R41524. [Online]. Available: https://ww w.congress.gov/crs external products/R/PDF/R41524/R41524.3.pdf

  3. [3]

    Vulnerabilities and attacks against industrial control systems and critical infrastructures,

    G. M. Makrakis, C. Kolias, G. Kambourakis, C. Rieger, and J. Benjamin, “Vulnerabilities and attacks against industrial control systems and critical infrastructures,”CoRR, vol. abs/2109.03945, 2021. [Online]. Available: https://arxiv.org/abs/2109.03945

    arXiv 2021

  4. [4]

    Kinsing v2,

    AQUASEC, “Kinsing v2,” https://www.aquasec.com/blog/threat-alert-k insing-malware-container-vulnerability/

  5. [5]

    Kinsing saltstack,

    Redcanary, “Kinsing saltstack,” https://redcanary.com/blog/threat-intelli gence/kinsing-malware-citrix-saltstack/

  6. [6]

    Ghost in the PLC: designing an unde- tectable programmable logic controller rootkit via pin control attack,

    A. Abbasi and M. Hashemi, “Ghost in the PLC: designing an unde- tectable programmable logic controller rootkit via pin control attack,” Black Hat Europe, pp. 1–35, 2016

    2016

  7. [7]

    PLC-blaster: A worm living solely in the PLC,

    R. Spenneberg, M. Br ¨uggemann, and H. Schwartke, “PLC-blaster: A worm living solely in the PLC,”Black Hat Asia, vol. 16, pp. 1–16, 2016

    2016

  8. [8]

    On ladder logic bombs in industrial control systems,

    N. Govil, A. Agrawal, and N. O. Tippenhauer, “On ladder logic bombs in industrial control systems,” inInternational Workshop on the Security of Industrial Control Systems and Cyber-Physical Systems. Springer, 2017, pp. 110–126

    2017

  9. [9]

    A large-scale analysis of the security of embedded firmwares,

    A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti, “A large-scale analysis of the security of embedded firmwares,” inProceedings of the 23rd USENIX Conference on Security Symposium, ser. SEC’14. USA: USENIX Association, 2014, p. 95–110

    2014

  10. [10]

    P2IM: Scalable and hardware- independent firmware testing via automatic peripheral interface modeling,

    B. Feng, A. Mera, and L. Lu, “P2IM: Scalable and hardware- independent firmware testing via automatic peripheral interface modeling,” in29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 2020, pp. 1237–1254. [Online]. Available: https://www.usenix.org/conference/usenixsecurity20/presentation/feng

    2020

  11. [11]

    Firmae: Towards large-scale emulation of iot firmware for dynamic analysis,

    M. Kim, D. Kim, E. Kim, S. Kim, Y . Jang, and Y . Kim, “FirmAE: towards large-scale emulation of IoT firmware for dynamic analysis,” ser. ACSAC ’20. New York, NY , USA: Association for Computing Machinery, 2020, p. 733–745. [Online]. Available: https://doi.org/10.1145/3427228.3427294

    work page doi:10.1145/3427228.3427294 2020

  12. [12]

    Everything you always wanted to know about embedded trace,

    T. B. Preußer, S. Gautham, A. D. Rajagopala, C. R. Elks, and A. Weiss, “Everything you always wanted to know about embedded trace,”Com- puter, vol. 55, no. 2, pp. 34–43, 2022

    2022

  13. [13]

    Challenges in firmware re-hosting, emulation, and analysis,

    C. Wright, W. A. Moeglein, S. Bagchi, M. Kulkarni, and A. A. Clements, “Challenges in firmware re-hosting, emulation, and analysis,” ACM Comput. Surv., vol. 54, no. 1, Jan. 2021. [Online]. Available: https://doi.org/10.1145/3423167

    work page doi:10.1145/3423167 2021

  14. [14]

    Digital twins for cyber-physical systems security: State of the art and outlook,

    M. Eckhart and A. Ekelhart, “Digital twins for cyber-physical systems security: State of the art and outlook,” inSecurity and Quality in Cyber- Physical Systems Engineering. Cham: Springer, 2019, pp. 383–412. [Online]. Available: https://doi.org/10.1007/978-3-030-25312-7 14

    work page doi:10.1007/978-3-030-25312-7 2019

  15. [15]

    Malicious firmware detection with hardware performance counters,

    X. Wang, C. Konstantinou, M. Maniatakos, R. Karri, S. Lee, P. Robison, P. Stergiou, and S. Kim, “Malicious firmware detection with hardware performance counters,”IEEE Transactions on Multi-Scale Computing Systems, vol. 2, no. 3, pp. 160–173, 2016

    2016

  16. [16]

    Anomaly detection in real- time multi-threaded processes using hardware performance counters,

    P. Krishnamurthy, R. Karri, and F. Khorrami, “Anomaly detection in real- time multi-threaded processes using hardware performance counters,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 666–680, 2020

    2020

  17. [17]

    Detecting hardware Trojans in PCBs using side channel loopbacks,

    H. Pearce, V . R. Surabhi, P. Krishnamurthy, J. Trujillo, R. Karri, and F. Khorrami, “Detecting hardware Trojans in PCBs using side channel loopbacks,”IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 30, no. 7, pp. 926–937, 2022

    2022

  18. [18]

    SaMOSA: sandbox for malware orchestration and side-channel analysis,

    M. Udeshi, V . S. C. Putrevu, P. Krishnamurthy, R. Karri, and F. Khor- rami, “SaMOSA: sandbox for malware orchestration and side-channel analysis,”arXiv preprint arXiv:2508.14261, 2025

    arXiv 2025

  19. [19]

    Multi-modal side channel data driven golden-free detection of software and firmware Trojans,

    P. Krishnamurthy, V . R. Surabhi, H. Pearce, R. Karri, and F. Khorrami, “Multi-modal side channel data driven golden-free detection of software and firmware Trojans,”IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 6, pp. 4664–4677, 2023

    2023

  20. [20]

    MUDDLE: multi-modal dynamic detector loopback evaluator to expose Trojans in zero-trust PCB systems,

    P. Krishnamurthy, H. Pearce, V . R. Surabhi, J. Trujillo, R. Karri, and F. Khorrami, “MUDDLE: multi-modal dynamic detector loopback evaluator to expose Trojans in zero-trust PCB systems,”IEEE Micro, 2024, early access available on-line on IEEE

    2024

  21. [21]

    Real-time multi-modal subcomponent-level measurements for trustworthy system monitoring and malware detection,

    F. Khorrami, R. Karri, and P. Krishnamurthy, “Real-time multi-modal subcomponent-level measurements for trustworthy system monitoring and malware detection,”arXiv preprint arXiv:2501.13081, 2025

    arXiv 2025

  22. [22]

    Tamper-proof network traffic measurements on a nic for intrusion detection,

    M. Udeshi, P. Krishnamurthy, R. Karri, and F. Khorrami, “Tamper-proof network traffic measurements on a nic for intrusion detection,”IEEE Transactions on Network and Service Management, vol. 22, no. 2, pp. 2214–2224, 2024

    2024

  23. [23]

    Tracking real- time anomalies in cyber-physical systems through dynamic behavioral analysis,

    P. Krishnamurthy, A. Rasteh, R. Karri, and F. Khorrami, “Tracking real- time anomalies in cyber-physical systems through dynamic behavioral analysis,”Journal of Cybersecurity and Privacy, vol. 6, no. 2, 2026

    2026

  24. [24]

    Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares,

    J. Zaddach, L. Bruno, A. Francillon, and D. Balzarotti, “Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares,” inNDSS 2014, Network and Distributed System Security Symposium, 23-26 February 2014, San Diego, USA, ISOC, Ed., 2014

    2014

  25. [25]

    Towards automated dynamic analysis for linux-based embedded firmware

    D. D. Chen, M. Woo, D. Brumley, and M. Egele, “Towards automated dynamic analysis for linux-based embedded firmware.” inNDSS, 2016

    2016

  26. [26]

    HALucinator: Firmware re-hosting through abstraction layer emulation,

    A. A. Clements, E. Gustafson, T. Scharnowski, P. Grosen, D. Fritz, C. Kruegel, G. Vigna, S. Bagchi, and M. Payer, “HALucinator: Firmware re-hosting through abstraction layer emulation,” in29th USENIX Secu- rity Symposium (USENIX Security 20). USENIX Association, Aug. 2020, pp. 1201–1218

    2020

  27. [27]

    OpenPLC: an open source alternative to automation,

    T. R. Alves, M. Buratto, F. M. de Souza, and T. V . Rodrigues, “OpenPLC: an open source alternative to automation,” inIEEE Global Humanitarian Technology Conference (GHTC 2014), 2014

    2014

  28. [28]

    OpenPLC – Open-source PLC programming environment and run-time for industrial automation,

    Autonomy, “OpenPLC – Open-source PLC programming environment and run-time for industrial automation,” https://autonomylogic.com. [29]MODBUS Application Protocol Specification, V1.1b3 ed., Modbus Organization. [Online]. Available: https://www.modbus.org/file/secure /modbusprotocolspecification.pdf [30]IEC 61131-3:2025: Programming languages, International ...

    2025

  29. [29]

    ROS - Robot Operating System,

    “ROS - Robot Operating System,” https://www.ros.org

  30. [30]

    Robot Operating System 2: Design, architecture, and uses in the wild,

    S. Macenski, T. Foote, B. Gerkey, C. Lalancette, and W. Woodall, “Robot Operating System 2: Design, architecture, and uses in the wild,” Science Robotics, vol. 7, no. 66, p. eabm6074, 2022. [Online]. Available: https://www.science.org/doi/abs/10.1126/scirobotics.abm6074

    work page doi:10.1126/scirobotics.abm6074 2022

  31. [31]

    Isaac Sim,

    NVIDIA, “Isaac Sim,” https://github.com/isaac-sim/IsaacSim

  32. [32]

    Dynamic malware analysis in the modern era—a state of the art survey,

    O. Or-Meir, N. Nissim, Y . Elovici, and L. Rokach, “Dynamic malware analysis in the modern era—a state of the art survey,” ACM Comput. Surv., vol. 52, no. 5, Sep. 2019. [Online]. Available: https://doi.org/10.1145/3329786

    work page doi:10.1145/3329786 2019

  33. [33]

    Towards security-aware virtual environments for digital twins,

    M. Eckhart and A. Ekelhart, “Towards security-aware virtual environments for digital twins,” inProceedings of the 4th ACM Workshop on Cyber-Physical System Security, ser. CPSS ’18. New York, NY , USA: Association for Computing Machinery, 2018, p. 61–72. [Online]. Available: https://doi.org/10.1145/3198458.3198464

    work page doi:10.1145/3198458.3198464 2018

  34. [34]

    A digital twin based industrial automation and control system security architecture,

    C. Gehrmann and M. Gunnarsson, “A digital twin based industrial automation and control system security architecture,”IEEE Transactions on Industrial Informatics, vol. 16, no. 1, pp. 669–680, 2020

    2020

  35. [35]

    QEMU Emulator,

    QEMU, “QEMU Emulator,” https://www.qemu.org/docs/master/about/i ndex.html

  36. [36]

    Sysdig, “Sysdig,” https://github.com/draios/sysdig

  37. [37]

    FakeNet-NG,

    Mandiant, “FakeNet-NG,” https://github.com/mandiant/flare-fakenet-ng

  38. [38]

    IEEE 14 Bus System,

    PSCAD, “IEEE 14 Bus System,” Knowledge Base article, Feb. 2022. [Online]. Available: https://www.pscad.com/knowledge-base/article/26

    2022

  39. [39]

    pandapower — an open-source python tool for convenient modeling, analysis, and optimization of electric power systems,

    L. Thurner, A. Scheidler, F. Sch ¨afer, J. Menke, J. Dollichon, F. Meier, S. Meinecke, and M. Braun, “pandapower — an open-source python tool for convenient modeling, analysis, and optimization of electric power systems,”IEEE Transactions on Power Systems, vol. 33, no. 6, pp. 6510– 6521, Nov 2018

    2018

  40. [40]

    pandapower open source tool for power system modeling, analysis and optimization,

    pandapower, “pandapower open source tool for power system modeling, analysis and optimization,” https://www.pandapower.org/

  41. [41]

    Smart malware that uses leaked control data of robotic applications: The case of Raven-II surgical robots,

    K. Chung, X. Li, P. Tang, Z. Zhu, Z. T. Kalbarczyk, R. K. Iyer, and T. Kesavadas, “Smart malware that uses leaked control data of robotic applications: The case of Raven-II surgical robots,” in22nd International Symposium on Research in Attacks, Intrusions and Defenses. USENIX Association, Sep. 2019, pp. 337–351

    2019

  42. [42]

    Checking consistency of robot software ar- chitectures in ros,

    T. Witte and M. Tichy, “Checking consistency of robot software ar- chitectures in ros,” inInternational Workshop on Robotics Software Engineering, ser. RoSE ’18. ACM, 2018, p. 1–8

    2018