RustShield Gateway is a Rust-based MAVLink security validation gateway for controlled SITL/laboratory workflows. It sits between a Ground Control Station and a MAVLink vehicle or simulator, observes traffic, applies semantic command policies, and produces logs, metrics and evidence for security review.
It is for UAV integrators, drone security labs, critical infrastructure inspection teams, defense / dual-use R&D groups and academic robotics/security labs that need a controlled way to study high-risk MAVLink command behavior.
Today, this repository can demonstrate a loopback lab flow:
GCS/SITL traffic -> RustShield Gateway -> MAVLink policy decision -> logs, metrics and evidence
It does not claim formal flight-safety approval, production readiness, real UAV flight validation, complete MAVLink security coverage or replacement for autopilot hardening.
RustShield evaluates selected high-risk MAVLink traffic using:
- semantic command policy for critical/high-risk MAVLink commands;
- conservative flight-state context from `HEARTBEAT`;
- MAVLink signing observe/audit/enforce laboratory paths;
- shadow enforcement for non-blocking impact assessment;
- read-only logs and metrics for evidence capture;
- reproducible local checks and public evidence summaries.
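The sketch below is an added example, not code from the RustShield repository. It shows how a semantic command policy can combine conservative `HEARTBEAT` context with shadow enforcement. The `Gateway`, `FlightState`, `Mode` and `Decision` names and the rule set are assumptions made for illustration; the numeric constants are standard MAVLink values.

```rust
// Added illustration: types and rules are hypothetical, not RustShield's API.
const MAV_MODE_FLAG_SAFETY_ARMED: u8 = 128; // bit in HEARTBEAT.base_mode
const MAV_CMD_PREFLIGHT_CALIBRATION: u16 = 241;
const MAV_CMD_PREFLIGHT_REBOOT_SHUTDOWN: u16 = 246;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum FlightState { Unknown, Disarmed, Armed }
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Mode { Shadow, Enforce }
#[derive(Debug, PartialEq)]
pub enum Decision { Forward, ShadowWouldBlock, Block }

pub struct Gateway { pub state: FlightState, pub shadow_hits: u64 }

impl Gateway {
    /// No HEARTBEAT seen yet, so the vehicle state starts as Unknown.
    pub fn new() -> Self { Gateway { state: FlightState::Unknown, shadow_hits: 0 } }

    /// Refresh flight-state context from the base_mode field of a HEARTBEAT.
    pub fn on_heartbeat(&mut self, base_mode: u8) {
        self.state = if base_mode & MAV_MODE_FLAG_SAFETY_ARMED != 0 {
            FlightState::Armed
        } else {
            FlightState::Disarmed
        };
    }

    /// Decide on the command id of a COMMAND_LONG (constructed rule set).
    pub fn decide(&mut self, command: u16, mode: Mode) -> Decision {
        let high_risk = matches!(command,
            MAV_CMD_PREFLIGHT_CALIBRATION | MAV_CMD_PREFLIGHT_REBOOT_SHUTDOWN);
        // Conservative: Unknown is treated like Armed, never like Disarmed.
        let violates = high_risk && self.state != FlightState::Disarmed;
        match (violates, mode) {
            (false, _) => Decision::Forward,
            (true, Mode::Shadow) => { self.shadow_hits += 1; Decision::ShadowWouldBlock }
            (true, Mode::Enforce) => Decision::Block,
        }
    }
}

fn main() {
    let mut gw = Gateway::new();
    println!("{:?}", gw.decide(MAV_CMD_PREFLIGHT_REBOOT_SHUTDOWN, Mode::Shadow));
    gw.on_heartbeat(0); // constructed HEARTBEAT: armed bit clear
    println!("{:?}", gw.decide(MAV_CMD_PREFLIGHT_REBOOT_SHUTDOWN, Mode::Enforce));
}
```

In shadow mode the command is still forwarded; only the counter records that enforcement would have blocked it.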
RustShield is useful when the cost, risk or ownership constraints of modifying autopilot firmware make external command-path controls a practical first step.
It helps UAV teams observe MAVLink command behavior, evaluate high-risk command policies, test shadow enforcement impact and collect evidence before committing to deeper firmware, platform or operational changes.
- MAVLink UDP/SITL gateway.
- ArduPilot Copter SITL as the primary documented workflow.
- QGroundControl-oriented laboratory topology.
- Critical/high-risk MAVLink command policy.
- MAVLink signing observe/audit/enforce laboratory validation paths.
- Shadow enforcement counters and events.
- Read-only `/healthz` and `/metrics` observability.
- Public evidence summaries and reproducibility checks.
- Limited PX4 heartbeat fixtures and smoke tests, with PX4 modes treated conservatively as `Unknown`.
- Serial transport validated only against virtual PTY devices.
- No real UAV flight readiness.
- No formal assurance approval.
- No hardware/radio validation.
- No production Serial/radio support.
- No complete PX4 mode-policy support.
- No complete MAVLink security coverage.
- No hard real-time performance guarantee.
- No replacement for platform hardening, key management or network segmentation.
```
cargo fmt --check
cargo clippy --all-targets --all-features -- -D warnings
cargo test
```
Supply-chain checks used by the project:
```
cargo audit
cargo deny check
```
The public demo is loopback-only and does not require real hardware, radios, QGroundControl or an autopilot.
```
./scripts/run-public-demo.sh
```
The demo flow is:
GCS/SITL traffic
-> RustShield Gateway
-> MAVLink parser and flight-state context
-> semantic command policy decision
-> structured logs, read-only metrics and evidence summary
See docs/demo.md.
See docs/evidence/latest/ for public, sanitized evidence summaries.
The public evidence pack is a summary. It is not a certification package and it does not include private laboratory history, raw internal logs or customer material.
See COMMERCIAL.md for assessment, laboratory pilot and partner integration options.
- External Gateway Approach
- Who Is This For?
- Commercial Pilot Package
- Market Positioning
- Use Cases
- GitHub Visibility Checklist
- Proposed GitHub Issues
- Public Scope
- Public Claims
- Limitations
- Responsible Use
- Demo
- Evidence Summary
- Public Roadmap
- Product Brief
- Assessment Offer
- Architecture Summary
- Threat Model Summary
- Policy Catalog Summary
- Policy Matrix
- Test Coverage Summary
- Fixtures Summary
- Evidence Ladder
- Signing Lab Summary
- Observability Summary
Please read SECURITY.md before reporting vulnerabilities or using the project in a lab.
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE)
- MIT License (LICENSE-MIT)
at your option.
