Detecting dynamical vulnerabilities in cyber-physical systems (CPS) — where erroneous control code triggers hazardous physical behaviors — remains challenging due to tight software–physics coupling and path explosion induced by periodic execution. To address this, we propose a novel method integrating control-flow analysis with high-fidelity reachability reasoning. Our approach introduces Deep Bernstein Neural Networks to compute tight, differentiable approximations of reachable sets; combines Signal Temporal Logic (STL) for safety specification, prioritized execution-path enumeration, and dynamic guidance to steer exploration. Evaluated on a water-tank system and an automotive engine PID controller, our method achieves up to 98.27% higher vulnerability detection rate than state-of-the-art techniques, while demonstrating strong scalability and practical deployability.

Detecting kinetic vulnerabilities in Cyber-Physical Systems (CPS), vulnerabilities in control code that can precipitate hazardous physical consequences, is a critical challenge. This task is complicated by the need to analyze the intricate coupling between complex software behavior and the system's physical dynamics. Furthermore, the periodic execution of control code in CPS applications creates a combinatorial explosion of execution paths that must be analyzed over time, far exceeding the scope of traditional single-run code analysis. This paper introduces RampoNN, a novel framework that systematically identifies kinetic vulnerabilities given the control code, a physical system model, and a Signal Temporal Logic (STL) specification of safe behavior. RampoNN first analyzes the control code to map the control signals that can be generated under various execution branches. It then employs a neural network to abstract the physical system's behavior. To overcome the poor scaling and loose over-approximations of standard neural network reachability, RampoNN uniquely utilizes Deep Bernstein neural networks, which are equipped with customized reachability algorithms that yield orders of magnitude tighter bounds. This high-precision reachability analysis allows RampoNN to rapidly prune large sets of guaranteed-safe behaviors and rank the remaining traces by their potential to violate the specification. The results of this analysis are then used to effectively guide a falsification engine, focusing its search on the most promising system behaviors to find actual vulnerabilities. We evaluated our approach on a PLC-controlled water tank system and a switched PID controller for an automotive engine. The results demonstrate that RampoNN leads to acceleration of the process of finding kinetic vulnerabilities by up to 98.27% and superior scalability compared to other state-of-the-art methods.