Formal and Fuzzing Amplification: Targeting Vulnerability Detection in 5G and Beyond (2307.05758v1)

Published 11 Jul 2023 in cs.CR

Abstract: Softwarization and virtualization in 5G and beyond require rigorous testing against vulnerabilities and unintended emergent behaviors for critical infrastructure and network security assurance. Formal methods operate efficiently on protocol-level abstract specification models, while fuzz testing offers comprehensive experimental evaluation of system implementations. In this paper, we propose a novel framework that leverages the respective advantages and coverage of both formal and fuzzing methods to efficiently detect vulnerabilities hierarchically, from protocol logic to implementation stacks. Attack traces detected by formal verification of critical protocols guide the case generation of fuzz testing, and the feedback from fuzz testing in turn broadens the scope of the formal verification. We examine the proposed framework with the 5G Non-Standalone (NSA) security processes, focusing on the Radio Resource Control (RRC) connection process. We first identify protocol-level vulnerabilities of user credentials via formal methods. Following this, we implement bit-level fuzzing to evaluate the potential impacts and risks of integrity-vulnerable identifier variation. Concurrently, we conduct command-level mutation-based fuzzing with the assumed identifier fixed, to assess the potential impacts and risks of confidentiality-vulnerable identifiers. With this approach, we established one attack model and detected 53 vulnerabilities. The identified vulnerabilities, used to fortify protocol-level assumptions, further refine the search space for subsequent detection cycles. Consequently, the framework addresses the prevalent scalability challenges in detecting vulnerabilities and unintended emergent behaviors in large-scale systems in 5G and beyond.
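The abstract describes the loop only at a high level: a formal counterexample (an attack trace) seeds two fuzzing families, bit-level mutation of an identifier field and command-level mutation of the message sequence with the identifier pinned, and the results are fed back as refined assumptions for the next verification pass. The following is an added illustration of that loop, not code from the paper or from any 5G stack. The message names, the 40-bit identifier width, the toy RRC state machine with its two deliberate defects, and the finding oracles are all constructed assumptions chosen so the cycle can run offline.

```python
"""Added example (not the paper's code): a minimal formal-trace-guided fuzzing cycle."""

# Constructed attack trace, in the shape a formal model's counterexample would take:
# an ordered list of (message, fields), each field given as (bit_width, value).
# Names and the 40-bit width are illustrative assumptions, not values from the paper.
UE_ID = 0x1234567890  # fits in 40 bits
ATTACK_TRACE = [
    ("RRCConnectionRequest", {"ue_identity": (40, UE_ID)}),
    ("RRCConnectionSetup", {}),
    ("RRCConnectionSetupComplete", {"ue_identity": (40, UE_ID)}),
]
ID_BEARING = ("RRCConnectionRequest", "RRCConnectionSetupComplete")
COMMANDS = list(ID_BEARING) + ["RRCConnectionSetup", "RRCConnectionReject", "RRCConnectionRelease"]


def bit_level_cases(trace, field_name):
    """Integrity probe: one case per bit of `field_name` at every message that carries it."""
    cases = []
    for idx, (_, fields) in enumerate(trace):
        if field_name not in fields:
            continue
        width, value = fields[field_name]
        for bit in range(width):
            mutated = [(m, dict(f)) for m, f in trace]  # deep enough copy for flat fields
            mutated[idx][1][field_name] = (width, value ^ (1 << bit))
            cases.append((idx, bit, mutated))
    return cases


def command_level_cases(trace, fixed_id):
    """Command probe with the identifier pinned: drop, swap-adjacent and inject mutations."""
    def with_id(name):
        return (name, {"ue_identity": (40, fixed_id)}) if name in ID_BEARING else (name, {})
    base = [with_id(m) for m, _ in trace]
    cases = []
    for i in range(len(base)):
        cases.append(("drop", base[i][0], base[:i] + base[i + 1:]))
    for i in range(len(base) - 1):
        cases.append(("swap", base[i][0], base[:i] + [base[i + 1], base[i]] + base[i + 2:]))
    for pos in range(len(base) + 1):
        for cmd in COMMANDS:
            cases.append(("inject", cmd, base[:pos] + [with_id(cmd)] + base[pos:]))
    return cases


class ToyRrcStack:
    """Constructed stand-in for a network-side RRC implementation (not srsRAN or any real
    stack). Two deliberate defects play the role of the bugs a real run would surface:
    only the low 16 bits of the UE identity are compared, and RRCConnectionReject is
    silently ignored like any other unexpected command."""

    def __init__(self):
        self.state, self.bound_id, self.ignored = "IDLE", None, []

    def feed(self, msg, fields):
        ident = fields.get("ue_identity", (0, None))[1]
        if msg == "RRCConnectionRequest":
            self.state, self.bound_id = "SETUP_PENDING", ident
        elif msg == "RRCConnectionRelease":
            self.state, self.bound_id = "IDLE", None
        elif msg == "RRCConnectionSetup" and self.state == "SETUP_PENDING":
            self.state = "SETUP_SENT"
        elif msg == "RRCConnectionSetupComplete" and self.state == "SETUP_SENT":
            self.state = "CONNECTED" if (ident & 0xFFFF) == (self.bound_id & 0xFFFF) else "IDLE"
        else:
            self.ignored.append(msg)  # unexpected command dropped on the floor
        return self.state


def run_case(sequence):
    stack = ToyRrcStack()
    for msg, fields in sequence:
        stack.feed(msg, fields)
    return stack


def fuzz_cycle(trace):
    """One detection cycle: build both case families from the trace, run them, and turn the
    results into refined assumptions for the next formal-verification pass."""
    unchecked_bits = set()
    for _, bit, seq in bit_level_cases(trace, "ue_identity"):
        ids = {f["ue_identity"][1] for _, f in seq if "ue_identity" in f}
        if run_case(seq).state == "CONNECTED" and len(ids) > 1:
            unchecked_bits.add(bit)  # identifier varied, connection still accepted
    ignored_cmds = {}
    for _, _, seq in command_level_cases(trace, UE_ID):
        stack = run_case(seq)
        if stack.state == "CONNECTED" and stack.ignored:  # connected despite a dropped command
            for m in stack.ignored:
                ignored_cmds[m] = ignored_cmds.get(m, 0) + 1
    return {"unchecked_identity_bits": sorted(unchecked_bits),
            "silently_ignored_commands": ignored_cmds}


if __name__ == "__main__":
    print(fuzz_cycle(ATTACK_TRACE))
```

The two result sets are the feedback the abstract refers to: `unchecked_identity_bits` tells the formal model which part of the identifier the implementation actually binds (here bits 16 to 39 can be varied freely, so the "identity is integrity-checked" assumption must be narrowed to the low 16 bits), and `silently_ignored_commands` lists commands the stack accepts without acting on, with the ignored Reject being the case worth modelling as a new assumption. Against a real target the toy stack would be replaced by a harness that drives an actual RRC implementation and the oracle by state or crash observation; the case generation and feedback shape stay the same.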
