CovFUZZ: Coverage-based fuzzer for 4G&5G protocols

Ilja Siroš, Dave Singelée, Bart Preneel
2024-10-28
Abstract: 4G and 5G represent the current cellular communication standards utilized daily by billions of users for various applications. Consequently, ensuring the security of 4G and 5G network implementations is critically important. This paper introduces an automated fuzzing framework designed to test the security of 4G and 5G attach procedure implementations. Our framework provides a comprehensive solution for uplink and downlink fuzzing in 4G, as well as downlink fuzzing in 5G, while supporting fuzzing on all layers except the physical layer. To guide the fuzzing process, we introduce a novel algorithm that assigns probabilities to packet fields and adjusts these probabilities based on coverage information from the device-under-test (DUT). For cases where coverage information from the DUT is unavailable, we propose a novel methodology to estimate it. When evaluating our framework, we first run the random fuzzing experiments, where the mutation probabilities are fixed throughout the fuzzing, and give an insight into how those probabilities should be chosen to optimize the Random fuzzer to achieve the best coverage. Next, we evaluate the efficiency of the proposed coverage-based algorithms by fuzzing open-source 4G stack (srsRAN) instances and show that the fuzzer guided by our algorithm outperforms the optimized Random fuzzer in terms of DUT's code coverage. In addition, we run fuzzing tests on 12 commercial off-the-shelf (COTS) devices. In total, we discovered vulnerabilities in 10 COTS devices and all of the srsRAN 4G instances.
Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the security of 4G and 5G network implementations, in particular vulnerabilities in the attach procedure. Specifically, the paper introduces a coverage-based fuzzer that automates the security testing of 4G and 5G attach procedure implementations. The framework can fuzz the 4G uplink and downlink as well as the 5G downlink, and supports testing of all protocol layers except the physical layer.

### Main contributions of the paper

1. **Fuzzing framework**: Built on the open-source projects srsRAN and Open5Gs, a fuzzing framework for 4G uplink and downlink and 5G downlink fuzzing is constructed. It can mutate packets on every layer (except the physical layer) of the 4G and 5G protocol stacks.
2. **Field mutation probability**: The concept of a per-field mutation probability is introduced, and two fuzzers are implemented: the Random fuzzer and the Coverage-based fuzzer. Through a large number of experiments, the optimal initial mutation probability for the Random fuzzer is determined.
3. **Coverage-based fuzzing algorithm**: A novel gray-box fuzzing algorithm is proposed that uses coverage feedback to fuzz 4G and 5G networks efficiently. For the case where coverage information from the target device (DUT) cannot be obtained, an estimation method is also proposed: it estimates the DUT's coverage from the code coverage of the open-source base station and user equipment instances that generate the benign packets.
4. **Performance evaluation**: Using code coverage as the metric, the efficiency of the implemented fuzzers is evaluated. The results show that the Coverage-based fuzzer outperforms the optimized Random fuzzer both in the gray-box scenario (increasing downlink coverage by 47.6% and uplink coverage by 11.9%) and in the black-box scenario (increasing downlink coverage by 23.9% and uplink coverage by 11.3%).
5. **Practical application**: Fuzz testing was performed on 12 commercial off-the-shelf (COTS) 4G and 5G devices; vulnerabilities were found in 10 COTS devices and in all srsRAN 4G instances.

### Framework architecture

1. **4G/5G protocol stack implementation**: Responsible for generating benign packets. The srsRAN 4G suite generates the 4G benign packets; the srsRAN project and Open5Gs generate the 5G benign packets. Packet interception hooks, LLVM addresses, and coverage instrumentation are integrated into these open-source instances.
2. **Target device (DUT)**: The target of the fuzzing. For 4G and 5G downlink fuzzing the DUT can be one of various devices, such as a mobile phone, an IoT device, a simulated User Equipment (UE), or a stand-alone 4G/5G modem. For 4G uplink fuzzing the DUT is an eNodeB or an EPC.
3. **Fuzz controller**: The key component that coordinates the entire fuzzing process. Its main responsibilities are receiving intercepted packets and sending fuzzed packets over the shared-memory interface, logging the fuzzing process, monitoring the state of each framework component and restarting it if necessary, starting and terminating the fuzzing process, and collecting coverage feedback from the 4G/5G protocol stack components.

### Fuzz testing methods

1. **Packet operations**: Two packet operations are supported: Replay and Mutation. Replay replaces the intercepted packet entirely, while Mutation operates on a single field of the packet.
2. **Creating patches**: The patch class is the basic building block of packet fuzzing, and two patch types are supported: MutationPatch (which holds a set of mutations to apply to the packet) and ReplayPatch (which holds a Replay instance that replaces the intercepted packet).
3. **Creating seeds**: A seed encapsulates all patches applied to the packet in one fuzzing iteration. Storing seeds makes it possible to replicate fuzzing iterations exactly and ensures the repeatability of experiments.

### Conclusion

By proposing a coverage-based fuzzing framework, this paper significantly improves the security testing of 4G and 5G network implementations, discovers vulnerabilities in multiple commercial devices and open-source implementations, and provides a powerful tool for future security research.
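As an added illustration (not code from the paper or the CovFUZZ project), the following Python sketch ties together the per-field mutation probabilities, the MutationPatch/ReplayPatch/Seed abstractions and the coverage-feedback loop described above. The packet fields, the stand-in DUT coverage function and the multiplicative probability update rule are assumptions of this example; the page does not give the paper's actual update rule.

```python
import random
from collections import namedtuple

# Constructed packet: named fields standing in for one intercepted 4G/5G message
BENIGN = {"msg_type": 0x41, "sec_hdr": 0, "ue_id": 7, "ue_cap": 3, "esm": 1}

MutationPatch = namedtuple("MutationPatch", "field value")  # rewrite one field
ReplayPatch = namedtuple("ReplayPatch", "packet")           # replace the whole packet
Seed = namedtuple("Seed", "patches")  # all patches of one iteration; store to replay it

def apply_seed(packet, seed):
    out = dict(packet)
    for p in seed.patches:
        out = dict(p.packet) if isinstance(p, ReplayPatch) else {**out, p.field: p.value}
    return out

class CoverageFuzzer:
    """Per-field mutation probabilities, adjusted from DUT coverage feedback."""
    def __init__(self, fields, init_prob=0.2, rng_seed=0):
        self.probs = {f: init_prob for f in fields}
        self.rng = random.Random(rng_seed)
        self.seen = set()  # coverage edges observed so far in the campaign

    def next_seed(self):
        # every field is mutated independently with its current probability
        return Seed([MutationPatch(f, self.rng.randrange(256))
                     for f, p in self.probs.items() if self.rng.random() < p])

    def feedback(self, seed, edges):
        """Assumed update rule: boost fields whose mutation hit new edges, cool the rest."""
        new = set(edges) - self.seen
        self.seen |= new
        for p in seed.patches:
            if isinstance(p, MutationPatch):
                self.probs[p.field] = min(0.9, max(0.01, self.probs[p.field] * (1.5 if new else 0.8)))
        return len(new)

def dut_coverage(packet):
    """Stand-in for coverage feedback from an instrumented DUT (constructed edge names)."""
    edges = {"parse"}
    if packet["msg_type"] != 0x41: edges.add("unknown_msg_type")
    if packet["ue_cap"] > 200: edges.add("cap_length_check")
    return edges

def campaign(iterations=200):
    fz = CoverageFuzzer(BENIGN)
    for _ in range(iterations):
        s = fz.next_seed()
        fz.feedback(s, dut_coverage(apply_seed(BENIGN, s)))
    return fz
```

Running `campaign()` and inspecting `fz.probs` shows the probabilities of fields that opened new edges (here `msg_type` and `ue_cap`) rising above the fixed value a Random fuzzer would keep.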