Jingda Yang,Ying Wang,Yanjun Pan,Tuyen X. Tran

DOI: https://doi.org/10.48550/arXiv.2305.08039

2024-01-05

Abstract:The virtualization and softwarization of 5G and NextG are critical enablers of the shift to flexibility, but they also present a potential attack surface for threats. However, current security research in communication systems focuses on specific aspects of security challenges and lacks a holistic perspective. To address this challenge, a novel systematic fuzzing approach is proposed to reveal, detect, and predict vulnerabilities with and without prior knowledge assumptions from attackers. It also serves as a digital twin platform for system testing and defense simulation pipeline. Three fuzzing strategies are proposed: Listen-and-Learn (LAL), Synchronize-and-Learn (SyAL), and Source-and-Learn (SoAL). The LAL strategy is a black-box fuzzing strategy used to discover vulnerabilities without prior protocol knowledge, while the SyAL strategy, also a black-box fuzzing method, targets vulnerabilities more accurately with attacker-accessible user information and a novel probability-based fuzzing approach. The white-box fuzzing strategy, SoAL, is then employed to identify and explain vulnerabilities through fuzzing of significant bits. Using the srsRAN 5G platform, the LAL strategy identifies 129 RRC connection vulnerabilities with an average detection duration of 0.072s. Leveraging the probability-based fuzzing algorithm, the SyAL strategy outperforms existing models in precision and recall, using significantly fewer fuzzing cases. SoAL detects three man-in-the-middle vulnerabilities stemming from 5G protocol vulnerabilities. The proposed solution is scalable to other open-source and commercial 5G platforms and protocols beyond RRC. Extensive experimental results demonstrate that the proposed solution is an effective and efficient approach to validate 5G security; meanwhile, it serves as real-time vulnerability detection and proactive defense.

Cryptography and Security

Jingda Yang,Ying Wang

DOI: https://doi.org/10.48550/arXiv.2307.05758

2023-07-12

Abstract:Softwarization and virtualization in 5G and beyond require rigorous testing against vulnerabilities and unintended emergent behaviors for critical infrastructure and network security assurance. Formal methods operates efficiently in protocol-level abstract specification models, and fuzz testing offers comprehensive experimental evaluation of system implementations. In this paper, we propose a novel framework that leverages the respective advantages and coverage of both formal and fuzzing methods to efficiently detect vulnerabilities from protocol logic to implementation stacks hierarchically. The detected attack traces from the formal verification results in critical protocols guide the case generation of fuzz testing, and the feedbacks from fuzz testing further broaden the scope of the formal verification. We examine the proposed framework with the 5G Non Standard-Alone (NSA) security processes, focusing on the Radio Resource Control (RRC) connection process. We first identify protocol-level vulnerabilities of user credentials via formal methods. Following this, we implement bit-level fuzzing to evaluate potential impacts and risks of integrity-vulnerable identifier variation. Concurrently, we conduct command-level mutation-based fuzzing by fixing the assumption identifier to assess the potential impacts and risks of confidentiality-vulnerable identifiers. During this approach, we established 1 attack model and detected 53 vulnerabilities. The vulnerabilities identified used to fortify protocol-level assumptions could further refine search space for the following detection cycles. Consequently, it addresses the prevalent scalability challenges in detecting vulnerabilities and unintended emergent behaviors in large-scale systems in 5G and beyond.

Cryptography and Security

Yanmiao Zhang,Xiaoyu Ji,Yushi Cheng,Wenyuan Xu

DOI: https://doi.org/10.23919/ChiCC.2019.8866144

2019-01-01

Abstract:As a modern power transmission network, smart grid connects abundant terminal devices and plays an important role in our daily life. However, along with its growth are the security threats. Different from the separated environment previously, an adversary nowadays can destroy the power system by attacking its terminal devices. As a result, it's critical to ensure the security and safety of terminal devices. To achieve it, detecting the pre-existing vulnerabilities in the terminal program and enhancing its security, are of great importance and necessity. In this paper. we introduce Cker, a novel vulnerability detection tool for smart grid devices, which generates an program model based on device sources and sets rules to perform model checking. We utilize the static analysis to extract necessary information and build corresponding program models. By further checking the model with pre-defined vulnerability patterns, we achieve security detection and error reporting. The evaluation results demonstrate that our method can effectively detect vulnerabilities in smart devices with an acceptable accuracy and false positive rate. In addition, as Cker is realized by pure python. it can be easily scaled to other platforms.

Jingda Yang,Sudhanshu Arya,Ying Wang

2023-07-21

Abstract:Softwarization and virtualization in 5G and beyond necessitate thorough testing to ensure the security of critical infrastructure and networks, requiring the identification of vulnerabilities and unintended emergent behaviors from protocol designs to their software stack implementation. To provide an efficient and comprehensive solution, we propose a novel and first-of-its-kind approach that connects the strengths and coverage of formal and fuzzing methods to efficiently detect vulnerabilities across protocol logic and implementation stacks in a hierarchical manner. We design and implement formal verification to detect attack traces in critical protocols, which are used to guide subsequent fuzz testing and incorporate feedback from fuzz testing to broaden the scope of formal verification. This innovative approach significantly improves efficiency and enables the auto-discovery of vulnerabilities and unintended emergent behaviors from the 3GPP protocols to software stacks. Following this approach, we discover one identifier leakage model, one DoS attack model, and two eavesdrop attack models due to the absence of rudimentary MITM protection within the protocol, despite the existence of a Transport Layer Security (TLS) solution to this issue for over a decade. More remarkably, guided by the identified formal analysis and attack models, we exploit 61 vulnerabilities using fuzz testing demonstrated on srsRAN platforms. These identified vulnerabilities contribute to fortifying protocol-level assumptions and refining the search space. Compared to state-of-the-art fuzz testing, our united formal and fuzzing methodology enables auto-assurance by systematically discovering vulnerabilities. It significantly reduces computational complexity, transforming the non-practical exponential growth in computational cost into linear growth.

Cryptography and Security

Tanujay Saha,Najwa Aaraj,Niraj K. Jha

DOI: https://doi.org/10.48550/arXiv.2108.03514

2021-08-08

Abstract:The core network architecture of telecommunication systems has undergone a paradigm shift in the fifth-generation (5G)networks. 5G networks have transitioned to software-defined infrastructures, thereby reducing their dependence on hardware-based network functions. New technologies, like network function virtualization and software-defined networking, have been incorporated in the 5G core network (5GCN) architecture to enable this transition. This has resulted in significant improvements in efficiency, performance, and robustness of the networks. However, this has also made the core network more vulnerable, as software systems are generally easier to compromise than hardware systems. In this article, we present a comprehensive security analysis framework for the 5GCN. The novelty of this approach lies in the creation and analysis of attack graphs of the software-defined and virtualized 5GCN through machine learning. This analysis points to 119 novel possible exploits in the 5GCN. We demonstrate that these possible exploits of 5GCN vulnerabilities generate five novel attacks on the 5G Authentication and Key Agreement protocol. We combine the attacks at the network, protocol, and the application layers to generate complex attack vectors. In a case study, we use these attack vectors to find four novel security loopholes in WhatsApp running on a 5G network.

Networking and Internet Architecture,Artificial Intelligence,Cryptography and Security,Machine Learning

Shibo Luo,Jun Wu,Jianhua Li,Longhua Guo,Bei Pei

DOI: https://doi.org/10.1109/smartcity.2015.50

2015-01-01

Abstract:For 5G, Software-Defined Networking have emerged as a future mobile network architecture. It is so called Software-Defined Networking based Mobile Networks (SDN-MN). Because of the dynamic and virtual features of SDN-MN, most traditional network vulnerability assessment methodologies cannot be applied in SDN-MN directly. As a result, a new methodology of vulnerability assessment for SDN-MN is needed. In this paper, an effective vulnerability assessment mechanism is proposed for SDN-MN using attack graph algorithm and analytic hierarchy process (AHP). An optimized attack graph is given to alleviate scalability problem. In order to quantify security level, we define node minimal effort to quantify attack cost and then derive system security level. Aiming to calculate node minimal effort of attack graph in SDN-MN dynamic environment, AHP and Technique for Order Preference by Similarity to an Ideal Solution (TOPSIS) are integrated into the methodology with regard to dynamic vulnerability factors in SDN-MN. Finally, we offer a case study to validate the methodology. The case study and evaluation show the advantages of the proposed vulnerability assessment mechanism.

Dong Wang,Xiaosong Zhang,Ting Chen,Jingwei Li

DOI: https://doi.org/10.1155/2019/5076324

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:A novel approach for discovering vulnerability in commercial off-the-shelf (COTS) IoT devices is proposed in this paper, which will revolutionize the area. Unlike previous work, the web management interface in IoT was used to detect vulnerabilities by leveraging fuzzing technology. To validate and evaluate this scheme, a tool named WMIFuzzer was designed and implemented. There were also two challenges: (1) due to the diversity of web interface implementations, there were no existing seed messages for fuzzing this interface and it was inefficient while taking random messages to launch the fuzzing and (2) because of the highly structured seed message, fuzzing with byte-level mutation could conduce to be rejected by the device at an early stage. To address these challenges, a brute-force UI automation was designed to drive the web interface to generate initial seed messages automatically, as well as a weighted message parse tree (WMPT) was proposed to guide the mutation to generate mostly structure-valid messages. The extensive experimental results show that WMIFuzzer could achieve expected result while 10 vulnerabilities including 6 zero-days in 7 COTS IoT devices were discovered.

Huan Wu,Brian Fang,Fei Xie

2023-09-23

Abstract:In this paper, we introduce a comprehensive approach to bolstering the security, reliability, and comprehensibility of OpenAirInterface5G (OAI5G), an open-source software framework for the exploration, development, and testing of 5G wireless communication systems. Firstly, we employ AFL++, a powerful fuzzing tool, to fuzzy-test OAI5G with respect to its configuration files rigorously. This extensive testing process helps identify errors, defects, and security vulnerabilities that may evade conventional testing methods. Secondly, we harness the capabilities of Large Language Models such as Google Bard to automatically decipher and document the meanings of parameters within the OAI5G codebase that are used in fuzzing. This automated parameter interpretation streamlines subsequent analyses and facilitates more informed decision-making. Together, these two techniques contribute to fortifying the OAI5G system, making it more robust, secure, and understandable for developers and analysts alike.

Software Engineering

Tong Li,Hai Zhao,Shouyou Song,Chao Yang,Chunlai Du,Yang Liu

DOI: https://doi.org/10.3389/fenrg.2022.950611

IF: 3.4

2022-07-22

Frontiers in Energy Research

Abstract:The purpose is to guarantee the security of fifth generation mobile communication technology (5G) network in power Internet of Things environment and improve the ability of wireless network communication to resist attacks. First, in terms of attack prevention, the 5G network security structure is proposed to replace the plaintext information commonly used in the original system with Ciphertext based on software defined network (SDN), thereby alleviating the security risks of the data dimension. Second, concerning attack detection, the signal is identified by using the imperfections and differences of equipment manufacturing based on the above security structure, preventing the attacker from further harming the sensitive data leaked. Researchers found that the SDN-based 5G network attack prevention scheme avoids the centralized exposure of sensitive data, improves security, reduces computational overhead, and simplifies encryption logic. Without affecting the bandwidth, the existing 5G network system is greatly prevented from attacks. The detection mechanism is not limited by the low-dimensional feature space, and it demonstrates strong robustness and stability. It can effectively detect the attacks on 5G network system in power Internet of Things (IoT). This study provides an important reference for the protection of 5G communication network attacks under IoT.

energy & fuels

Zhuzhu Wang,Ying Wang

DOI: https://doi.org/10.48550/arXiv.2305.08226

2023-05-15

Abstract:The effectiveness and efficiency of 5G software stack vulnerability and unintended behavior detection are essential for 5G assurance, especially for its applications in critical infrastructures. Scalability and automation are the main challenges in testing approaches and cybersecurity research. In this paper, we propose an innovative approach for automatically detecting vulnerabilities, unintended emergent behaviors, and performance degradation in 5G stacks via run-time profiling documents corresponding to fuzz testing in code repositories. Piloting on srsRAN, we map the run-time profiling via Logging Information (LogInfo) generated by fuzzing test to a high dimensional metric space first and then construct feature spaces based on their timestamp information. Lastly, we further leverage machine learning-based classification algorithms, including Logistic Regression, K-Nearest Neighbors, and Random Forest to categorize the impacts on performance and security attributes. The performance of the proposed approach has high accuracy, ranging from $ 93.4 \% $ to $ 95.9 \% $, in detecting the fuzzing impacts. In addition, the proof of concept could identify and prioritize real-time vulnerabilities on 5G infrastructures and critical applications in various verticals.

Cryptography and Security,Machine Learning,Software Engineering

Zhihong Tian,Yanbin Sun,Shen Su,Mohan Li,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.48550/arXiv.1902.04009

2019-02-12

Abstract:The 5th generation (5G) network adopts a great number of revolutionary technologies to fulfill continuously increasing requirements of a variety of applications, including ultra-high bandwidth, ultra-low latency, ultra-massive device access, ultra-reliability, and so on. Correspondingly, traditional security focuses on the core network, and the logical (non-physical) layer is no longer suitable for the 5G network. 5G security presents a tendency to extend from the network center to the network edge and from the logical layer to the physical layer. The physical layer security is also an essential part of 5G security. However, the security of each layer in 5G is mostly studied separately, which causes a lack of comprehensive analysis for security issues across layers. Meanwhile, potential security threats are lack of automated solutions. This article explores the 5G security by combining the physical layer and the logical layer from the perspective of automated attack and defense, and dedicate to provide automated solution framework for 5G security.

Networking and Internet Architecture

Harsh Sanjay Pacherkar,Guanhua Yan

DOI: https://doi.org/10.1145/3643833.3656129

2024-05-27

Abstract:As 5G networks become part of the critical infrastructures whose dysfunctions can cause severe damages to society, their security has been increasingly scrutinized. Recent works have revealed multiple specification-level flaws in 5G core networks but there are no easy solutions to patch the vulnerabilities in practice. Against this backdrop, this work proposes a unified framework called PROV5GC to detect and attribute various attacks that exploit these vulnerabilities in real-world 5G networks. PROV5GC tackles three technical challenges faced when deploying existing intrusion detection system (IDS) frameworks to protect 5G core networks, namely, message encryption, partial observability, and identity ephemerality. The key idea of PROV5GC is to use provenance graphs, which are constructed from the communication messages logged by various 5G core network functions. Based on these graphs, PROV5GC infers the original call flows to identify those with malicious intentions. We demonstrate how PROV5GC can be used to detect three different kinds of attacks, which aim to compromise the confidentiality, integrity, and/or availability of 5G core networks. We build a prototype of PROV5GC and evaluate its execution performance on commodity cluster servers. We observe that due to stateless instrumentation, the logging overhead incurred to each network function is low. We also show that PROV5GC can be used to detect the three 5G-specific attacks with high accuracy.

Computer Science,Engineering

Mohamad Saalim Wani,Michael Rademacher,Thorsten Horstmann,Mathias Kretschmer

DOI: https://doi.org/10.3390/jcp4010002

2024-01-02

Journal of Cybersecurity and Privacy

Abstract:5G networks, pivotal for our digital mobile societies, are transitioning from 4G to 5G Stand-Alone (SA) networks. However, during this transition, 5G Non-Stand-Alone (NSA) networks are widely used. This paper examines potential security vulnerabilities in 5G NSA networks. Through an extensive literature review, we identify known 4G attacks that can theoretically be applied to 5G NSA. We organize these attacks into a structured taxonomy. Our findings reveal that 5G NSA networks may offer a false sense of security, as most security and privacy improvements are concentrated in 5G SA networks. To underscore this concern, we implement three attacks with severe consequences and successfully validate them on various commercially available smartphones. Notably, one of these attacks, the IMSI Leak, consistently exposes user information with no apparent security mitigation in 5G NSA networks. This highlights the ease of tracking individuals on current 5G networks.

computer science, information systems, interdisciplinary applications, software engineering

Hisham A Kholidy,Hisham A. Kholidy

DOI: https://doi.org/10.3390/s22010009

IF: 3.9

2021-12-21

Sensors

Abstract:Overall, 5G networks are expected to become the backbone of many critical IT applications. With 5G, new tech advancements and innovation are expected; 5G currently operates on software-defined networking. This enables 5G to implement network slicing to meet the unique requirements of every application. As a result, 5G is more flexible and scalable than 4G LTE and previous generations. To avoid the growing risks of hacking, 5G cybersecurity needs some significant improvements. Some security concerns involve the network itself, while others focus on the devices connected to 5G. Both aspects present a risk to consumers, governments, and businesses alike. There is currently no real-time vulnerability assessment framework that specifically addresses 5G Edge networks, with regard to their real-time scalability and dynamic nature. This paper studies the vulnerability assessment in the 5G networks and develops an optimized dynamic method that integrates the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) with the hexagonal fuzzy numbers to accurately analyze the vulnerabilities in 5G networks. The proposed method considers both the vulnerability and 5G network dynamic factors such as latency and accessibility to find the potential attack graph paths where the attack might propagate in the network and quantifies the attack cost and security level of the network. We test and validate the proposed method using our 5G testbed and we compare the optimized method to the classical TOPSIS and the known vulnerability scanner tool, Nessus.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zhiwei Cui,Baojiang Cui,Li Su,Haitao Du,Hongxin Wang,Junsong Fu

2023-03-20

Abstract:The security context used in 5G authentication is generated during the Authentication and Key Agreement (AKA) procedure and stored in both the user equipment (UE) and the network sides for the subsequent fast registration procedure. Given its importance, it is imperative to formally analyze the security mechanism of the security context. The security context in the UE can be stored in the Universal Subscriber Identity Module (USIM) card or in the baseband chip. In this work, we present a comprehensive and formal verification of the fast registration procedure based on the security context under the two scenarios in ProVerif. Our analysis identifies two vulnerabilities, including one that has not been reported before. Specifically, the security context stored in the USIM card can be read illegally, and the validity checking mechanism of the security context in the baseband chip can be bypassed. Moreover, these vulnerabilities also apply to 4G networks. As a consequence, an attacker can exploit these vulnerabilities to register to the network with the victim's identity and then launch other attacks, including one-tap authentication bypass leading to privacy disclosure, location spoofing, etc. To ensure that these attacks are indeed realizable in practice, we have responsibly confirmed them through experimentation in three operators. Our analysis reveals that these vulnerabilities stem from design flaws of the standard and unsafe practices by operators. We finally propose several potential countermeasures to prevent these attacks. We have reported our findings to the GSMA and received a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

Cryptography and Security

Xiaosong Zhang,Lin Shao,Jiong Zheng

DOI: https://doi.org/10.1109/ICACIA.2008.4770021

2008-01-01

Abstract:Buffer overflow vulnerabilities can cause attacks that result in serious consequences. However the techniques of buffer overflow vulnerability detection are limited to manual analysis, binary-patch comparison, fuzzing and so on. They rely on manual analysis, thus cause high overhead. In this paper, we propose a novel method of detection of buffer overflow vulnerabilities, which is based on fuzzing, data-flow dynamic analysis and automated exception analysis. This new method effectively improves the detection of unknown security vulnerabilities (0 Day). Moreover, it is more automated and has better performance in finding new security vulnerabilities.

Su, Li,Du, Haitao

DOI: https://doi.org/10.1007/s00500-023-09486-x

IF: 3.732

2024-01-11

Soft Computing

Abstract:The security context, generally stored in the universal subscriber identity module card or the baseband chip, is the critical information applied by the subscriber to access the 5G network during the fast authentication procedure. Once exposed or illegally used, the security context can be exploited to derive various keys for authentication and encryption. Despite its importance, challenges and questions still remain in the previous relevant research. To fill this gap, by adopting the security protocol verification tool ProVerif, we provide a comprehensive formal model of the fast authentication procedure based on the security context to analyze whether security goals can be met. Unfortunately, we uncover two vulnerabilities, including one never reported before. Our analysis shows that these vulnerabilities stem from fundamental design flaws in the cellular network protocol and thus apply to the 4G network. These vulnerabilities could be exploited to launch several attacks, including impersonation and eavesdropping. We have validated these attacks using 5 mobile phones from 5 different baseband manufacturers through experimentation in three mobile carriers. We find an insecure implementation of one of these phones, which exposed it to replay attacks. And we further discuss the security threats posed by the impersonation attack, such as location spoofing and one-tap authentication bypass, which is verified on 10 popular apps. We finally propose several countermeasures to eliminate these security issues. Actually, we have reported the novel vulnerability to the GSM Association and received a confirmation in the form of a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

computer science, artificial intelligence, interdisciplinary applications

Zhiping Yan,Chonglin Gu,Hejiao Huang

DOI: https://doi.org/10.1109/icct52962.2021.9657852

2021-01-01

Abstract:Using 5G Authentication and Key Agreement (AKA) protocol in communication is extremely critical to ensure the security of personal data. In this paper, we apply formal method and automated verification tools to analyze the security properties of 5G AKA protocol. Petri net is applied to model the protocol for its advantages such as having graphical nature and firm mathematical foundation. CPN Tools is used for verification. Based on the reasonable assumptions in this paper, two attack methods mainly occurring in wireless channel and utilizing fake serving network (SN) are proposed. Our automated analysis identifies the effectiveness of each attack method. Finally, in order to improve the reliability of the 5G AKA protocol, we give an enhancement scheme with provably secure fixes. In our novel scheme, the unique id (UNI) is designed for reinforcing the security of messages transmitted in wireless channel, while the challenge-response authentication mechanism is used for ensuring the security of SN.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0186188

IF: 3.7

2017-10-19

PLoS ONE

Abstract:Network protocol vulnerability detection plays an important role in many domains, including protocol security analysis, application security, and network intrusion detection. In this study, by analyzing the general fuzzing method of network protocols, we propose a novel approach that combines network traffic analysis with the binary reverse engineering method. For network traffic analysis, the block-based protocol description language is introduced to construct test scripts, while the binary reverse engineering method employs the genetic algorithm with a fitness function designed to focus on code coverage. This combination leads to a substantial improvement in fuzz testing for network protocols. We build a prototype system and use it to test several real-world network protocol implementations. The experimental results show that the proposed approach detects vulnerabilities more efficiently and effectively than general fuzzing methods such as SPIKE.

Xuewei Feng,Qi Li,Kun Sun,Ke Xu,Jianping Wu

2024-11-19

Abstract:After more than 40 years of development, the fundamental TCP/IP protocol suite, serving as the backbone of the Internet, is widely recognized for having achieved an elevated level of robustness and security. Distinctively, we take a new perspective to investigate the security implications of cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages. Through a comprehensive analysis of interactions among Wi-Fi, IP, ICMP, UDP, and TCP due to ICMP errors, we uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing. These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks, thus posing risks to the Internet. By responsibly disclosing these vulnerabilities to affected vendors and proposing effective countermeasures, we enhance the robustness of the TCP/IP protocol suite, receiving acknowledgments from well-known organizations such as the Linux community, the OpenWrt community, the FreeBSD community, Wi-Fi Alliance, Qualcomm, HUAWEI, China Telecom, Alibaba, and H3C.

Cryptography and Security