TY - GEN
T1 - From Control to Chaos
T2 - 46th IEEE Symposium on Security and Privacy, SP 2025
AU - Akon, Mujtahid
AU - Toufikuzzaman, Md
AU - Hussain, Syed Rafiul
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - We develop CoreScan, a comprehensive formal analysis framework for analyzing the access control mechanism of 5G core networks. In doing so, we build the first comprehensive formal model for the access control mechanism of 5G core network that considers the indirect communication mode and 5G roaming. Given a global property, CoreScan employs the compositional verification technique that leverages the assume-guarantee style reasoning approach to decompose the system model into multiple disjoint components and applies the split assertion principle to identify local assumptions and guarantees. The model's global security property holds if and only if all local guarantees derived from the global property are verified in their respective components. CoreScan features a configurable adversary model, enabling the evaluation of access control properties under diverse adversary capabilities. We tested 61 access control properties with CoreScan and uncovered five new classes of exploitable privilege escalation vulnerabilities in the 5G standards. Additionally, we found that most previously known overprivilege vulnerabilities in direct communication also extend to indirect communication and roaming settings.
AB - We develop CoreScan, a comprehensive formal analysis framework for analyzing the access control mechanism of 5G core networks. In doing so, we build the first comprehensive formal model for the access control mechanism of 5G core network that considers the indirect communication mode and 5G roaming. Given a global property, CoreScan employs the compositional verification technique that leverages the assume-guarantee style reasoning approach to decompose the system model into multiple disjoint components and applies the split assertion principle to identify local assumptions and guarantees. The model's global security property holds if and only if all local guarantees derived from the global property are verified in their respective components. CoreScan features a configurable adversary model, enabling the evaluation of access control properties under diverse adversary capabilities. We tested 61 access control properties with CoreScan and uncovered five new classes of exploitable privilege escalation vulnerabilities in the 5G standards. Additionally, we found that most previously known overprivilege vulnerabilities in direct communication also extend to indirect communication and roaming settings.
UR - https://www.scopus.com/pages/publications/105009333854
UR - https://www.scopus.com/pages/publications/105009333854#tab=citedBy
U2 - 10.1109/SP61157.2025.00141
DO - 10.1109/SP61157.2025.00141
M3 - Conference contribution
AN - SCOPUS:105009333854
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1081
EP - 1100
BT - Proceedings - 46th IEEE Symposium on Security and Privacy, SP 2025
A2 - Blanton, Marina
A2 - Enck, William
A2 - Nita-Rotaru, Cristina
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 12 May 2025 through 15 May 2025
ER -