Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications

Abdullah Al Ishtiaq; Sarkar Snigdha Sarathi Das; Syed Md Mukit Rashid; Ali Ranjbar; Kai Tu; Tianwei Wu; Zhezheng Song; Weixuan Wang; Mujtahid Akon; Rui Zhang; Syed Rafiul Hussain

Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications

Abdullah Al Ishtiaq, Sarkar Snigdha Sarathi Das, Syed Md Mukit Rashid, Ali Ranjbar, Kai Tu, Tianwei Wu, Zhezheng Song, Weixuan Wang, Mujtahid Akon, Rui Zhang, Syed Rafiul Hussain

School of Electrical Engineering and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

In this paper, we present Hermes, an end-to-end framework to automatically generate formal representations from natural language cellular specifications. We first develop a neural constituency parser, NEUTREX, to process transition-relevant texts and extract transition components (i.e., states, conditions, and actions). We also design a domain-specific language to translate these transition components to logical formulas by leveraging dependency parse trees. Finally, we compile these logical formulas to generate transitions and create the formal model as finite state machines. To demonstrate the effectiveness of Hermes, we evaluate it on 4G NAS, 5G NAS, and 5G RRC specifications and obtain an overall accuracy of 81-87%, which is a substantial improvement over the state-of-the-art. Our security analysis of the extracted models uncovers 3 new vulnerabilities and identifies 19 previous attacks in 4G and 5G specifications, and 7 deviations in commercial 4G basebands.

Original language	English (US)
Title of host publication	Proceedings of the 33rd USENIX Security Symposium
Publisher	USENIX Association
Pages	4445-4462
Number of pages	18
ISBN (Electronic)	9781939133441
State	Published - 2024
Event	33rd USENIX Security Symposium, USENIX Security 2024 - Philadelphia, United States Duration: Aug 14 2024 → Aug 16 2024

Publication series

Name	Proceedings of the 33rd USENIX Security Symposium

Conference

Conference	33rd USENIX Security Symposium, USENIX Security 2024
Country/Territory	United States
City	Philadelphia
Period	8/14/24 → 8/16/24

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Cite this

Al Ishtiaq, A., Das, S. S. S., Rashid, S. M. M., Ranjbar, A., Tu, K., Wu, T., Song, Z., Wang, W., Akon, M., Zhang, R., & Hussain, S. R. (2024). Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications. In Proceedings of the 33rd USENIX Security Symposium (pp. 4445-4462). (Proceedings of the 33rd USENIX Security Symposium). USENIX Association.

Al Ishtiaq, Abdullah ; Das, Sarkar Snigdha Sarathi ; Rashid, Syed Md Mukit et al. / Hermes : Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications. Proceedings of the 33rd USENIX Security Symposium. USENIX Association, 2024. pp. 4445-4462 (Proceedings of the 33rd USENIX Security Symposium).

@inproceedings{7199b26e28334fe5b2c4c5193bed72a3,

title = "Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications",

abstract = "In this paper, we present Hermes, an end-to-end framework to automatically generate formal representations from natural language cellular specifications. We first develop a neural constituency parser, NEUTREX, to process transition-relevant texts and extract transition components (i.e., states, conditions, and actions). We also design a domain-specific language to translate these transition components to logical formulas by leveraging dependency parse trees. Finally, we compile these logical formulas to generate transitions and create the formal model as finite state machines. To demonstrate the effectiveness of Hermes, we evaluate it on 4G NAS, 5G NAS, and 5G RRC specifications and obtain an overall accuracy of 81-87%, which is a substantial improvement over the state-of-the-art. Our security analysis of the extracted models uncovers 3 new vulnerabilities and identifies 19 previous attacks in 4G and 5G specifications, and 7 deviations in commercial 4G basebands.",

author = "{Al Ishtiaq}, Abdullah and Das, {Sarkar Snigdha Sarathi} and Rashid, {Syed Md Mukit} and Ali Ranjbar and Kai Tu and Tianwei Wu and Zhezheng Song and Weixuan Wang and Mujtahid Akon and Rui Zhang and Hussain, {Syed Rafiul}",

note = "Publisher Copyright: {\textcopyright} USENIX Security Symposium 2024.All rights reserved.; 33rd USENIX Security Symposium, USENIX Security 2024 ; Conference date: 14-08-2024 Through 16-08-2024",

year = "2024",

language = "English (US)",

series = "Proceedings of the 33rd USENIX Security Symposium",

publisher = "USENIX Association",

pages = "4445--4462",

booktitle = "Proceedings of the 33rd USENIX Security Symposium",

}

Al Ishtiaq, A, Das, SSS, Rashid, SMM, Ranjbar, A, Tu, K, Wu, T, Song, Z, Wang, W, Akon, M, Zhang, R & Hussain, SR 2024, Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications. in Proceedings of the 33rd USENIX Security Symposium. Proceedings of the 33rd USENIX Security Symposium, USENIX Association, pp. 4445-4462, 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, United States, 8/14/24.

Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications. / Al Ishtiaq, Abdullah; Das, Sarkar Snigdha Sarathi; Rashid, Syed Md Mukit et al.
Proceedings of the 33rd USENIX Security Symposium. USENIX Association, 2024. p. 4445-4462 (Proceedings of the 33rd USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Hermes

T2 - 33rd USENIX Security Symposium, USENIX Security 2024

AU - Al Ishtiaq, Abdullah

AU - Das, Sarkar Snigdha Sarathi

AU - Rashid, Syed Md Mukit

AU - Ranjbar, Ali

AU - Tu, Kai

AU - Wu, Tianwei

AU - Song, Zhezheng

AU - Wang, Weixuan

AU - Akon, Mujtahid

AU - Zhang, Rui

AU - Hussain, Syed Rafiul

PY - 2024

Y1 - 2024

N2 - In this paper, we present Hermes, an end-to-end framework to automatically generate formal representations from natural language cellular specifications. We first develop a neural constituency parser, NEUTREX, to process transition-relevant texts and extract transition components (i.e., states, conditions, and actions). We also design a domain-specific language to translate these transition components to logical formulas by leveraging dependency parse trees. Finally, we compile these logical formulas to generate transitions and create the formal model as finite state machines. To demonstrate the effectiveness of Hermes, we evaluate it on 4G NAS, 5G NAS, and 5G RRC specifications and obtain an overall accuracy of 81-87%, which is a substantial improvement over the state-of-the-art. Our security analysis of the extracted models uncovers 3 new vulnerabilities and identifies 19 previous attacks in 4G and 5G specifications, and 7 deviations in commercial 4G basebands.

AB - In this paper, we present Hermes, an end-to-end framework to automatically generate formal representations from natural language cellular specifications. We first develop a neural constituency parser, NEUTREX, to process transition-relevant texts and extract transition components (i.e., states, conditions, and actions). We also design a domain-specific language to translate these transition components to logical formulas by leveraging dependency parse trees. Finally, we compile these logical formulas to generate transitions and create the formal model as finite state machines. To demonstrate the effectiveness of Hermes, we evaluate it on 4G NAS, 5G NAS, and 5G RRC specifications and obtain an overall accuracy of 81-87%, which is a substantial improvement over the state-of-the-art. Our security analysis of the extracted models uncovers 3 new vulnerabilities and identifies 19 previous attacks in 4G and 5G specifications, and 7 deviations in commercial 4G basebands.

UR - http://www.scopus.com/inward/record.url?scp=85205027592&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85205027592&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85205027592

T3 - Proceedings of the 33rd USENIX Security Symposium

SP - 4445

EP - 4462

BT - Proceedings of the 33rd USENIX Security Symposium

PB - USENIX Association

Y2 - 14 August 2024 through 16 August 2024

ER -

Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Other files and links

Fingerprint

Cite this