Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands

Kai Tu; Abdullah Al Ishtiaq; Syed Md Mukit Rashid; Yilu Dong; Weixuan Wang; Tianwei Wu; Syed Rafiul Hussain

Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands

Kai Tu, Abdullah Al Ishtiaq, Syed Md Mukit Rashid, Yilu Dong, Weixuan Wang, Tianwei Wu, Syed Rafiul Hussain

School of Electrical Engineering and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We develop 5GBaseChecker- an efficient, scalable, and dynamic security analysis framework based on differential testing for analyzing 5G basebands' control plane protocol interactions. 5GBaseChecker first captures basebands' protocol behaviors as a finite state machine (FSM) through black-box automata learning. To facilitate efficient learning and improve scalability, 5GBaseChecker introduces novel hybrid and collaborative learning techniques. 5GBaseChecker then identifies input sequences for which the extracted FSMs provide deviating outputs. Finally, 5GBaseChecker leverages these deviations to efficiently identify the security properties from specifications and use those to triage if the deviations found in 5G basebands violate any properties. We evaluated 5GBaseChecker with 17 commercial 5G basebands and 2 open-source UE implementations and uncovered 22 implementation-level issues, including 13 exploitable vulnerabilities and 2 interoperability issues.

Original language	English (US)
Title of host publication	Proceedings of the 33rd USENIX Security Symposium
Publisher	USENIX Association
Pages	3063-3080
Number of pages	18
ISBN (Electronic)	9781939133441
State	Published - 2024
Event	33rd USENIX Security Symposium, USENIX Security 2024 - Philadelphia, United States Duration: Aug 14 2024 → Aug 16 2024

Publication series

Name	Proceedings of the 33rd USENIX Security Symposium

Conference

Conference	33rd USENIX Security Symposium, USENIX Security 2024
Country/Territory	United States
City	Philadelphia
Period	8/14/24 → 8/16/24

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Cite this

@inproceedings{8f970b171e21479ca284555b4d3754ad,

title = "Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands",

abstract = "We develop 5GBaseChecker- an efficient, scalable, and dynamic security analysis framework based on differential testing for analyzing 5G basebands' control plane protocol interactions. 5GBaseChecker first captures basebands' protocol behaviors as a finite state machine (FSM) through black-box automata learning. To facilitate efficient learning and improve scalability, 5GBaseChecker introduces novel hybrid and collaborative learning techniques. 5GBaseChecker then identifies input sequences for which the extracted FSMs provide deviating outputs. Finally, 5GBaseChecker leverages these deviations to efficiently identify the security properties from specifications and use those to triage if the deviations found in 5G basebands violate any properties. We evaluated 5GBaseChecker with 17 commercial 5G basebands and 2 open-source UE implementations and uncovered 22 implementation-level issues, including 13 exploitable vulnerabilities and 2 interoperability issues.",

author = "Kai Tu and {Al Ishtiaq}, Abdullah and Rashid, {Syed Md Mukit} and Yilu Dong and Weixuan Wang and Tianwei Wu and Hussain, {Syed Rafiul}",

note = "Publisher Copyright: {\textcopyright} USENIX Security Symposium 2024.All rights reserved.; 33rd USENIX Security Symposium, USENIX Security 2024 ; Conference date: 14-08-2024 Through 16-08-2024",

year = "2024",

language = "English (US)",

series = "Proceedings of the 33rd USENIX Security Symposium",

publisher = "USENIX Association",

pages = "3063--3080",

booktitle = "Proceedings of the 33rd USENIX Security Symposium",

}

Tu, K, Al Ishtiaq, A, Rashid, SMM, Dong, Y, Wang, W, Wu, T & Hussain, SR 2024, Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands. in Proceedings of the 33rd USENIX Security Symposium. Proceedings of the 33rd USENIX Security Symposium, USENIX Association, pp. 3063-3080, 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, United States, 8/14/24.

Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands. / Tu, Kai; Al Ishtiaq, Abdullah; Rashid, Syed Md Mukit et al.
Proceedings of the 33rd USENIX Security Symposium. USENIX Association, 2024. p. 3063-3080 (Proceedings of the 33rd USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Logic Gone Astray

T2 - 33rd USENIX Security Symposium, USENIX Security 2024

AU - Tu, Kai

AU - Al Ishtiaq, Abdullah

AU - Rashid, Syed Md Mukit

AU - Dong, Yilu

AU - Wang, Weixuan

AU - Wu, Tianwei

AU - Hussain, Syed Rafiul

PY - 2024

Y1 - 2024

N2 - We develop 5GBaseChecker- an efficient, scalable, and dynamic security analysis framework based on differential testing for analyzing 5G basebands' control plane protocol interactions. 5GBaseChecker first captures basebands' protocol behaviors as a finite state machine (FSM) through black-box automata learning. To facilitate efficient learning and improve scalability, 5GBaseChecker introduces novel hybrid and collaborative learning techniques. 5GBaseChecker then identifies input sequences for which the extracted FSMs provide deviating outputs. Finally, 5GBaseChecker leverages these deviations to efficiently identify the security properties from specifications and use those to triage if the deviations found in 5G basebands violate any properties. We evaluated 5GBaseChecker with 17 commercial 5G basebands and 2 open-source UE implementations and uncovered 22 implementation-level issues, including 13 exploitable vulnerabilities and 2 interoperability issues.

AB - We develop 5GBaseChecker- an efficient, scalable, and dynamic security analysis framework based on differential testing for analyzing 5G basebands' control plane protocol interactions. 5GBaseChecker first captures basebands' protocol behaviors as a finite state machine (FSM) through black-box automata learning. To facilitate efficient learning and improve scalability, 5GBaseChecker introduces novel hybrid and collaborative learning techniques. 5GBaseChecker then identifies input sequences for which the extracted FSMs provide deviating outputs. Finally, 5GBaseChecker leverages these deviations to efficiently identify the security properties from specifications and use those to triage if the deviations found in 5G basebands violate any properties. We evaluated 5GBaseChecker with 17 commercial 5G basebands and 2 open-source UE implementations and uncovered 22 implementation-level issues, including 13 exploitable vulnerabilities and 2 interoperability issues.

UR - http://www.scopus.com/inward/record.url?scp=85205029867&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85205029867&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85205029867

T3 - Proceedings of the 33rd USENIX Security Symposium

SP - 3063

EP - 3080

BT - Proceedings of the 33rd USENIX Security Symposium

PB - USENIX Association

Y2 - 14 August 2024 through 16 August 2024

ER -

Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Other files and links

Fingerprint

Cite this