TY - GEN
T1 - Noncompliance as Deviant Behavior
T2 - 27th ACM Annual Conference on Computer and Communication Security, CCS 2021
AU - Hussain, Syed Rafiul
AU - Karim, Imtiaz
AU - Ishtiaq, Abdullah Al
AU - Chowdhury, Omar
AU - Bertino, Elisa
N1 - Funding Information:
This work is supported by NSF grants IIS-2112471, CNS-2006556, DARPA YFA D19AP00039 and Intel. We thank GSMA and the baseband vendors and manufacturers for coordinating with us for the vulnerability disclosure process.
Publisher Copyright:
© 2021 ACM.
PY - 2021/11/12
Y1 - 2021/11/12
N2 - The paper focuses on developing an automated black-box testing approach called DIKEUE that checks 4G Long Term Evolution (LTE) control-plane protocol implementations in commercial-off-the-shelf (COTS) cellular devices (also called User Equipments or UEs) for noncompliance with the standard. Unlike prior noncompliance checking approaches, which rely on property-guided testing, DIKEUE adopts a property-agnostic, differential testing approach, which leverages the existence of many different control-plane protocol implementations in COTS UEs. DIKEUE uses deviant behavior observed during differential analysis of pairwise COTS UEs as a proxy for identifying noncompliance instances. For deviant behavior identification, DIKEUE first uses black-box automata learning, specialized for 4G LTE control-plane protocols, to extract an input-output finite state machine (FSM) for a given UE. It then reduces the identification of deviant behavior in two extracted FSMs to a model checking problem. We applied DIKEUE in checking noncompliance in 14 COTS UEs from 5 vendors and identified 15 new deviant behaviors as well as 2 previous implementation issues. Among them, 11 are exploitable whereas 3 can cause potential interoperability issues.
UR - http://www.scopus.com/inward/record.url?scp=85119361568&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85119361568&partnerID=8YFLogxK
U2 - 10.1145/3460120.3485388
DO - 10.1145/3460120.3485388
M3 - Conference contribution
AN - SCOPUS:85119361568
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1082
EP - 1099
BT - CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 15 November 2021 through 19 November 2021
ER -