TY - GEN
T1 - Stateful Analysis and Fuzzing of Commercial Baseband Firmware
AU - Ranjbar, Ali
AU - Yang, Tianchang
AU - Tu, Kai
AU - Khalilollahi, Saaman
AU - Hussain, Syed Rafiul
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Baseband firmware plays a critical role in cellular communication, yet its proprietary, closed-source nature and complex, stateful processing logic make systematic security testing challenging. Existing methods often fail to account for the interdependencies between baseband tasks and the statefulness of input processing logic, limiting their scope and effectiveness. We present Loris, a stateful fuzz testing framework designed to explore and analyze baseband firmware implementations effectively. We employ iterative symbolic analysis to progressively identify state variables and the predicates over them that define different protocol states, while alleviating the state explosion problem. It enables Loris to perform targeted exploration and fuzzing of program regions with high potential for vulnerabilities. We evaluated Loris across 5 commercial devices from two major vendors, covering both 4G Long-Term Evolution (LTE) and 5G New Radio (NR), demonstrating its broad applicability. Our testing revealed 7 new vulnerabilities exploitable by over-the-air attackers, potentially leading to baseband crashes, remote code execution, and denial of service.
AB - Baseband firmware plays a critical role in cellular communication, yet its proprietary, closed-source nature and complex, stateful processing logic make systematic security testing challenging. Existing methods often fail to account for the interdependencies between baseband tasks and the statefulness of input processing logic, limiting their scope and effectiveness. We present Loris, a stateful fuzz testing framework designed to explore and analyze baseband firmware implementations effectively. We employ iterative symbolic analysis to progressively identify state variables and the predicates over them that define different protocol states, while alleviating the state explosion problem. It enables Loris to perform targeted exploration and fuzzing of program regions with high potential for vulnerabilities. We evaluated Loris across 5 commercial devices from two major vendors, covering both 4G Long-Term Evolution (LTE) and 5G New Radio (NR), demonstrating its broad applicability. Our testing revealed 7 new vulnerabilities exploitable by over-the-air attackers, potentially leading to baseband crashes, remote code execution, and denial of service.
UR - https://www.scopus.com/pages/publications/105009320010
UR - https://www.scopus.com/pages/publications/105009320010#tab=citedBy
U2 - 10.1109/SP61157.2025.00143
DO - 10.1109/SP61157.2025.00143
M3 - Conference contribution
AN - SCOPUS:105009320010
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 1120
EP - 1139
BT - Proceedings - 46th IEEE Symposium on Security and Privacy, SP 2025
A2 - Blanton, Marina
A2 - Enck, William
A2 - Nita-Rotaru, Cristina
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 46th IEEE Symposium on Security and Privacy, SP 2025
Y2 - 12 May 2025 through 15 May 2025
ER -