Title: Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands
We develop 5GBaseChecker, an efficient, scalable, and dynamic security analysis framework based on differential testing for analyzing 5G basebands' control plane protocol interactions. 5GBaseChecker first captures basebands' protocol behaviors as a finite state machine (FSM) through black-box automata learning. To facilitate efficient learning and improve scalability, 5GBaseChecker introduces novel hybrid and collaborative learning techniques. 5GBaseChecker then identifies input sequences for which the extracted FSMs provide deviating outputs. Finally, 5GBaseChecker leverages these deviations to efficiently identify the security properties from specifications and uses those to triage whether the deviations found in 5G basebands violate any properties. We evaluated 5GBaseChecker with 17 commercial 5G basebands and 2 open-source UE implementations and uncovered 22 implementation-level issues, including 13 exploitable vulnerabilities and 2 interoperability issues.
Award ID(s):
2326898
PAR ID:
10535455
Author(s) / Creator(s):
Publisher / Repository:
USENIX Association
Date Published:
ISBN:
978-1-939133-44-1
Format(s):
Medium: X
Location:
Philadelphia, PA, USA
Sponsoring Org:
National Science Foundation
More Like this
  1. As 5G systems are starting to be deployed and becoming part of many daily life applications, there is an increasing interest in the security of the overall system, as the 5G network architecture is significantly different from LTE systems. For instance, through application-specific virtual network slices, one can trigger additional security measures depending on the sensitivity of the running application. Drones utilizing 5G could be a perfect example, as they pose several safety threats if they are compromised. To this end, we propose a stronger authentication mechanism inspired by the idea of second-factor authentication in IT systems. Specifically, once the primary 5G authentication is executed, a specific slice can be tasked to trigger a second-factor authentication utilizing different factors from the primary one. This trigger mechanism utilizes the re-authentication procedure as specified in the 3GPP 5G standards for easy integration. Our second-factor authentication uses a special challenge-response protocol, which relies on a unique drone digital ID as well as a seed and nonce generated from the slice to enable freshness. We implemented the proposed protocol in ns-3, which supports mmWave-based communication in 5G. We demonstrate that the proposed protocol is lightweight and can scale while enabling stronger security for the drones.
  2. 5G and open radio access networks (Open RANs) will result in vendor-neutral hardware deployment that will require additional diligence towards managing security risks. This new paradigm will allow the same network infrastructure to support virtual network slices for transmitting different waveforms, such as 5G New Radio, LTE, and WiFi, at different times. In this multi-vendor, multi-protocol/waveform setting, we propose an additional physical layer authentication method that detects a specific emitter through a technique called RF fingerprinting. Our deep learning approach uses convolutional neural networks augmented with triplet loss, where examples of similar/dissimilar signal samples are shown to the classifier over the training duration. We demonstrate the feasibility of RF fingerprinting base stations over the large-scale over-the-air experimental POWDER platform in Salt Lake City, Utah, USA. Using real-world datasets, we show how our approach overcomes the challenges posed by changing channel conditions and protocol choices with 99.86% detection accuracy for different training and testing days.
  3. With the proliferation of 5G networks, evaluating security vulnerabilities is crucial. This paper presents an implemented 5G standalone testbed operating in the mmWave frequency range for research and analysis. Over-the-air testing validates expected throughputs up to 5 Gbps downlink and 1 Gbps uplink, low latency, and robust connectivity. Detailed examination of captured network traffic provides insights into protocol distribution and signalling flows. The comparative evaluation shows only 0.45% packet loss on the testbed versus 2.7% in prior simulations, proving improved reliability. The results highlight the efficacy of the testbed for security assessments, performance benchmarking, and progression towards 6G systems. This paper demonstrates a robust platform to facilitate innovation in 5G and beyond through practical experimentation. For access to the code, data, and experimental results, visit our GitHub repository (https://github.com/Didilish/5G-SA-Testbed-Analysis).
  4. With the proliferation of 5G networks, evaluating security vulnerabilities is crucial. This paper presents an implemented 5G standalone testbed operating in the mmWave frequency range for research and analysis. Over-the-air testing validates expected throughputs up to 5 Gbps downlink and 1 Gbps uplink, low latency, and robust connectivity. Detailed examination of captured network traffic provides insights into protocol distribution and signalling flows. The comparative evaluation shows only 0.45% packet loss on the testbed versus 2.7% in prior simulations, proving improved reliability. The testbed achieved a throughput of up to 5 Gbps downlink and 1 Gbps uplink with minimal latency, meeting expected 5G network benchmarks. The results highlight the efficacy of the testbed for security assessments, performance benchmarking, and progression towards 6G systems. This paper demonstrates a robust platform to facilitate innovation in 5G and beyond through practical experimentation.
  5. In this paper, we present Hermes, an end-to-end framework to automatically generate formal representations from natural language cellular specifications. We first develop a neural constituency parser, NEUTREX, to process transition-relevant texts and extract transition components (i.e., states, conditions, and actions). We also design a domain-specific language to translate these transition components to logical formulas by leveraging dependency parse trees. Finally, we compile these logical formulas to generate transitions and create the formal model as finite state machines. To demonstrate the effectiveness of Hermes, we evaluate it on 4G NAS, 5G NAS, and 5G RRC specifications and obtain an overall accuracy of 81-87%, which is a substantial improvement over the state-of-the-art. Our security analysis of the extracted models uncovers 3 new vulnerabilities and identifies 19 previous attacks in 4G and 5G specifications, and 7 deviations in commercial 4G basebands. 