一种基于加权状态选择的LTE NAS协议模糊测试方法

摘要/Abstract

摘要： NAS协议是LTE(longterm evolution)网络中移动设备与核心网络之间的主要控制面协议，其安全性对于保障整个4G网络稳健安全运行具有重要意义.模糊测试是一种广泛使用的漏洞挖掘技术，现有的模糊测试方法应用于NAS(nonaccess stratum)协议时存在测试效率低、测试用例难以构建等问题.为了解决这些问题，提出了一种基于权重的测试状态选择算法：以NAS协议状态机为基础，根据测试反馈动态地调整每个测试状态的权重；以消息元素IE为最小单位设计了测试用例生成算法；实现了模糊测试工具NASFuzzer并对开源核心网open5GS及真实终端设备进行测试.测试结果表明，该方法能够有效挖掘LTE NAS协议实现中的漏洞.

关键词: LTE, NAS, 模糊测试, 状态选择, 漏洞挖掘

Abstract: NAS protocol is the main control plane protocol between mobile devices and LTE core network, and its security is of great significance to ensure the robustness and safety of the whole 4G network. Fuzz testing is a widely used vulnerability mining technique, and existing fuzz testing methods for NAS Protocol have problems such as low testing efficiency and difficulty test case formulation. In order to solve these problems, this paper e proposes a weight based test state selection algorithm, which is based on NAS protocol state machine and can dynamically adjust the weight of test states based on feedback; Additionally, this paper devises a test case generation strategy rooted in the information element and develops the fuzzing tool named NASFuzzer, which is tested on open source core networks open5GS and real terminal devices. The test result shows that the method in this paper can effectively find the vulnerabilities in the LTE NAS protocol implementation.

Key words: LTE, NAS, fuzz testing, state selection, vulnerability mining

中图分类号:

TP393

廖显锋, 吴礼发, . 一种基于加权状态选择的LTE NAS协议模糊测试方法[J]. 信息安全研究, 2025, 11(1): 12-.

参考文献

［1］Hussain S, Chowdhury O, Mehnaz S, et al. LTEInspector: A systematic approach for adversarial testing of 4G LTE［C］ Proc of Network and Distributed Systems Security Symp (NDSS). Rosten, VA, USA: Internet Society, 2018: 115［2］Hernandez G, Muench M, Maier D, et al. FIRMWIRE: Transparent dynamic analysis for cellular baseband firmware［C］ Proc of Network and Distributed Systems Security Symp (NDSS). San Rosten, VA, USA: Internet Society, 2022: 119［3］Chen Y, Yao Y, Wang X F, et al. Bookworm game: Automatic discovery of lte vulnerabilities through documentation analysis［C］ Proc of 2021 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2021: 11971214［4］Golde N, Komaromy D. Breaking Band: Reverse engineering and exploiting the shannon baseband［EBOL］. ［20230828］. https:comsecuris.comslidesrecon2016breaking_band.pdf［5］Raza M T, Anwar F M, Lu S. Exposing LTE security weaknesses at protocol interlayer, and interradio interactions［C］ Proc of the 13th Security and Privacy in Communication Networks. Berlin: Springer, 2018: 312338［6］Shaik A, Borgaonkar R, Park S, et al. New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities［C］ Proc of the 12th Conf on Security and Privacy in Wireless and Mobile Networks. New York: ACM, 2019: 221231［7］Chlosta M, Rupprecht D, Holz T, et al. LTE security disabled: Misconfiguration in commercial networks［C］ Proc of the 12th Conf on Security and Privacy in Wireless and Mobile Networks. New York: ACM, 2019: 261266［8］Kim E, Kim D, Park C J, et al. BaseSpec: Comparative analysis of baseband software and cellular specifications for L3 protocols［C］ Proc of Network and Distributed Systems Security Symp (NDSS). Rosten, VA, USA: Internet Society, 2021: 118［9］Kim H, Lee J, Lee E, et al. Touching the untouchables: Dynamic security analysis of the LTE control plane［C］ Proc of 2019 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2019: 11531168［10］Li W, Wu Q, Cui B. Statebased fuzzing for S1AP［C］ Proc of the 13th Int Conf on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS2019). Berlin: Springer, 2020: 362372［11］Garbelini M E, Shang Z, Chattopadhyay S, et al. Towards automated fuzzing of 4G5G protocol implementations over the air［C］ Proc of IEEE Global Communications Conf 2022. Piscataway, NJ: IEEE, 2022: 8692［12］3rd Generation Partnership Project (3GPP). 3GPP TS 24.301, NonAccessStratum (NAS) protocol for Evolved Packet System (EPS); Stage 3［EBOL］. (20220923) ［20230828］. https:www.3gpp.orgftpSpecsarchive24_series［13］Hussain S R, Karim I, Ishtiaq A A, et al. Noncompliance as deviant behavior: An automated blackbox noncompliance checker for 4g lte cellular devices［C］ Proc of the 2021 ACM SIGSAC Conf on Computer and Communications Security (CCS’21). New York: ACM, 2021: 10821099［14］Pham V T, Bhme M, Roychoudhury A. AFLNet: A greybox fuzzer for network protocols ［C］ Proc of the 13th IEEE Int Conf on Software Testing, Validation and Verification (ICST). Piscataway, NJ: IEEE, 2020: 460465［15］Johansson W, Svensson M, Larson U E, et al. TFuzz: Modelbased fuzzing for robustness testing of telecommunication protocols［C］ Proc of the 7th IEEE Int Conf on Software Testing, Verification and Validation. Piscataway, NJ: IEEE, 2014: 323332［16］王洪义, 沙乐天. 基于静态分析和模糊测试的路由器漏洞检测方法［J］. 信息安全研究, 2024, 10(1): 4047［17］吴礼发. 网络协议工程［M］. 北京: 电子工业出版社, 2011: 235240［18］陈涛, 潘雪增, 陈健, 等. 基于FSM的协议一致性测试序列生成算法研究［J］.计算机工程与应用, 2010, 46(6): 6062［19］Li J, Li S, Sun G, et al. SNPSFuzzer: A fast greybox fuzzer for stateful network protocols using snapshots［J］. IEEE Trans on Information Forensics and Security, 2022, 17(1): 26732687［20］3rd Generation Partnership Project (3GPP). 3GPP TS 24.007, Mobile radio interface signalling layer 3; General aspects［EBOL］. (20220923) ［20230828］. https:www.3gpp.orgftpSpecsarchive24_series

[1]	黄正, 马哲宇, 李媛, 张超, 吴长禾, 周昌令, . 面向信创操作系统的闭源内核模糊测试框架[J]. 信息安全研究, 2024, 10(E2): 7-.
[2]	汪美琴, 夏旸, 贾琼, 陈志浩, 刘明哲, . 模糊测试技术的研究进展与挑战[J]. 信息安全研究, 2024, 10(7): 668-.
[3]	靳文京, 卜哲, 秦博阳, . 基于序列生成对抗网络的智能模糊测试方法[J]. 信息安全研究, 2024, 10(6): 490-.
[4]	陈斌, 董平, 谢晓刚, 宋涤非, . 5G网络安全测评技术研究与实践[J]. 信息安全研究, 2024, 10(6): 539-.
[5]	王朋成, 高思淼, 王斯奋, 洪晟, 李众豪, . 自动驾驶系统模糊测试技术综述[J]. 信息安全研究, 2024, 10(11): 982-.
[6]	钟宏, 夏云浩, 张金鑫, . 基于权重反馈的WiFi协议模糊测试用例优化方法[J]. 信息安全研究, 2024, 10(11): 1049-.
[7]	王洪义, 沙乐天, . 基于静态分析和模糊测试的路由器漏洞检测方法[J]. 信息安全研究, 2024, 10(1): 40-.
[8]	尘兴灿, 万明明, 王仲宇, 刘昊, 李程, . 智能网联汽车安全合规测试平台研究[J]. 信息安全研究, 2023, 9(E2): 109-.
[9]	步桐, 杨超, 黄田田, 张柏迪, 李超凡, . 基于模糊测试的自动驾驶功能安全测试系统[J]. 信息安全研究, 2023, 9(E2): 77-.
[10]	李文越, 张王俊杰, 徐俊, 何伊圣, . 基于CAN结构分析的车内协议模糊测试[J]. 信息安全研究, 2023, 9(E1): 42-.
[11]	刘宝旭, 李昊, 孙钰杰, 董放明, 孙天琦, 陈潇, . 智能化漏洞挖掘与网络空间威胁发现综述[J]. 信息安全研究, 2023, 9(10): 932-.
[12]	苏文超, 费洪晓. 覆盖率引导的灰盒模糊测试综述[J]. 信息安全研究, 2022, 8(7): 643-.
[13]	彭祯方, 邢国强, 陈兴跃, . 人工智能在网络安全领域的应用及技术综述[J]. 信息安全研究, 2022, 8(2): 110-.
[14]	唐枭. 基于动态污点分析的反馈式模糊测试改进方法[J]. 信息安全研究, 2019, 5(2): 145-151.
[15]	石晓朦张光华刘会梦杨耀红. 基于模糊测试的Android浏览器漏洞挖掘技术研究[J]. 信息安全研究, 2017, 3(11): 1028-1033.