A LTE NAS Protocol Fuzzing Method Based on Weighted State Selection

Abstract

Abstract: NAS protocol is the main control plane protocol between mobile devices and LTE core network, and its security is of great significance to ensure the robustness and safety of the whole 4G network. Fuzz testing is a widely used vulnerability mining technique, and existing fuzz testing methods for NAS Protocol have problems such as low testing efficiency and difficulty test case formulation. In order to solve these problems, this paper e proposes a weight based test state selection algorithm, which is based on NAS protocol state machine and can dynamically adjust the weight of test states based on feedback; Additionally, this paper devises a test case generation strategy rooted in the information element and develops the fuzzing tool named NASFuzzer, which is tested on open source core networks open5GS and real terminal devices. The test result shows that the method in this paper can effectively find the vulnerabilities in the LTE NAS protocol implementation.

Key words: LTE, NAS, fuzz testing, state selection, vulnerability mining

摘要： NAS协议是LTE(longterm evolution)网络中移动设备与核心网络之间的主要控制面协议，其安全性对于保障整个4G网络稳健安全运行具有重要意义.模糊测试是一种广泛使用的漏洞挖掘技术，现有的模糊测试方法应用于NAS(nonaccess stratum)协议时存在测试效率低、测试用例难以构建等问题.为了解决这些问题，提出了一种基于权重的测试状态选择算法：以NAS协议状态机为基础，根据测试反馈动态地调整每个测试状态的权重；以消息元素IE为最小单位设计了测试用例生成算法；实现了模糊测试工具NASFuzzer并对开源核心网open5GS及真实终端设备进行测试.测试结果表明，该方法能够有效挖掘LTE NAS协议实现中的漏洞.

关键词: LTE, NAS, 模糊测试, 状态选择, 漏洞挖掘

CLC Number:

TP393

廖显锋, 吴礼发, . 一种基于加权状态选择的LTE NAS协议模糊测试方法[J]. 信息安全研究, 2025, 11(1): 12-.

References

［1］Hussain S, Chowdhury O, Mehnaz S, et al. LTEInspector: A systematic approach for adversarial testing of 4G LTE［C］ Proc of Network and Distributed Systems Security Symp (NDSS). Rosten, VA, USA: Internet Society, 2018: 115［2］Hernandez G, Muench M, Maier D, et al. FIRMWIRE: Transparent dynamic analysis for cellular baseband firmware［C］ Proc of Network and Distributed Systems Security Symp (NDSS). San Rosten, VA, USA: Internet Society, 2022: 119［3］Chen Y, Yao Y, Wang X F, et al. Bookworm game: Automatic discovery of lte vulnerabilities through documentation analysis［C］ Proc of 2021 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2021: 11971214［4］Golde N, Komaromy D. Breaking Band: Reverse engineering and exploiting the shannon baseband［EBOL］. ［20230828］. https:comsecuris.comslidesrecon2016breaking_band.pdf［5］Raza M T, Anwar F M, Lu S. Exposing LTE security weaknesses at protocol interlayer, and interradio interactions［C］ Proc of the 13th Security and Privacy in Communication Networks. Berlin: Springer, 2018: 312338［6］Shaik A, Borgaonkar R, Park S, et al. New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities［C］ Proc of the 12th Conf on Security and Privacy in Wireless and Mobile Networks. New York: ACM, 2019: 221231［7］Chlosta M, Rupprecht D, Holz T, et al. LTE security disabled: Misconfiguration in commercial networks［C］ Proc of the 12th Conf on Security and Privacy in Wireless and Mobile Networks. New York: ACM, 2019: 261266［8］Kim E, Kim D, Park C J, et al. BaseSpec: Comparative analysis of baseband software and cellular specifications for L3 protocols［C］ Proc of Network and Distributed Systems Security Symp (NDSS). Rosten, VA, USA: Internet Society, 2021: 118［9］Kim H, Lee J, Lee E, et al. Touching the untouchables: Dynamic security analysis of the LTE control plane［C］ Proc of 2019 IEEE Symp on Security and Privacy (SP). Piscataway, NJ: IEEE, 2019: 11531168［10］Li W, Wu Q, Cui B. Statebased fuzzing for S1AP［C］ Proc of the 13th Int Conf on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS2019). Berlin: Springer, 2020: 362372［11］Garbelini M E, Shang Z, Chattopadhyay S, et al. Towards automated fuzzing of 4G5G protocol implementations over the air［C］ Proc of IEEE Global Communications Conf 2022. Piscataway, NJ: IEEE, 2022: 8692［12］3rd Generation Partnership Project (3GPP). 3GPP TS 24.301, NonAccessStratum (NAS) protocol for Evolved Packet System (EPS); Stage 3［EBOL］. (20220923) ［20230828］. https:www.3gpp.orgftpSpecsarchive24_series［13］Hussain S R, Karim I, Ishtiaq A A, et al. Noncompliance as deviant behavior: An automated blackbox noncompliance checker for 4g lte cellular devices［C］ Proc of the 2021 ACM SIGSAC Conf on Computer and Communications Security (CCS’21). New York: ACM, 2021: 10821099［14］Pham V T, Bhme M, Roychoudhury A. AFLNet: A greybox fuzzer for network protocols ［C］ Proc of the 13th IEEE Int Conf on Software Testing, Validation and Verification (ICST). Piscataway, NJ: IEEE, 2020: 460465［15］Johansson W, Svensson M, Larson U E, et al. TFuzz: Modelbased fuzzing for robustness testing of telecommunication protocols［C］ Proc of the 7th IEEE Int Conf on Software Testing, Verification and Validation. Piscataway, NJ: IEEE, 2014: 323332［16］王洪义, 沙乐天. 基于静态分析和模糊测试的路由器漏洞检测方法［J］. 信息安全研究, 2024, 10(1): 4047［17］吴礼发. 网络协议工程［M］. 北京: 电子工业出版社, 2011: 235240［18］陈涛, 潘雪增, 陈健, 等. 基于FSM的协议一致性测试序列生成算法研究［J］.计算机工程与应用, 2010, 46(6): 6062［19］Li J, Li S, Sun G, et al. SNPSFuzzer: A fast greybox fuzzer for stateful network protocols using snapshots［J］. IEEE Trans on Information Forensics and Security, 2022, 17(1): 26732687［20］3rd Generation Partnership Project (3GPP). 3GPP TS 24.007, Mobile radio interface signalling layer 3; General aspects［EBOL］. (20220923) ［20230828］. https:www.3gpp.orgftpSpecsarchive24_series

[1]	. Research Advance and Challenges of Fuzzing Techniques [J]. Journal of Information Security Reserach, 2024, 10(7): 668-.
[2]	. Intelligent Fuzzy Testing Method Based on Sequence Generative Adversarial Networks [J]. Journal of Information Security Reserach, 2024, 10(6): 490-.
[3]	. Prediction of Industrial Control System Vulnerability Exploitation Relationships Based on Knowledge Graphreasoning [J]. Journal of Information Security Reserach, 2024, 10(6): 498-.
[4]	. Research and Practice of 5G Network Security Assessment Technologies [J]. Journal of Information Security Reserach, 2024, 10(6): 539-.
[5]	. Survey of Research on Key Technologies of Internet Content Security [J]. Journal of Information Security Reserach, 2024, 10(3): 248-.
[6]	. A Review of Fuzz Testing Techniques for Autonomous Driving Systems [J]. Journal of Information Security Reserach, 2024, 10(11): 982-.
[7]	. Optimization Method for Fuzz Testing Cases of WiFi Protocol Based on Weight Feedback#br# [J]. Journal of Information Security Reserach, 2024, 10(11): 1049-.
[8]	. Router Vulnerability Detection Method Based on Static Analysis and Fuzzing [J]. Journal of Information Security Reserach, 2024, 10(1): 40-.
[9]	. Detection for Linear Deception Attacks in Wireless Network Transmission [J]. Journal of Information Security Reserach, 2023, 9(9): 892-.
[10]	. Civil Aviation Passenger Privacy Data Protection Method Based on Multiparty Security Attack and Defense Game [J]. Journal of Information Security Reserach, 2023, 9(8): 799-.
[11]	. Research on a Collaborative Filtering Recommendation Algorithm Based on Twostage Joint Prediction [J]. Journal of Information Security Reserach, 2023, 9(3): 291-.
[12]	. Survey of Intelligent Vulnerability Mining and Cyberspace Threat Detection [J]. Journal of Information Security Reserach, 2023, 9(10): 932-.
[13]	. An Overview of Application and Technology of Artificial Intelligence in Cybersecurity [J]. Journal of Information Security Reserach, 2022, 8(2): 110-.
[14]	. Design and Implementation of CSRF Defense Module Based on MD5 [J]. Journal of Information Security Research, 2019, 5(3): 223-229.
[15]	. An Improved Feedback Fuzz Testing Method Based on Dynamic Taint Analysis [J]. Journal of Information Security Research, 2019, 5(2): 145-151.