针对5G核心网协议的自动化漏洞挖掘方法

doi:10.11959/j.issn.2096-109x.2024006

摘要/Abstract

摘要：

随着5G在全球范围内的广泛商用，5G网络安全问题广泛受到关注。针对5G核心网协议的自动化漏洞挖掘手段主要以黑盒模糊测试为主，但由于5G核心网协议设计复杂，黑盒模糊测试存在效率低、通用性差、拓展性不足等问题，不能有效检测到 5G 核心网协议安全漏洞。针对上述问题，深入了解 5G 核心网架构和重点接口协议的工作原理，总结在5G核心网场景下基于静态分析的自动化漏洞挖掘方法相较传统黑盒模糊测试方法的优势。对5G核心网的开源解决方案进行了源代码审计，发现在 5G 核心网协议实现中一类变量生命周期管理不当而导致的内存泄露安全问题，可导致5G核心网网元被拒绝服务攻击。基于此，提出了针对此类安全问题的通用漏洞模型，设计并实现了基于控制流和数据流混合分析的自动化漏洞挖掘方法。通过实验对该方法进行了有效性测试和效率评估，成功挖掘到了通用 5G 开源解决方案——Open5GS 中的5个未公开安全漏洞，涵盖多个接口协议应用场景，获得了4个CVE 编号。通过模拟环境，验证了该系列漏洞的影响范围广且利用条件低，充分证明了所提自动化漏洞挖掘方法的有效性，并向相关厂商进行了披露。

关键词: 5G核心网, 开源解决方案, 协议安全, 静态分析, 漏洞挖掘

Abstract:

With the widespread development of fifth-generation (5G) mobile communication technology, concerns regarding 5G network security have also increased.Blackbox fuzzing is a commonly used method for automated vulnerability discovery in software security.However, applying dynamic approaches like fuzzing to discover vulnerabilities in the complex design of 5G core network protocols poses challenges such as low efficiency, poor versatility, and lack of scalability.Therefore, a novel static method to examine the open-source solution of the 5G core network was proposed.Through this method, a series of memory leak security issues caused by improper variable life cycle management were identified, which can lead to denial-of-service attacks on the 5G core network.To summarize these weaknesses, a general vulnerability model and an automated vulnerability discovery method called HoI were presented, which utilized hybrid analysis based on control and data flow.By successfully discovering five zero-day bugs in Open5GS, an open-source solution for the 5G core network, vulnerabilities that cover practical application scenarios of multiple interface protocols in the 5G core network were identified.These vulnerabilities have wide-ranging impact, are highly detrimental, and can be easily exploited.They have been reported to the vendor and assigned four Common Vulnerabilities and Exposures (CVE) numbers, demonstrating the effectiveness of this automated vulnerability discovery method.

Key words: 5G core network, open-source solution, protocol security, static analysis, vulnerability discovery

中图分类号:

TN915.08

吴佩翔, 张志龙, 陈力波, 王轶骏, 薛质. 针对5G核心网协议的自动化漏洞挖掘方法[J]. 网络与信息安全学报, 2024, 10(1): 156-168.

Peixiang WU, Zhilong ZHANG, Libo CHEN, Yijun WANG, Zhi XUE. Automated vulnerability discovery method for 5G core network protocol[J]. Chinese Journal of Network and Information Security, 2024, 10(1): 156-168.

图/表 12

图1

表1

图2

图3

图4

图5

图6

图7

表2

表3

表4

图8

参考文献 26

[1]	3GPP. 5G,System architecture for the 5G System (5GS)[S]. ETSI TS 123 501-2018.
[2]	冯登国, 徐静, 兰晓 . 5G 移动通信网络安全研究[J]. 软件学报, 2018,29(6): 1813-1825.
	FENG D G , XU J , LAN X . Study on 5G mobile communication network security[J]. Journal of Software, 2018,29(6): 1813-1825.
[3]	LIU Y . Evaluation of Free5GC Forwarding performance on private and public clouds[C]// 2022 IEEE Cloud Summit. 2022: 9-16.
[4]	JUSTUS R . 5G campus networks:a first measurement study[J]. IEEE Access 2021. 2021,(99): 121786-121803.
[5]	穆佳, 王勇, 马瑞涛 ,等. 面向3GPP R16的5G核心网演进策略研究[J]. 邮电设计技术, 2022(2).
	MU J , WANG Y , MA R T ,et al. Research on 5G core network evolution strategies for 3GPP R16[J]. Designing Techniques of Posts and Telecommunications, 2022(2).
[6]	TANG Q , ERMIS O , NGUYEN C D ,et al. A systematic analysis of 5G networks with a focus on 5G core security[J]. IEEE Access, 2022,10: 298-319.
[7]	ZHAO B , LI Z , QIN S ,et al. StateFuzz:system call-based state-aware linux driver fuzzing[C]// Proceedings of the 31st USENIX Security Symposium (USENIX Security 22). 2022.
[8]	ZHOU S , YANG Z , QIAO D ,et al. Ferry:state-aware symbolic execution for exploring state-dependent program paths[C]// Proceedings of the 31st USENIX Security Symposium (USENIX Security 22). 2022.
[9]	CHEN L , WANG Y , CAI Q ,et al. Sharing more and checking less:leveraging common input keywords to detect bugs in embedded systems[C]// Proceedings of the 30th USENIX Security Symposium (USENIX Security 21). 2021.
[10]	YOUN D , LEE S , RYU S . Declarative static analysis for multilingual programs using CodeQL[J]. Software:Practice and Experience. 2023,9(3).
[11]	DOLENTE F , GARROPPO R G , PAGANO M . A vulnerability assessment of open-source implementations of fifth-generation core network functions[J]. Future Internet, 2023,16(1).
[12]	TECHNOLOGIES P . Threat vector:GTP vulnerabilities in LTE and 5G networks 2020[EB].
[13]	HU X , LIU C , LIU S ,et al. Signalling security analysis:is HTTP/2 secure in 5G core network[C]// Proceedings of 2018 10th International Conference on Wireless Communications and Signal Processing (WCSP). 2018.
[14]	KQIEN G M . On threats to the 5G service based architecture[J]. Wireless Personal Communications, 2021,119(1): 97-116.
[15]	BORGAONKAR R , HIRSCHI L , PARK S ,et al. New privacy threat on 3G,4G,and upcoming 5G AKA protocols[J]. Proceedings on Privacy Enhancing Technologies, 2019,2019(3): 108-127.
[16]	HUSSAIN S R , ECHEVERRIA M , CHOWDHURY O ,et al. Privacy attacks to the 4G and 5G cellular paging protocols using side channel information[C]// Proceedings of Network and Distributed Systems Security (NDSS) Symposium2019. 2019.
[17]	SILVEIRA L B , DE RESENDE H C , BOTH C B ,et al. Tutorial on communication between access networks and the 5G core[J]. Computer Networks, 2022:109301.
[18]	OPENAIRINTERFACE An open-source 5G core network solution under development[EB].
[19]	GROUP N The challenges of fuzzing 5G protocols[EB].
[20]	NCCGROUP . An 5G core network protocol fuzzer[EB].
[21]	DEMANTZ . A coverage-guided blackbox fuzzer based on the Frida instrumentation framework[EB].
[22]	PHAM V-T , B?HME M , ROYCHOUDHURY A . AFLNet:a greybox fuzzer for network protocols[C]// Proceedings of 2020 IEEE 13th International Conference on Software Testing,Validation and Verification (ICST). 2020.
[23]	SALAZAR Z , NGUYEN H N , MALLOULI W ,et al. 5Greplay:a 5G network traffic fuzzer - application to attack injection[C]// Proceedings of the 16th International Conference on Availability,Reliability and Security. 2021.
[24]	HU Y , YANG W , CUI B ,et al. Fuzzing method based on selection mutation of partition weight table for 5G core network NGAP protocol[M]. Springer Nature Switzerland AG, 2022.
[25]	CAO Y , CHEN Y , ZHOU W . Detection of PFCP protocol based on fuzz method[C]// Proceedings of 2022 2nd International Conference on Computer,Control and Robotics (ICCCR). 2022: 207-211.
[26]	JAIN A , LOPEZ-AGUILERA E , DEMIRKOL I . Improved handover signaling for 5G networks[C]// Proceedings of 2018 IEEE 29th Annual International Symposium on Personal,Indoor and Mobile Radio Communications (PIMRC). 2018: 164-170.

重要网元及接口名称	功能介绍
UE (User Equipment)	5G用户终端
(R)AN ((Radio) Access Network)	5G无线接入网
AMF (Access and Mobility Management Function)	接入和移动性管理功能，主要负责终端接入和移动性管理
UPF (User Plane Function)	用户面功能，主要负责数据包的路由转发、与外部数据网络的数据交互等
SMF (Session Management Function)	会话管理功能，主要负责会话管理、策略执行和QoS控制部分
N1接口	UE和AMF间的协议接口，N1是逻辑概念的接口，应用层协议为NAS，由N2接口协议进行封装承载
N2接口	(R)AN和AMF间的协议接口，传输层协议为流控制传输协议（SCTP，stream control transmission protocol），应用层协议为NGAP
N3接口	(R)AN与UPF间的协议接口，主要用于传递(R)AN与UPF间的上下行用户面数据， (R)AN与UPF之间通过GTP-U构建IP隧道，承载用户数据
N4接口	SMF和UPF间的协议接口，主要利用PFCP传输SMF和UPF间的控制面信令

网元	外部入口点发现	外部实体变量分配释放函数对
网元	发现入口点/有效入口点	发现函数对/有效函数对
AMF	3/3	4/4
AUSF	1/1	1/1
BSF	1/1	1/1
HSS	1/1	3/3
MME	5/5	10/10
NRF	2/2	0/0
NSSF	1/1	1/1
PCF	3/3	3/3
SCP	1/1	1/1
SGWC	2/2	4/4
SGWU	2/2	1/1
SMF	4/3	7/7
UDM	2/2	1/1
UDR	1/1	0/0
UPF	2/2	1/1
多网元交叉	4/0	22/18

网元	模型运行轮数	告警数/个
AMF	78	15
AUSF	23	3
BSF	23	5
HSS	26	4
MME	160	31
NRF	44	2
NSSF	23	3
PCF	78	7
SCP	23	4
SGWC	52	6
SGWU	46	6
SMF	116	22
UDM	46	5
UDR	22	3
UPF	46	9

5G核心网网元	外部实体变量	核心网接口协议	危害	漏洞编号
AMF	amf_gnb	NGAP	内存泄露导致AMF崩溃	CVE-2022-40890
AMF	ran_ue	NGAP	内存泄露导致AMF崩溃	CVE-2022-43223
AMF	amf_ue	NAS	内存泄露导致AMF崩溃	已获厂商确认
SMF	pfcp_node	PFCP	内存泄露导致SMF崩溃	CVE-2022-43222
UPF	pfcp_node	PFCP	内存泄露导致UPF崩溃	CVE-2022-43221