针对5G核心网协议的自动化漏洞挖掘方法

doi:10.11959/j.issn.2096-109x.2024006

Abstract

Abstract:

With the widespread development of fifth-generation (5G) mobile communication technology, concerns regarding 5G network security have also increased.Blackbox fuzzing is a commonly used method for automated vulnerability discovery in software security.However, applying dynamic approaches like fuzzing to discover vulnerabilities in the complex design of 5G core network protocols poses challenges such as low efficiency, poor versatility, and lack of scalability.Therefore, a novel static method to examine the open-source solution of the 5G core network was proposed.Through this method, a series of memory leak security issues caused by improper variable life cycle management were identified, which can lead to denial-of-service attacks on the 5G core network.To summarize these weaknesses, a general vulnerability model and an automated vulnerability discovery method called HoI were presented, which utilized hybrid analysis based on control and data flow.By successfully discovering five zero-day bugs in Open5GS, an open-source solution for the 5G core network, vulnerabilities that cover practical application scenarios of multiple interface protocols in the 5G core network were identified.These vulnerabilities have wide-ranging impact, are highly detrimental, and can be easily exploited.They have been reported to the vendor and assigned four Common Vulnerabilities and Exposures (CVE) numbers, demonstrating the effectiveness of this automated vulnerability discovery method.

Key words: 5G core network, open-source solution, protocol security, static analysis, vulnerability discovery

CLC Number:

TN915.08

Peixiang WU, Zhilong ZHANG, Libo CHEN, Yijun WANG, Zhi XUE. Automated vulnerability discovery method for 5G core network protocol[J]. Chinese Journal of Network and Information Security, 2024, 10(1): 156-168.

Figures/Tables 12

References 26

[1]	3GPP. 5G,System architecture for the 5G System (5GS)[S]. ETSI TS 123 501-2018.
[2]	冯登国, 徐静, 兰晓 . 5G 移动通信网络安全研究[J]. 软件学报, 2018,29(6): 1813-1825.
	FENG D G , XU J , LAN X . Study on 5G mobile communication network security[J]. Journal of Software, 2018,29(6): 1813-1825.
[3]	LIU Y . Evaluation of Free5GC Forwarding performance on private and public clouds[C]// 2022 IEEE Cloud Summit. 2022: 9-16.
[4]	JUSTUS R . 5G campus networks:a first measurement study[J]. IEEE Access 2021. 2021,(99): 121786-121803.
[5]	穆佳, 王勇, 马瑞涛 ,等. 面向3GPP R16的5G核心网演进策略研究[J]. 邮电设计技术, 2022(2).
	MU J , WANG Y , MA R T ,et al. Research on 5G core network evolution strategies for 3GPP R16[J]. Designing Techniques of Posts and Telecommunications, 2022(2).
[6]	TANG Q , ERMIS O , NGUYEN C D ,et al. A systematic analysis of 5G networks with a focus on 5G core security[J]. IEEE Access, 2022,10: 298-319.
[7]	ZHAO B , LI Z , QIN S ,et al. StateFuzz:system call-based state-aware linux driver fuzzing[C]// Proceedings of the 31st USENIX Security Symposium (USENIX Security 22). 2022.
[8]	ZHOU S , YANG Z , QIAO D ,et al. Ferry:state-aware symbolic execution for exploring state-dependent program paths[C]// Proceedings of the 31st USENIX Security Symposium (USENIX Security 22). 2022.
[9]	CHEN L , WANG Y , CAI Q ,et al. Sharing more and checking less:leveraging common input keywords to detect bugs in embedded systems[C]// Proceedings of the 30th USENIX Security Symposium (USENIX Security 21). 2021.
[10]	YOUN D , LEE S , RYU S . Declarative static analysis for multilingual programs using CodeQL[J]. Software:Practice and Experience. 2023,9(3).
[11]	DOLENTE F , GARROPPO R G , PAGANO M . A vulnerability assessment of open-source implementations of fifth-generation core network functions[J]. Future Internet, 2023,16(1).
[12]	TECHNOLOGIES P . Threat vector:GTP vulnerabilities in LTE and 5G networks 2020[EB].
[13]	HU X , LIU C , LIU S ,et al. Signalling security analysis:is HTTP/2 secure in 5G core network[C]// Proceedings of 2018 10th International Conference on Wireless Communications and Signal Processing (WCSP). 2018.
[14]	KQIEN G M . On threats to the 5G service based architecture[J]. Wireless Personal Communications, 2021,119(1): 97-116.
[15]	BORGAONKAR R , HIRSCHI L , PARK S ,et al. New privacy threat on 3G,4G,and upcoming 5G AKA protocols[J]. Proceedings on Privacy Enhancing Technologies, 2019,2019(3): 108-127.
[16]	HUSSAIN S R , ECHEVERRIA M , CHOWDHURY O ,et al. Privacy attacks to the 4G and 5G cellular paging protocols using side channel information[C]// Proceedings of Network and Distributed Systems Security (NDSS) Symposium2019. 2019.
[17]	SILVEIRA L B , DE RESENDE H C , BOTH C B ,et al. Tutorial on communication between access networks and the 5G core[J]. Computer Networks, 2022:109301.
[18]	OPENAIRINTERFACE An open-source 5G core network solution under development[EB].
[19]	GROUP N The challenges of fuzzing 5G protocols[EB].
[20]	NCCGROUP . An 5G core network protocol fuzzer[EB].
[21]	DEMANTZ . A coverage-guided blackbox fuzzer based on the Frida instrumentation framework[EB].
[22]	PHAM V-T , B?HME M , ROYCHOUDHURY A . AFLNet:a greybox fuzzer for network protocols[C]// Proceedings of 2020 IEEE 13th International Conference on Software Testing,Validation and Verification (ICST). 2020.
[23]	SALAZAR Z , NGUYEN H N , MALLOULI W ,et al. 5Greplay:a 5G network traffic fuzzer - application to attack injection[C]// Proceedings of the 16th International Conference on Availability,Reliability and Security. 2021.
[24]	HU Y , YANG W , CUI B ,et al. Fuzzing method based on selection mutation of partition weight table for 5G core network NGAP protocol[M]. Springer Nature Switzerland AG, 2022.
[25]	CAO Y , CHEN Y , ZHOU W . Detection of PFCP protocol based on fuzz method[C]// Proceedings of 2022 2nd International Conference on Computer,Control and Robotics (ICCCR). 2022: 207-211.
[26]	JAIN A , LOPEZ-AGUILERA E , DEMIRKOL I . Improved handover signaling for 5G networks[C]// Proceedings of 2018 IEEE 29th Annual International Symposium on Personal,Indoor and Mobile Radio Communications (PIMRC). 2018: 164-170.

Metrics

Recommended 0

No Suggested Reading articles found!

重要网元及接口名称	功能介绍
UE (User Equipment)	5G用户终端
(R)AN ((Radio) Access Network)	5G无线接入网
AMF (Access and Mobility Management Function)	接入和移动性管理功能，主要负责终端接入和移动性管理
UPF (User Plane Function)	用户面功能，主要负责数据包的路由转发、与外部数据网络的数据交互等
SMF (Session Management Function)	会话管理功能，主要负责会话管理、策略执行和QoS控制部分
N1接口	UE和AMF间的协议接口，N1是逻辑概念的接口，应用层协议为NAS，由N2接口协议进行封装承载
N2接口	(R)AN和AMF间的协议接口，传输层协议为流控制传输协议（SCTP，stream control transmission protocol），应用层协议为NGAP
N3接口	(R)AN与UPF间的协议接口，主要用于传递(R)AN与UPF间的上下行用户面数据， (R)AN与UPF之间通过GTP-U构建IP隧道，承载用户数据
N4接口	SMF和UPF间的协议接口，主要利用PFCP传输SMF和UPF间的控制面信令

网元	外部入口点发现	外部实体变量分配释放函数对
网元	发现入口点/有效入口点	发现函数对/有效函数对
AMF	3/3	4/4
AUSF	1/1	1/1
BSF	1/1	1/1
HSS	1/1	3/3
MME	5/5	10/10
NRF	2/2	0/0
NSSF	1/1	1/1
PCF	3/3	3/3
SCP	1/1	1/1
SGWC	2/2	4/4
SGWU	2/2	1/1
SMF	4/3	7/7
UDM	2/2	1/1
UDR	1/1	0/0
UPF	2/2	1/1
多网元交叉	4/0	22/18

网元	模型运行轮数	告警数/个
AMF	78	15
AUSF	23	3
BSF	23	5
HSS	26	4
MME	160	31
NRF	44	2
NSSF	23	3
PCF	78	7
SCP	23	4
SGWC	52	6
SGWU	46	6
SMF	116	22
UDM	46	5
UDR	22	3
UPF	46	9

5G核心网网元	外部实体变量	核心网接口协议	危害	漏洞编号
AMF	amf_gnb	NGAP	内存泄露导致AMF崩溃	CVE-2022-40890
AMF	ran_ue	NGAP	内存泄露导致AMF崩溃	CVE-2022-43223
AMF	amf_ue	NAS	内存泄露导致AMF崩溃	已获厂商确认
SMF	pfcp_node	PFCP	内存泄露导致SMF崩溃	CVE-2022-43222
UPF	pfcp_node	PFCP	内存泄露导致UPF崩溃	CVE-2022-43221

Automated vulnerability discovery method for 5G core network protocol

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 26

Related Articles 9

Metrics

Recommended 0

[1]	Zhongyuan CHEN, Jianbiao ZHANG. Multi-feature fusion malware detection method based on attention and gating mechanisms [J]. Chinese Journal of Network and Information Security, 2024, 10(1): 123-135.
[2]	Fan CHAO, Zhi YANG, Xuehui DU, Bing HAN. Classified risk assessment method of Android application based on multi-factor clustering selection [J]. Chinese Journal of Network and Information Security, 2021, 7(2): 161-173.
[3]	Tianyu ZHOU,Wenbo SHEN,Nanzi YANG,Jinku LI,Chenggang QIN,Wang YU. Analysis of DoS attacks on Docker inter-component stdio copy [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 45-56.
[4]	Fan CHAO,Zhi YANG,Xuehui DU,Yan SUN. Android malware detection method based on deep neural network [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 67-79.
[5]	Xiaokang YIN,Liu LIU,Long LIU,Shengli LIU. Function argument number identification in stripped binary under PPC and MIPS instruction set [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 95-103.
[6]	Dong ZHANG,Yao ZHANG,Gang LIU,Gui-xiang SONG. Research on host malcode detection using machine learning [J]. Chinese Journal of Network and Information Security, 2017, 3(7): 25-32.
[7]	Bo-wen SUN,Yan-yi HUANG,Qiao-kun WEN,Bin TIAN,Peng WU,Qi LI. Malware classification method based on static multiple-feature fusion [J]. Chinese Journal of Network and Information Security, 2017, 3(11): 68-76.
[8]	Yue-xiu XING,Ai-qun HU,Yong-jian WANG,Ran ZHAO. Research on multi-dimensional iOS privacy disclosure evaluation model [J]. Chinese Journal of Network and Information Security, 2016, 2(4): 73-79.
[9]	Jia CHEN,Shan-qing1 GUO. Toward discovering and exploiting private server-side Web API [J]. Chinese Journal of Network and Information Security, 2016, 2(12): 27-38.