Conference Paper: Bookworm game: Automatic discovery of LTE vulnerabilities through documentation analysis

Title: Bookworm game: Automatic discovery of LTE vulnerabilities through documentation analysis
Authors: Chen, Yi; Yao, Yepeng; Wang, Xiaofeng; Xu, Dandan; Yue, Chang; Liu, Xiaozhong; Chen, Kai; Tang, Haixu; Liu, Baoxu
Keywords: 4G; Attack; Cellular Network; Documentation Analysis; LTE; NLP; Vulnerability
Issue Date: 2021
Citation: Proceedings - IEEE Symposium on Security and Privacy, 2021, v. 2021-May, p. 1197-1214
Abstract: In the past decade, the security of cellular networks has been increasingly under scrutiny, leading to the discovery of numerous vulnerabilities that expose the network and its users to a wide range of security risks, from denial of service to information leak. However, most of these findings have been made through ad-hoc manual analysis, which is inadequate for fundamentally enhancing the security assurance of a system as complex as the cellular network. An important observation is that the massive amount of technical documentation of cellular network can provide key insights into the protection it puts in place and help identify potential security flaws. Particularly, we found that such documentation often contains hazard indicators (HIs) - the statement that describes a risky operation (e.g., abort an ongoing procedure) when a certain event happens at a state, which can guide a test on the system to find out whether the operation can indeed be triggered by an unauthorized party to cause harm to the cellular core or legitimate users' equipment. Based upon this observation, we present in this paper a new framework that makes the first step toward intelligent and systematic security analysis of cellular networks. Our approach, called Atomic, utilizes natural-language processing and machine learning techniques to scan a large amount of LTE documentation for HIs. The HIs discovered are further parsed and analyzed to recover state and event information for generating test cases. These test cases are further utilized to automatically construct tests in an LTE simulation environment, which runs the tests to detect the vulnerabilities in the LTE that allow the risky operations to happen without proper protection. In our research, we implemented Atomic and ran it on the LTE NAS specification, including 549 pages with 13,598 sentences and 283,850 words. In less than 5 hours, our prototype reported 42 vulnerabilities from 192 HIs discovered, including 10 never reported before, under two threat models. All these vulnerabilities have been confirmed through end-to-end attacks, which lead to unauthorized disruption of the LTE service a legitimate user's equipment receives. We reported our findings to authorized parties and received their confirmation that these vulnerabilities indeed exist in major commercial carriers and $2,000 USD reward from Google.
Persistent Identifier: http://hdl.handle.net/10722/350224
ISSN: 1081-6011
2020 SCImago Journal Rankings: 2.407

 

| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Chen, Yi | - |
| dc.contributor.author | Yao, Yepeng | - |
| dc.contributor.author | Wang, Xiaofeng | - |
| dc.contributor.author | Xu, Dandan | - |
| dc.contributor.author | Yue, Chang | - |
| dc.contributor.author | Liu, Xiaozhong | - |
| dc.contributor.author | Chen, Kai | - |
| dc.contributor.author | Tang, Haixu | - |
| dc.contributor.author | Liu, Baoxu | - |
| dc.date.accessioned | 2024-10-21T04:35:10Z | - |
| dc.date.available | 2024-10-21T04:35:10Z | - |
| dc.date.issued | 2021 | - |
| dc.identifier.citation | Proceedings - IEEE Symposium on Security and Privacy, 2021, v. 2021-May, p. 1197-1214 | - |
| dc.identifier.issn | 1081-6011 | - |
| dc.identifier.uri | http://hdl.handle.net/10722/350224 | - |
| dc.language | eng | - |
| dc.relation.ispartof | Proceedings - IEEE Symposium on Security and Privacy | - |
| dc.subject | 4G | - |
| dc.subject | Attack | - |
| dc.subject | Cellular Network | - |
| dc.subject | Documentation Analysis | - |
| dc.subject | LTE | - |
| dc.subject | NLP | - |
| dc.subject | Vulnerability | - |
| dc.title | Bookworm game: Automatic discovery of LTE vulnerabilities through documentation analysis | - |
| dc.type | Conference_Paper | - |
| dc.description.nature | link_to_subscribed_fulltext | - |
| dc.identifier.doi | 10.1109/SP40001.2021.00104 | - |
| dc.identifier.scopus | eid_2-s2.0-85110058416 | - |
| dc.identifier.volume | 2021-May | - |
| dc.identifier.spage | 1197 | - |
| dc.identifier.epage | 1214 | - |
