Papers
Topics
Authors
Recent
Search
2000 character limit reached

CellularLint: A Systematic Approach to Identify Inconsistent Behavior in Cellular Network Specifications

Published 18 Jul 2024 in cs.CR, cs.AI, and cs.IR | (2407.13742v1)

Abstract: In recent years, there has been a growing focus on scrutinizing the security of cellular networks, often attributing security vulnerabilities to issues in the underlying protocol design descriptions. These protocol design specifications, typically extensive documents that are thousands of pages long, can harbor inaccuracies, underspecifications, implicit assumptions, and internal inconsistencies. In light of the evolving landscape, we introduce CellularLint--a semi-automatic framework for inconsistency detection within the standards of 4G and 5G, capitalizing on a suite of natural language processing techniques. Our proposed method uses a revamped few-shot learning mechanism on domain-adapted LLMs. Pre-trained on a vast corpus of cellular network protocols, this method enables CellularLint to simultaneously detect inconsistencies at various levels of semantics and practical use cases. In doing so, CellularLint significantly advances the automated analysis of protocol specifications in a scalable fashion. In our investigation, we focused on the Non-Access Stratum (NAS) and the security specifications of 4G and 5G networks, ultimately uncovering 157 inconsistencies with 82.67% accuracy. After verification of these inconsistencies on open-source implementations and 17 commercial devices, we confirm that they indeed have a substantial impact on design decisions, potentially leading to concerns related to privacy, integrity, availability, and interoperability.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (64)
  1. Baseband attacks: Remote exploitation of memory corruptions in cellular protocol stacks. In WOOT, 2012.
  2. https://www.3gpp.org/.
  3. 5G Security Architecture, 2023. https://www.etsi.org/deliver/etsi_ts/133500_133599/133501/17.05.00_60/ts_133501v170500p.pdf.
  4. Ericsson, 2023. https://www.ericsson.com/en/reports-and-papers/mobility-report/dataforecasts/mobile-subscriptions-outlook.
  5. Global Mobile Suppliers Association, 2023. https://gsacom.com/paper/5g-subscribers-march-2023-update/.
  6. Huggingface Transformers, 2023. https://huggingface.co/docs/transformers/index.
  7. LTE Security Architecture, 2023. https://www.etsi.org/deliver/etsi_ts/133400_133499/133401/17.01.00_60/ts_133401v170100p.pdf.
  8. Non-Access-Stratum (NAS) protocol for 5G System (5GS), 2023. https://www.etsi.org/deliver/etsi_ts/124500_124599/124501/17.07.01_60/ts_124501v170701p.pdf.
  9. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS), 2023. https://www.etsi.org/deliver/etsi_ts/124300_124399/124301/17.06.00_60/ts_124301v170600p.pdf.
  10. https://www.open5gs.org/.
  11. OpenAirInterface | 5G software alliance for democratising wireless innovation, 2023. https://www.openairinterface.org.
  12. SrsRAN Project, 2023. https://www.srslte.com/5g.
  13. CellularLint: A Systematic Approach to Identify Inconsistent Behavior in Cellular Network Specifications, 2024. https://cellularlint.github.io/.
  14. PolicyLint: Investigating internal privacy policy contradictions on google play. In USENIX Security, 2019.
  15. Actions speak louder than words: Entity-Sensitive privacy policy and data flow analysis with PoliCheck. In USENIX Security, 2020.
  16. Daniele Antonioli. Bluffs: Bluetooth forward and future secrecy attacks and defenses. In Proc. of CCS, 2023.
  17. Ue security reloaded: Developing a 5g standalone user-side security testing framework. In Proc. of ACM WiSec, 2023.
  18. A large annotated corpus for learning natural language inference. In Proc. of EMNLP, 2015.
  19. Language models are few-shot learners. Advances in NeurIPS, 2020.
  20. Universal sentence encoder for English. In Proc. of EMNLP: System Demonstrations, 2018.
  21. LEGAL-BERT: The muppets straight out of law school. In Findings of EMNLP, 2020.
  22. Sherlock on specs: Building LTE conformance tests through automated reasoning. In USENIX Security, 2023.
  23. Seeing the forest for the trees: Understanding security hazards in the 3GPP ecosystem through intelligent analysis on change requests. In USENIX Security, 2022.
  24. Bookworm game: Automatic discovery of lte vulnerabilities through documentation analysis. In IEEE Security and Privacy (SP), 2021.
  25. Lte security disabled: Misconfiguration in commercial networks. In Proc. of WiSec, 2019.
  26. Component-based formal analysis of 5g-aka: Channel assumptions and session confusion. In NDSS, 2019.
  27. BERT: pre-training of deep bidirectional transformers for language understanding. CoRR, abs/1810.04805, 2018.
  28. D. Dolev and A. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 1983.
  29. Active learning for bert: an empirical study. In Proc. of EMNLP, 2020.
  30. Making pre-trained language models better few-shot learners. In Proc. of ACL-IJCNLP (Volume 1: Long Papers), 2021.
  31. Domain-specific language model pretraining for biomedical natural language processing. ACM Transactions on Computing for Healthcare (HEALTH), 2021.
  32. Guti reallocation demystified: Cellular location tracking with changing temporary identifier. In NDSS Symposium, 2018.
  33. OCNLI: Original Chinese Natural Language Inference. In Findings of EMNLP, 2020.
  34. Lteinspector: A systematic approach for adversarial testing of 4g lte. In NDSS Symposium, 2018.
  35. Privacy attacks to the 4g and 5g cellular paging protocols using side channel information. Proc. of NDSS Symposium, 2019.
  36. 5greasoner: A property-directed security and privacy analysis framework for 5g cellular network protocol. In Proc. of ACM CCS, 2019.
  37. Noncompliance as deviant behavior: An automated black-box noncompliance checker for 4g lte cellular devices. In Proc. of CCS, 2021.
  38. Distance-based self-attention network for natural language inference. arXiv preprint arXiv:1712.02047, 2017.
  39. Hermes: Unlocking security analysis of cellular network protocols by synthesizing finite state machines from natural language specifications, 2023.
  40. Never let me down again: Bidding-down attacks and mitigations in 5g and 4g. In Proc. of WiSec, 2023.
  41. Spec5g: A dataset for 5g cellular network protocol analysis. In Proc. of IJCNLP-AACL, 2023.
  42. Basespec: Comparative analysis of baseband software and cellular specifications for l3 protocols. Proc. of NDSS Symposium, 2021.
  43. Breaking and fixing volte: Exploiting hidden data channels and mis-implementations. In Proc. of CCS, 2015.
  44. Touching the untouchables: Dynamic security analysis of the lte control plane. In IEEE Security and Privacy (SP), 2019.
  45. Instructions unclear: Undefined behaviour in cellular network specifications. In USENIX Security, 2023.
  46. Distributed representations of sentences and documents. In Eric P. Xing and Tony Jebara, editors, Proc. of ICML, 2014.
  47. Insecurity of voice solution volte in lte mobile networks. In Proc. of CCS, 2015.
  48. Roberta: A robustly optimized BERT pretraining approach. CoRR, abs/1907.11692, 2019.
  49. Basesafe: Baseband sanitized fuzzing through emulation. In Proc. of WiSec, 2020.
  50. Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781, 2013.
  51. Robert Munro Monarch. Human-in-the-Loop Machine Learning: Active learning and annotation for human-centered AI. Simon and Schuster, 2021.
  52. Automated attack synthesis by extracting finite state machines from protocol specification documents. In IEEE Security and Privacy (SP), 2022.
  53. overshadowt: In-depth downlink negative testing framework for LTE devices. In USENIX Security, 2022.
  54. Med-bert: pretrained contextualized embeddings on large-scale structured electronic health records for disease prediction. NPJ digital medicine, 2021.
  55. Sentence-BERT: Sentence embeddings using Siamese BERT-networks. In Proc. of EMNLP-IJCNLP, 2019.
  56. Imp4gt: Impersonation attacks in 4g networks. In ISOC NDSS, 2020.
  57. Scinli: A corpus for natural language inference on scientific text, 2022.
  58. Towards contradiction detection in german: a translation-driven approach. In IEEE SSCI, 2019.
  59. Karen Sparck Jones. A statistical interpretation of term specificity and its application in retrieval. Journal of documentation, 1972.
  60. Attention is all you need. Advances in NeurIPS, 2017.
  61. EDA: Easy data augmentation techniques for boosting performance on text classification tasks. In Proc. of EMNLP-IJCNLP, 2019.
  62. Transformers: State-of-the-art natural language processing. In Proc. of EMNLP: System Demonstrations, 2020.
  63. Hiding in plain signal: Physical signal overshadowing attack on LTE. In USENIX Security, 2019.
  64. Xlnet: Generalized autoregressive pretraining for language understanding. Advances in NeurIPS, 2019.
Citations (1)
View on Semantic Scholar

Summary

No one has generated a summary of this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Sign Up to Summarize

Paper to Video (Beta)

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Sign Up to Generate

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up for Free