Stateful Analysis and Fuzzing of Commercial Baseband Firmware

Published: 2025, Last Modified: 06 Jan 2026. Venue: SP 2025. License: CC BY-SA 4.0
Abstract: Baseband firmware plays a critical role in cellular communication, yet its proprietary, closed-source nature and complex, stateful processing logic make systematic security testing challenging. Existing methods often fail to account for the interdependencies between baseband tasks and the statefulness of input processing logic, limiting their scope and effectiveness. We present Loris, a stateful fuzz testing framework designed to explore and analyze baseband firmware implementations effectively. We employ iterative symbolic analysis to progressively identify state variables and the predicates over them that define different protocol states, while alleviating the state explosion problem. This enables Loris to perform targeted exploration and fuzzing of program regions with high potential for vulnerabilities. We evaluated Loris across 5 commercial devices from two major vendors, covering both 4G Long-Term Evolution (LTE) and 5G New Radio (NR), demonstrating its broad applicability. Our testing revealed 7 new vulnerabilities exploitable by over-the-air attackers, potentially leading to baseband crashes, remote code execution, and denial of service.