Go to OpenReview Archive homepage5GC-Fuzz: Finding Deep Stateful Vulnerabilities in 5G Core Network with Black-box Fuzzing
Abstract: Given the large-scale deployment of 5G, rigorous testing of its core network (5GC) is essential to ensure security and robustness. Fuzzing is currently one of the most popular vulnerability discovery techniques. However, existing fuzzers suffer from low coverage of 3GPP-specified 5GC states, invalid long signaling sequence generation when exploring deep 5GC states, and coarse-grained feedback of closed-source 5G systems. This paper presents 5GC-Fuzz, a black-box fuzzing framework to detect deep stateful vulnerabilities in 5GC implementations. 5GC-Fuzz integrates three innovative techniques: (1) a systematic construction of a 5GC state machine derived from 3GPP specifications to guide the fuzzing process; (2) a 5G grammar-aware signaling sequence mutation method based on protocol stack interception to generate test cases while maximally guaranteeing the syntactic, semantic, and cryptographic correctness; and (3) a fine-grained state-transition-path feedback mechanism based on 5GC logs to optimize test states and sequences selection. The 5GC-Fuzz was evaluated on three popular 5GC implementations and achieves 152.6% more states and 206.7% more state transition paths than the state-of-the-art fuzzers. Moreover, 5GC-Fuzz exposed 22 security-critical vulnerabilities, with 6 CVEs assigned. In general, 5GC-Fuzz could explore deeper states and uncover more vulnerabilities in 5GC, significantly enhancing the security of mobile communication infrastructures.
Loading