CovFUZZ: Coverage-based fuzzer for 4G&5G protocols Article Swipe

PDF

Ilja Siroš , Dave Singelée , Bart Preneel ·

YOU? · · 2024 · Open Access · · DOI: https://doi.org/10.48550/arxiv.2410.20958

4G and 5G represent the current cellular communication standards utilized daily by billions of users for various applications. Consequently, ensuring the security of 4G and 5G network implementations is critically important. This paper introduces an automated fuzzing framework designed to test the security of 4G and 5G attach procedure implementations. Our framework provides a comprehensive solution for uplink and downlink fuzzing in 4G, as well as downlink fuzzing in 5G, while supporting fuzzing on all layers except the physical layer. To guide the fuzzing process, we introduce a novel algorithm that assigns probabilities to packet fields and adjusts these probabilities based on coverage information from the device-under-test (DUT). For cases where coverage information from the DUT is unavailable, we propose a novel methodology to estimate it. When evaluating our framework, we first run the random fuzzing experiments, where the mutation probabilities are fixed throughout the fuzzing, and give an insight into how those probabilities should be chosen to optimize the Random fuzzer to achieve the best coverage. Next, we evaluate the efficiency of the proposed coverage-based algorithms by fuzzing open-source 4G stack (srsRAN) instances and show that the fuzzer guided by our algorithm outperforms the optimized Random fuzzer in terms of DUT's code coverage. In addition, we run fuzzing tests on 12 commercial off-the-shelf (COTS) devices. In total, we discovered vulnerabilities in 10 COTS devices and all of the srsRAN 4G instances.

Related Topics

Computer Science

Programming Language

Concepts

Fuzz testing Computer science Programming language Software

Metadata

Type: preprint
Language: en
Landing Page: http://arxiv.org/abs/2410.20958
PDF: https://arxiv.org/pdf/2410.20958
OA Status: green
Related Works: 10
OpenAlex ID: https://openalex.org/W4404314651

All OpenAlex metadata

Raw OpenAlex JSON

OpenAlex ID: https://openalex.org/W4404314651

Canonical identifier for this work in OpenAlex
DOI: https://doi.org/10.48550/arxiv.2410.20958

Digital Object Identifier
Title: CovFUZZ: Coverage-based fuzzer for 4G&5G protocols

Work title
Type: preprint

OpenAlex work type
Language: en

Primary language
Publication year: 2024

Year of publication
Publication date: 2024-10-28

Full publication date if available
Authors: Ilja Siroš, Dave Singelée, Bart Preneel

List of authors in order
Landing page: https://arxiv.org/abs/2410.20958

Publisher landing page
PDF URL: https://arxiv.org/pdf/2410.20958

Direct link to full text PDF
Open access: Yes

Whether a free full text is available
OA status: green

Open access status per OpenAlex
OA URL: https://arxiv.org/pdf/2410.20958

Direct OA link when available
Concepts: Fuzz testing, Computer science, Programming language, Software

Top concepts (fields/topics) attached by OpenAlex
Cited by: 0

Total citation count in OpenAlex
Related works (count): 10

Other works algorithmically related by OpenAlex

Full payload

id	https://openalex.org/W4404314651
doi	https://doi.org/10.48550/arxiv.2410.20958
ids.doi	https://doi.org/10.48550/arxiv.2410.20958
ids.openalex	https://openalex.org/W4404314651
fwci
type	preprint
title	CovFUZZ: Coverage-based fuzzer for 4G&5G protocols
biblio.issue
biblio.volume
biblio.last_page
biblio.first_page
topics[0].id	https://openalex.org/T13905
topics[0].field.id	https://openalex.org/fields/22
topics[0].field.display_name	Engineering
topics[0].score	0.8240000009536743
topics[0].domain.id	https://openalex.org/domains/3
topics[0].domain.display_name	Physical Sciences
topics[0].subfield.id	https://openalex.org/subfields/2214
topics[0].subfield.display_name	Media Technology
topics[0].display_name	Telecommunications and Broadcasting Technologies
is_xpac	False
apc_list
apc_paid
concepts[0].id	https://openalex.org/C111065885
concepts[0].level	3
concepts[0].score	0.6789579391479492
concepts[0].wikidata	https://www.wikidata.org/wiki/Q1189053
concepts[0].display_name	Fuzz testing
concepts[1].id	https://openalex.org/C41008148
concepts[1].level	0
concepts[1].score	0.5315677523612976
concepts[1].wikidata	https://www.wikidata.org/wiki/Q21198
concepts[1].display_name	Computer science
concepts[2].id	https://openalex.org/C199360897
concepts[2].level	1
concepts[2].score	0.11655858159065247
concepts[2].wikidata	https://www.wikidata.org/wiki/Q9143
concepts[2].display_name	Programming language
concepts[3].id	https://openalex.org/C2777904410
concepts[3].level	2
concepts[3].score	0.058421552181243896
concepts[3].wikidata	https://www.wikidata.org/wiki/Q7397
concepts[3].display_name	Software
keywords[0].id	https://openalex.org/keywords/fuzz-testing
keywords[0].score	0.6789579391479492
keywords[0].display_name	Fuzz testing
keywords[1].id	https://openalex.org/keywords/computer-science
keywords[1].score	0.5315677523612976
keywords[1].display_name	Computer science
keywords[2].id	https://openalex.org/keywords/programming-language
keywords[2].score	0.11655858159065247
keywords[2].display_name	Programming language
keywords[3].id	https://openalex.org/keywords/software
keywords[3].score	0.058421552181243896
keywords[3].display_name	Software
language	en
locations[0].id	pmh:oai:arXiv.org:2410.20958
locations[0].is_oa	True
locations[0].source.id	https://openalex.org/S4306400194
locations[0].source.issn
locations[0].source.type	repository
locations[0].source.is_oa	True
locations[0].source.issn_l
locations[0].source.is_core	False
locations[0].source.is_in_doaj	False
locations[0].source.display_name	arXiv (Cornell University)
locations[0].source.host_organization	https://openalex.org/I205783295
locations[0].source.host_organization_name	Cornell University
locations[0].source.host_organization_lineage	https://openalex.org/I205783295
locations[0].license
locations[0].pdf_url	https://arxiv.org/pdf/2410.20958
locations[0].version	submittedVersion
locations[0].raw_type	text
locations[0].license_id
locations[0].is_accepted	False
locations[0].is_published	False
locations[0].raw_source_name
locations[0].landing_page_url	http://arxiv.org/abs/2410.20958
locations[1].id	doi:10.48550/arxiv.2410.20958
locations[1].is_oa	True
locations[1].source.id	https://openalex.org/S4306400194
locations[1].source.issn
locations[1].source.type	repository
locations[1].source.is_oa	True
locations[1].source.issn_l
locations[1].source.is_core	False
locations[1].source.is_in_doaj	False
locations[1].source.display_name	arXiv (Cornell University)
locations[1].source.host_organization	https://openalex.org/I205783295
locations[1].source.host_organization_name	Cornell University
locations[1].source.host_organization_lineage	https://openalex.org/I205783295
locations[1].license
locations[1].pdf_url
locations[1].version
locations[1].raw_type	article
locations[1].license_id
locations[1].is_accepted	False
locations[1].is_published
locations[1].raw_source_name
locations[1].landing_page_url	https://doi.org/10.48550/arxiv.2410.20958
indexed_in	arxiv, datacite
authorships[0].author.id	https://openalex.org/A5099230540
authorships[0].author.orcid
authorships[0].author.display_name	Ilja Siroš
authorships[0].author_position	first
authorships[0].raw_author_name	Siroš, Ilja
authorships[0].is_corresponding	False
authorships[1].author.id	https://openalex.org/A5009111901
authorships[1].author.orcid	https://orcid.org/0000-0001-9084-698X
authorships[1].author.display_name	Dave Singelée
authorships[1].author_position	middle
authorships[1].raw_author_name	Singelée, Dave
authorships[1].is_corresponding	False
authorships[2].author.id	https://openalex.org/A5039506639
authorships[2].author.orcid	https://orcid.org/0000-0003-2005-9651
authorships[2].author.display_name	Bart Preneel
authorships[2].author_position	last
authorships[2].raw_author_name	Preneel, Bart
authorships[2].is_corresponding	False
has_content.pdf	False
has_content.grobid_xml	False
is_paratext	False
open_access.is_oa	True
open_access.oa_url	https://arxiv.org/pdf/2410.20958
open_access.oa_status	green
open_access.any_repository_has_fulltext	False
created_date	2024-11-14T00:00:00
display_name	CovFUZZ: Coverage-based fuzzer for 4G&5G protocols
has_fulltext	False
is_retracted	False
updated_date	2025-11-06T06:51:31.235846
primary_topic.id	https://openalex.org/T13905
primary_topic.field.id	https://openalex.org/fields/22
primary_topic.field.display_name	Engineering
primary_topic.score	0.8240000009536743
primary_topic.domain.id	https://openalex.org/domains/3
primary_topic.domain.display_name	Physical Sciences
primary_topic.subfield.id	https://openalex.org/subfields/2214
primary_topic.subfield.display_name	Media Technology
primary_topic.display_name	Telecommunications and Broadcasting Technologies
related_works	https://openalex.org/W4391375266, https://openalex.org/W2899084033, https://openalex.org/W2748952813, https://openalex.org/W2511770387, https://openalex.org/W3120811337, https://openalex.org/W2766647240, https://openalex.org/W4385301282, https://openalex.org/W2990186179, https://openalex.org/W3203597304, https://openalex.org/W4248424560
cited_by_count	0
locations_count	2
best_oa_location.id	pmh:oai:arXiv.org:2410.20958
best_oa_location.is_oa	True
best_oa_location.source.id	https://openalex.org/S4306400194
best_oa_location.source.issn
best_oa_location.source.type	repository
best_oa_location.source.is_oa	True
best_oa_location.source.issn_l
best_oa_location.source.is_core	False
best_oa_location.source.is_in_doaj	False
best_oa_location.source.display_name	arXiv (Cornell University)
best_oa_location.source.host_organization	https://openalex.org/I205783295
best_oa_location.source.host_organization_name	Cornell University
best_oa_location.source.host_organization_lineage	https://openalex.org/I205783295
best_oa_location.license
best_oa_location.pdf_url	https://arxiv.org/pdf/2410.20958
best_oa_location.version	submittedVersion
best_oa_location.raw_type	text
best_oa_location.license_id
best_oa_location.is_accepted	False
best_oa_location.is_published	False
best_oa_location.raw_source_name
best_oa_location.landing_page_url	http://arxiv.org/abs/2410.20958
primary_location.id	pmh:oai:arXiv.org:2410.20958
primary_location.is_oa	True
primary_location.source.id	https://openalex.org/S4306400194
primary_location.source.issn
primary_location.source.type	repository
primary_location.source.is_oa	True
primary_location.source.issn_l
primary_location.source.is_core	False
primary_location.source.is_in_doaj	False
primary_location.source.display_name	arXiv (Cornell University)
primary_location.source.host_organization	https://openalex.org/I205783295
primary_location.source.host_organization_name	Cornell University
primary_location.source.host_organization_lineage	https://openalex.org/I205783295
primary_location.license
primary_location.pdf_url	https://arxiv.org/pdf/2410.20958
primary_location.version	submittedVersion
primary_location.raw_type	text
primary_location.license_id
primary_location.is_accepted	False
primary_location.is_published	False
primary_location.raw_source_name
primary_location.landing_page_url	http://arxiv.org/abs/2410.20958
publication_date	2024-10-28
publication_year	2024
referenced_works_count	0
abstract_inverted_index.a	53, 87, 120
abstract_inverted_index.10	222
abstract_inverted_index.12	211
abstract_inverted_index.4G	0, 23, 44, 180, 230
abstract_inverted_index.5G	2, 25, 46
abstract_inverted_index.In	204, 216
abstract_inverted_index.To	80
abstract_inverted_index.an	34, 148
abstract_inverted_index.as	63, 65
abstract_inverted_index.be	155
abstract_inverted_index.by	11, 177, 190
abstract_inverted_index.in	61, 68, 198, 221
abstract_inverted_index.is	28, 116
abstract_inverted_index.of	13, 22, 43, 172, 200, 227
abstract_inverted_index.on	73, 101, 210
abstract_inverted_index.to	39, 93, 123, 157, 162
abstract_inverted_index.we	85, 118, 130, 168, 206, 218
abstract_inverted_index.4G,	62
abstract_inverted_index.5G,	69
abstract_inverted_index.DUT	115
abstract_inverted_index.For	108
abstract_inverted_index.Our	50
abstract_inverted_index.all	74, 226
abstract_inverted_index.and	1, 24, 45, 58, 96, 146, 184, 225
abstract_inverted_index.are	141
abstract_inverted_index.for	15, 56
abstract_inverted_index.how	151
abstract_inverted_index.it.	125
abstract_inverted_index.our	128, 191
abstract_inverted_index.run	132, 207
abstract_inverted_index.the	4, 20, 41, 77, 82, 105, 114, 133, 138, 144, 159, 164, 170, 173, 187, 194, 228
abstract_inverted_index.COTS	223
abstract_inverted_index.This	31
abstract_inverted_index.When	126
abstract_inverted_index.best	165
abstract_inverted_index.code	202
abstract_inverted_index.from	104, 113
abstract_inverted_index.give	147
abstract_inverted_index.into	150
abstract_inverted_index.show	185
abstract_inverted_index.test	40
abstract_inverted_index.that	90, 186
abstract_inverted_index.well	64
abstract_inverted_index.DUT's	201
abstract_inverted_index.Next,	167
abstract_inverted_index.based	100
abstract_inverted_index.cases	109
abstract_inverted_index.daily	10
abstract_inverted_index.first	131
abstract_inverted_index.fixed	142
abstract_inverted_index.guide	81
abstract_inverted_index.novel	88, 121
abstract_inverted_index.paper	32
abstract_inverted_index.stack	181
abstract_inverted_index.terms	199
abstract_inverted_index.tests	209
abstract_inverted_index.these	98
abstract_inverted_index.those	152
abstract_inverted_index.users	14
abstract_inverted_index.where	110, 137
abstract_inverted_index.while	70
abstract_inverted_index.(COTS)	214
abstract_inverted_index.(DUT).	107
abstract_inverted_index.Random	160, 196
abstract_inverted_index.attach	47
abstract_inverted_index.chosen	156
abstract_inverted_index.except	76
abstract_inverted_index.fields	95
abstract_inverted_index.fuzzer	161, 188, 197
abstract_inverted_index.guided	189
abstract_inverted_index.layer.	79
abstract_inverted_index.layers	75
abstract_inverted_index.packet	94
abstract_inverted_index.random	134
abstract_inverted_index.should	154
abstract_inverted_index.srsRAN	229
abstract_inverted_index.total,	217
abstract_inverted_index.uplink	57
abstract_inverted_index.achieve	163
abstract_inverted_index.adjusts	97
abstract_inverted_index.assigns	91
abstract_inverted_index.current	5
abstract_inverted_index.devices	224
abstract_inverted_index.fuzzing	36, 60, 67, 72, 83, 135, 178, 208
abstract_inverted_index.insight	149
abstract_inverted_index.network	26
abstract_inverted_index.propose	119
abstract_inverted_index.various	16
abstract_inverted_index.(srsRAN)	182
abstract_inverted_index.billions	12
abstract_inverted_index.cellular	6
abstract_inverted_index.coverage	102, 111
abstract_inverted_index.designed	38
abstract_inverted_index.devices.	215
abstract_inverted_index.downlink	59, 66
abstract_inverted_index.ensuring	19
abstract_inverted_index.estimate	124
abstract_inverted_index.evaluate	169
abstract_inverted_index.fuzzing,	145
abstract_inverted_index.mutation	139
abstract_inverted_index.optimize	158
abstract_inverted_index.physical	78
abstract_inverted_index.process,	84
abstract_inverted_index.proposed	174
abstract_inverted_index.provides	52
abstract_inverted_index.security	21, 42
abstract_inverted_index.solution	55
abstract_inverted_index.utilized	9
abstract_inverted_index.addition,	205
abstract_inverted_index.algorithm	89, 192
abstract_inverted_index.automated	35
abstract_inverted_index.coverage.	166, 203
abstract_inverted_index.framework	37, 51
abstract_inverted_index.instances	183
abstract_inverted_index.introduce	86
abstract_inverted_index.optimized	195
abstract_inverted_index.procedure	48
abstract_inverted_index.represent	3
abstract_inverted_index.standards	8
abstract_inverted_index.algorithms	176
abstract_inverted_index.commercial	212
abstract_inverted_index.critically	29
abstract_inverted_index.discovered	219
abstract_inverted_index.efficiency	171
abstract_inverted_index.evaluating	127
abstract_inverted_index.framework,	129
abstract_inverted_index.important.	30
abstract_inverted_index.instances.	231
abstract_inverted_index.introduces	33
abstract_inverted_index.supporting	71
abstract_inverted_index.throughout	143
abstract_inverted_index.information	103, 112
abstract_inverted_index.methodology	122
abstract_inverted_index.open-source	179
abstract_inverted_index.outperforms	193
abstract_inverted_index.experiments,	136
abstract_inverted_index.unavailable,	117
abstract_inverted_index.Consequently,	18
abstract_inverted_index.applications.	17
abstract_inverted_index.communication	7
abstract_inverted_index.comprehensive	54
abstract_inverted_index.off-the-shelf	213
abstract_inverted_index.probabilities	92, 99, 140, 153
abstract_inverted_index.coverage-based	175
abstract_inverted_index.implementations	27
abstract_inverted_index.vulnerabilities	220
abstract_inverted_index.implementations.	49
abstract_inverted_index.device-under-test	106
cited_by_percentile_year
countries_distinct_count	0
institutions_distinct_count	3
citation_normalized_percentile