CellScope: Automatically Specifying and Verifying Cellular Network Protocols

model is safe, the concrete model should also be safe. However, when a counterexample is found on the abstract model, it is either feasible on the concrete model or a spurious example caused by a too-coarse abstraction. Therefore, CEGAR further refines the abstract model by generating new predicates that rule out the current spurious example. A number of heuristics have been designed to generate such predicates. Unfortunately, because the specification is usually written by humans, none of these heuristics uses any knowledge beyond the explicit model itself. As a unified platform, CellScope is able to share knowledge between its specification and verification parts. In particular, when constructing CFAs, CellScope distinguishes protocol-related variables from program-control-related variables. In addition, CellScope records dummy adversary variables when building message channels. An abstract model consisting of these variables can largely capture the behavior of the underlying protocol while remaining small in size. Therefore, after finding the set of contradicting predicates, our model checker prioritizes these more essential variables over the others. In this way, CellScope captures the essence of the concrete model and selects new predicates more wisely, so model checking terminates faster.

3.2 Model Decomposition with Weakest Precondition

The execution time of verification grows quickly with the size of the model. Formal models, however, are always entangled, which makes decomposing them into separate models infeasible. Cellular network models, on the other hand, can be decomposed more easily into protocol layers, and a single layer can further be divided into function modules; the interactions between them are limited to a few messages. To verify a safety property, CellScope starts by verifying the function module in which the violation of the property can occur.
Then, CellScope proceeds by constructing the set of weakest preconditions on the interface between modules from which the violation can be reached. It propagates backward in the same way until it reaches the initial module.

ACKNOWLEDGMENT

We would like to thank the anonymous reviewers for their valuable comments.
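The backward propagation of Section 3.2, as an added example that is not CellScope's own code: a weakest-precondition calculator over a toy module language (assignments and assume-guards on integers), applied to three constructed modules whose names and variables (init, security_mode, attach, ip_active, retries, accepted) are hypothetical. Running the chain with and without the security-mode module yields the condition on each module interface and decides whether the violation is reachable from the initial module.

```python
import operator
# Expressions: ("var", name), ("const", value), ("not", e) or (op, lhs, rhs) with op in OPS.
OPS = {"+": operator.add, "==": operator.eq, "<": operator.lt,
       "and": lambda a, b: a and b, "or": lambda a, b: a or b}

def subst(e, var, repl):  # e with every occurrence of variable `var` replaced by `repl`
    if e[0] in ("var", "const"):
        return repl if e == ("var", var) else e
    return (e[0],) + tuple(subst(s, var, repl) for s in e[1:])

def wp(stmts, post):
    """wp(x := e, Q) = Q[e/x];  wp(assume c, Q) = (not c) or Q; statements folded right to left."""
    pre = post
    for kind, *args in reversed(stmts):
        if kind == "assign":
            pre = subst(pre, args[0], args[1])
        elif kind == "assume":
            pre = ("or", ("not", args[0]), pre)
        else:
            raise ValueError(f"unknown statement kind {kind}")
    return pre

def evaluate(e, state):  # evaluate an expression whose free variables are in `state`
    if e[0] in ("var", "const"):
        return state[e[1]] if e[0] == "var" else e[1]
    if e[0] == "not":
        return not evaluate(e[1], state)
    return OPS[e[0]](evaluate(e[1], state), evaluate(e[2], state))

def entry_conditions(chain, violation):
    """Push `violation` backward through modules (listed initial to last); returns the
    weakest precondition at each module's entry, i.e. the condition on its interface."""
    conds, pre = {}, violation
    for name, stmts in reversed(chain):
        pre = wp(stmts, pre)
        conds[name] = pre
    return conds

def violation_reachable(chain, violation):
    # The initial module assigns every variable, so its entry condition is closed.
    return bool(evaluate(entry_conditions(chain, violation)[chain[0][0]], {}))

# Constructed toy modules with hypothetical variable names (not a real protocol model).
V, C = (lambda n: ("var", n)), (lambda v: ("const", v))
INIT = ("init", [("assign", "ip_active", C(0)), ("assign", "retries", C(0)), ("assign", "accepted", C(0))])
SECURITY_MODE = ("security_mode", [("assign", "ip_active", C(1)),
                                   ("assign", "retries", ("+", V("retries"), C(1)))])
ATTACH = ("attach", [("assume", ("<", V("retries"), C(3))), ("assign", "accepted", C(1))])
# Safety property: a message is never accepted while integrity protection is off.
VIOLATION = ("and", ("==", V("ip_active"), C(0)), ("==", V("accepted"), C(1)))
```

With the full chain `[INIT, SECURITY_MODE, ATTACH]` the initial module's entry condition evaluates to false (the property holds); dropping `SECURITY_MODE` from the chain makes it true, showing where the violation becomes reachable.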
