5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol

The paper proposes 5GReasoner, a framework for property-guided formal verification of control-plane protocols that span multiple layers of the 5G protocol stack. The underlying analysis carried out by 5GReasoner can be viewed as an instance of the model checking problem with respect to an adversarial environment. Through an effective use of behavior-specific abstraction in our manually extracted 5G protocol model, 5GReasoner's analysis generalizes prior analyses of cellular protocols by reasoning about properties not only of packet payloads but also of multi-layer protocol interactions. We instantiated 5GReasoner with two model checkers and a cryptographic protocol verifier, lazily combining them through the abstraction-refinement principle. Our analysis of the extracted 5G protocol model, covering 6 key control-layer protocols spanning two layers of the 5G protocol stack, has identified 11 design weaknesses that lead to attacks with both security and privacy implications. Our analysis also discovered 5 previous design weaknesses that 5G inherits from 4G and that can be exploited to violate its security and privacy guarantees.
