Table of Contents
Fetching ...

CellSecInspector: Safeguarding Cellular Networks via Automated Security Analysis on Specifications

Ke Xie, Xingyi Zhao, Yiwen Hu, Munshi Saifuzzaman, Wen Li, Shuhan Yuan, Tian Xie, Guan-Hua Tu

TL;DR

The paper addresses security analysis of evolving 3GPP specifications by automating deep semantic understanding beyond rule-based approaches. CellSecInspector provides an end-to-end pipeline that learns domain knowledge, extracts SCA representations, builds function chains, and validates them against security properties. Security validation uses $9$ foundational properties under $4$ attack modalities to automatically generate test cases and discover vulnerabilities. Applied to 5G/4G NAS and RRC, it identifies $43$ vulnerabilities, including $8$ new ones, and comes with a public dataset of over $29{,}000$ normalized sentences, demonstrating scalability and practical impact.

Abstract

The complexity, interdependence, and rapid evolution of 3GPP specifications present fundamental challenges for ensuring the security of modern cellular networks. Manual reviews and existing automated approaches, which often depend on rule-based parsing or small sets of manually crafted security requirements, fail to capture deep semantic dependencies, cross-sentence/clause relationships, and evolving specification behaviors. In this work, we present CellSecInspector, an automated framework for security analysis of 3GPP specifications. CellSecInspector extracts structured state-condition-action (SCA) representations, models mobile network procedures with comprehensive function chains, systematically validates them against 9 foundational security properties under 4 adversarial scenarios, and automatically generates test cases. This end-to-end pipeline enables the automated discovery of vulnerabilities without relying on manually predefined security requirements or rules. Applying CellSecInspector to the well-studied 5G and 4G NAS and RRC specifications, it discovers 43 vulnerabilities, 8 of which are previously unreported. Our findings show that CellSecInspector is a scalable, adaptive, and effective solution to assess 3GPP specifications for safeguarding operational and next-generation cellular networks.

CellSecInspector: Safeguarding Cellular Networks via Automated Security Analysis on Specifications

TL;DR

The paper addresses security analysis of evolving 3GPP specifications by automating deep semantic understanding beyond rule-based approaches. CellSecInspector provides an end-to-end pipeline that learns domain knowledge, extracts SCA representations, builds function chains, and validates them against security properties. Security validation uses foundational properties under attack modalities to automatically generate test cases and discover vulnerabilities. Applied to 5G/4G NAS and RRC, it identifies vulnerabilities, including new ones, and comes with a public dataset of over normalized sentences, demonstrating scalability and practical impact.

Abstract

The complexity, interdependence, and rapid evolution of 3GPP specifications present fundamental challenges for ensuring the security of modern cellular networks. Manual reviews and existing automated approaches, which often depend on rule-based parsing or small sets of manually crafted security requirements, fail to capture deep semantic dependencies, cross-sentence/clause relationships, and evolving specification behaviors. In this work, we present CellSecInspector, an automated framework for security analysis of 3GPP specifications. CellSecInspector extracts structured state-condition-action (SCA) representations, models mobile network procedures with comprehensive function chains, systematically validates them against 9 foundational security properties under 4 adversarial scenarios, and automatically generates test cases. This end-to-end pipeline enables the automated discovery of vulnerabilities without relying on manually predefined security requirements or rules. Applying CellSecInspector to the well-studied 5G and 4G NAS and RRC specifications, it discovers 43 vulnerabilities, 8 of which are previously unreported. Our findings show that CellSecInspector is a scalable, adaptive, and effective solution to assess 3GPP specifications for safeguarding operational and next-generation cellular networks.
Paper Structure (37 sections, 2 equations, 7 figures, 9 tables)

This paper contains 37 sections, 2 equations, 7 figures, 9 tables.

Figures (7)

  • Figure 1: CellSecInspector Overview
  • Figure 2: SCA representation for Node 2037
  • Figure 3: 5G mobility management function chain
  • Figure 4: SCA representations and FSM states extracted from the same specifications
  • Figure 5: Emergency service DoS attacks
  • ...and 2 more figures