网络与信息安全学报, 2024, Vol. 10, Issue (1): 156-168, 13. DOI: 10.11959/j.issn.2096-109x.2024006
Automated vulnerability discovery method for 5G core network protocol
Abstract
With the widespread development of fifth-generation (5G) mobile communication technology, concerns regarding 5G network security have also increased. Blackbox fuzzing is a commonly used method for automated vulnerability discovery in software security. However, applying dynamic approaches like fuzzing to discover vulnerabilities in the complex design of 5G core network protocols poses challenges such as low efficiency, poor versatility, and lack of scalability. Therefore, a novel static method to examine the open-source solution of the 5G core network was proposed. Through this method, a series of memory leak security issues caused by improper variable life cycle management were identified, which can lead to denial-of-service attacks on the 5G core network. To summarize these weaknesses, a general vulnerability model and an automated vulnerability discovery method called HoI were presented, which utilized hybrid analysis based on control and data flow. By successfully discovering five zero-day bugs in Open5GS, an open-source solution for the 5G core network, vulnerabilities that cover practical application scenarios of multiple interface protocols in the 5G core network were identified. These vulnerabilities have wide-ranging impact, are highly detrimental, and can be easily exploited. They have been reported to the vendor and assigned four Common Vulnerabilities and Exposures (CVE) numbers, demonstrating the effectiveness of this automated vulnerability discovery method.

Key words
5G core network / open-source solution / protocol security / static analysis / vulnerability discovery

Classification
Information Technology and Security Science

Cite this article
吴佩翔, 张志龙, 陈力波, 王轶骏, 薛质. Automated vulnerability discovery method for 5G core network protocol [J]. 网络与信息安全学报, 2024, 10(1): 156-168, 13.

Funding
The National Key R&D Program of China (2022QY1702)