The paper presents a novel framework that integrates formal verification and fuzz testing to enhance vulnerability detection in 5G networks, specifically focusing on the Non Standard-Alone (NSA) security processes. By leveraging the strengths of both methodologies, the framework effectively identifies protocol-level vulnerabilities and assesses risks associated with implementation stacks. The approach has led to the discovery of multiple vulnerabilities, significantly improving the efficiency and scalability of vulnerability detection in complex 5G systems.

Formal and Fuzzing Amplification: Targeting Vulnerability Detection in 5G and Beyond

Jingda Yang, Student Member, IEEE, and Ying Wang, Member, IEEE
School of Systems and Enterprises, Stevens Institute of Technology, Hoboken, USA
[email protected], and [email protected]

arXiv:2307.05758v1 [cs.CR] 11 Jul 2023

Abstract—Softwarization and virtualization in 5G and beyond require rigorous testing against vulnerabilities and unintended emergent behaviors for critical infrastructure and network security assurance. Formal methods operate efficiently on protocol-level abstract specification models, and fuzz testing offers comprehensive experimental evaluation of system implementations. In this paper, we propose a novel framework that leverages the respective advantages and coverage of both formal and fuzzing methods to efficiently detect vulnerabilities from protocol logic to implementation stacks hierarchically. The attack traces detected by formal verification in critical protocols guide the case generation of fuzz testing, and the feedback from fuzz testing further broadens the scope of the formal verification. We examine the proposed framework with the 5G Non Standard-Alone (NSA) security processes, focusing on the Radio Resource Control (RRC) connection process. We first identify protocol-level vulnerabilities of user credentials via formal methods. Following this, we implement bit-level fuzzing to evaluate the potential impacts and risks of integrity-vulnerable identifier variation. Concurrently, we conduct command-level mutation-based fuzzing by fixing the assumed identifier to assess the potential impacts and risks of confidentiality-vulnerable identifiers. During this approach, we established 1 attack model and detected 53 vulnerabilities. The vulnerabilities identified, used to fortify protocol-level assumptions, could further refine the search space for the following detection cycles. Compared to state-of-the-art fuzz testing, this unified methodology significantly reduces computational complexity, transforming the computational cost from exponential to linear growth. Consequently, it addresses the prevalent scalability challenges in detecting vulnerabilities and unintended emergent behaviors in large-scale systems in 5G and beyond.

Index Terms—Formal verification, fuzz testing, reinforcing loop, integrated solution, Non Standard-Alone 5G Network

I. INTRODUCTION

Verticals in 5G and next-generation infrastructure create a diverse and intricate environment consisting of software, hardware, configurations, instruments, data, users, and various stakeholders [1]. With system complexity and its lack of security emphasis by domain scientists, the formed ecosystem requires a comprehensive evaluation and in-depth validation for improving transitional Critical Infrastructure (CI) security posture [2].

Two major state-of-the-art approaches, formal verification and fuzz testing, have been proposed to detect various vulnerabilities and unintended emergent behaviors of the 5G network. Formal verification provides a high-level protocol concept and logical proof of security and vulnerability [3]. For example, Hussain et al. [4] proposed a cross-layer formal verification framework, which integrates model checkers and cryptographic protocol verifiers by applying the abstraction-refinement principle. In contrast, fuzz testing can offer a detailed and comprehensive experimental evaluation and detect potential vulnerabilities in the 5G code implementation platform [5], and it has been proven successful in discovering critical security bugs in implemented software [6]. However, the limitations of conventional pick-and-choose fuzz testing and formal analysis still exist, especially with the large-scale software stacks in the system. Given that each approach possesses unique strengths, we have proposed a tandem connection between fuzz testing and formal methods to achieve more comprehensive vulnerability detection and enable high assurance in the security analysis.

Further, we propose an integrated framework fortified by a reinforcing loop to detect vulnerabilities and unintended emergent behaviors in system design and implementations. Our approach advocates a harmonized application of fuzz testing and formal analysis, aiming to establish a symbiotic cycle between these two methods. This integrated strategy is designed to facilitate the identification of vulnerabilities throughout the entire search space, thereby providing a comprehensive and robust mechanism for vulnerability detection. Formal verification provides valuable guidance and assumptions for reducing and directing fuzz testing. Conversely, fuzz testing broadens formal verification's scope by classifying uncertain areas. Importantly, this integrated approach enables mutual amplification between the two methodologies. Following this approach, we discover multiple vulnerabilities due to the absence of rudimentary man-in-the-middle (MITM) protection within the protocol, which is unexpected considering that the Transport Layer Security (TLS) solution to this issue has been in existence for well over a decade [7]. Our framework, characterized by robust automation, scalability, and usability, promises to enhance security assurance and resilience across both infrastructure and domain levels, striving to guarantee the absence of additional security issues within the system. Additionally, the proposed approach could be applied to various open programmable communication platforms [8], [9]. Our major contributions are summarized below:

• We designed and implemented the integrated formal-guided fuzz testing framework, which significantly improves efficiency and achieves scalability for large-scale 5G systems and the discovery of new and exploited vulnerabilities in the Non Standard-Alone (NSA) 5G communication authentication process.

• We performed in-depth formal analysis on the NSA 5G authentication process by converting informal protocols into a symbolic flowchart (Fig. 2), enabling comprehensive formal analysis.

• We discover multiple vulnerabilities due to the absence of rudimentary MITM protection that needs to be addressed in the 3GPP technical standards and protocols, despite the TLS solution to this issue having been in existence for well over a decade.

• With the proposed integrated formal and fuzz testing framework, we connected vulnerabilities detected by formal analysis to real-life attack models and discovered new vulnerabilities.

The rest of the paper is organized as follows. Section II-A introduces the structure of our proposed framework. We then discuss our design and formal symbolic transfer of the NSA 5G communication establishment process in Section II-B, followed by a detailed analysis and illustration of the formal verification results in Section III. Then, we propose proven solutions for each detected formal attack model, along with some novel suggestions. In Section IV, we use the assumptions as a guide to apply our proposed fuzz testing framework. Lastly, in Section V, we use mathematical proof to analyze the efficiency of different fuzzing strategies across varied scopes of fuzz testing.

II. SYSTEM DESIGN

A. Architecture Overview

We design and implement a hybrid multi-model vulnerability and unintended emergent behavior detection framework for 5G and other communication systems. As shown in Fig. 1, to achieve the amplification and cross-validation of fuzz testing and formal verification, the proposed framework composes the following components to build up a reinforcing loop:

1) Protocol Abstraction: At the beginning of the system, we abstract the protocol into a symbolic language. Through this logical transfer, vulnerabilities in the design become easy to expose.

2) Formal Analysis: In the formal verification process, we employed ProVerif [10], a robust tool, to conduct an in-depth analysis of our system's protocols. ProVerif offers a logical proof of security properties and potential vulnerabilities, facilitating a robust and comprehensive evaluation of the system's security integrity.

3) Search Space Isolation: The output of formal verification divides the search space into three sets: no vulnerabilities, attack trace detected, and uncertain areas that need further investigation. The division of the search space effectively narrows down the uncertain regions and enables the scalability of vulnerability detection.

4) Formal Guided Fuzz Framework: With the guidance of a formal verification conclusion, we initiate fuzz testing on runtime binary systems, focusing particularly on the predefined uncertain areas and those areas where attack traces have been detected. Fuzz testing serves a dual purpose: it is not only deployed to identify runtime vulnerabilities, thereby complementing the detection of vulnerabilities through logical proofs on protocols, but it also functions as a stochastic approach for those uncertain areas that cannot be verified through formal methods.

5) Fortification of Protocol and Formal Verification: We verify the vulnerabilities detected by fuzz testing and feed them back to the formal result and search space. By defining the space more precisely, formal verification can be further optimized, consequently extending the scope of the security assurance area.

Fig. 1: System Design. (The figure shows the loop from Start to End: 1) Protocol Abstraction by symbolic transfer; 2) Formal Verification; 3) Search Space Isolation into provable security, provable attack and undefined; 4) Fuzz Guide Quantification over the implementation code and its identifiers, such as IMSI and RAND; 5) Formal Verification Fortification; the output is vulnerability detection.)

The proposed framework, inter-connected with our previous fuzzing platform [11], [12], is capable of performing mutation-based identifier fuzzing and permutation-based command fuzzing following the direction from the formal method conclusion. Formal verification, guided fuzzing analysis of results from the actual 5G testbed, and the real-time analysis and feedback construct a reinforcing loop in our system.

B. Abstraction of NSA 5G Authentication Protocol

Compared to Standard-Alone (SA) 5G network architecture, NSA 5G architecture is still widely adopted but more vulnerable because of the complexity introduced by the Long Term Evolution (LTE) compatibility in protocol designs and infrastructure implementation, especially for authentication and authorization. Therefore, we focus on the authentication process in NSA 5G architecture. As shown in Fig. 2, the abstracted protocol authentication process in NSA architecture includes four parts: Radio Resource Control (RRC) Connection Setup, Mutual Authentication, Non-Access Stratum (NAS) Security Setup and Access Stratum (AS) Security Setup. Considering the scope of this paper and the critical level among them, we pilot on the RRC connection setup for in-depth analysis.

The RRC Connection Setup is a pivotal step in the initial establishment of communication between a mobile device and the network in the LTE and 5G New Radio (NR) frameworks. This procedure is instigated by the network upon receiving a connection request from the User Equipment (UE), commonly
Fig. 2: 5G NSA Security Process. (Message flow between UE, gNB and CN in four phases. RRC Connection Setup: RRC Connection Request (UE-identity, establishmentCause); RRC Connection Setup (radioResourceConfigDedicated); RRC Connection Setup Complete (RRC-TransactionIdentifier, selectedPLMN-Identity, dedicatedInfoNAS). Mutual Authentication: Attach Request (IMSI, UE Capability, KSI_ASME = 7); Authentication Request (RAND, AUTN_HSS, KSI_ASME = 1) [not ciphered, not integrity protected]; EPS AKA algorithm on both sides with inputs K, RAND, SQN, SN ID producing AUTN, (X)RES and K_ASME; Authentication Response (RES) [not ciphered, not integrity protected]; Check (AUTN_UE = AUTN_HSS). NAS Security Setup: select encryption/integrity algorithm; NAS Security Mode Command (KSI_ASME = 1, replayed UE Capability, NAS Ciphering Algorithm = EEA1, NAS Integrity Algorithm = EIA1, NAS-MAC) [NAS integrity protected]; NAS Security Mode Complete (NAS-MAC) [NAS integrity protected]; KDF(K_ASME, Alg-ID, Distinguisher) yields K_NASenc and K_NASint; ciphered and integrity protected NAS signaling; KDF(K_ASME, NAS Uplink Count) yields K_eNB; Attach Accept (UE Capability, K_eNB). AS Security Setup: select encryption/integrity algorithm; AS Security Mode Command (AS Ciphering Algorithm = EEA1, AS Integrity Algorithm = EIA1, MAC-I) [AS integrity protected]; AS Security Mode Complete (MAC-I) [AS integrity protected]; KDF(K_eNB, Alg-ID, Distinguisher) yields K_RRCenc, K_RRCint and K_UPenc; ciphered and integrity protected RRC signaling (K_RRCenc, K_RRCint); ciphered user/data plane (K_UPenc). Legend: confidentiality, integrity, authentication, accounting; a deeper color represents a higher security level in the given property.)

in response to an initiating event such as a call or data session initiation. The RRC connection setup process aims to build up connections in the RRC layer.

Further, we abstract and derive the dependency table, presented as Table II, from the defined protocol, considering four essential security properties: confidentiality, integrity, authentication, and accounting. Utilizing Table II, we construct the corresponding dependency graph, as depicted in Fig. 3, to provide a visual representation of the security dependency relationships.

Fig. 3: Dependency Graph of RRC Connection Setup. (Nodes: UE-identity, establishmentCause, radioResourceConfigDedicated, RRC-TransactionIdentifier, selectedPLMN-Identity, dedicatedInfoNAS, grouped by RRC Connection Request, RRC Connection Setup and RRC Connection Setup Complete and linked in the same sequence; edges are labelled with the confidentiality, integrity, authentication and accounting properties, and a deeper color represents a higher security level in the given property.)

C. Formal Guided Fuzz Framework

Compared to traditional fuzz testing, which needs a complete understanding of the code implementation, like LZFUZZ [6], we propose a novel formal-guided identifier-based fuzzing framework. In our proposed fuzzing framework, we first fix the value of critical identifiers under the assumption proved by the formal verification and collect the communicated commands. Then we set up a relay attack mechanism on the srsRAN platform [13] following the attack traces, which are detected by formal verification.

III. FORMAL DETECTED ATTACK MODEL AND ANALYSIS

In this section, we present a proof-of-concept via an illustrative attack model detected using ProVerif [10]. A comprehensive summary of all identified attack models in the 5G authentication and authorization process from our findings is depicted in Table I. We specifically focus on the RRC connection setup for an in-depth demonstration.

A. User Credentials Disclosure

In this attack, the adversary can exploit the transparency of the RRC Connection Setup process to effortlessly access critical user identity information, which includes but is not limited to the UE identity and establishment cause. This illicit access enables the adversary to acquire user information and use the ensuing session key for nefarious activities such as eavesdropping on and manipulation of subsequent communications.

Assumption. Analyzing Fig. 3, we can conclude that the adversary can exploit the transparency of the RRC Connection Setup process to directly access any identifier within the message. Furthermore, the adversary is also capable of establishing a fake UE or a MITM relay to eavesdrop on and manipulate the messages within the RRC Connection Setup process. To verify the security properties of identifiers within the RRC Connection Setup process, including aspects such as confidentiality and consistency, we converted the aforementioned assumptions into ProVerif code.

Vulnerability. As depicted in Fig. 2, the UE initiates the process by sending an RRC connection request to the core network (CN). Upon receiving this request, the CN responds by transmitting the radioResourceConfigDedicated back to the UE. The UE, in turn, obtains authentication from the CN and responds with the RRC-TransactionIdentifier, selectedPLMN-Identity and dedicatedInfoNAS to finalize the RRC connection setup. Nevertheless, this process presents an exploitable vulnerability, as an adversary can access all message identifiers. Such unprotected identifiers run the risk of being eavesdropped upon and modified, potentially enabling the adversary to orchestrate a MITM relay attack.

Attack Trace Description. Employing formal verification, we analyzed the confidentiality of identifiers within the RRC Connection Setup process. Through this methodical investigation, we identified two categories of identifiers with the most significant impact: user identities and RRC configuration identifiers. As illustrated in Fig. 4, an attacker can access the identifiers marked in red, delineating the pathway of the attack. In the initial scenario, an adversary with access to the user identity, like UE-identity, is capable of launching a DoS attack with the real UE-identity. Contrary to traditional DoS attacks, which aim to overwhelm a system's capacity, a UE-identity-based DoS attack efficiently disrupts
TABLE I: Summary of Findings

| Attack | Vulnerability | Assumption | New attack? | Solution | Guidance to fuzz |
|---|---|---|---|---|---|
| Modification of RRC Connection | Modified commands will disable the RRC functions | Known C-RNTI or TMSI | Inspired by [4] | Hash value protection for UE identity; integrity protection | Fuzz testing can start with different RRC status. |
| Denial of Service (DoS) or disconnect using Authentication Request | UE accepts an authentication request without integrity | No | Inspired by [14] | Ensured Confidentiality Authentication and Key Agreement (EC-AKA) [15]; hashed International Mobile Subscriber Identity (IMSI) [16]; hashed IMSI with integrity check [17] | Repeated authentication request commands can be fuzzed at random times to test DoS and device cut-off attacks. |
| Exposing K_NASenc and K_NASint | All NAS information will be monitored, hijacked and modified | Known IMSI, MITM | Inspired by [18] | Asymmetric encryption; hashed-IMSI-based encryption | NAS fuzz testing can start with known K_NASenc and K_NASint. |
| Exposing K_RRCenc, K_RRCint and K_UPenc | All RRC and UP information will be monitored, hijacked and modified | Known IMSI, MITM | Yes | Asymmetric encryption; hashed-IMSI-based encryption | RRC fuzz testing starts with known K_RRCenc and K_RRCint; User Plane (UP) fuzz testing starts with known K_UPenc. |

TABLE II: Dependency Table

| Procedure | Command | Identifier | Confidentiality | Integrity | Authentication | Accounting |
|---|---|---|---|---|---|---|
| RRC Connection Setup | RRC Connection Request | UE-identity | N | N | N | N |
| | | establishmentCause | N | N | N | N |
| | RRC Connection Setup | radioResourceConfigDedicated | N | N | N | N |
| | RRC Connection Setup Complete | RRC-TransactionIdentifier | N | N | N | N |
| | | selectedPLMN-Identity | N | N | N | N |
| | | dedicatedInfoNAS | N | N | N | N |

Fig. 4: User Credentials Disclosure. (UE, Attacker and CN: the attacker sits between UE and CN and relays RRC Connection Request (UE-identity, establishmentCause), RRC Connection Setup (radioResourceConfigDedicated) and RRC Connection Setup Complete (RRC-TransactionIdentifier, selectedPLMN-Identity, dedicatedInfoNAS) in both directions, reading every identifier in transit.)

the CN verification mechanism through repeated use of the same UE-identity, leading to authentication confusion. In the second case, with a computationally derived RRC-TransactionIdentifier, the adversary can establish a fake base station or perform a MITM relay attack by manipulating these identifiers. In the latter case, the adversary positions itself between the UE and the CN, intercepting and modifying communications in real time. Consequently, this attack model presents a severe threat to the security and integrity of the mobile network's communication.

Fortification via Formal Traced Vulnerability. Given the significance and susceptibility of identifiers within the RRC Connection Setup process, it is imperative to implement integrity protection measures for the RRC-TransactionIdentifier. Additionally, adopting a hash value approach can assist in preventing the disclosure of the UE identity, further reinforcing security measures in this critical process.

IV. FORMAL GUIDED FUZZING ANALYSIS

As detailed in Section III, formal verification delineates the system's security landscape into three zones: safe, non-safe, and undetermined. While the safe area necessitates no further scrutiny, the non-safe and undetermined areas warrant further investigation using fuzz testing. Specifically, we leverage fuzz testing to evaluate the impact of the non-safe areas within implementation stacks, as well as to ascertain the security level within the regions previously undetermined. By leveraging our previously proposed framework [19], we effectively assess the security status of regions initially verified through formal methods. Due to the constraints of page length, we present a single example to illustrate the operation of our formally guided fuzzing framework. This example specifically demonstrates how the framework assesses the impact of provable attacks that have been identified through formal verification.

A. MITM bit-level fuzzing

In light of the identified vulnerabilities relating to confidentiality and integrity, we have developed a bit-level fuzzing test to examine the effects of exposed UE-identity and EstablishmentCause. The results, as displayed in Table III, highlight two distinct outcomes. Modification of the UE-identity has a minimal impact on authentication and communication, albeit with the introduction of some latency. Conversely, alterations to the EstablishmentCause lead to a change in authentication types, a factor critical to the authentication establishment process, such as transforming an emergency request into data mode. There are in total 8 types of vulnerabilities that leverage the EstablishmentCause. Based on these bit-level fuzzing results, we can partition the provably insecure areas of the RRC Connection Request into two categories: areas with less impact, including UE-identity, and areas with substantial impact, encompassing EstablishmentCause. Consequently, in subsequent fuzzing tests, we can strategically exclude UE-identity fuzzing, focusing instead on the chain effects generated by high-risk identifiers.

B. Command-level fuzzing

Assuming complete disclosure of all necessary UE identities and an unprotected RAND in the Authentication Request of the Mutual Authentication process, it is a reasonable deduction
that an adversary can acquire the RNTI, which is derived from UE identities, and RAND, a crucial identifier for generating a session key. Unlike the boundless scenarios possible with black-box fuzzing, our approach uses a fixed session key to concentrate on the impact of a MITM attack, thereby eliminating the computational waste associated with guessing random identifiers and UE identities.

Building on our previously proposed probability-based fuzzing strategy [19], we have established a more efficient method for identifying unintended vulnerabilities that prove challenging to detect via formal verification. A comparison between random fuzzing and our probability-based approach (Fig. 5) reveals that our proposed probability-based framework requires only 36.5% of the number of fuzzing cases used in a random fuzzing strategy to detect all 43 vulnerabilities [19].

TABLE III: Fuzzing Result of User Credentials Disclosure

Fig. 5: Comparison of Different Command-level Fuzzing Strategy Efficiency.

V. PERFORMANCE AND EFFICIENCY ASSESSMENT

Our proposed fuzz testing framework, guided by formal verification, affirms the viability of our integrative approach combining both formal and fuzz testing frameworks. In this section, we analyze the efficiency of fuzz testing and explore the relationship between formal verification and fuzz testing, underscoring the potential benefits of our innovative strategy.

Fuzz testing is a methodical, brute-force approach to detecting vulnerabilities, accomplished by supplying an extensive range of random data to uncover potential security threats. However, due to computational constraints, exhaustive vulnerability detection for the entire 5G NSA protocol, even for a single command, is not practical. To increase the efficiency of fuzz testing, the rule-based mutation fuzz testing strategy has been proposed [20]. This strategy refines the scope of fuzz testing to specific identifiers in line with protocol rules.

Although the rule-based mutation fuzz testing strategy yields a substantial reduction in computational complexity, it can still produce meaningless, randomly generated inputs. In response, we introduce a formal-guided fuzz testing strategy. This strategy complies with formal verification assumptions and generates three categories of representative inputs: formal-based legal inputs, formal-based illegal inputs, and randomly generated inputs. While formal-based inputs must adhere to the protocol-defined rules or format, randomly generated inputs are not bound by these restrictions. The comparative efficiency of different fuzz strategies across four distinct processes is depicted in Fig. 6. A detailed performance analysis of these varied fuzzing strategies is provided in the following paragraph.

Based on the guidance of formal verification in Section III-A, the RRC Connection Request command, which includes 40 bits of UE-Identity, 4 bits of EstablishmentCause, and 1 spare bit, is vulnerable to DoS or MITM attacks. Traditional brute-force fuzz testing generates more than 2^45 fuzzing cases, and rule-based fuzzing generates 2^40 + 2^4 + 1 fuzzing cases based on the defined identifiers. However, our formal-guided fuzzing strategy requires only 9 fuzzing cases, including one legal UE-Identity case, one illegal UE-Identity case, one random out-of-rule UE-Identity case, two legal/illegal EstablishmentCause cases, one random out-of-rule EstablishmentCause case, one legal spare case, one illegal spare case, and one out-of-rule spare case.

Fig. 6: Comparison of Different Bit-level Fuzzing Strategy Efficiency. (Number of fuzzing cases on a logarithmic scale from 10^7 to 10^77 for brute-force, rule-based and formal-guided fuzzing of the RRC Connection Request, Authentication Request, NAS Security Mode and AS Security Mode commands.)

Our proposed framework has the capacity not only to validate the impact and security of identifiers, but also to detect unintended vulnerabilities based on high-risk assumptions, such as an identifier set that is accessible to an adversary. As corroborated by the evidence presented in Section IV-B, our framework proves highly efficient in detecting vulnerabilities, underscoring its potential utility in enhancing system security.
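The relay attack of Sections III-A and IV-A (an attacker forwarding an unprotected RRC Connection Request and rewriting its establishmentCause) together with the case counts of Section V, as an added worked example; this is not the authors' code or their srsRAN setup. The field widths are the paper's (40-bit UE-Identity, 4-bit EstablishmentCause, 1 spare bit). The establishmentCause codepoints are assumed from the NR RRCSetupRequest definition in TS 38.331, since the paper does not list them; the core network's handling of each decoded request (REGISTERED_UE_IDS, cn_classify) is constructed for illustration; and the pre-shared key in the integrity-protected variant is an assumption standing in for the "integrity protection" remedy of Table I, because at RRC connection setup no AS security context exists yet, which is exactly why the message is unprotected.

```python
"""Bit-level fuzzing of the RRC Connection Request, guided by the formal result.

Added example for Sections III-A, IV-A and V of the paper; not the authors'
code.  Field widths follow the paper: 40-bit UE-Identity, 4-bit
establishmentCause, 1 spare bit (45 bits in total).  The establishmentCause
codepoints are ASSUMED from the NR RRCSetupRequest definition (TS 38.331);
the paper does not list them.  The CN behaviour and the pre-shared integrity
key used by the hardened check are also assumptions for illustration.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass, replace

UE_ID_BITS, CAUSE_BITS, SPARE_BITS = 40, 4, 1
TOTAL_BITS = UE_ID_BITS + CAUSE_BITS + SPARE_BITS          # 45
UE_ID_MASK = (1 << UE_ID_BITS) - 1
CAUSE_MASK = (1 << CAUSE_BITS) - 1

# Assumed codepoints; indices 10..15 are spare values with no defined meaning.
CAUSES = ["emergency", "highPriorityAccess", "mt-Access", "mo-Signalling",
          "mo-Data", "mo-VoiceCall", "mo-VideoCall", "mo-SMS",
          "mps-PriorityAccess", "mcs-PriorityAccess",
          "spare6", "spare5", "spare4", "spare3", "spare2", "spare1"]
LEGAL_CAUSES = [i for i, n in enumerate(CAUSES) if not n.startswith("spare")]
ILLEGAL_CAUSES = [i for i, n in enumerate(CAUSES) if n.startswith("spare")]
REGISTERED_UE_IDS = {0x0123456789}   # constructed: identities the CN knows


@dataclass(frozen=True)
class RrcConnectionRequest:
    ue_identity: int          # 40 bits (S-TMSI or random value)
    establishment_cause: int  # 4 bits, index into CAUSES
    spare: int = 0            # 1 bit; protocol rule: always 0

    def encode(self) -> int:
        """Pack into a 45-bit word laid out as [ue_identity | cause | spare]."""
        return ((self.ue_identity & UE_ID_MASK) << (CAUSE_BITS + SPARE_BITS)
                | (self.establishment_cause & CAUSE_MASK) << SPARE_BITS
                | (self.spare & 1))

    @classmethod
    def decode(cls, word: int) -> "RrcConnectionRequest":
        return cls(ue_identity=(word >> (CAUSE_BITS + SPARE_BITS)) & UE_ID_MASK,
                   establishment_cause=(word >> SPARE_BITS) & CAUSE_MASK,
                   spare=word & 1)


def cn_classify(req: RrcConnectionRequest) -> str:
    """Constructed CN behaviour: which handling path a decoded request takes."""
    if req.spare != 0:
        return "malformed"
    if req.establishment_cause in ILLEGAL_CAUSES:
        return "reserved-cause"
    if req.ue_identity not in REGISTERED_UE_IDS:
        return "unknown-ue"
    return CAUSES[req.establishment_cause]


# --- Section V: cases each strategy needs for this single command ----------
def brute_force_cases() -> int:
    return 2 ** TOTAL_BITS                      # every 45-bit pattern

def rule_based_cases() -> int:
    # Each identifier exhaustively, one at a time; the paper counts one spare case.
    return 2 ** UE_ID_BITS + 2 ** CAUSE_BITS + 1

def formal_guided_cases(base: RrcConnectionRequest, seed: int = 0):
    """Three representative inputs per identifier flagged by formal verification:
    legal (obeys the rule), illegal (well-formed but breaks the rule) and
    random (drawn without regard to the rule).  3 fields x 3 = 9 cases."""
    rng = random.Random(seed)
    def value(field, category):
        if field == "ue_identity":
            if category == "legal":
                return base.ue_identity                       # registered
            if category == "illegal":
                return (base.ue_identity ^ 1) & UE_ID_MASK    # not registered
            return rng.getrandbits(UE_ID_BITS)
        if field == "establishment_cause":
            if category == "legal":
                return rng.choice(LEGAL_CAUSES)
            if category == "illegal":
                return rng.choice(ILLEGAL_CAUSES)
            return rng.getrandbits(CAUSE_BITS)
        return {"legal": 0, "illegal": 1}.get(category, rng.getrandbits(SPARE_BITS))
    return [(field, category, replace(base, **{field: value(field, category)}))
            for field in ("ue_identity", "establishment_cause", "spare")
            for category in ("legal", "illegal", "random")]


# --- Sections III-A / IV-A: relay attacker rewriting only the cause bits -----
def relay_rewrite_cause(word: int, new_cause: int) -> int:
    """The message carries no integrity protection (Table II), so a MITM relay
    can change establishmentCause while leaving the real UE-identity intact."""
    return (word & ~(CAUSE_MASK << SPARE_BITS)) | ((new_cause & CAUSE_MASK) << SPARE_BITS)


# --- Table I remedy: integrity protection (assumed pre-shared key) ----------
def integrity_tag(word: int, key: bytes) -> bytes:
    return hmac.new(key, word.to_bytes(6, "big"), hashlib.sha256).digest()

def cn_accepts(word: int, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(word, key), tag)
```

brute_force_cases(), rule_based_cases() and len(formal_guided_cases(...)) reproduce the 2^45, 2^40 + 2^4 + 1 and 9 figures of Section V for one command; relay_rewrite_cause() turns an emergency request into mo-Data while the UE-identity stays intact, which is the EstablishmentCause outcome Section IV-A reports, and cn_accepts() rejects the rewritten word once a tag is checked, whereas the unprotected decode path accepts it.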
VI. CONCLUSION

In this paper, we have introduced an innovative framework that integrates formal verification and fuzz testing to fortify the security of 5G systems, effectively addressing the vulnerabilities from protocol logic to implementation stacks. The dynamic feedback loop within this framework has demonstrated its strength in both the refinement of undefined areas and the exhaustive detection of potential vulnerabilities. This work has been illuminated through an application on a continuous loop in the RRC Connection Setup process, illustrating the practicability and effectiveness of our proposed methodology. In the initial phase, our framework identifies a formal attack model through the application of formal verification. Subsequently, leveraging the protocol-level exposure of user credentials, the proposed framework employs bit-level and command-level fuzzing to execute comprehensive impact identification and simulate plausible attacks. As a result, by relying on the verified impact and the security status of the identifier or command determined by the fuzz test, our framework robustly reinforces protocol-level assumptions and refines the detection area. Notably, this integrated approach significantly mitigates computational complexity, transitioning it from exponential to linear growth. This scalability ensures that the framework can accommodate larger datasets or more complex scenarios without a drastic increase in computational resources or processing time, making it suitable for extensive applications in 5G security testing.

To conclude, our research presents a pioneering step towards bolstering 5G security by employing an integrated, hierarchical approach to vulnerability detection. This work contributes substantially to the ongoing efforts to secure the next generation of wireless communications and provides a foundation for future research in this domain. Further studies might explore extending this approach to other advanced wireless technologies to ensure robust security in our increasingly connected world.

ACKNOWLEDGMENT

This effort was sponsored by the Defense Advanced Research Project Agency (DARPA) under grant no. D22AP00144. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government.

REFERENCES

[1] J. Alcaraz-Calero, I. P. Belikaidis, C. J. B. Cano, P. Bisson, D. Bourse, M. Bredel, D. Camps-Mur, T. Chen, X. Costa-Perez, P. Demestichas, M. Doll, S. E. Elayoubi, A. Georgakopoulos, A. Mämmelä, H. P. Mayer, M. Payaro, B. Sayadi, M. S. Siddiqui, M. Tercero, and Q. Wang, "Leading innovations towards 5G: Europe's perspective in 5G Infrastructure Public-Private Partnership (5G-PPP)," in IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), vol. 2017-October, 2018.
[2] M. Shatnawi, H. Altaleb, and R. Zoltán, "The digital revolution with NESAS assessment and evaluation," in 2022 IEEE 10th Jubilee International Conference on Computational Cybernetics and Cyber-Medical Systems (ICCC). IEEE, 2022, pp. 000099–000104.
[3] A. Peltonen, R. Sasse, and D. Basin, "A comprehensive formal analysis of 5G handover," in Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2021, pp. 1–12.
[4] S. R. Hussain, M. Echeverria, I. Karim, O. Chowdhury, and E. Bertino, "5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol," in Proceedings of the ACM Conference on Computer and Communications Security. Association for Computing Machinery, November 2019, pp. 669–684.
[5] G. Klees, A. Ruef, B. Cooper, S. Wei, and M. Hicks, "Evaluating fuzz testing," in Proceedings of the ACM Conference on Computer and Communications Security, 2018.
[6] S. Bratus, A. Hansen, and A. Shubina, "LZfuzz: A fast compression-based fuzzer for poorly documented protocols," 2008.
[7] D. G. Berbecaru and G. Petraglia, "TLS-Monitor: A monitor for TLS attacks," in 2023 IEEE 20th Consumer Communications & Networking Conference (CCNC). IEEE, 2023, pp. 1–6.
[8] O-RAN Alliance, "O-RAN: Towards an Open and Smart RAN," O-RAN Alliance, October 2018.
[9] Software Radio Systems, "srsRAN is a 4G/5G software radio suite developed by SRS," 2021.
[10] B. Blanchet, "Modeling and verifying security protocols with the applied pi calculus and ProVerif," Foundations and Trends® in Privacy and Security, vol. 1, no. 1-2, pp. 1–135, 2016. [Online]. Available: http://dx.doi.org/10.1561/3300000004
[11] J. Yang, Y. Wang, T. X. Tran, and Y. Pan, "5G RRC protocol and stack vulnerabilities detection via listen-and-learn," in 2023 IEEE Consumer Communications & Networking Conference, January 2023.
[12] Y. Wang, A. Gorski, and A. da Silva, "Development of a Data-Driven Mobile 5G Testbed: Platform for Experimental Research," in IEEE International Mediterranean Conference on Communications and Networking, 2021.
[13] I. Gomez-Miguelez, A. Garcia-Saavedra, P. D. Sutton, P. Serrano, C. Cano, and D. J. Leith, "srsLTE: An open-source platform for LTE evolution and experimentation," in Proceedings of the Tenth ACM International Workshop on Wireless Network Testbeds, Experimental Evaluation, and Characterization, 2016, pp. 25–32.
[14] J.-K. Tsay and S. F. Mjølsnes, "A vulnerability in the UMTS and LTE authentication and key agreement protocols," in Computer Network Security: 6th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security, MMM-ACNS 2012, St. Petersburg, Russia, October 17-19, 2012. Proceedings 6. Springer, 2012, pp. 65–76.
[15] J. B. Bou Abdo, H. Chaouchi, and M. Aoude, "Ensured confidentiality authentication and key agreement protocol for EPS," in 2012 Symposium on Broadband Networks and Fast Internet (RELABIRA), 2012, pp. 73–77.
[16] 3GPP, "Universal Mobile Telecommunications System (UMTS); LTE; Mobility Management Entity (MME) Visitor Location Register (VLR) SGs interface specification," 3rd Generation Partnership Project (3GPP), Technical Specification (TS) 29.118, January 2015, version 8.5.0. [Online]. Available: https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1601
[17] M. Khan, P. Ginzboorg, K. Järvinen, and V. Niemi, "Defeating the downgrade attack on identity privacy in 5G," in International Conference on Research in Security Standardisation. Springer, 2018, pp. 95–119.
[18] M. T. Raza, F. M. Anwar, and S. Lu, "Exposing LTE security weaknesses at protocol inter-layer, and inter-radio interactions," in Security and Privacy in Communication Networks: 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings 13. Springer, 2018, pp. 312–338.
[19] J. Yang, Y. Wang, Y. Pan, and T. X. Tran, "Systematic meets unintended: Prior knowledge adaptive 5G vulnerability detection via multi-fuzzing," arXiv preprint arXiv:2305.08039, 2023.
[20] Z. Salazar, H. N. Nguyen, W. Mallouli, A. R. Cavalli, and E. M. Montes De Oca, "5Greplay: A 5G Network Traffic Fuzzer - Application to Attack Injection," in ACM International Conference Proceeding Series. Association for Computing Machinery, August 2021.