4G and 5G represent the current cellular communication standards utilized daily by billions of users for various applications. Consequently, ensuring the security of 4G and 5G network implementations is critically important. This paper introduces an automated fuzzing framework designed to test the security of 4G and 5G attach procedure implementations. Our framework provides a comprehensive solution for uplink and downlink fuzzing in 4G, as well as downlink fuzzing in 5G, while supporting fuzzing on all layers except the physical layer. To guide the fuzzing process, we introduce a novel algorithm that assigns probabilities to packet fields and adjusts these probabilities based on coverage information from the device-under-test (DUT). For cases where coverage information from the DUT is unavailable, we propose a novel methodology to estimate it. When evaluating our framework, we first run the random fuzzing experiments, where the mutation probabilities are fixed throughout the fuzzing, and give an insight into how those probabilities should be chosen to optimize the Random fuzzer to achieve the best coverage. Next, we evaluate the efficiency of the proposed coverage-based algorithms by fuzzing open-source 4G stack (srsRAN) instances and show that the fuzzer guided by our algorithm outperforms the optimized Random fuzzer in terms of DUT's code coverage. In addition, we run fuzzing tests on 12 commercial off-the-shelf (COTS) devices. In total, we discovered vulnerabilities in 10 COTS devices and all of the srsRAN 4G instances.

翻译：4G与5G是当前数十亿用户日常使用的蜂窝通信标准，广泛应用于各类场景。因此，确保4G与5G网络实现的安全性至关重要。本文提出一种自动化模糊测试框架，专门用于测试4G与5G附着流程实现的安全性。该框架为4G网络的上行与下行链路模糊测试，以及5G网络的下行链路模糊测试提供完整解决方案，并支持除物理层外所有协议层的测试。为引导模糊测试过程，我们提出一种新颖算法，该算法基于被测设备（DUT）的覆盖率信息，为数据包字段分配概率并动态调整这些概率。针对无法从DUT直接获取覆盖率信息的情况，我们提出一种创新的覆盖率估算方法。在评估框架性能时，我们首先进行随机模糊测试实验（其中变异概率在测试过程中固定），深入探讨如何选择最优概率以最大化随机模糊测试器的覆盖率。随后，通过对开源4G协议栈（srsRAN）实例进行模糊测试，评估所提出的覆盖率引导算法的效率，结果表明采用本算法引导的模糊测试器在DUT代码覆盖率方面显著优于优化后的随机模糊测试器。此外，我们对12款商用现成（COTS）设备进行模糊测试，共在10款COTS设备及所有srsRAN 4G实例中发现安全漏洞。