The complexity, interdependence, and rapid evolution of 3GPP specifications present fundamental challenges for ensuring the security of modern cellular networks. Manual reviews and existing automated approaches, which often depend on rule-based parsing or small sets of manually crafted security requirements, fail to capture deep semantic dependencies, cross-sentence/clause relationships, and evolving specification behaviors. In this work, we present CellSecInspector, an automated framework for security analysis of 3GPP specifications. CellSecInspector extracts structured state-condition-action (SCA) representations, models mobile network procedures with comprehensive function chains, systematically validates them against 9 foundational security properties under 4 adversarial scenarios, and automatically generates test cases. This end-to-end pipeline enables the automated discovery of vulnerabilities without relying on manually predefined security requirements or rules. Applied to the well-studied 5G and 4G NAS and RRC specifications, CellSecInspector discovers 43 vulnerabilities, 8 of which were previously unreported. Our findings show that CellSecInspector is a scalable, adaptive, and effective solution for assessing 3GPP specifications to safeguard operational and next-generation cellular networks.