As mobile networks transition to 5G infrastructure, ensuring robust security becomes more important due to the complex architecture and expanded attack surface. Traditional security testing approaches for 5G networks rely on black-box fuzzing techniques, which are limited by their inability to observe internal program state and coverage information. This paper presents MulCovFuzz, a novel coverage-guided greybox fuzzing tool for 5G network testing. Unlike existing tools that depend solely on system responses, MulCovFuzz implements a multi-component coverage collection mechanism that dynamically monitors code coverage across different components of the 5G system architecture. Our approach introduces a novel testing paradigm that includes a scoring function combining coverage rewards with efficiency metrics to guide test case generation. We evaluate MulCovFuzz on the open-source 5G implementation OpenAirInterface. Our experimental results demonstrate that MulCovFuzz significantly outperforms traditional fuzzing approaches, achieving a 5.85% increase in branch coverage, a 7.17% increase in line coverage, and a 16% improvement in unique crash discovery during 24 hours of fuzz testing. MulCovFuzz uncovered three zero-day vulnerabilities, two of which were not identified by any other fuzzing technique. This work contributes to the advancement of security testing tools for next-generation mobile networks.