Proposal without an assigned student

DEI - FCTUC
Generated on 2024-05-19 08:13:19 (Europe/Lisbon).

Internship Title

Fuzzer Framework for Security Tests of 4G Base Stations

Internship Location

Full Remote

Background

Among the many wireless networks available today, one communication system has become essential: cellular networks. Both machines and humans rely every day on LTE (4G) and, sooner rather than later, on 5G. The question that arises is: how robust are cellular networks? Up until now, attacks on these systems have been relatively few, owing to their complexity and the lack of proper tools. However, open-source implementations of 4G now exist for both the network and the device side.

Given this scenario, this proposal aims to implement a software framework for security testing of the cellular network using fuzzing, with 4G base stations as the targets. For the user equipment emulation, an open-source 4G implementation is the natural choice, because it gives access to the source code and allows the protocol stack to be modified.

Objective

The main objective is to build a proof-of-concept (PoC) that finds security flaws in 4G base stations using fuzzing. The PoC will leverage two main components: a user equipment (UE) emulator and a fuzzing tool. The base station will be a software-defined radio board running the open-source 4G eNB implementation from srsRAN [1]. In addition, Keysight's [2] proprietary fuzzing solution, Greyhound, should serve as a reference for the fuzzer implementation. The project will combine both tools into a malicious UE that searches for messages which crash the base station and/or bypass its security procedures by probing for weak implementations on the eNB side. The objectives are:
        - Literature review and familiarisation with fuzzing techniques and 4G network protocols;
        - Investigation and identification of the interception points in the base station emulator;
        - Investigation and identification of mechanisms for packet injection/duplication;
        - Investigation and identification of mechanisms that provide target observability during test execution;
        - Architecture proposal;
        - Implementation, validation, and documentation of the solution.

Work Plan - Semester 1

- Get familiar with the work, project, LTE software stack, and latest research around the theme (4 weeks)
Expected Results: A literature review identifying the latest fuzzing techniques, taking as its starting point the master's thesis developed in collaboration with Keysight: "Rise of the Machines: On the Security of Cellular IoT Devices" (https://www.esat.kuleuven.be/cosic/publications/thesis-400.pdf)
- Setup preparation (1 week)
Expected Results: Set up the hardware (2 USRP B210) and software (srsRAN)
- Identification of interception points in the 4G protocol stack (3 weeks)
Expected Results: Identify the interception points in the UE software stack (one or more layers) that will interface with the fuzzer implementation
- Proposal of fuzzer mechanisms and strategies (3 weeks)
Expected Results: Based on the previous tasks, the student provides the mechanisms that will be used to implement the fuzzer (mutation strategies, code coverage, injection/duplication mechanisms, etc.)
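As an added illustration of what the mutation strategies and injection/duplication mechanisms of this step can look like in code, the following Python sketch is example code written for this page; it is not code from the proposal, from srsRAN or from Keysight's Greyhound. The message is a constructed, simplified Attach Request used only as seed input, and the function names (`split_ies`, `intercept_outgoing`, `make_rng`) and the interception hook signature are assumptions; a real harness would receive the bytes from the chosen interception layer in the UE stack.

```python
"""Mutation and injection/duplication primitives for a UE-side LTE message fuzzer.

Added example for this page: not code from the proposal, srsRAN or Keysight.
The message below is a constructed, simplified EMM Attach Request used as the
seed; a real harness takes the bytes from the interception point in the UE stack.
"""
import random
from typing import Callable, Dict, List, Tuple

HEADER_LEN = 3  # fixed octets before the length-prefixed information elements

# Constructed seed message (simplified, after the TS 24.301 Attach Request layout):
#   0x07 = plain NAS message with protocol discriminator EMM
#   0x41 = Attach Request message type
#   0x71 = EPS attach type 1 (EPS attach) | NAS key set identifier 7 (no key)
# followed by two LV (length, value) information elements.
SAMPLE_ATTACH_REQUEST = bytes([
    0x07, 0x41, 0x71,
    0x08, 0x09, 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0x10,  # EPS mobile identity, 8 bytes
    0x02, 0xE0, 0xE0,                                      # UE network capability, 2 bytes
])


def make_rng(seed: int) -> random.Random:
    """Seeded generator: seed plus case number is enough to reproduce any payload."""
    return random.Random(seed)


def split_ies(msg: bytes) -> Tuple[bytes, List[bytes]]:
    """Split the fixed header from the LV-encoded IEs; raise when a length overruns."""
    header, rest, ies = msg[:HEADER_LEN], msg[HEADER_LEN:], []
    while rest:
        n = rest[0]
        if 1 + n > len(rest):
            raise ValueError("IE length field exceeds the remaining message bytes")
        ies.append(rest[1:1 + n])
        rest = rest[1 + n:]
    return header, ies


def join_ies(header: bytes, ies: List[bytes]) -> bytes:
    return header + b"".join(bytes([len(ie)]) + ie for ie in ies)


# --- mutation strategies: each takes (message, rng) and returns a mutated copy ---
Mutator = Callable[[bytes, random.Random], bytes]


def flip_bit(msg: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(msg))
    return msg[:i] + bytes([msg[i] ^ (1 << rng.randrange(8))]) + msg[i + 1:]


def boundary_byte(msg: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(msg))
    return msg[:i] + bytes([rng.choice((0x00, 0x7F, 0x80, 0xFF))]) + msg[i + 1:]


def inflate_length(msg: bytes, rng: random.Random) -> bytes:
    """Overstate one IE length without adding bytes: a parser that trusts it over-reads."""
    header, ies = split_ies(msg)
    k = rng.randrange(len(ies))
    out = header
    for idx, ie in enumerate(ies):
        out += bytes([0xFF if idx == k else len(ie)]) + ie
    return out


def duplicate_ie(msg: bytes, rng: random.Random) -> bytes:
    """Repeat one IE: mandatory IEs are not expected twice and may overwrite parsed state."""
    header, ies = split_ies(msg)
    k = rng.randrange(len(ies))
    return join_ies(header, ies[:k + 1] + [ies[k]] + ies[k + 1:])


def truncate(msg: bytes, rng: random.Random) -> bytes:
    """Cut the message inside the IE area, usually leaving a length pointing past the end."""
    return msg[:rng.randrange(HEADER_LEN, len(msg))]


STRATEGIES: Dict[str, Mutator] = {
    "flip_bit": flip_bit,
    "boundary_byte": boundary_byte,
    "inflate_length": inflate_length,
    "duplicate_ie": duplicate_ie,
    "truncate": truncate,
}


def intercept_outgoing(msg: bytes, rng: random.Random, repeat: int = 1) -> List[Tuple[str, bytes]]:
    """Hook for the UE stack's interception point (assumed signature): returns the
    (strategy, payload) pairs to transmit instead of `msg`. repeat > 1 models the
    packet duplication/injection mechanism by sending the same payload several times."""
    name = rng.choice(sorted(STRATEGIES))
    payload = STRATEGIES[name](msg, rng)
    return [(name, payload)] * repeat


if __name__ == "__main__":
    rng = make_rng(2024)
    for case in range(5):
        for name, payload in intercept_outgoing(SAMPLE_ATTACH_REQUEST, rng, repeat=2):
            print(f"case {case:2d} {name:14s} {payload.hex()}")
```

Running the module prints five reproducible cases, each transmitted twice. The seed plus the case number is all that is needed to regenerate a payload that crashed the eNB, which is what makes a finding reportable; the structural mutators (`inflate_length`, `duplicate_ie`, `truncate`) deliberately target the length-handling and IE-ordering code paths that a bit flip alone rarely reaches.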

Work Plan - Semester 2

- Proposal of mechanisms to improve target observability during test execution (3 weeks)
Expected Results: The student needs to define which mechanisms will be used to detect a target crash (e.g., indirect measures via AT commands, protocol state machine transitions, code instrumentation, etc.)
- Architecture proposal for the fuzzer (2 weeks)
Expected Results: High-level architecture describing the fuzzer
- Fuzzer implementation (6 weeks)
Expected Results: Software implementation and configuration, and the proof of concept
- Tests execution and result collection (3 weeks)
Expected Results: Execution of the fuzzer tests and resulting improvements, if any
- Documentation writing (3 weeks)
Expected Results: Master's thesis documenting the research and the achieved results
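The observability step above asks for a way to tell a crashed target from one that merely rejected the input. The following Python sketch, an added example that is not part of the proposal, of srsRAN or of Keysight's tooling, shows the protocol-state-machine approach: each UE-originated message is paired with the responses the eNB should give and a guard timer, silence past the timer is a timeout, and a known-good probe sent afterwards distinguishes a dead eNB from a silently dropped message. The transition table, the timer values (T300 assumed to be 1 s, T3410 taken as the 15 s attach timer), the baseline probe and the `ScriptedTarget` stand-in are assumptions made for illustration.

```python
"""Protocol-state-machine oracle for target observability during fuzzing.

Added example for this page: not code from the proposal, srsRAN or Keysight.
The transition table, timer values and the ScriptedTarget stand-in are assumptions.
"""
from typing import Dict, List, Optional, Set, Tuple

# For each UE-originated message: responses that mean "accepted", responses that mean
# "handled but rejected", and the guard timer after which silence counts as a timeout.
# T300 is configured by the eNB in SIB2 and is assumed to be 1.0 s here; 15.0 s is the
# T3410 attach timer. Both values are assumptions for this example.
EXPECTED: Dict[str, Tuple[Set[str], Set[str], float]] = {
    "RRCConnectionRequest": ({"RRCConnectionSetup"}, {"RRCConnectionReject"}, 1.0),
    "AttachRequest": ({"AttachAccept"}, {"AttachReject"}, 15.0),
}

Case = Tuple[str, bytes]  # (procedure the payload belongs to, bytes actually sent)


def classify(procedure: str, response: Optional[str], elapsed: float) -> str:
    """Map what came back (or did not) to a verdict from the state machine's point of view."""
    accepted, rejected, timer = EXPECTED[procedure]
    if response is None:
        return "timeout" if elapsed >= timer else "pending"
    if response in accepted:
        return "ok"
    if response in rejected:
        return "rejected"   # parsed and refused: the input was handled, not a bug by itself
    return "unexpected"     # out-of-state reply: possible state confusion, worth a closer look


class ScriptedTarget:
    """Constructed stand-in for the eNB under test. A real harness would wrap the srsRAN
    eNB process (or read its logs/instrumentation) and exchange messages via the UE stack."""

    def __init__(self, crashes_on: Set[bytes], drops: Set[bytes]) -> None:
        self.crashes_on, self.drops, self.alive = crashes_on, drops, True

    def send(self, procedure: str, payload: bytes) -> Tuple[Optional[str], float]:
        timer = EXPECTED[procedure][2]
        if payload in self.crashes_on:
            self.alive = False
        if not self.alive or payload in self.drops:
            return None, timer          # silence until the guard timer expires
        return next(iter(EXPECTED[procedure][0])), 0.05


BASELINE: Case = ("RRCConnectionRequest", b"\x00\x00")  # known-good probe, assumed bytes


def run_case(target: ScriptedTarget, case: Case) -> str:
    """Run one fuzz case and resolve a timeout into 'crash' or 'dropped' with a liveness probe."""
    procedure, payload = case
    verdict = classify(procedure, *target.send(procedure, payload))
    if verdict != "timeout":
        return verdict
    # Silence alone is ambiguous: the eNB may have discarded the message or may be dead.
    # A known-good probe after the timeout separates the two cases.
    probe = classify(BASELINE[0], *target.send(*BASELINE))
    return "crash" if probe == "timeout" else "dropped"


def run_campaign(target: ScriptedTarget, cases: List[Case]) -> List[Tuple[int, str, str]]:
    """Log (case number, payload hex, verdict) so any crash can be replayed from the log."""
    results: List[Tuple[int, str, str]] = []
    for n, case in enumerate(cases):
        results.append((n, case[1].hex(), run_case(target, case)))
        if not target.alive:
            break   # stop here; the harness must restart the eNB before continuing
    return results


if __name__ == "__main__":
    # Constructed scenario: one payload is silently dropped, one brings the target down.
    target = ScriptedTarget(crashes_on={b"\x07\x41\xff"}, drops={b"\x07\x41\x00"})
    campaign = [
        ("AttachRequest", b"\x07\x41\x71"),
        ("AttachRequest", b"\x07\x41\x00"),
        ("AttachRequest", b"\x07\x41\xff"),
        ("AttachRequest", b"\x07\x41\x71"),   # never reached: the target died before it
    ]
    for row in run_campaign(target, campaign):
        print(row)
```

The verdict vocabulary is the important part: "rejected" and "unexpected" are both signs the eNB parsed the input, only "crash" means it is gone, and "dropped" flags messages that deserve a different observability channel (instrumentation or log scraping) because the state machine alone cannot see what happened to them.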

Conditions

The intern will join a multidisciplinary research team of software developers and telecommunication engineers at Keysight (Belgium). The SDR hardware and a workstation will be provided for this work.

Remarks

References
[1] srsRAN: Open-Source 4G/5G Software Radio Suite: https://docs.srsran.com/en/latest/index.html
[2] Keysight website: https://www.keysight.com/us/en/home.html

Supervisor

German Corrales Madueno
german.madueno@keysight.com