Bookworm Game: Automatic Discovery of LTE Vulnerabilities Through Documentation Analysis
Published in Security & Privacy, 2021
Recommended citation: Chen Y, Yao Y, Wang X F, et al. Bookworm Game: Automatic Discovery of LTE Vulnerabilities Through Documentation Analysis[C]. Security & Privacy, 2021. https://www.computer.org/csdl/pds/api/csdl/proceedings/download-article/1t0x9Hqia1G/pdf
Recommended citation: Chen Y, Yao Y, Wang X F, et al. Bookworm Game: Automatic Discovery of LTE Vulnerabilities Through Documentation Analysis[C]. Security & Privacy, 2021.
Abstract
In the past decade, the security of cellular networks has been increasingly under scrutiny, leading to the discovery of numerous vulnerabilities that expose the network and its users to a wide range of security risks, from denial of service to information leak. However, most of these findings have been made through ad-hoc manual analysis, which is inadequate for fundamentally enhancing the security assurance of a system as complex as the cellular network. An important observation is that the massive amount of technical documentation of cellular network can provide key insights into the protection it puts in place and help identify potential security flaws. Particularly, we found that such documentation often contains hazard indicators (HIs)–the statement that describes a risky operation (eg, abort an ongoing procedure) when a certain event happens at a state, which can guide a test on the system to find out whether the operation can indeed be triggered by an unauthorized party to cause harm to the cellular core or legitimate users’ equipment. Based upon this observation, we present in this paper a new framework that makes the first step toward intelligent and systematic security analysis of cellular networks. Our approach, called Atomic, utilizes natural-language processing and machine learning techniques to scan a large amount of LTE documentation for HIs. The HIs discovered are further parsed and analyzed to recover state and event information for generating test cases. These test cases are further utilized to automatically construct tests in an LTE simulation environment, which runs the tests to detect the vulnerabilities in the LTE that allow the risky operations to happen without proper protection. In our research, we implemented Atomic and ran it on the LTE NAS specification, including 549 pages with 13,598 sentences and 283,850 words. In less than 5 hours, our prototype reported 42 vulnerabilities from 192 HIs discovered, including 10 never reported before, under two threat models. All these vulnerabilities have been confirmed through end-to-end attacks, which lead to unauthorized disruption of the LTE service a legitimate user’s equipment receives. We reported our findings to authorized parties and received their confirmation that these vulnerabilities indeed exist in major commercial carriers and $2,000 USD reward from Google.