Fuzz Testing Architecture Used for Vulnerability Detection in Wireless Systems

Mayhew, Stephen Richard

23 June 2022

The wireless world of today is essential to the everyday life of millions of people. Wireless technology is evolving at a rapid pace that's speed outmatches what the previous testing can handle. This necessitates the need for smarter and faster testing methods. One of the recent fast and efficient testing methods is fuzz testing. Fuzz testing is the generation and injection of unexpected input called "fuzzed" input for a system by slightly changing a base input hundreds or even thousands of times and introducing each change into a system to observe its effects. In this thesis, we developed and implemented a fuzz testing architecture to test 5G wireless system vulnerabilities. The proposed design uses multiple open-source software to create a virtual wireless environment for testing the fuzzed inputs' effects on the wireless attach procedure. Having an accessible and adaptable fuzzing architecture to use with wireless networks will help against malicious parties. Due to 5G simulation technology still being developed and the cost of ready-made 5G testing equipment, the architecture was implemented in an LTE environment using the srsRAN LTE simulation software, the Boofuzz fuzzing software, and Wireshark packet capture software. The results show consistent effects of the fuzz testing on the outputs of the LTE eNB. We also include a discussion of our future suggestions to improve the proposed fuzzing architecture. / Master of Science / The persistence of the cellular network is essential to the everyday life of millions of people. Cell phones and cell towers play an important role in business, communication, and recreation across the globe. The speed of advancements made in phones and cell towers technology is outpacing the speed of security testing, increasing the possibility of system vulnerabilities and unexplored back-doors. To cover the security testing gap, different automated testing models are being researched and developed, one of which is fuzz testing. Fuzz testing is the generation and injection of unexpected input called "fuzzed" input for a system by slightly changing a base input hundreds or even thousands of times and introducing each change into a system to observe its effects. The fuzzing architecture proposed in this thesis is used to test for security flaws in wireless cellular networks. We implemented our fuzz testing model in a simulated 4G cellular network, where the results show the effectiveness of the model on tracing network vulnerabilities. The results of the experiment show consistent effects of the fuzz testing on a wireless system. A discussion of how the proposed model can be further improved for future work is added to the end of this thesis.

Fuzzing

LTE

5G

UE

eNB

gNB

Investigation and development of a verification protocol test tool for LTE

Georgis, Jolian

January 2011

At Ericsson IoDT test department testing tools are used to control the traffics between the EU and the eNB to check the typical problems issues. By storing these problems in a log file will help mobile vendors to eliminate the mentioned problems by developing solutions for more significant products. The IoDT needed to develop the testing results even further for more specific results. The purpose of this thesis is to developing the LogTool to make it easier for the IoDT testing group to read the log files, whereas the implemented results from the log files simplifies for the testing group. To make this happens; the LogTool was developed by creating a new Analyzer that analyses the log file and presents the results in a way which makes it easier to be read. The Analyzer was created using Eclipce program as RCP plug-in, in Java programming language. The new Analyzer managed to print the results in a simpler way for the CQI and MCS test. Basically, the new Analyzer was created and implemented in standardized way that make it possible to be developed even further in the future without losing its’ functionality. This procedure was achieved regarding the needed requirements of Ericsson and Linköping University. This document will guide the reader through the steps that used to accomplish the project with illustrating figures, methods and code examples in order to give a closer vision of the work.

LTE

MME

SGW

eNB

IoDT

LogTool

JAPY.

TECHNOLOGY

TEKNIKVETENSKAP

Vliv provedení zateplení bytového domu v Brně Slatině. / The influence of the thermal insulation of residential building in Brno Slatina.

Černín, Lukáš

January 2013

The aim of this thesis is to assess the influence of superstructure implementation and thermal insulation of residential building for expenses associated with operating the property. Calculation used detached brick apartment building in Brno Slatina on the street Tilhonova 50a/50b, which has two separated entrances. The heat sources, principles of thermal insulation of residential buildings, energy prices and the possibility of her savings have been described theoretically. Various materials have been designed with different insulation thicknesses of thermal insulation material. To existing and newly designed apartment building has been processed label of the building envelope and certificate of energy performance of the building and then the values were compared. The thesis includes a calculation of the costs to perform construction modifications and determine payback period of the investment.

Fuzz testing on eNodeB over the air interface : Using fuzz testing as a means of testing security

Pestrea, Anna

January 2021

In modern society, security has become an increasingly important subject, as technologyhas become an integrated part of everyday life. The security of a system can be tested withthe help of fuzzing, where incoming messages to the system are altered. In this thesis, afuzzer was developed targeting an E-UTRAN Node B (eNB) in the Long-Term Evolution(LTE) landscape. The eNB is current prototype and is from the company Ericsson. Thefuzzer is particularly designed for testing the Medium Access Control (MAC) layer of theeNB. The fuzzer uses a genetic method where all of the fuzzer’s flags (the R, F2, E, LCID, Fand L flags) are triggered during the fuzzing period. Depending on the output of the firstgeneration of fuzzed values, new values are generated either by choosing a value close tothe original value, or by choosing a value that belong to the same subgroup as the originalvalue. Four test cases are made, where first test case is the base line of the program and theother three test cases fuzzes the eNB, using different parts of the fuzzer. The results show that depending on which parts of the fuzzer are used, the connectionbecomes different. For test two and three, the connection became increasingly unstable andmore data was present in the connection. Test case four did not however deviate so muchfrom the baseline, if compared to test two and three.

Fuzzer

fuzz-testing

eNB

LTE

air interface

MAC layer

MAC protocol

Information Systems

Analýza řídicí roviny mobilních sítí 4. generace / Control plane analysis in 4th generation mobile networks

Hajn, Pavel

January 2014

The thesis is focused on the description of LTE system in terms of signaling on interfaces of LTE and EPC subsystems, such as UE initial network connection. The next section describes the types of diagnostic methods for mobile networks using OSS, drive testing and flow analysis. The thesis also aims at description of key performance indicators (RSRP, RSSI, etc.) and the proposal for measuring of the LTE network physical layer and the data transmission speed.

Detection of Denial of Service Attacks on the Open Radio Access Network Intelligent Controller through the E2 Interface

Radhakrishnan, Vikas Krishnan

03 July 2023

Open Radio Access Networks (Open RANs) enable flexible cellular network deployments by adopting open-source software and white-box hardware to build reference architectures customizable to innovative target use cases. The Open Radio Access Network (O-RAN) Alliance defines specifications introducing new Radio Access Network (RAN) Intelligent Controller (RIC) functions that leverage open interfaces between disaggregated RAN elements to provide precise RAN control and monitoring capabilities using applications called xApps and rApps. Multiple xApps targeting novel use cases have been developed by the O-RAN Software Community (OSC) and incubated on the Near-Real-Time RIC (Near-RT RIC) platform. However, the Near-RT RIC has, so far, been demonstrated to support only a single xApp capable of controlling the RAN elements. This work studies the scalability of the OSC Near-RT RIC to support simultaneous control signaling by multiple xApps targeting the RAN element. We particularly analyze its internal message routing mechanism and experimentally expose the design limitations of the OSC Near-RT RIC in supporting simultaneous xApp control. To this end, we extend an existing open-source RAN slicing xApp and prototype a slice-aware User Equipment (UE) admission control xApp implementing the RAN Control E2 Service Model (E2SM) to demonstrate a multi-xApp control signaling use case and assess the control routing capability of the Near-RT RIC through an end-to-end O-RAN experiment using the OSC Near-RT RIC platform and an open-source Software Defined Radio (SDR) stack. We also propose and implement a tag-based message routing strategy for disambiguating multiple xApps to enable simultaneous xApp control. Our experimental results prove that our routing strategy ensures 100% delivery of control messages between multiple xApps and E2 Nodes while guaranteeing control scalability and xApp non-repudiation. Using the improved Near-RT RIC platform, we assess the security posture and resiliency of the OSC Near-RT RIC in the event of volumetric application layer Denial of Service (DoS) attacks exploiting the E2 interface and the E2 Application Protocol (E2AP). We design a DoS attack agent capable of orchestrating a signaling storm attack and a high-intensity resource exhaustion DoS attack on the Near-RT RIC platform components. Additionally, we develop a latency monitoring xApp solution to detect application layer signaling storm attacks. The experimental results indicate that signaling storm attacks targeting the E2 Terminator on the Near-RT RIC cause control loop violations over the E2 interface affecting service delivery and optimization for benign E2 Nodes. We also observe that a high-intensity E2 Setup DoS attack results in unbridled memory resource consumption leading to service interruption and application crash. Our results also show that the E2 interface at the Near-RT RIC is vulnerable to volumetric application layer DoS attacks, and robust monitoring, load-balancing, and DoS mitigation strategies must be incorporated to guarantee resiliency and high reliability of the Near-RT RIC. / Master of Science / Telecommunication networks need sophisticated controllers to support novel use cases and applications. Cellular base stations can be managed and optimized for better user experience through an intelligent radio controller called the Near-Real-Time Radio Access Network (RAN) Intelligent Controller (RIC) (Near-RT RIC), defined by the Open Radio Access Network (O-RAN) Alliance. This controller supports simultaneous connections to multiple base stations through the E2 interface and allows simple radio applications called xApps to control the behavior of those base stations. In this research work, we study the performance and behavior of the Near-RT RIC when a malicious or compromised base station tries to overwhelm the controller through a Denial of Service (DoS) attack. We develop a solution to determine the application layer communication delay between the controller and the base station to detect potential attacks trying to compromise the functionality and availability of the controller. To implement this solution, we also upgrade the controller to support multiple radio applications to interact and control one or more base stations simultaneously. Through the developed solution, we prove that the O-RAN Software Community (OSC) Near-RT RIC is highly vulnerable to DoS attacks from malicious base stations targeting the controller over the E2 interface.

srsRAN

Denial of Service

Open Source

Radio Access Network

Open RAN

RAN Control

Kubernetes

SCTP

USRP

SDR

UE

4G

LTE

5G

eNB

gNB

EPC

Analýza řídicí roviny mobilních sítí 4. generace / Control plane analysis in 4th generation mobile networks

Hajn, Pavel

January 2014

The thesis is focused on the description of LTE system in terms of signaling on interfaces of LTE and EPC subsystems, such as UE initial network connection. The next section describes the types of diagnostic methods for mobile networks using OSS, drive testing and flow analysis. The thesis also aims at description of key performance indicators (independent service QoS parameters and the KPI for the radio part of the network). Part of the network measurement includes a description of the driver settings and views for analysis. It is also described the implementation of measuring and evaluating the results.

Vliv provedení zateplení objektu penzionu na výdaje spojené s provozem této nemovitosti. / Influence of insulation of a guest house on expenses related to the operation of the property

Mach, Stanislav

January 2015

The thesis solves the construction of the pension and deals with the assessment of the impact of the thermal insulation on expenses related to the operation of the property. The pension is situated on the street Valtická in Mikulov. The building has one floor and is founded on strip foundations. Roofing of the house is solved with irregular gable roof. In the first part of the thesis is a theoretical introduction mentions the possibility of building insulation and insulation methods. In the practical part of the thesis is an assessment of the heat transfer coefficient of the pension and costs associated with heating. There is also a proposal for modifications of the envelope construction with assessment of the heat factor and there are also proposed modifications to reduce the costs of operating the property.

4G LTE : eMBMS with MBSFN Service Simulation using OPNET

Walid, Abdelrahman

January 2014

Long Term Evolution (LTE) known in the market as 4G LTE, it is an evolution of the GSM/UMTS standard. The overall aim of LTE was to provide a new radio access technology focusing on packet-switched data only. LTE has provided a new peak download rates, low data transfer latencies, and improved the support for mobility. 3Th Generation Partnership Project (3GPP) specialized that LTE released 10 and beyond known as LTE-advanced it is the second evolution of LTE. It has some services such as Coordinated Multipoint Transmission and Reception (CoMP), evolved Multimedia Broadcast and Multicast Service (eMBMS) with Multicast-Broadcast Single-Frequency Network (MBSFN). The development still continuous on LTE-advanced, it is intended to meet the requirement of advanced application that will become common in the wireless marketplace in future. The goals of this project is to simulate one of LTE-A services on LTE standard such as CoMP or/and eMBMS with MBSFN using OPENT LTE, and measure some statistic such as spectral efficiency and also some other statistics, describe centralization vs. decentralization in LTE, and synchronization in the base station in LTE. OPNET LTE support eMBMS with MBSFN, and don’t support CoMP, the simulation has been done by using eMBMS with MBSFN. Finally the objectives of the project has achieved, the result show that when eMBMS with MBSFN is implemented the throughput increased in the downlink to about 5.52 Mbps and in the uplink to about 5.18 Mbps, and also the system spectral efficiency increased in eNB1 from about 10.25 (bits/s/Hz/cell) to about 13.75 (bits/s/Hz/cell) and in eNB2 from about 10.25 (bits/s/Hz/cell) to about 17.25 (bits/s/Hz/cell). The project also answers if it is possible to have centralization in LTE, describe synchronization in the base station in LTE, and if OPNET is useful for big research.

3G

3GPP

4G

CoMP

CSI

CSI-IM

CSI-RS

eMBMS

eNB

EPC

EPS

E-UTRAN

GSM

HSPA

IGMP

IGRP

ITU-T

LTE

LTE-A

MAC

MBSC

MBSFN

MCE

MCS

MFN

MME

OFDM

OFDMA

OPNET

OSPF

PDN-GW

PDSCH

PMCH

PUCCH

PUSCH

QoS

SAE

SC-FDMA

S-GW

TDD

TD-SCMDA

UE

UTMS

WCDMA.

Computer Engineering

Datorteknik