PPT模板下载：www.1ppt.com/moban/ 行业PPT模板：www.1ppt.com/hangye/

节日PPT模板：www.1ppt.com/jieri/ PPT素材下载：

www.1ppt.com/sucai/

PPT背景图片：www.1ppt.com/beijing/ PPT图表下载：

www.1ppt.com/tubiao/ 优秀PPT下载：www.1ppt.com/xiazai/ PPT教程：

www.1ppt.com/powerpoint/

Word教程： www.1ppt.com/word/ Excel教程：

www.1ppt.com/excel/

资料下载：www.1ppt.com/ziliao/ PPT课件下载：www.1ppt.com/kejian/

范文下载：www.1ppt.com/fanwen/ 试卷下载：

www.1ppt.com/shiti/

CellScope: Automatically

Specifying and Verifying Cellular

Network Protocols

#Wuhan University, *Northwestern University

ACM SIGCOMM 2019 Student Research Competition

Yinbo Yu#*

You Li*, Kaiyu Hou*, Yan Chen*, Hai Zhou* and Jianfeng Yang#

2

C e l l u l a r ne t wo r k

No

ServiceNo

ServiceNo

Service No

Service

Location tracking

No service

IMSI

[1] A. Dabrowski etc. IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. ACSAC’14

[2] Guan-Hua Tu etc. Control-Plane Protocol Interactions in Cellular Networks. SIGCOMM’14

[3] Chi-Yu Li etc. Insecurity of Voice Solution VoLTE in LTE Mobile Networks. CCS’15

[4] Altaf Shaik etc. Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. NDSS’16

[5] Syed Rafiul Hussain etc. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE. NDSS’18

[6] Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion. NDSS’19

[7] David Rupprecht etc. Breaking LTE on Layer Two. IEEE S&P’19

Fake base station

Free data access

3

Protoco l Stack

NAS

RRC

PDCP

RLC

MAC

PHY

NAS

S1AP

SCTP

IP

MAC

Ethernet

RRC

PDCP

RLC

MAC

PHY

S1AP

SCTP

IP

MAC

Ethernet

UE eNB CN-MME

SIP/SDP

SMS

SIP

SMS

IMS

Application

Network

Data link

Physical

TS36.331

TS36.323

TS36.322

TS36.321

TS36.21X

TS24.301

TS 23.228, TS 24.229, TS 24.930

TS24.011, TS 23.040

TS36.413

RFC 4960

4

Ex i s t ing work

Formal Verification(SIGCOMM’14, NDSS’18,, NDSS’19): specify

protocols as formal models and verify with correctness properties

[1] Guan-Hua Tu etc. Control-Plane Protocol Interactions in Cellular Networks. SIGCOMM’14

[2] LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE. NDSS’18

[3] Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion. NDSS’19

• Systematic and solid

• Manual specification

Challenges:

• Hundreds or thousands of pages of human language

• More standards specifying interaction behaviors among protocols

• Optional configurations

• Time consuming

• Error-prone

5

Our des ign

Open-source implementations of Cellular network:

Is it possible to automatically specify and verify cellular

network protocols?

Software model checking

6

Bas ic Idea

LTE Source

codes

Formal

models

Software model

checking

Properties TRUEi.e., specification is

satisfied

FALSEi.e., vulnerability is

found

Specification Verification

7

Chal lenges

• Size Explosion: millions lines of code

• Independent software entity: multiple software entities

(UE, eNB, and CN)

• Multi-Agent Interaction: each of the entity is driven by

messages sent by each other.

8

Cel lScope

LTE

Source files

Parser Frontend

CFG

construction

Verification Backend

Validation

Model

AbstractionVerification

Precision

Refinement

LTE testbench

Counterexample

Vulnerability

report

Security

Properties

CFGsCFGsCFG

Spurious

Practical

Channel model

& Adversaries

Property-driven

Slicing

Semantic

Extraction

Entity

Composition

Event handler

Decomposition

CFG parser

Compilation

Model Parser

CFA

9

Cel lScope

NAS

RRC

PDCP

RLC

MAC

PHY

RRC

PDCP

RLC

MAC

PHY

S1AP

SCTP

IP

MAC

Ethernet

UE eNBBitstream Bitstream

Bitstring

Communication channel

CN

Ethernet

S1AP

SCTP

IP

MAC

NAS

Message Deliver

10

Cel lScope

Adversary modelAdversary model

NAS

RRC

NAS

S1AP

RRC S1AP

UE

eNB

CN

Insecure exchange Secure exchangeAbstracted event handler

Message channel

cache

Adversary model

cache

Attack injection

1. Mock up program behaviors in low layers

2. Formal message exchange models among software entities

3. Dolev-Yao style adversaries

Communication channel

Formal message channel model

11

Cel lScope

Event handler

Protocol a

Protocol b

Protocol c

Protocol n

Message Id 1

Message Id 2

Message Id 3

Message Id m

s

…..

…..

...

State space reduction

Status

Decomposition of event handler

Tree mode

12

Cel lScope

Protocol a1 Message Id1 …..

Protocol a2 Message Id2 …..

Protocol b1 Message Id1 …..

Protocol nn Message Id …..

...

State space reduction

Decomposition of event handler

Linear mode

A lot of infeasible paths are removed

13

Cel lScope State space reduction

Channel

& Adversaries

UE ENB

Before slicing

ENBUE

Channel

& Adversaries

After slicing

Property Adversary assumption

Slicing criteria

• Channel message

• Configurations

• Adversary variables

• …

Property-driven slicing

slicing

14

Cel lScope

I

Concrete

AbstractI

I

I

𝐴𝜋0

𝐴𝜋1

Refin

em

ent

Priority counter-example guided abstraction refinement (P-CEGAR)

Verification

Variable:

• Protocol-related

• Dummy adversary

• Program control related

CPAchecker: https://cpachecker.sosy-lab.org/

15

Pr imar y resu l ts

16

Thanks

Q & A

Yinbo Yu: yyb@whu.edu.cn