Upload
others
View
15
Download
0
Embed Size (px)
Citation preview
PPT模板下载:www.1ppt.com/moban/ 行业PPT模板:www.1ppt.com/hangye/
节日PPT模板:www.1ppt.com/jieri/ PPT素材下载:
www.1ppt.com/sucai/
PPT背景图片:www.1ppt.com/beijing/ PPT图表下载:
www.1ppt.com/tubiao/ 优秀PPT下载:www.1ppt.com/xiazai/ PPT教程:
www.1ppt.com/powerpoint/
Word教程: www.1ppt.com/word/ Excel教程:
www.1ppt.com/excel/
资料下载:www.1ppt.com/ziliao/ PPT课件下载:www.1ppt.com/kejian/
范文下载:www.1ppt.com/fanwen/ 试卷下载:
www.1ppt.com/shiti/
CellScope: Automatically
Specifying and Verifying Cellular
Network Protocols
#Wuhan University, *Northwestern University
ACM SIGCOMM 2019 Student Research Competition
Yinbo Yu#*
You Li*, Kaiyu Hou*, Yan Chen*, Hai Zhou* and Jianfeng Yang#
2
C e l l u l a r ne t wo r k
No
ServiceNo
ServiceNo
Service No
Service
Location tracking
No service
IMSI
[1] A. Dabrowski etc. IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. ACSAC’14
[2] Guan-Hua Tu etc. Control-Plane Protocol Interactions in Cellular Networks. SIGCOMM’14
[3] Chi-Yu Li etc. Insecurity of Voice Solution VoLTE in LTE Mobile Networks. CCS’15
[4] Altaf Shaik etc. Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. NDSS’16
[5] Syed Rafiul Hussain etc. LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE. NDSS’18
[6] Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion. NDSS’19
[7] David Rupprecht etc. Breaking LTE on Layer Two. IEEE S&P’19
Fake base station
Free data access
3
Protoco l Stack
NAS
RRC
PDCP
RLC
MAC
PHY
NAS
S1AP
SCTP
IP
MAC
Ethernet
RRC
PDCP
RLC
MAC
PHY
S1AP
SCTP
IP
MAC
Ethernet
UE eNB CN-MME
SIP/SDP
SMS
SIP
SMS
IMS
Application
Network
Data link
Physical
TS36.331
TS36.323
TS36.322
TS36.321
TS36.21X
TS24.301
TS 23.228, TS 24.229, TS 24.930
TS24.011, TS 23.040
TS36.413
RFC 4960
4
Ex i s t ing work
Formal Verification(SIGCOMM’14, NDSS’18,, NDSS’19): specify
protocols as formal models and verify with correctness properties
[1] Guan-Hua Tu etc. Control-Plane Protocol Interactions in Cellular Networks. SIGCOMM’14
[2] LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE. NDSS’18
[3] Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion. NDSS’19
• Systematic and solid
• Manual specification
Challenges:
• Hundreds or thousands of pages of human language
• More standards specifying interaction behaviors among protocols
• Optional configurations
• Time consuming
• Error-prone
5
Our des ign
Open-source implementations of Cellular network:
Is it possible to automatically specify and verify cellular
network protocols?
Software model checking
6
Bas ic Idea
LTE Source
codes
Formal
models
Software model
checking
Properties TRUEi.e., specification is
satisfied
FALSEi.e., vulnerability is
found
Specification Verification
7
Chal lenges
• Size Explosion: millions lines of code
• Independent software entity: multiple software entities
(UE, eNB, and CN)
• Multi-Agent Interaction: each of the entity is driven by
messages sent by each other.
8
Cel lScope
LTE
Source files
Parser Frontend
CFG
construction
Verification Backend
Validation
Model
AbstractionVerification
Precision
Refinement
LTE testbench
Counterexample
Vulnerability
report
Security
Properties
CFGsCFGsCFG
Spurious
Practical
Channel model
& Adversaries
Property-driven
Slicing
Semantic
Extraction
Entity
Composition
Event handler
Decomposition
CFG parser
Compilation
Model Parser
CFA
9
Cel lScope
NAS
RRC
PDCP
RLC
MAC
PHY
RRC
PDCP
RLC
MAC
PHY
S1AP
SCTP
IP
MAC
Ethernet
UE eNBBitstream Bitstream
Bitstring
Communication channel
CN
Ethernet
S1AP
SCTP
IP
MAC
NAS
Message Deliver
10
Cel lScope
Adversary modelAdversary model
NAS
RRC
NAS
S1AP
RRC S1AP
UE
eNB
CN
Insecure exchange Secure exchangeAbstracted event handler
Message channel
cache
Adversary model
cache
Attack injection
1. Mock up program behaviors in low layers
2. Formal message exchange models among software entities
3. Dolev-Yao style adversaries
Communication channel
Formal message channel model
11
Cel lScope
Event handler
Protocol a
Protocol b
Protocol c
Protocol n
Message Id 1
Message Id 2
Message Id 3
Message Id m
s
…..
…..
...
State space reduction
Status
Decomposition of event handler
Tree mode
12
Cel lScope
Protocol a1 Message Id1 …..
Protocol a2 Message Id2 …..
Protocol b1 Message Id1 …..
Protocol nn Message Id …..
...
State space reduction
Decomposition of event handler
Linear mode
A lot of infeasible paths are removed
13
Cel lScope State space reduction
Channel
& Adversaries
UE ENB
Before slicing
ENBUE
Channel
& Adversaries
After slicing
Property Adversary assumption
Slicing criteria
• Channel message
• Configurations
• Adversary variables
• …
Property-driven slicing
slicing
14
Cel lScope
I
Concrete
AbstractI
I
I
𝐴𝜋0
𝐴𝜋1
Refin
em
ent
Priority counter-example guided abstraction refinement (P-CEGAR)
Verification
Variable:
• Protocol-related
• Dummy adversary
• Program control related
CPAchecker: https://cpachecker.sosy-lab.org/
15
Pr imar y resu l ts