5G RRC Protocol and Stack Vulnerabilities Detection via Listen-and-Learn

The paper proposes a protocol-independent Listen-and-Learn (LAL) based fuzzing system, which provides a systematic solution for vulnerabilities and unintended emergent behavior detection with sufficient automation and scalability, for 5G and nextG protocols and large-scale open programmable stacks. We use the relay model as our base and capture and interpret packets without prior knowledge of protocols implementation. Radio Resource Control (RRC) is selected proof of concept of the proposed system. Our fuzzing architecture incorporates two abstractions of different dimension fuzzing-command-level and bit-level, and the proposed LAL fuzzing framework focuses on command-level fuzzing covering potential attacks by autonomously generating a comprehensive fuzzing case set. Our analysis of 39 RRC states successfully illustrates 129 vulnerabilities resulting in RRC connection establishment failure from 205 command-level fuzzing cases and reveals insights into exploitable vulnerabilities in each channel of RRC procedure. Furthermore, to assess risks and prevent potential vulnerability, we use the Long Short-Term Memory (LSTM) based model to perform a deep analysis of transaction states in sequenced commands. With the LSTM based model, we efficiently predict more than 95% connection failure at an average duration of 0.059 seconds after the fuzzing attack and provide sufficient time for proactive defense before RRC connection completion or failure, with an average of 3.49 seconds. The rapid vulnerability prediction capability also enables proactive defenses to potential attacks. The proposed fuzzing system offers sufficient automation, scalability, and usability to improve 5G security assurance, and could be used for existing and newly released protocols and stacks validation and real-time system vulnerability detection and prediction.