TY - GEN
T1 - 5GC-Fuzz
T2 - 2025 IEEE Conference on Computer Communications, INFOCOM 2025
AU - Sun, Yu
AU - Liu, Xinyu
AU - Sun, Qian
AU - Wang, Jiaming
AU - Tian, Lin
AU - Liu, Jianwei
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Given the large-scale deployment of 5G, rigorous testing of its core network (5GC) is essential to ensure security and robustness. Fuzzing is currently one of the most popular vulnerability discovery techniques. However, existing fuzzers suffer from low coverage of 3GPP-specified 5GC states, invalid long signaling sequence generation when exploring deep 5GC states, and coarse-grained feedback from closed-source 5G systems. This paper presents 5GC-Fuzz, a black-box fuzzing framework to detect deep stateful vulnerabilities in 5GC implementations. 5GC-Fuzz integrates three innovative techniques: (1) a systematic construction of a 5GC state machine derived from 3GPP specifications to guide the fuzzing process; (2) a 5G grammar-aware signaling sequence mutation method based on protocol stack interception to generate test cases while maximally guaranteeing syntactic, semantic, and cryptographic correctness; and (3) a fine-grained state-transition-path feedback mechanism based on 5GC logs to optimize test state and sequence selection. 5GC-Fuzz was evaluated on three popular 5GC implementations and achieves 152.6% more states and 206.7% more state transition paths than the state-of-the-art fuzzers. Moreover, 5GC-Fuzz exposed 22 security-critical vulnerabilities, with 6 CVEs assigned. In general, 5GC-Fuzz could explore deeper states and uncover more vulnerabilities in 5GC, significantly enhancing the security of mobile communication infrastructures.
KW - 5G Core Network
KW - fuzzing
KW - vulnerabilities
UR - https://www.scopus.com/pages/publications/105011100231
U2 - 10.1109/INFOCOM55648.2025.11044489
DO - 10.1109/INFOCOM55648.2025.11044489
M3 - Conference contribution
AN - SCOPUS:105011100231
T3 - Proceedings - IEEE INFOCOM
BT - INFOCOM 2025 - IEEE Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 19 May 2025 through 22 May 2025
ER -