Towards Securing the Next Generation of Cellular Standards

Date

2026-06-04

Publisher

Virginia Tech

Abstract

The fifth generation (5G) cellular standard is a significant shift from the legacy mobile network architecture, laying the groundwork for next generation networks (NGN). In previous generations of mobile networks, operators used network functions (NFs) encapsulated in proprietary hardware boxes to perform specific tasks within the cellular ecosystem. This approach limited operators' flexibility in building, maintaining, and extending their services, as the vendor-specific NFs lacked interoperability. Therefore, network operators were unable to mix and match components from different vendors, leaving them locked in to a specific provider. Furthermore, these networks often lacked scalability, so extending network capabilities typically required a high upfront cost for new equipment. The 5G standards, however, adopted a more open and flexible approach in which the NFs are virtualized and expose open interfaces. This paradigm shift enables operators to deploy their network components as Virtual Network Functions (VNFs) on Commercial-off-the-Shelf (COTS) hardware. The abstraction layer offered by the Network Function Virtualization Infrastructure (NFVI) inherently supports scalability, which eases the process of extending existing network capabilities. Moreover, the open interfaces enable interoperability, allowing operators to tailor their network deployment to specific use cases, vendor preferences, and evolving technological requirements. However, the open and multi-vendor composition of 5G networks expands the attack surface of the mobile network ecosystem, necessitating a thorough examination of its security properties.

To that end, the goal of this dissertation is to scrutinize the security model of 5G networks, identify issues, and evaluate solutions to address the concerns. Each chapter of this dissertation highlights a specific security issue, discusses its implications, and offers a framework to mitigate the identified security flaw. The design of each solution is governed by two principles: (1) the solution must be compatible with the existing 5G standards, and (2) the role of each framework in mitigating a specific security flaw must be evaluated by referencing the standards themselves.

Chapter 2 explores the new attack vectors introduced into the mobile network ecosystem by Network Functions Virtualization (NFV) and evaluates the feasibility of the solutions presented in the standards. The Third Generation Partnership Project (3GPP) standardization body recommends isolating critical 5G core functionalities inside Hardware Mediated Execution Enclaves (HMEEs). However, the use of HMEEs can incur debilitating quality of service (QoS) degradation in control plane functions, including the Authentication and Key Agreement (AKA) protocol. In this chapter, we design and implement network slices with HMEE-enforced isolation for sensitive AKA functions and characterize their performance. To evaluate the feasibility of HMEEs, we use real commercial User Equipment (UE) to register with the 5G core network through the isolated AKA functions. Finally, we discuss the role of HMEEs in addressing the key issues introduced by NFV.

In the next chapter, we take a deeper look at the access control model in the 5G core network (5GC). The heterogeneous and multi-vendor composition of the NGN, as envisioned in the 5G specifications, also complicates trust relationships. Consequently, the traditional perimeter-based security model has become inadequate for ensuring trust in such a complex network environment. Zero Trust, by contrast, has emerged as a promising security model well-suited to protecting complex and large-scale networks. Unfortunately, the current access control mechanism in the 5G core network lacks key features, rendering it incompatible with Zero Trust principles. To address these limitations, we propose a framework that leverages standardized 5G data collection procedures to incorporate security posture information into the access control mechanism. Moreover, our approach enables continual access policy evaluation in accordance with Zero Trust principles. With the implementation of the proposed framework, we demonstrate how Zero Trust principles can be seamlessly integrated into the 5G service-based architecture, providing guidance for future generations of mobile networks.
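To make the distinction between a one-shot authorization check and the continual, posture-aware evaluation described above concrete, the following added example (not code from the dissertation) models an NF service consumer in the service-based architecture whose access is re-decided whenever its security posture changes. The posture fields, thresholds and scope names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed example: posture-aware access decisions for NF service consumers
# in the 5G SBA. Field names and thresholds are illustrative assumptions.

@dataclass
class Posture:
    attested: bool          # platform/enclave attestation succeeded
    patch_age_days: int     # days since the last security update
    anomaly_score: float    # 0.0 (normal) .. 1.0 (anomalous), from monitoring data

@dataclass
class Consumer:
    nf_instance_id: str
    nf_type: str
    allowed_scopes: List[str]   # service scopes this consumer was authorized for
    posture: Posture

POLICY = {"max_patch_age_days": 30, "max_anomaly": 0.7}

def decide(consumer: Consumer, scope: str) -> Dict[str, object]:
    """Evaluate one service access request; every failed check is reported."""
    reasons = []
    if scope not in consumer.allowed_scopes:
        reasons.append("scope not granted")
    if not consumer.posture.attested:
        reasons.append("attestation failed")
    if consumer.posture.patch_age_days > POLICY["max_patch_age_days"]:
        reasons.append("stale patch level")
    if consumer.posture.anomaly_score > POLICY["max_anomaly"]:
        reasons.append("anomalous behaviour")
    return {"allow": not reasons, "reasons": reasons}

class Session:
    """An active grant that is re-evaluated on every posture update, so a
    consumer that degrades mid-session loses access instead of keeping it
    until its credential expires."""
    def __init__(self, consumer: Consumer, scope: str):
        self.consumer, self.scope = consumer, scope
        self.active = decide(consumer, scope)["allow"]

    def update_posture(self, posture: Posture) -> bool:
        self.consumer.posture = posture
        self.active = decide(self.consumer, self.scope)["allow"]
        return self.active
```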

In the following chapter, we present Core Scout, a novel agentic framework to uncover implementation details of the 5G core network. Core Scout uses agents and tools to construct API requests autonomously from OpenAPI specifications. It infers the business logic from the human-readable API descriptions in the 3GPP specifications and creates an exploration plan to interact with the 5G core, revealing the feature coverage of open-source implementations of the 5G core network, specifically OpenAirInterface (OAI) and free5GC. The goal of Core Scout is to help operators understand the maturity of these open-source 5GC implementations. In addition, Core Scout intelligently explores the API space exposed by the network functions in the 5GC to identify potential protocol bugs that may lead to vulnerabilities. Core Scout also validates the requests it forms and the responses it receives from the 5GC network functions. Core Scout reveals significant gaps in the implemented features of both projects, as well as issues and inconsistencies in the 3GPP OpenAPI specifications that hamper development with the automated tools available in the OpenAPI ecosystem.
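The two mechanical steps underneath the exploration above, building a request from an OpenAPI path item and checking a response body against the declared schema, are shown in this added example, which is not Core Scout's code. The OpenAPI fragment is constructed and only loosely modelled on an NRF subscription resource; its server URL, parameter pattern and field names are assumptions.

```python
import re

# Constructed, minimal OpenAPI fragment loosely modelled on a 5GC NF subscription
# resource; names, server URL and the pattern are illustrative assumptions.
SPEC = {
    "servers": [{"url": "https://nrf.example.invalid/nnrf-nfm/v1"}],
    "paths": {"/subscriptions/{subscriptionId}": {"get": {
        "parameters": [{"name": "subscriptionId", "in": "path", "required": True,
                        "schema": {"type": "string", "pattern": "^[0-9a-f]{8}$"}}],
        "responses": {"200": {"content": {"application/json": {"schema": {
            "type": "object",
            "required": ["subscriptionId", "nfStatusNotificationUri"],
            "properties": {"subscriptionId": {"type": "string"},
                           "nfStatusNotificationUri": {"type": "string"},
                           "validityTime": {"type": "string"}}}}}}}}}},
}
TYPES = {"string": str, "integer": int, "number": (int, float),
         "boolean": bool, "object": dict, "array": list}

def build_request(spec, path, method, values):
    """Build (METHOD, URL) from the path item; reject values that violate the
    parameter schema before anything is sent to the network function."""
    op = spec["paths"][path][method]
    url = spec["servers"][0]["url"] + path
    for p in op.get("parameters", []):
        v = values.get(p["name"])
        if v is None:
            if p.get("required"):
                raise ValueError(f"missing required parameter {p['name']}")
            continue
        pat = p["schema"].get("pattern")
        if pat and not re.fullmatch(pat, str(v)):
            raise ValueError(f"{p['name']} violates pattern {pat}")
        if p["in"] == "path":
            url = url.replace("{" + p["name"] + "}", str(v))
    return method.upper(), url

def validate_response(spec, path, method, status, body):
    """Return every deviation of a JSON body from the declared response schema:
    missing required fields, undeclared fields, and type mismatches."""
    op = spec["paths"][path][method]
    schema = op["responses"][status]["content"]["application/json"]["schema"]
    errors = [f"missing {r}" for r in schema.get("required", []) if r not in body]
    for k, v in body.items():
        prop = schema["properties"].get(k)
        if prop is None:
            errors.append(f"undeclared field {k}")
        elif not isinstance(v, TYPES[prop["type"]]):
            errors.append(f"{k}: expected {prop['type']}")
    return errors
```

A non-empty list from validate_response is exactly the kind of specification deviation an exploration run would record against an implementation.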

In summary, this dissertation highlights the security issues in the current 5G standards and investigates solutions to address these concerns.

Keywords

5G Network, Wireless Communication, Microservices, Security
