Baseband processors (basebands) are the key enablers of cellular communications. The fact that everyone with a smartphone also carries a baseband makes the baseband an interesting target for the security research community.
Over the decades, fuzzing has been shown to be an effective way of discovering security vulnerabilities. Like many high-value software targets, such as operating systems, web browsers, and virtualization solutions, basebands are closed-source software comprising millions of lines of code. However, the complex (e.g., inter-dependencies among tasks) and stateful nature of baseband firmware implementations poses several challenges when applying existing dynamic analysis techniques to them.
In this work, we present Fossa, a new stateful analyzer and fuzzer for baseband binaries. Fossa can iteratively identify state variables of individual tasks within a baseband real-time operating system. It then performs symbolic analysis on the stateful logic to examine how input messages are processed. Finally, Fossa uses the results from the symbolic analysis to guide its fuzzer, enabling it to perform stateful fuzzing aimed at discovering memory corruption vulnerabilities. We also develop a domain-specific language to define and express messages at the 4G and 5G NR Non-access stratum (NAS) layers. This allows our fuzzer to efficiently mutate the inputs in a grammar-aware fashion. To demonstrate the effectiveness of Fossa, we evaluated it on both the 4G NAS and 5G NR NAS layers, achieving a 2x increase in code coverage compared to baseline fuzzers.
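To make the grammar-aware mutation point concrete, the following is an added illustration written for this page; it is not Fossa's DSL, not code from the paper, and not the 3GPP NAS encoding. It defines a small constructed message grammar (fixed-code bytes plus length-prefixed fields, with constructed code values), a strict parser standing in for the firmware's message decoder, and two mutators: one that edits fields under the grammar and one that flips raw bits. The comparison shows why grammar-blind mutants are mostly rejected at the first decoding check and never exercise the deeper, stateful handling the abstract is concerned with.

```python
import random

# Constructed toy grammar for a NAS-like message (illustration only; not the
# 3GPP NAS encoding and not Fossa's DSL). Each entry is
# (field name, kind, allowed codes or maximum value length):
#   "u8": one byte drawn from a fixed set of codes
#   "lv": one length byte followed by that many value bytes, length bounded
GRAMMAR = [
    ("discriminator", "u8", (0x01, 0x02)),        # constructed codes
    ("message_type",  "u8", (0x41, 0x42, 0x43)),  # constructed codes
    ("identity",      "lv", 8),                   # at most 8 value bytes
    ("capability",    "lv", 4),                   # at most 4 value bytes
]


def seed_message():
    """A well-formed starting message as field values (constructed sample)."""
    return {
        "discriminator": 0x01,
        "message_type": 0x41,
        "identity": b"\x01\x02\x03\x04",
        "capability": b"\xaa",
    }


def encode(values):
    """Serialize field values per GRAMMAR, emitting a length byte for 'lv' fields."""
    out = bytearray()
    for name, kind, _spec in GRAMMAR:
        v = values[name]
        if kind == "u8":
            out.append(v)
        else:
            out.append(len(v))
            out += v
    return bytes(out)


def parse(data):
    """Strict decoder: return field values, or raise ValueError on any violation."""
    pos, values = 0, {}
    for name, kind, spec in GRAMMAR:
        if kind == "u8":
            if pos >= len(data) or data[pos] not in spec:
                raise ValueError(f"bad code for {name}")
            values[name] = data[pos]
            pos += 1
        else:
            if pos >= len(data):
                raise ValueError(f"missing length for {name}")
            length = data[pos]
            pos += 1
            if length > spec or pos + length > len(data):
                raise ValueError(f"bad length for {name}")
            values[name] = data[pos:pos + length]
            pos += length
    if pos != len(data):
        raise ValueError("trailing bytes")
    return values


def mutate_grammar_aware(values, rng):
    """Change one field while keeping the message well-formed under GRAMMAR."""
    new = dict(values)
    name, kind, spec = rng.choice(GRAMMAR)
    if kind == "u8":
        new[name] = rng.choice(spec)                 # another legal code
    else:
        length = rng.randint(0, spec)                # legal length, fresh content
        new[name] = bytes(rng.randrange(256) for _ in range(length))
    return new


def mutate_bytes(data, rng):
    """Grammar-blind mutation: flip one random bit of the encoded message."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)


def compare(iterations=200, seed=7):
    """Count how many mutants of each strategy still pass the strict decoder."""
    rng = random.Random(seed)
    base = seed_message()
    aware_ok = naive_ok = 0
    for _ in range(iterations):
        try:
            parse(encode(mutate_grammar_aware(base, rng)))
            aware_ok += 1
        except ValueError:
            pass
        try:
            parse(mutate_bytes(encode(base), rng))
            naive_ok += 1
        except ValueError:
            pass
    return aware_ok, naive_ok


if __name__ == "__main__":
    aware, naive = compare()
    print(f"grammar-aware mutants accepted: {aware}/200, bit-flip mutants accepted: {naive}/200")
```

Every grammar-aware mutant is accepted by the decoder because the mutator only chooses legal codes and lengths, so each one reaches the message-handling logic behind the parser; a bit flip that lands on a code byte or a length byte is rejected before any of that logic runs. That is the difference the abstract's grammar-aware mutation is meant to exploit, and the same parser-first structure is why a defender measuring fuzzing progress should count coverage past the decoder rather than inputs sent.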
In our fuzzing experiments, we discovered 7 issues leading to 4 vulnerabilities exploitable by OTA messages.