BaseSAFE: Baseband SAnitized Fuzzing Through Emulation (opens in new tab)

(arxiv.org)

41 pointsdomenukk5y ago6 comments

6 comments

Oh wow! I played around with getting a sim900 firmware running against qemu and open source tower implementations for finding exploits.

But this goes way farther than I had even planned! Connecting it to fuzzing infrastructure is super duper neat. I was just using it as a reproducible target to manually get it into weird states.

ifoundthetao5y ago

Would you be willing to talk about how you went about doing this? I do a good amount of fuzzing and would like to expand into fuzzing infra as well.

DyslexicAtheist5y ago

this is focused on LTE. for telecommunications the most useful approach I have found to date was to fuzz using ASN.1[1][2]. Everything in telecoms is ASN.1 and vendors usually write their own parser generators.

[1] this is focused on X.509/TLS but the approach is the same https://blog.doyensec.com/2020/05/14/asn1fuzz.html

domenukkOP5y ago

Yes, LTE makes heavy use of ASN.1, too - the parsers are an interesting target indeed (and some of the fuzzed ones referred to in the paper are such parsers). Although these days, ASN.1 usually get auto-generated so the attack vector is not as large anymore. More interesting can be the places where parsed structs then get processed afterward.

dapids5y ago

Another big part of that stack is CSN.1. A long long lost spec.

billme5y ago

For those unfamiliar with the two most important terms covered in this paper, they are fuzzing [1] & baseband processor [2]:

[1] https://en.wikipedia.org/wiki/Fuzzing

[2] https://en.wikipedia.org/wiki/Baseband_processor

j / k navigate · click thread line to collapse