Figure 5 - uploaded by Dominik Maier
Wireshark trace of one of the fuzzer-generated signaling messages triggering unique code flow in MTK
Source publication
Rogue base stations are an effective attack vector. Cellular basebands represent a critical part of the smartphone's security: they parse large amounts of data even before authentication. They can, therefore, grant an attacker a very stealthy way to gather information about calls placed and even to escalate to the main operating system, over-the-ai...
Contexts in source publication
Context 1
... as part of BaseSAFE and can be reused to test the same message on other baseband firmware in the future. This number can still go up with longer fuzzing times. As these signaling messages were effectively outgeneraled by the parser, all of the messages are relevant for parsing, even if some behavior may not be specification-compliant, cf. Fig. ...
Context 2
... After the minimization process, we are left with a minimal set of inputs that still cover all possible branches of the original baseband parser. In contrast to official test-cases, they may not be valid packages, but they will still trigger new conditions in the parser. See, for example, the dissected packet containing a signaling message in Fig. 5. To arrive at this dissection, and verify our method, we wrap the minimized test cases in a valid PCAP. For this, BaseSAFE ships with a custom tool to wrap the test cases into a PCAP file. The tool writes PCAP headers and then wraps the bytes of each minimized test case into a GSMTAP packet. The wrapped GSMTAP packets are decodable as a ...
Context 3
... in a valid PCAP. For this, BaseSAFE ships with a custom tool to wrap the test cases into a PCAP file. The tool writes PCAP headers and then wraps the bytes of each minimized test case into a GSMTAP packet. The wrapped GSMTAP packets are decodable as a signaling message in Wireshark. One of the generated test cases decoded in Wireshark is presented in Fig. ...
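The wrapping step described above (write PCAP headers, then encapsulate each minimized test case in a GSMTAP packet so Wireshark decodes it), as an added Python example; this is not BaseSAFE's own tool. It assumes GSMTAP v2 carried over UDP port 4729 inside a raw-IPv4 pcap, GSMTAP type/sub-type values as defined in libosmocore's gsmtap.h, and constructed sample bytes in place of a real fuzzer corpus.

```python
import struct

LINKTYPE_RAW = 101        # pcap link type: raw IPv4 packet, no link-layer header
GSMTAP_UDP_PORT = 4729    # UDP port on which Wireshark dissects GSMTAP by default
GSMTAP_VERSION = 2
GSMTAP_HDR_WORDS = 4      # GSMTAP v2 header length in 32-bit words (16 bytes)
LOOPBACK = bytes([127, 0, 0, 1])

# Constructed sample "minimized test cases" standing in for the fuzzer corpus;
# they are arbitrary bytes, not real baseband messages.
SAMPLE_TEST_CASES = [b"\x00\x01\x02", b"\x7f\xff\x10\x20\x30\x40", b"\x41"]

def gsmtap_header(gsmtap_type, sub_type, frame_number=0):
    # version, hdr_len, type, timeslot, arfcn, signal_dbm, snr_db,
    # frame_number, sub_type, antenna_nr, sub_slot, reserved
    return struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, GSMTAP_HDR_WORDS,
                       gsmtap_type, 0, 0, 0, 0, frame_number, sub_type, 0, 0, 0)

def ipv4_checksum(header):
    # Ones'-complement sum of the 20-byte header; yields 0 for an already-checksummed header
    total = sum(struct.unpack("!10H", header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def udp_ip_packet(payload):
    # UDP checksum 0 means "not computed", which IPv4 permits
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", GSMTAP_UDP_PORT, GSMTAP_UDP_PORT, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     LOOPBACK, LOOPBACK)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp

def build_pcap(test_cases, gsmtap_type, sub_type):
    # pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, case in enumerate(test_cases):
        pkt = udp_ip_packet(gsmtap_header(gsmtap_type, sub_type, i) + case)
        # record header: ts_sec (test-case index as pseudo timestamp), ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    # 0x0d / 0 = GSMTAP_TYPE_LTE_RRC with the DL_CCCH sub-type in libosmocore's gsmtap.h;
    # assumed here, adjust to the message type the fuzzed parser actually handles
    with open("minimized_cases.pcap", "wb") as f:
        f.write(build_pcap(SAMPLE_TEST_CASES, 0x0d, 0))
```

Opening the resulting file in Wireshark shows each record as UDP/4729 with the GSMTAP dissector applied, so malformed test cases appear with the dissector's "malformed" markers rather than being silently dropped.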