Hacker News new | ask | show | jobs
BaseSAFE: Baseband SAnitized Fuzzing Through Emulation (arxiv.org)
41 points by domenukk 2217 days ago
3 comments
monocasa 2217 days ago
Oh wow! I played around with getting a sim900 firmware running against qemu and open source tower implementations for finding exploits.

But this goes way farther than I had even planned! Connecting it to fuzzing infrastructure is super duper neat. I was just using it as a reproducible target to manually get it into weird states.

link
ifoundthetao 2216 days ago
Would you be willing to talk about how you went about doing this? I do a good amount of fuzzing and would like to expand into fuzzing infra as well.
link
DyslexicAtheist 2217 days ago
this is focused on LTE. for telecommunications the most useful approach I have found to date was to fuzz using ASN.1[1][2]. Everything in telecoms is ASN.1 and vendors usually write their own parser generators.

[1] this is focused on X.509/TLS but the approach is the same https://blog.doyensec.com/2020/05/14/asn1fuzz.html

link
domenukk 2217 days ago
Yes, LTE makes heavy use of ASN.1, too - the parsers are an interesting target indeed (and some of the fuzzed ones referred to in the paper are such parsers). Although these days, ASN.1 usually get auto-generated so the attack vector is not as large anymore. More interesting can be the places where parsed structs then get processed afterward.
link
dapids 2217 days ago
Another big part of that stack is CSN.1. A long long lost spec.
link
billme 2217 days ago
For those unfamiliar with the two most important terms covered in this paper, they are fuzzing [1] & baseband processor [2]:

[1] https://en.wikipedia.org/wiki/Fuzzing

[2] https://en.wikipedia.org/wiki/Baseband_processor

link