by DyslexicAtheist 2217 days ago
This is focused on LTE. For telecommunications, the most useful approach I have found to date was to fuzz using ASN.1 [1][2]. Everything in telecoms is ASN.1, and vendors usually write their own parser generators.

[1] This is focused on X.509/TLS, but the approach is the same: https://blog.doyensec.com/2020/05/14/asn1fuzz.html

2 comments

Yes, LTE makes heavy use of ASN.1, too; the parsers are an interesting target indeed (and some of the fuzzed ones referred to in the paper are such parsers). Although these days ASN.1 parsers usually get auto-generated, so the attack vector is not as large anymore. More interesting can be the places where the parsed structs then get processed afterwards.
Another big part of that stack is CSN.1, a long, long lost spec.
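To make the "fuzz using ASN.1" approach from the first comment concrete, here is an added example that is neither from the linked doyensec post nor from the paper under discussion: a strict DER TLV decoder written the way a hand-rolled telecom parser should be (definite, minimal lengths only, nesting cap, every byte accounted for), plus a small structure-aware mutator that takes a valid DER blob and produces the length-field corruptions a fuzzer typically finds first. The harness decodes each mutant and records whether it was cleanly rejected, silently accepted (a parser bug), or blew up with something other than the parser's own error (what a real fuzzing campaign is looking for). The sample message, the mutant names and the function names are all constructed for this example; the length-field limits are design choices, not anything from a standard.

```python
"""Strict DER TLV decoder plus a length-field mutator (added example, not code
from the original thread or the linked post)."""
from typing import Dict, List, Tuple

# A decoded node: (tag, primitive contents, children for constructed tags).
Node = Tuple[int, bytes, list]


def decode_der(data: bytes, depth: int = 0, max_depth: int = 32) -> List[Node]:
    """Decode a run of DER TLVs. Raises ValueError on anything non-strict:
    indefinite or non-minimal lengths, lengths past the buffer, deep nesting.
    High-tag-number form is deliberately unsupported to keep the toy small."""
    if depth > max_depth:
        raise ValueError("nesting too deep")
    nodes: List[Node] = []
    i, n = 0, len(data)
    while i < n:
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("high-tag-number form not supported")
        if i >= n:
            raise ValueError("truncated length")
        first = data[i]
        i += 1
        if first == 0x80:
            raise ValueError("indefinite length not allowed in DER")
        if first & 0x80:
            nbytes = first & 0x7F
            if nbytes > 4:  # cap before touching attacker-controlled size bytes
                raise ValueError("length field too long")
            if i + nbytes > n:
                raise ValueError("truncated length")
            length = int.from_bytes(data[i:i + nbytes], "big")
            # DER requires the shortest encoding: no leading zero byte,
            # and long form only for lengths >= 0x80.
            if length < 0x80 or data[i] == 0:
                raise ValueError("non-minimal length encoding")
            i += nbytes
        else:
            length = first
        if i + length > n:
            raise ValueError("length exceeds buffer")
        body = data[i:i + length]
        i += length
        if tag & 0x20:  # constructed: recurse into the contents
            nodes.append((tag, b"", decode_der(body, depth + 1, max_depth)))
        else:
            nodes.append((tag, body, []))
    return nodes


def encode_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the valid sample input."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def length_mutants(valid: bytes) -> Dict[str, bytes]:
    """Constructed malformed variants of a valid short-form DER blob.
    Assumes a one-byte length at offset 1, which holds for SAMPLE below."""
    tag, body = valid[0:1], valid[2:]
    return {
        "truncated": valid[:-1],
        "length_too_big": tag + bytes([0x7F]) + body,
        "indefinite": tag + b"\x80" + body + b"\x00\x00",
        "non_minimal": tag + b"\x81" + bytes([len(body)]) + body,
        "huge_long_form": tag + b"\x84\xff\xff\xff\xff" + body,
        "oversized_len_field": tag + b"\x89" + b"\x01" * 9 + body,
    }


def run_harness(valid: bytes) -> Dict[str, str]:
    """Decode the valid input and every mutant; return {name: outcome}."""
    results = {"valid": "ok" if decode_der(valid) else "empty"}
    for name, blob in length_mutants(valid).items():
        try:
            decode_der(blob)
            results[name] = "accepted"  # a strict DER parser must not do this
        except ValueError as e:
            results[name] = "rejected: " + str(e)
        except Exception as e:  # anything else is the crash a fuzzer hunts for
            results[name] = "CRASH: " + type(e).__name__
    return results


# Constructed sample: SEQUENCE { INTEGER 5, UTF8String "hi" }
SAMPLE = encode_tlv(0x30, encode_tlv(0x02, b"\x05") + encode_tlv(0x0C, b"hi"))

if __name__ == "__main__":
    for name, outcome in run_harness(SAMPLE).items():
        print(f"{name:20s} {outcome}")
```

The second comment's point (the parser itself may be generated, the code that consumes the decoded structs is not) is where the harness would be extended in practice: hand `decode_der`'s output to the post-processing logic under test rather than stopping at "rejected" or "accepted", since a structurally valid INTEGER with an unexpected width or a SEQUENCE with a missing optional element is exactly what a generated decoder passes through untouched.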