
Overcoming State: Finding Baseband Vulnerabilities by Fuzzing Layer-2.pdf

Uploaded by: 竿***  ID: 981607  2025-11-29  39 pages  5.86MB

#BHUSA BlackHatEvents

Overcoming State: Finding Baseband Vulnerabilities by Fuzzing Layer-2
Speakers: Dyon Goos & Marius Muench

Slide 2 - This talk
[Figure: two protocol stacks side by side, each showing Layer-3 / Layer-2 / Layer-1]

Slide 3 - Basebands

Slide 4 - Basebands
- Modern phones are a collection of processors
- Including: Application Processor (AP) & Cellular Processor (CP)
- CP also referred to as "Baseband"
- Implements most layers of cellular communication stack
- Lucrative attack surface
- Myriad of parsers, legacy code, obscure features
[Figure: AP and CP inside a phone]

Slide 5 - The code running on basebands
Custom Real-Time Operating Systems (RTOS), providing:
- Core OS functionality:
  - Scheduler, timers, interrupts
  - Messaging
- Cellular stack implementation:
  - Stack is split into "tasks"
  - Tasks communicate via message queues

Slide 6 - Baseband Security Research
Plenty of attention in recent years, e.g.:
[Figure: prior work logos]

Slide 7 - What about Layer-2?
When we started, most research/findings focus on cellular L3 (or higher)
Let's have a look at layer-2 ourselves!
Let's start with the lowest hanging fruits:
- GSM Layer-2
- Fuzzing

Slide 8 - GSM Protocol Stack
[Figure: Layer-3: CM (CC, SMS, SS), MM, RR; Layer-2: LAPDm; Layer-1: Phy]
RR: Radio Resource
MM: Mobility Management
CM: Connection Management
CC: Call Control
SMS: Short Messaging Service
SS: Supplementary Services
Phy: Physical
LAPDm: Link Access Protocol on the Dm Channel (LAPDm)

Slide 9 - GSM Layer 2 - Link Access Protocol on the Dm Channel (LAPDm)
[Figure: LAPDm#1 ... LAPDm#N frames are concatenated into one L3 RR Frame and handed to the RR Task, which dispatches to the MM Task, CC Task, SS Task and SMS Task; dispatch labels on the arrows: PD != 0x6, PD = 0xB, PD = 0x3, PD = 0x9]
    struct LAPDM_frame {
        uint8_t addr;
        uint8_t ctrl;
        uint8_t len;
        uint8_t information[N];
    } PACKED;
- Frame Concatenation
- PD: information[0] & 0xF

Slide 10 - Our approach to fuz
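As an added example (written for this page, not code from the talk or its authors): a C reassembler for the slide's LAPDM_frame layout that performs the frame concatenation the slide mentions and then reads the protocol discriminator with information[0] & 0xF, rejecting any frame whose claimed length exceeds what was actually received. The L/M/EL layout of the length octet, N201 = 20 and the 251-octet L3 maximum are taken from 3GPP TS 44.006 and TS 24.007 rather than from the slides, and the frame bytes are constructed.

```c
/* Added example, not from the talk: bounds-checked LAPDm frame concatenation.
 * addr/ctrl/len/information follow the slide's LAPDM_frame; the length octet's
 * L (bits 7..2) / M (bit 1) / EL (bit 0) layout and N201 = 20 are from 3GPP
 * TS 44.006, the 251-octet L3 maximum from TS 24.007. Frames are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define LAPDM_N201 20u   /* max information octets per frame on a DCCH */
#define L3_MAX     251u  /* max reassembled L3 message size */
typedef struct { uint8_t buf[L3_MAX]; size_t len; int active; } l3_reasm_t;
static int reject(l3_reasm_t *r) { r->active = 0; r->len = 0; return -1; }

/* Feed one frame (addr, ctrl, len, information...). Returns 1 when a complete
 * L3 message is in r->buf, 0 if more segments are expected, -1 on a malformed
 * frame (state is reset so a bad segment cannot poison the next message). */
int lapdm_feed(l3_reasm_t *r, const uint8_t *frame, size_t n)
{
    if (!r->active) r->len = 0;          /* start collecting a new L3 message */
    if (n < 3) return reject(r);
    size_t l  = frame[2] >> 2;           /* L: information field length */
    int    m  = (frame[2] >> 1) & 1;     /* M: more segments follow */
    int    el = frame[2] & 1;            /* EL: single length octet */
    /* Claimed length must fit N201, the bytes received and the spare capacity. */
    if (!el || l > LAPDM_N201 || l > n - 3 || l > L3_MAX - r->len) return reject(r);
    memcpy(r->buf + r->len, frame + 3, l);
    r->len += l;
    r->active = m;
    return m ? 0 : 1;
}

/* Protocol discriminator: low nibble of L3 octet 0 (information[0] & 0xF). */
int l3_pd(const l3_reasm_t *r) { return r->len ? (r->buf[0] & 0x0F) : -1; }

/* Constructed sample: an SMS-type L3 message (PD 0x9) split over two frames. */
int demo_two_segment_pd(void)
{
    static const uint8_t f1[] = {0x03, 0x00, 0x0B, 0x09, 0x01}; /* L=2 M=1 EL=1 */
    static const uint8_t f2[] = {0x03, 0x00, 0x05, 0x02};       /* L=1 M=0 EL=1 */
    l3_reasm_t r = {{0}, 0, 0};
    if (lapdm_feed(&r, f1, sizeof f1) != 0 || lapdm_feed(&r, f2, sizeof f2) != 1) return -1;
    return r.len == 3 ? l3_pd(&r) : -1;  /* returns 9 */
}

/* Constructed sample: length octet 0x55 claims 21 octets (> N201), 2 present. */
int demo_oversize_rejected(void)
{
    static const uint8_t bad[] = {0x03, 0x00, 0x55, 0x09, 0x01};
    l3_reasm_t r = {{0}, 0, 0};
    return lapdm_feed(&r, bad, sizeof bad);  /* returns -1 */
}
```

Per 3GPP TS 24.007 the PD values on the slide are RR = 0x6, CC = 0x3, SMS = 0x9 and SS = 0xB, so the reassembled sample message would be routed to the SMS task. A length check like the one above is the first thing to look for when reviewing a baseband's LAPDm receive path, since the slide's fixed-size information[N] buffer is filled from an attacker-controlled len octet.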

Based on the report's content, the full text is summarized as follows:
1. **Research background**: In recent years, baseband security research has focused mainly on L3 (or higher layers), with little attention paid to Layer 2.
2. **Research method**: Fuzzing GSM Layer-2, in particular the LAPDm protocol, to look for potential vulnerabilities.
3. **Challenges**:
   - Initializing the fuzzing task and its state is complex.
   - The set of supported devices is limited, so the newest devices are hard to test.
4. **Results**: Multiple vulnerabilities were found, including CVE-2023-50807 and CVE-2024-28068.
5. **Future work**: Improve fuzzing automation, support more devices and protocols, and study baseband security in more depth.