
Property Guided Secure Configuration Space Search

  • Conference paper
  • Information Security (ISC 2024)

Abstract

Complex reactive systems such as 5G cellular networks must have flexible configuration options to fit different deployment scenarios. However, not every possible configuration combination is risk-free. Some of them may lead to availability issues or even security vulnerabilities. Asking the system engineers to check each configuration via model checking for every deployment or re-configuration is impractical if not impossible.

In this paper, we propose the concept of secure configuration space and develop a symbolic model checking algorithm, INCISE, to compute a large configuration space for a given reactive system. Such a space will be characterized by a logical condition (e.g., a Boolean formula). A system engineer can check any candidate configuration against the condition with a single SAT query to know whether it is secure. The target properties could be general safety and liveness properties. The algorithm enjoys the same benefits including efficiency and expressiveness as modern symbolic model checkers. We demonstrate the algorithm’s performance on industrial benchmarks and leverage it to address security issues in cellular network protocols.
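The following is an added illustration of the concept described above; it is not the paper's INCISE algorithm (which is symbolic and IC3-based) but a constructed toy reactive system whose secure configuration space is computed by explicit enumeration, characterised as a CNF formula over the configuration variables, and then queried exactly as the abstract describes: one SAT query per candidate configuration. All names (fast_path, fallback, guard, step, secure_space_cnf) are constructed for this example.

```python
from itertools import product
# Constructed toy reactive system (not the paper's model): three configuration bits
# fixed at deployment, state 0 (idle), 1 (pending) or 2 (bad). Property P: never bad.
CONF_VARS = ("fast_path", "fallback", "guard")
INIT_STATE, BAD_STATE = 0, 2

def step(conf, state, inp):  # transition relation Tr for one Boolean input
    if state == 0:                                            # idle
        return 0 if (not inp or conf["fast_path"]) else 1     # fast path skips pending
    if state == 1:                                            # pending
        if not inp and conf["fallback"] and not conf["guard"]:
            return BAD_STATE                                  # unguarded fallback
        return 0                                              # session completes
    return BAD_STATE                                          # bad state is absorbing

def reachable(conf):  # explicit-state reachability from INIT_STATE, fixed configuration
    seen, work = {INIT_STATE}, [INIT_STATE]
    while work:
        s = work.pop()
        for t in (step(conf, s, False), step(conf, s, True)):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def secure_space_cnf():
    """CNF over CONF_VARS, one blocking clause per insecure configuration; a literal (var, value) means var == value."""
    clauses = []
    for bits in product((0, 1), repeat=len(CONF_VARS)):
        conf = dict(zip(CONF_VARS, bits))
        if BAD_STATE in reachable(conf):
            clauses.append(frozenset((v, 1 - val) for v, val in conf.items()))
    return clauses

def satisfiable(clauses, assignment):
    """Tiny DPLL: can `assignment` (possibly partial) be extended to satisfy all clauses?"""
    open_clauses = []
    for clause in clauses:
        if any(assignment.get(v) == val for v, val in clause):
            continue                                          # already satisfied
        rest = frozenset(lit for lit in clause if lit[0] not in assignment)
        if not rest:
            return False                                      # falsified
        open_clauses.append(rest)
    if not open_clauses:
        return True
    var = next(iter(open_clauses[0]))[0]                      # branch on an open variable
    return any(satisfiable(open_clauses, {**assignment, var: val}) for val in (0, 1))
def is_secure(candidate):  # the engineer's check: one SAT query, candidate fully assigned
    return satisfiable(secure_space_cnf(), candidate)
```

A partial assignment such as {"fallback": 1, "guard": 0} can also be passed to satisfiable() to ask whether any remaining setting keeps the deployment inside the secure space.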

Y. Li and K. Hou—Contributed equally.


Notes

  1. We have released the raw experimental results on GitHub: https://github.com/FormalCellular/SecureCofigurationSpace


Acknowledgements

This work was partially supported by the National Science Foundation (NSF) under grants 2113704, 2148177, and 2229454. Any opinions, recommendations, or findings are those of the authors and do not reflect the views of Alibaba Cloud.


Corresponding author

Correspondence to You Li.


Appendices

Table of Notation

A Symbol Table

Notation | Description
\(\overline{x}\) | state variables
\(\overline{x}'\) | next-state variables
s | a state; an assignment to \(\overline{x}\)
\(s'\) | the next-state version of s
literal | a variable or its negation
cube | a conjunction of literals
clause, c | a disjunction of literals
E | a formula
E-state | a state s that satisfies E: \(s \models E\)
E-set | the set of all E-states
\(\mathbb{M}\) | a finite state transition system \(\mathbb{M} : (\overline{i}, \overline{x}, I, Tr)\)
\(\overline{i}\) | primary input variables
I | initial condition
\(Tr\) | transition relation
trace | a sequence of states such that \(s_0 \models I\) and, for every i, \(s_i, s'_{i+1} \models Tr\)
P | a property
\(F_i\) | a frame in the IC3 algorithm; a conjunction of clauses
\(F_i\)-clauses | all clauses in \(F_i\)
IV | inductive invariant
\(s^*\) / \(c^*\) | a state violating the consecution condition / \(c^* = \lnot s^*\)
\(c_{min}\) | a minimal inductive subclause of a clause c
q | the liveness event; a formula that should eventually be always satisfied
\(\overline{x}_{conf}\) / \(\overline{x}_s\) | the state variables that encode configurations / the other state variables, so that \(\overline{x} = \overline{x}_{conf} + \overline{x}_{s}\)
\(s_{conf}\) | an assignment to \(\overline{x}_{conf}\)


Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Li, Y., Hou, K., He, Y., Chen, Y., Zhou, H. (2025). Property Guided Secure Configuration Space Search. In: Mouha, N., Nikiforakis, N. (eds) Information Security. ISC 2024. Lecture Notes in Computer Science, vol 15258. Springer, Cham. https://doi.org/10.1007/978-3-031-75764-8_8


  • DOI: https://doi.org/10.1007/978-3-031-75764-8_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-75763-1

  • Online ISBN: 978-3-031-75764-8

  • eBook Packages: Computer Science (R0)
