Abstract
Complex reactive systems such as 5G cellular networks must have flexible configuration options to fit different deployment scenarios. However, not every possible configuration combination is risk-free. Some of them may lead to availability issues or even security vulnerabilities. Asking the system engineers to check each configuration via model checking for every deployment or re-configuration is impractical if not impossible.
In this paper, we propose the concept of secure configuration space and develop a symbolic model checking algorithm, INCISE, to compute a large configuration space for a given reactive system. Such a space will be characterized by a logical condition (e.g., a Boolean formula). A system engineer can check any candidate configuration against the condition with a single SAT query to know whether it is secure. The target properties could be general safety and liveness properties. The algorithm enjoys the same benefits including efficiency and expressiveness as modern symbolic model checkers. We demonstrate the algorithm’s performance on industrial benchmarks and leverage it to address security issues in cellular network protocols.
Y. Li and K. Hou—Contributed equally.
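To make the idea of a secure configuration space concrete, the following added example (not the paper's code and not INCISE) builds a constructed toy reactive system whose configuration variables \(\overline{x}_{conf}\) are fixed per run, enumerates the configurations under which a safety violation is reachable, and emits the secure space as a CNF condition over \(\overline{x}_{conf}\) that an engineer checks with one evaluation. The variable names, transitions and the literal-dropping shortening of each clause are assumptions of this example; the paper computes the space symbolically instead of by enumeration.

```python
from itertools import product

# Toy reactive system, constructed for this example (not the paper's model or INCISE).
# x_conf is fixed for a whole run; x_s evolves under the transition relation Tr.
CONF = ("null_cipher", "attach_wo_auth", "emergency_fallback")   # x_conf (assumed names)
STATE = ("auth", "ciph", "attached")                               # x_s
INIT = (0, 0, 0)                                                   # initial condition I

def successors(conf, st):
    """Tr: every next state reachable in one step from st under configuration conf."""
    c = dict(zip(CONF, conf)); auth, ciph, attached = st
    nxt = {(1, ciph, attached)}                                    # run authentication
    if auth: nxt.add((auth, 1, attached))                          # start ciphering
    if ciph: nxt.add((auth, ciph, 1))                              # attach over a ciphered link
    if c["null_cipher"] and auth: nxt.add((auth, ciph, 1))         # attach with NULL cipher
    if c["attach_wo_auth"] and c["emergency_fallback"]: nxt.add((auth, ciph, 1))
    return nxt

def bad(st):
    """Negation of the safety property P: attached while the link is not ciphered."""
    return st[2] == 1 and st[1] == 0

def reaches_bad(conf):
    """Explicit reachability for one fixed configuration (brute-force stand-in for IC3)."""
    seen, todo = {INIT}, [INIT]
    while todo:
        st = todo.pop()
        if bad(st): return True
        for n in successors(conf, st):
            if n not in seen: seen.add(n); todo.append(n)
    return False

def holds(clause, conf):
    """A clause (disjunction of literals over x_conf) is satisfied by assignment conf."""
    return any(conf[CONF.index(v)] == val for v, val in clause)

def secure_space():
    """Secure configuration space as a CNF over x_conf: the negation of every insecure
    configuration cube, shortened by dropping literals while no secure config is excluded."""
    confs = list(product((0, 1), repeat=len(CONF)))
    secure = [cf for cf in confs if not reaches_bad(cf)]
    cnf = set()
    for cf in confs:
        if cf in secure: continue
        clause = [(v, 1 - b) for v, b in zip(CONF, cf)]           # clause c = not(s_conf)
        for lit in list(clause):
            if all(holds([l for l in clause if l != lit], s) for s in secure):
                clause.remove(lit)
        cnf.add(frozenset(clause))
    return cnf

def is_secure(cnf, candidate):
    """The engineer's check: one evaluation (SAT query) of the condition on a full candidate."""
    return all(holds(cl, candidate) for cl in cnf)
```

On this toy the condition reduces to two clauses, `not null_cipher` and `not (attach_wo_auth and emergency_fallback)`, so any of the eight candidate configurations is classified without re-running reachability.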
Notes
1. We have released the raw experimental results on GitHub: https://github.com/FormalCellular/SecureCofigurationSpace
Acknowledgements
This work was partially supported by the National Science Foundation (NSF) under grants 2113704, 2148177, and 2229454. Any opinions, recommendations, or findings are those of the authors and do not reflect the views of Alibaba Cloud.
Appendices
Table of Notation
A Symbol Table
| Notation | Description |
|---|---|
| \(\overline{x}\) | state variables |
| \(\overline{x}'\) | next-state variables |
| s | a state; an assignment to \(\overline{x}\) |
| \(s'\) | the next-state version of s |
| literal | a variable or its negation |
| cube | a conjunction of literals |
| clause, c | a disjunction of literals |
| E | a formula |
| E-state | a state s that satisfies E: \(s\models E\) |
| E-set | the set of all E-states |
| \(\mathbb {M}\) | a finite-state transition system \(\mathbb {M} : (\overline{i},\overline{x},I, Tr )\) |
| \(\overline{i}\) | primary input variables |
| I | initial condition |
| \( Tr \) | transition relation |
| trace | a sequence of states such that \(s_0 \models I\) and every pair satisfies \(s_i, s'_{i+1} \models Tr \) |
| P | a property |
| \(F_i\) | a frame in the IC3 algorithm; a conjunction of clauses |
| \(F_i\)-clauses | all clauses in \(F_i\) |
| IV | inductive invariant |
| \(s^*\) / \(c^*\) | a state violating the consecution condition / \(c^*= \lnot s^*\) |
| \(c_{min}\) | a minimal inductive subclause of a clause c |
| q | the liveness event; a formula that should eventually be always satisfied |
| \(\overline{x}_{conf}\) / \(\overline{x}_s\) | the state variables that encode configurations / the remaining state variables, with \(\overline{x}=\overline{x}_{conf}+\overline{x}_{s}\) |
| \(s_{conf}\) | an assignment to \(\overline{x}_{conf}\) |
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Li, Y., Hou, K., He, Y., Chen, Y., Zhou, H. (2025). Property Guided Secure Configuration Space Search. In: Mouha, N., Nikiforakis, N. (eds) Information Security. ISC 2024. Lecture Notes in Computer Science, vol 15258. Springer, Cham. https://doi.org/10.1007/978-3-031-75764-8_8
DOI: https://doi.org/10.1007/978-3-031-75764-8_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-75763-1
Online ISBN: 978-3-031-75764-8