Saved in:
Bibliographic Details
Main Authors: Xie, Ke, Zhao, Xingyi, Chen, Min-Yue, Chen, Yu-An, Hu, Yiwen, Saifuzzaman, Munshi, Li, Wen, Yuan, Shuhan, Tu, Guan-Hua, Xie, Tian
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.24682
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911558451331072
author Xie, Ke
Zhao, Xingyi
Chen, Min-Yue
Chen, Yu-An
Hu, Yiwen
Saifuzzaman, Munshi
Li, Wen
Yuan, Shuhan
Tu, Guan-Hua
Xie, Tian
author_facet Xie, Ke
Zhao, Xingyi
Chen, Min-Yue
Chen, Yu-An
Hu, Yiwen
Saifuzzaman, Munshi
Li, Wen
Yuan, Shuhan
Tu, Guan-Hua
Xie, Tian
contents The complexity, interdependence, and rapid evolution of 3GPP specifications present fundamental challenges for ensuring the security of modern cellular networks. Manual reviews and existing automated approaches, which often depend on rule-based parsing or small sets of manually crafted security requirements, fail to capture deep semantic dependencies, cross-sentence/clause relationships, and evolving specification behaviors. In this work, we present CellSecInspector, an automated framework for security analysis of 3GPP specifications. CellSecInspector extracts structured state-condition-action (SCA) representations, models mobile network procedures with comprehensive function chains, systematically validates them against 9 foundational security properties under 4 adversarial scenarios, and automatically generates test cases. This end-to-end approach enables the automated discovery of vulnerabilities without relying on manually predefined security requirements or rules. Applying CellSecInspector to the well-studied 5G and 4G NAS and RRC specifications and selected sections of TS 23.501 and TS 24.229, it discovers 43 vulnerabilities, 7 of which are previously unreported. Our findings show that CellSecInspector is a scalable, adaptive, and effective solution to assess 3GPP specifications for safeguarding operational and next-generation cellular networks.
format Preprint
id arxiv_https___arxiv_org_abs_2512_24682
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle CellSecInspector: Safeguarding Cellular Networks via Automated Security Analysis on Specifications
Xie, Ke
Zhao, Xingyi
Chen, Min-Yue
Chen, Yu-An
Hu, Yiwen
Saifuzzaman, Munshi
Li, Wen
Yuan, Shuhan
Tu, Guan-Hua
Xie, Tian
Cryptography and Security
The complexity, interdependence, and rapid evolution of 3GPP specifications present fundamental challenges for ensuring the security of modern cellular networks. Manual reviews and existing automated approaches, which often depend on rule-based parsing or small sets of manually crafted security requirements, fail to capture deep semantic dependencies, cross-sentence/clause relationships, and evolving specification behaviors. In this work, we present CellSecInspector, an automated framework for security analysis of 3GPP specifications. CellSecInspector extracts structured state-condition-action (SCA) representations, models mobile network procedures with comprehensive function chains, systematically validates them against 9 foundational security properties under 4 adversarial scenarios, and automatically generates test cases. This end-to-end approach enables the automated discovery of vulnerabilities without relying on manually predefined security requirements or rules. Applying CellSecInspector to the well-studied 5G and 4G NAS and RRC specifications and selected sections of TS 23.501 and TS 24.229, it discovers 43 vulnerabilities, 7 of which are previously unreported. Our findings show that CellSecInspector is a scalable, adaptive, and effective solution to assess 3GPP specifications for safeguarding operational and next-generation cellular networks.
title CellSecInspector: Safeguarding Cellular Networks via Automated Security Analysis on Specifications
topic Cryptography and Security
url https://arxiv.org/abs/2512.24682