Comparative analysis of baseband software implementation and cellular specification for layer 3 protocols (Comparative analysis of mobile communication baseband software implementation and standards)

Cellular basebands play a critical role in mobile communication. However, because of the complexity and obscurity of the baseband software, it is significantly challenging to assess their security. Therefore, most previous approaches dynamically analyzed the security of smartphones while assuming the baseband software as a black box. As a result, such approaches may suffer from a lack of implementation details and cannot efficiently generate test cases, resulting in a potential miss of bugs. In this dissertation, we present a novel baseband analysis approach that compares baseband software implementation and cellular specifications. Our key intuition is that the baseband software may embed parts of cellular specifications in a form of machine-friendly data structures to process cellular protocols; hence, we can statically extract the data structures and compare them with the specification. Leveraging this approach, we analyze two essential parts of baseband software: message decoding and handling routines. Through a manual yet one-time analysis of the baseband software, we first pinpoint the routines from the software. Then, for the decoder routine, we extract the embedded message structures, used for parsing incoming messages, and compare them with the specification. In the case of the handling routine, we extract the message dispatch table and state variables, which are used for selecting proper handler functions for incoming messages, and compare them with the specification. Consequently, we discovered 15 erroneous cases from the baseband software, including three critical 0-days. We believe that our findings demonstrate the significance of software analysis for baseband security.
Description
Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2022
Identifier
325007
Language
eng
Description

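Doctoral dissertation (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security, 2022.2, [iv, 63 p.]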

Keywords

Cellular network; Baseband processor; Software analysis; Software security; Embedded system; Mobile communication; Baseband; Embedded device

URI
http://hdl.handle.net/10203/309284
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=1000315&flag=dissertation
Appears in Collection
IS-Theses_Ph.D. (Doctoral Theses)
Files in This Item
There are no files associated with this item.
