#BHUSA BlackHatEvents

Overcoming State: Finding Baseband Vulnerabilities by Fuzzing Layer-2
Speakers: Dyon Goos & Marius Muench

This talk
[Figure: protocol stack Layer-3 / Layer-2 / Layer-1, with Layer-2 as the focus of this talk]

Basebands
- Modern phones are a collection of processors
- Including: Application Processor (AP) & Cellular Processor (CP)
- CP also referred to as "Baseband"
- Implements most layers of cellular communication stack
- Lucrative attack surface
- Myriad of parsers, legacy code, obscure features
[Figure: phone with AP and CP]

The code running on basebands
Custom Real-Time Operating Systems (RTOS), providing:
- Core OS functionality:
  - Scheduler, timers, interrupts
  - Messaging
- Cellular stack implementation:
  - Stack is split into "tasks"
  - Tasks communicate via message queues

Baseband Security Research
Plenty of attention in recent years, e.g.:

What about Layer-2?
When we started, most research/findings focus on cellular L3 (or higher).
Let's have a look at layer-2 ourselves!
Let's start with the lowest hanging fruits:
- GSM Layer-2
- Fuzzing

GSM Protocol Stack
Layer-3: CM (CC, SMS, SS), MM, RR
Layer-2: LAPDm
Layer-1: Phy
- RR: Radio Resource
- MM: Mobility Management
- CM: Connection Management
- CC: Call Control
- SMS: Short Messaging Service
- SS: Supplementary Services
- LAPDm: Link Access Protocol on the Dm Channel
- Phy: Physical

GSM Layer 2 - Link Access Protocol on the Dm Channel (LAPDm)
[Figure: LAPDm #1 ... LAPDm #N; L3 RR Frame; RR Task, MM Task, CC Task, SS Task, SMS Task; routing conditions shown: PD != 0x6, PD = 0xB, PD = 0x3, PD = 0x9]

struct LAPDM_frame {
    uint8_t addr;
    uint8_t ctrl;
    uint8_t len;
    uint8_t information[N];
} PACKED;

- Frame Concatenation
- PD: information[0] & 0xF

Our approach to fuz
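An added example, not the speakers' code, of the dispatch step the slide sketches: walking concatenated LAPDm frames laid out like the struct above, checking each len against the remaining buffer before reading, and routing on PD = information[0] & 0xF. It assumes the slide's simplified header with len as a plain byte count; the task names and PD values are those on the slide, plus 0x5 for MM from GSM 04.07.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Frame layout as drawn on the slide: addr, ctrl, len, then len information
 * bytes. Assumption: len is a plain byte count (the real 3GPP length indicator
 * octet also carries M/EL bits, which this example ignores). */
#define LAPDM_HDR_LEN 3
/* L3 protocol discriminators shown on the slide; 0x5 (MM) added from GSM 04.07. */
enum { PD_CC = 0x3, PD_MM = 0x5, PD_RR = 0x6, PD_SMS = 0x9, PD_SS = 0xB };

const char *pd_to_task(uint8_t pd) {
    switch (pd) {
    case PD_RR:  return "RR";
    case PD_MM:  return "MM";
    case PD_CC:  return "CC";
    case PD_SMS: return "SMS";
    case PD_SS:  return "SS";
    default:     return "unknown";
    }
}

/* Read the frame at *off, store its PD, advance *off past it. Returns 1 on a
 * frame, 0 when the buffer is exhausted, -1 on a malformed frame: truncated
 * header, empty information field (no PD octet), or len past the buffer end. */
int lapdm_next_frame(const uint8_t *buf, size_t buf_len, size_t *off, uint8_t *pd) {
    if (*off >= buf_len) return 0;
    if (buf_len - *off < LAPDM_HDR_LEN) return -1;
    uint8_t len = buf[*off + 2];
    if (len == 0 || len > buf_len - *off - LAPDM_HDR_LEN) return -1;
    *pd = buf[*off + LAPDM_HDR_LEN] & 0x0F;   /* PD = information[0] & 0xF */
    *off += LAPDM_HDR_LEN + len;
    return 1;
}

/* Walk a buffer of concatenated frames, naming the task each one would reach.
 * Returns the frame count, or -1 as soon as a malformed frame is hit. */
int parse_lapdm_stream(const uint8_t *buf, size_t buf_len) {
    size_t off = 0; uint8_t pd; int rc, count = 0;
    while ((rc = lapdm_next_frame(buf, buf_len, &off, &pd)) == 1) {
        printf("frame %d: PD 0x%X -> %s task\n", count, (unsigned)pd, pd_to_task(pd));
        count++;
    }
    return rc < 0 ? -1 : count;
}

/* Constructed inputs: an RR frame (2 info bytes) then an SMS frame (1 info
 * byte); and a stream whose second frame claims 0x40 bytes but carries one. */
const uint8_t sample_good[] = { 0x01, 0x03, 0x02, 0x06, 0x21, 0x01, 0x03, 0x01, 0x09 };
const uint8_t sample_bad[]  = { 0x01, 0x03, 0x01, 0x06, 0x01, 0x03, 0x40, 0x09 };
```

Running parse_lapdm_stream over sample_good yields 2 dispatched frames (RR, SMS); over sample_bad it stops with -1 at the frame whose len overruns the buffer, the kind of boundary a parser without the check would read past.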