BaseMirror: Automatic Reverse Engineering of Baseband Commands from Android's Radio Interface Layer
- URL: http://arxiv.org/abs/2409.00475v1
- Date: Sat, 31 Aug 2024 15:14:56 GMT
- Title: BaseMirror: Automatic Reverse Engineering of Baseband Commands from Android's Radio Interface Layer
- Authors: Wenqiang Li, Haohuang Wen, Zhiqiang Lin
- Abstract summary: This paper introduces a novel approach to unveil security issues in basebands from a unique perspective.
We have designed and developed BaseMirror, a static binary analysis tool to automatically reverse engineer baseband commands from vendor-specific RIL binaries.
Our methodology has been applied to 28 vendor RIL libraries, encompassing a wide range of Samsung Exynos smartphone models on the market.
- Score: 34.9710368289623
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In modern mobile devices, baseband is an integral component running on top of cellular processors to handle crucial radio communications. However, recent research reveals significant vulnerabilities in these basebands, posing serious security risks like remote code execution. Yet, effectively scrutinizing basebands remains a daunting task, as they run closed-source and proprietary software on vendor-specific chipsets. Existing analysis methods are limited by their dependence on manual processes and heuristic approaches, reducing their scalability. This paper introduces a novel approach to unveil security issues in basebands from a unique perspective: to uncover vendor-specific baseband commands from the Radio Interface Layer (RIL), a hardware abstraction layer interfacing with basebands. To demonstrate this concept, we have designed and developed BaseMirror, a static binary analysis tool to automatically reverse engineer baseband commands from vendor-specific RIL binaries. It utilizes a bidirectional taint analysis algorithm to adeptly identify baseband commands from an enhanced control flow graph enriched with reconstructed virtual function calls. Our methodology has been applied to 28 vendor RIL libraries, encompassing a wide range of Samsung Exynos smartphone models on the market. Remarkably, BaseMirror has uncovered 873 unique baseband commands undisclosed to the public. Based on these results, we develop an automated attack discovery framework to successfully derive and validate 8 zero-day vulnerabilities that trigger denial of cellular service and arbitrary file access on a Samsung Galaxy A53 device. These findings have been reported and confirmed by Samsung and a bug bounty was awarded to us.
Related papers
- Building a Robust Risk-Based Access Control System to Combat Ransomware's Capability to Encrypt: A Machine Learning Approach [0.510691253204425]
  Ransomware's core capability, unauthorized encryption, demands controls that identify and block malicious cryptographic activity without disrupting legitimate use. We present a probabilistic, risk-based access control architecture that couples machine learning inference with mandatory access control to regulate encryption on Linux in real time.
  arXiv Detail & Related papers (2026-01-23T14:48:35Z)
- ALERT: Zero-shot LLM Jailbreak Detection via Internal Discrepancy Amplification [47.135407245022115]
  Existing detection methods mainly detect jailbreak status relying on jailbreak templates present in the training data. We propose a layer-wise, module-wise, and token-wise amplification framework that progressively magnifies internal feature discrepancies between benign and jailbreak prompts. Building upon these insights, we introduce ALERT, an efficient and effective zero-shot jailbreak detector.
  arXiv Detail & Related papers (2026-01-07T05:30:53Z)
- Cross-Service Token: Finding Attacks in 5G Core Networks [58.86003502940164]
  We present FivGeeFuzz, a grammar-based fuzzing framework designed to uncover security flaws in 5G core SBIs. Using FivGeeFuzz, we discovered 8 previously unknown vulnerabilities in free5GC, leading to runtime crashes, improper error handling, and unauthorized access to resources.
  arXiv Detail & Related papers (2025-09-10T20:40:33Z)
- Decompiling Smart Contracts with a Large Language Model [51.49197239479266]
  Despite Etherscan's 78,047,845 smart contracts deployed on (as of May 26, 2025), a mere 767,520 (<1%) are open source. This opacity necessitates the automated semantic analysis of on-chain smart contract bytecode. We introduce a pioneering decompilation pipeline that transforms bytecode into human-readable and semantically faithful Solidity code.
  arXiv Detail & Related papers (2025-06-24T13:42:59Z)
- Striking Back At Cobalt: Using Network Traffic Metadata To Detect Cobalt Strike Masquerading Command and Control Channels [0.22499166814992436]
  Off-the-shelf software for Command and Control is often used by attackers and legitimate pentesters. Cobalt Strike is one of the most famous solutions in this category, used by known advanced attacker groups such as "Mustang Panda" or "Nobelium".
  arXiv Detail & Related papers (2025-06-10T15:47:22Z)
- SOPBench: Evaluating Language Agents at Following Standard Operating Procedures and Constraints [59.645885492637845]
  SOPBench is an evaluation pipeline that transforms each service-specific SOP code program into a directed graph of executable functions. Our approach transforms each service-specific SOP code program into a directed graph of executable functions and requires agents to call these functions based on natural language SOP descriptions. We evaluate 18 leading models, and results show the task is challenging even for top-tier models.
  arXiv Detail & Related papers (2025-03-11T17:53:02Z)
- RF Challenge: The Data-Driven Radio Frequency Signal Separation Challenge [66.33067693672696]
  This paper addresses the critical problem of interference rejection in radio-frequency (RF) signals using a novel, data-driven approach. First, we present an insightful signal model that serves as a foundation for developing and analyzing interference rejection algorithms. Second, we introduce the RF Challenge, a publicly available dataset featuring diverse RF signals along with code templates. Third, we propose novel AI-based rejection algorithms, specifically architectures like UNet and WaveNet, and evaluate their performance across eight different signal mixture types.
  arXiv Detail & Related papers (2024-09-13T13:53:41Z)
- Swarm-Net: Firmware Attestation in IoT Swarms using Graph Neural Networks and Volatile Memory [10.970843729732703]
  The Internet of Things (IoT) is a network of billions of interconnected, primarily low-end embedded devices. Despite large-scale deployment, studies have highlighted critical security concerns in IoT networks. Malicious activity on one node in a swarm can propagate to larger network sections. We present Swarm-Net, a novel swarm attestation technique that exploits the inherent, interconnected, graph-like structure of IoT networks.
  arXiv Detail & Related papers (2024-08-11T03:19:29Z)
- Bridging the Gap Between End-to-End and Two-Step Text Spotting [88.14552991115207]
  Bridging Text Spotting is a novel approach that resolves the error accumulation and suboptimal performance issues in two-step methods. We demonstrate the effectiveness of the proposed method through extensive experiments.
  arXiv Detail & Related papers (2024-04-06T13:14:04Z)
- JailbreakBench: An Open Robustness Benchmark for Jailbreaking Large Language Models [123.66104233291065]
  Jailbreak attacks cause large language models (LLMs) to generate harmful, unethical, or otherwise objectionable content. Evaluating these attacks presents a number of challenges, which the current collection of benchmarks and evaluation techniques do not adequately address. JailbreakBench is an open-sourced benchmark with the following components.
  arXiv Detail & Related papers (2024-03-28T02:44:02Z)
- Fact Checking Beyond Training Set [64.88575826304024]
  We show that the retriever-reader suffers from performance deterioration when it is trained on labeled data from one domain and used in another domain. We propose an adversarial algorithm to make the retriever component robust against distribution shift. We then construct eight fact checking scenarios from these datasets, and compare our model to a set of strong baseline models.
  arXiv Detail & Related papers (2024-03-27T15:15:14Z)
- JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing [12.338137154105034]
  We investigate fuzzing for 7-Series and UltraScale(+) FPGA configuration engines. Our goal is to examine the effectiveness of fuzzing to analyze and document the inner workings of FPGA configuration engines.
  arXiv Detail & Related papers (2024-02-15T10:03:35Z)
- Seeing is Believing: A Federated Learning Based Prototype to Detect Wireless Injection Attacks [1.8142288667655782]
  Reactive injection attacks are a class of security threats in wireless networks. We implement secret-key based physical-layer signalling methods at the clients. We show that robust ML models can be designed at the base-stations.
  arXiv Detail & Related papers (2023-11-11T13:21:24Z)
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
  We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potential vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
  arXiv Detail & Related papers (2023-06-08T20:14:46Z)
- Task-Oriented Communications for NextG: End-to-End Deep Learning and AI Security Aspects [78.84264189471936]
  NextG communication systems are beginning to explore shifting this design paradigm to reliably executing a given task such as in task-oriented communications. Wireless signal classification is considered as the task for the NextG Radio Access Network (RAN), where edge devices collect wireless signals for spectrum awareness and communicate with the NextG base station (gNodeB) that needs to identify the signal label. Task-oriented communications is considered by jointly training the transmitter, receiver and classifier functionalities as an encoder-decoder pair for the edge device and the gNodeB.
  arXiv Detail & Related papers (2022-12-19T17:54:36Z)
- Towards an AI-Driven Universal Anti-Jamming Solution with Convolutional Interference Cancellation Network [4.450750414447688]
  Wireless links are increasingly used to deliver critical services, while intentional interference (jamming) remains a very serious threat to such services. We propose an approach that relies on advances in Machine Learning, and the promises of neural accelerators and software defined radios. We develop a two-antenna prototype system and evaluate our jamming cancellation approach in various environment settings and modulation schemes.
  arXiv Detail & Related papers (2022-03-18T03:30:57Z)
- The Dark (and Bright) Side of IoT: Attacks and Countermeasures for Identifying Smart Home Devices and Services [4.568911586155096]
  We build up a model describing the traffic patterns characterizing three popular IoT smart home devices. We prove that it is possible to detect and identify with overwhelming probability their presence and the services running by the aforementioned devices.
  arXiv Detail & Related papers (2020-09-16T13:28:59Z)
- End-to-End Object Detection with Transformers [88.06357745922716]
  We present a new method that views object detection as a direct set prediction problem. Our approach streamlines the detection pipeline, effectively removing the need for many hand-designed components. The main ingredients of the new framework, called DEtection TRansformer or DETR, are a set-based global loss.
  arXiv Detail & Related papers (2020-05-26T17:06:38Z)