5G Security Test Suite

Security Test Suites for 5G

4G-LTE

Core

IMS

SIGTRAN

M3UA

SS7

SCTP

CAMEL

ISUP

5G Security Test Suite

Security Test Suites for 5G

Overview

The Valid8 Security Test Suites are suitable for auditing security of 5G network nodes including UE, gNodeB, AMF, SMF, UPF, according to standards including NESAS SCAS, 3GPP.

What It Can Do For You

The solution is capable of simulating network elements either running standard or invalid / unexpected call-flows in order to wrap-around a device under test (DUT). It can simulate & test the following:

UE
gNodeB
AMF
SMF
UPF
SEPP
NRF

‍

By testing each node you can be confident your DUT can perform well under unusual or adverse conditions.

Why It’s Different

Scalable software-based architecture can run on a range of hardware from COTS and high-end customer provided hardware to Virtual Machines and the Cloud (e.g. Amazon AWS) for maximum versatility and performance
Web-based UI is easy to learn
HTTP API enable integration with automation test systems and other equipment
Stateful modeling provides accurate emulation of network elements

Features

Pre-made test scenarios and procedures
PASS / FAIL analysis, including plain English diagnostic reason
Valid / Invalid testing
Customizable source-code
User-configurable proprietary messages, IEs, headers
Animated test results action-replay
Easy to configure
Automatic execution of test batches
UDP, TCP, SCTP transport layer IPv4/IPv6 support
Suitable for Development and QA test lab environments, verifying protocol compliance, negative and robustness testing, Regression testing and Reproducing customer issues in the field

Subsystems

Valid8 Security Test Suites are comprised of multiple subsystems that can be activated as needed to test the DUT. Traffic can be captured through the use of a remote capture tool such as Wireshark.

KPIs

Test Verdict - Pass, Fail or Inconclusive
Detailed message field validation

Configurable Parameters

IP address and port
Network layer- IPv4 / IPv6
Transport layer- UDP / TCP / SCTP / TLS
Phone numbers
Authentication - username and password
Unexpected message handling - Stop / Continue

Automation API

User commands can be fully automated using an HTTP API. This includes all control functions as well as collection of results and metrics. It can be integrated into any CI system including Jenkins, CircleCI, Gitlab and others. Our Autom8 Python framework is included to ease integration.

Scripting

The application can be edited directly in the browser using VTDL using Composer, a powerful development environment that includes error checking and a graphical view easing the creation and modification of scenarios. Codec Studio can be used to quickly build message templates from raw PDUs, as captured by tcpdump for example, to use in the scenarios.

PRODUCT OPTIONS

M5 Mobile UE Tester

Base Station Emulator for 3G NodeB, 4G eNodeB, 5G gNodeB RAN and mobile core to test UE devices including CPE router, phone, modem & IoT devices

Mobile Core Network Emulator

The software-based Mobile Core Network emulator mimics 5g Core (5GC) SA and NSA, LTE 4G EPC, and UMTS 3G Core stand-alone to test the RAN.

Use Cases

No items found.

Summary of Specifications

Specifications

NESAS SCAS 3GPP TS 33.511 - gNodeB

4.2.2.1.1 Integrity protection of RRC-signalling
4.2.2.1.2 Integrity protection of user data between the UE and the gNB
4.2.2.1.4 RRC integrity check failure
4.2.2.1.5 UP integrity check failure
4.2.2.1.6 Ciphering of RRC-signalling
4.2.2.1.7 Ciphering of user data between the UE and the gNB
4.2.2.1.8 Replay protection of user data between the UE and the gNB
4.2.2.1.9 Replay protection of RRC-signalling
4.2.2.1.10 Ciphering of user data based on the security policy sent by the SMF
4.2.2.1.11 Integrity of user data based on the security policy sent by the SMF
4.2.2.1.12 AS algorithms selection
4.2.2.1.13 Key refresh at the gNB
4.2.2.1.14 Bidding down prevention in Xn-handovers
4.2.2.1.15 AS protection algorithm selection in gNB change
4.2.2.1.16 Control plane data confidentiality protection over N2/Xn interface

NESAS SCAS 3GPP TS 33.512 - AMF

TC_NAS_REPLAY_A
TC_VALIDTATION_SNSSAI_IN_PDU_REQUEST
TC_NSSAA_REVOCATION
TC_AMF_REEST_CP_CIOT
TC_5G_GUTI_ALLOCATION _AMF
TC_NAS_ALG_AMF_CHANGE _AMF
TC_BIDDING_DOWN_XN_AMF
TC_NAS_INT_SELECTION_USE_AMF
TC_NAS_NULL_INT_AMF
TC_AMF_REDIRCTION_5GS_EPS
TC_RES*_VERIFICATION_FAILURE
TC_SYNC_FAIL_SEAF_AMF

NESAS SCAS 3GPP TS 33.513 - UPF

TC_UP_DATA_CONF_UPF
TC_UP_DATA_INT_UPF
TC_UP_DATA_REPLAY_UPF
TC_UP_DATA_CONF_UPF_N9
TC_CP_DATA_CONF _UPF_N4
TC_TEID_ID_UNIQUENESS_UPF
TC_IPUPS_PACKET_HANDLING
TC_IPUPS_MALFORMED_MESSAGES

NESAS SCAS 3GPP TS 33.514 - UDM

TC_DE-CONCEAL_SUPI_from_SUCI_UDM
TC_SYNC_FAILURE_HANDLING
TC_AUTH_STATUS_STORE_UDM

NESAS SCAS 3GPP TS 33.515 - SMF

TC_UP_POLICY_PRECEDENCE_SMF
TC_UP_SECURITY_POLICY _SMF
TC_CHARGING_ID_UNIQUENESS_SMF

NESAS SCAS 3GPP TS 33.516 - AUSF

None

NESAS SCAS 3GPP TS 33.517 - SEPP

TC_CONNECTION_SPECIFIC_SCOPE_CRYPT_MATERIAL
TC_PLMN_ID_MISMATCH
TC_CONFIDENTIAL_IES_REPLACEMENT_HANDLING_IN_ORIG_N32-F
TC_SEPP_POLICY_MISMATCH
TC_JWS_PROFILE_RESTRICTION
TC_NO_ENCRYPTED_IE_MISPLACEMENT

NESAS SCAS 3GPP TS 33.518 - NRF

TC_DISC_AUTHORIZATION_SLICE_NRF

NESAS SCAS 3GPP TS 33.519 - NEF

TC_CP_AUTH_AF_NEF
TC_CP_AUTHOR_AF_NEF

NESAS SCAS 3GPP TS 33.117 - General Security Assurance Requirements

4.2.2.2.2 Protection at the transport layer
4.2.2.2.3.1 Authorization token verification failure handling wthin one PLMN
4.2.2.2.3.2 Authorization token verification failure handling in different PLMNs
4.2.2.2.4.1 Correct handling of client credentials assertion validation failure
4.2.3.2.1 Protecting data and information – general
4.2.3.2.2 Protecting data and information – Confidential System Internal Data
4.2.3.2.3 Protecting data and information in storage
4.2.3.2.4 Protecting data and information in transfer
4.2.3.2.5 Logging access to personal data
4.2.3.3.1 System handling during overload situations
4.2.3.3.2 Boot from intended memory devices only
4.2.3.3.3 System handling during excessive overload situations
4.2.3.3.4 System robustness against unexpected input.
4.2.3.3.5 Network Product software package integrity
4.2.3.4.1 Authentication policy
4.2.3.4.2.1 Account protection by at least one authentication attribute.
4.2.3.4.3 Password policy
4.2.3.4.4 Specific Authentication use cases
4.2.3.4.5 Policy regarding consecutive failed login attempts
4.2.3.4.6 Authorization and access control
4.2.3.5.1 Protecting sessions – logout function
4.2.3.5.2 Protecting sessions – Inactivity timeout
4.2.3.6.1 Security event logging
4.2.3.6.2 Log transfer to centralized storage
4.2.3.6.3 Protection of security event log files
4.2.4.1.1.1 Handling of growing content
4.2.4.1.1.2 Handling of ICMP
4.2.4.1.1.3 Handling of IP options and extensions
4.2.4.1.2.1 Authenticated Privilege Escalation only
4.2.4.2.2 System account identification
4.2.5.1 HTTPS
4.2.5.2.1 Webserver logging
4.2.5.3 HTTP User sessions
4.2.5.4 HTTP input validation
4.2.6.2.1 Packet filtering
4.2.6.2.2 Interface robustness requirements
4.2.6.2.3 GTP-C Filtering
4.2.6.2.4 GTP-U Filtering
4.3.2.1 No unnecessary or insecure services / protocols
4.3.2.2 Restricted reachability of services
4.3.2.3 No unused software
4.3.2.4 No unused functions
4.3.2.5 No unsupported components
4.3.2.6 Remote login restrictions for privileged users
4.3.2.7 Filesystem Authorization privileges
4.3.3.1.1 IP-Source address spoofing mitigation
4.3.3.1.2 Minimized kernel network functions
4.3.3.1.3 No automatic launch of removable media
4.3.3.1.4 SYN Flood Prevention
4.3.3.1.5 Protection from buffer overflows
4.3.3.1.6 External file system mount restrictions
4.3.4.2 No system privileges for web server
4.3.4.3 No unused HTTP methods
4.3.4.4 No unused add-ons
4.3.4.5 No compiler, interpreter, or shell via CGI or other server-side scripting
4.3.4.6 No CGI or other scripting for uploads
4.3.4.7 No execution of system commands with SSI
4.3.4.8 Access rights for web server configuration
4.3.4.9 No default content
4.3.4.10 No directory listings
4.3.4.11 Web server information in HTTP headers
4.3.4.12 Web server information in error pages
4.3.4.13 Minimized file type mappings
4.3.4.14 Restricted file access
4.3.5.1 Traffic Separation
4.3.6.2 No code execution or inclusion of external resources by JSON parsers
4.3.6.3 Unique key values in IEs
4.3.6.4 The valid format and range of values for IEs
4.4.2 Port Scanning
4.4.3 Vulnerability scanning
4.4.4 Robustness and fuzz testing

V8 - UE

TC_003_Network_Initiated_Detach
TC_004_Battery_Test
TC_005_Fuzzing_S1AP_Bad_PLMN_Bad_Network_Name
TC_006_Force_IPv6
TC_007_Fail_Auth_and_Security
TC_008_SMS_Fuzzing
TC_010_Brute_Force_Authentication_Attack
TC_011_Reuse_Authentication_Credentials
TC_012_Access Without_Authentication
TC_014_Date_Time_Error_From_Network
TC_018_GTP_U_Security_Attack
TC_019_Rogue_Base_Station
TC_020_Security_Downgrade

V8 - AMF

TC_UE_Attach_Registration flood
TC_UE_Detach_Deregister_with_invalid_UE_ID

Product Details

Operating System

‍Protocol Engine (Linux-based)

User Interface

‍Browser-based, touch-optimized graphical user interface

Automation

‍HTTP API

Note:

Actual throughput levels over radio may vary based on the 3rd party device manufacturer and software versions. Valid8 product specifications are subject to change at any time without notice.