CellSecInspector: Safeguarding Cellular Networks via Automated Security Analysis on Specifications

View PDF HTML (experimental)

Abstract:The complexity, interdependence, and rapid evolution of 3GPP specifications present fundamental challenges for ensuring the security of modern cellular networks. Manual reviews and existing automated approaches, which often depend on rule-based parsing or small sets of manually crafted security requirements, fail to capture deep semantic dependencies, cross-sentence/clause relationships, and evolving specification behaviors. In this work, we present CellSecInspector, an automated framework for security analysis of 3GPP specifications. CellSecInspector extracts structured state-condition-action (SCA) representations, models mobile network procedures with comprehensive function chains, systematically validates them against 9 foundational security properties under 4 adversarial scenarios, and automatically generates test cases. This end-to-end approach enables the automated discovery of vulnerabilities without relying on manually predefined security requirements or rules. Applying CellSecInspector to the well-studied 5G and 4G NAS and RRC specifications and selected sections of TS 23.501 and TS 24.229, it discovers 43 vulnerabilities, 7 of which are previously unreported. Our findings show that CellSecInspector is a scalable, adaptive, and effective solution to assess 3GPP specifications for safeguarding operational and next-generation cellular networks.

Subjects:

Cryptography and Security (cs.CR)

Cite as: arXiv:2512.24682 [cs.CR]

(or arXiv:2512.24682v3 [cs.CR] for this version)

https://doi.org/10.48550/arXiv.2512.24682

arXiv-issued DOI via DataCite

Submission history

From: Ke Xie [view email] [v1] Wed, 31 Dec 2025 07:22:28 UTC (925 KB) [v2] Tue, 17 Mar 2026 20:18:46 UTC (2,046 KB) [v3] Tue, 31 Mar 2026 19:40:45 UTC (653 KB)