From Control to Chaos: A Comprehensive Formal Analysis of 5G's Access Control

We develop CoreScan, a comprehensive formal analysis framework for analyzing the access control mechanism of 5G core networks. In doing so, we build the first comprehensive formal model for the access control mechanism of 5G core network that considers the indirect communication mode and 5G roaming. Given a global property, CoreScan employs the compositional verification technique that leverages the assume-guarantee style reasoning approach to decompose the system model into multiple disjoint components and applies the split assertion principle to identify local assumptions and guarantees. The model's global security property holds if and only if all local guarantees derived from the global property are verified in their respective components. CoreScan features a configurable adversary model, enabling the evaluation of access control properties under diverse adversary capabilities. We tested 61 access control properties with CoreScan and uncovered five new classes of exploitable privilege escalation vulnerabilities in the 5G standards. Additionally, we found that most previously known overprivilege vulnerabilities in direct communication also extend to indirect communication and roaming settings.