USENIX Security 2026
Invariant-Guided Logical Testing of Open RAN Controllers
Tianchang Yang, Ali Ranjbar, Gang Tan, Syed Rafiul Hussain
Abstract
Open RAN (O-RAN) represents a fundamental shift in mobile network architecture, advancing interoperability and flexibility through open interfaces and software-driven components. While enabling programmability and innovation, this shift also makes the logical correctness of O-RAN components essential for the secure and reliable operation of the network. However, validating O-RAN's semantic correctness remains challenging due to system complexity, implementation diversity, and the absence of explicit correctness oracles. We present InvaRAN, a systematic testing framework for detecting logical flaws in O-RAN implementations using dynamically inferred program invariants as proxies for expected behavior. To reduce false positives and focus on semantically meaningful behaviors, InvaRAN classifies invariants into critical and non-critical categories based on their impact on program logic. Beyond traditional template-based invariant inference approaches that infer only limited semantic relations, InvaRAN captures inter-variable correlations across execution traces to discover more expressive semantic linkage. We evaluate InvaRAN on both platform components and xApps of two production-grade O-RAN controllers. InvaRAN uncovers nine previously unknown issues, including seven logical and two memory vulnerabilities, demonstrating the effectiveness of invariant-guided testing in exposing subtle, specification-silent bugs in O-RAN systems.