
Stateful Stress and Stateless Speed: A Hybrid Fuzzing Architecture for O-RAN Microservices

SHAFAEI, ESHAGH
2025/2026

Abstract

The transition to 5G telecommunications has driven the rapid adoption of Open Radio Access Networks (O-RAN), introducing the Near-Real-Time RAN Intelligent Controller (Near-RT RIC) to enable software-defined network optimization. At the core of this architecture is the E2 Termination (E2T) service, a highly privileged C++ gateway responsible for decoding complex ASN.1-encoded protocol payloads from all connected base stations. Because E2T acts as a single point of failure, its memory safety and state-machine robustness are paramount. However, evaluating this component using state-of-the-art, end-to-end testing frameworks imposes a fundamental throughput bottleneck: relying on live Kubernetes orchestration and asynchronous network sockets limits coverage-guided fuzzers to shallow code paths and single-digit executions per second.

To address these limitations, this thesis introduces a targeted, high-speed fuzzing methodology based on surgical component isolation. We extract the core E2T protocol engine from its live environment and design a custom C++ testing harness that statically mocks heavy external dependencies, including Prometheus telemetry registries and RIC Message Router (RMR) buses. By integrating persistent-mode AFL++ directly with the ASN.1 decoder and applying AddressSanitizer (ASan) instrumentation, we transform network-bound protocol parsing into a direct in-memory mutation engine. This architecture achieves peak execution speeds exceeding 23,000 inputs per second, representing a 3,285× speedup over live-network baseline approaches.

Our rigorous evaluation against the commercially adopted O-RAN Software Community (O-RAN-SC) implementation exposes eight critical vulnerabilities, five of which are previously unreported zero-days. These findings include state-machine initialization flaws causing widespread null-pointer dereferences (including a novel bypass into the UnsuccessfulOutcome routing branch previously missed by live-network fuzzing frameworks), an unhandled C++ exception, severe stack and heap buffer overflows, and a remotely triggerable heap-use-after-free race condition exposed via concurrent connection flooding.
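The abstract describes the harness design in one sentence: mock the heavy dependencies, hand the fuzzer's buffer straight to the decoder, and run it in AFL++ persistent mode under ASan. The following is an added illustration of that shape, not the thesis's harness and not O-RAN-SC E2T code. The decoder is a small BER-style tag/length/value header parser constructed here as a stand-in for the real E2AP ASN.1 decoder (which is APER, not BER), and `MockMetrics`, `E2Context`, `decode_tlv`, `process_message` and `reset_state` are hypothetical names. The AFL++ macros (`__AFL_FUZZ_INIT`, `__AFL_FUZZ_TESTCASE_BUF`, `__AFL_FUZZ_TESTCASE_LEN`, `__AFL_LOOP`) are the real persistent-mode API and are only compiled in when the file is built with an AFL++ compiler wrapper, so the same file also runs stand-alone.

```cpp
// Added example of a persistent-mode AFL++ harness around a mocked protocol
// engine. NOT the thesis's code or O-RAN-SC E2T: the decoder is a constructed
// BER-style TLV stand-in for the real E2AP ASN.1 decoder, and all names are
// hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Mocked telemetry: the real service registers Prometheus metrics (HTTP
// server, threads). The harness replaces that with plain counters.
struct MockMetrics { uint64_t decoded = 0, rejected = 0; };
static MockMetrics g_metrics;

// Per-connection state a gateway would hold after the setup procedure.
struct E2Context { bool setup_done; uint32_t last_tx_id; };
static E2Context g_ctx;

// Persistent mode reuses one process for thousands of inputs, so state must
// be reinitialised per input; otherwise a crash depends on earlier inputs and
// the saved reproducer will not replay.
static void reset_state() { g_ctx = E2Context{}; }

struct Decoded { uint8_t tag; size_t value_len; bool ok; };

// Minimal BER-style header decoder: 1-byte tag, then a length in short form
// (< 0x80) or long form (0x80 | N, followed by N big-endian length bytes),
// then the value. Every read is bounds-checked against len; that is exactly
// the property ASan-instrumented fuzzing is meant to validate in a real decoder.
Decoded decode_tlv(const uint8_t* buf, size_t len) {
    Decoded d{0, 0, false};
    if (len < 2) return d;
    size_t pos = 0;
    d.tag = buf[pos++];
    uint8_t lb = buf[pos++];
    size_t vlen = 0;
    if (lb < 0x80) {
        vlen = lb;
    } else {
        size_t n = lb & 0x7f;
        // Reject indefinite length (0x80), lengths wider than size_t, and
        // length bytes that would run past the input.
        if (n == 0 || n > sizeof(size_t) || pos + n > len) return d;
        for (size_t i = 0; i < n; ++i) vlen = (vlen << 8) | buf[pos++];
    }
    if (vlen > len - pos) return d;  // declared value longer than what remains
    d.value_len = vlen;
    d.ok = true;
    return d;
}

// Entry point the fuzzer drives. Routes by tag the way a gateway routes by
// procedure code, and consults per-connection state so that ordering bugs
// (e.g. a message handled before setup) are reachable.
int process_message(const uint8_t* buf, size_t len) {
    Decoded d = decode_tlv(buf, len);
    if (!d.ok) { ++g_metrics.rejected; return -1; }
    ++g_metrics.decoded;
    switch (d.tag) {
        case 0x01: g_ctx.setup_done = true; return 1;   // "setup request"
        case 0x02: return g_ctx.setup_done ? 2 : -2;     // requires prior setup
        default:   return 0;
    }
}

#ifdef __AFL_COMPILER
__AFL_FUZZ_INIT();
#endif

int main() {
#ifdef __AFL_COMPILER
    // Persistent mode: AFL++ writes each mutated input into a shared buffer
    // and the loop body runs without re-executing the process.
    unsigned char* buf = __AFL_FUZZ_TESTCASE_BUF;
    while (__AFL_LOOP(10000)) {
        size_t len = __AFL_FUZZ_TESTCASE_LEN;
        reset_state();
        process_message(buf, len);
    }
#else
    // Stand-alone run on a constructed sample (tag 1, length 2, two value bytes).
    const uint8_t sample[] = {0x01, 0x02, 0xAA, 0xBB};
    reset_state();
    printf("rc=%d decoded=%llu\n", process_message(sample, sizeof sample),
           (unsigned long long)g_metrics.decoded);
#endif
    return 0;
}
```

Build with `afl-clang-fast++ -fsanitize=address -g harness.cpp -o harness` and run `afl-fuzz -i seeds -o out -- ./harness`; without the AFL++ wrapper the `#else` branch makes it an ordinary program. The two design points worth carrying over to a real target are the `reset_state()` call at the top of every iteration and the fact that `process_message` takes `(buf, len)` directly rather than reading a socket, which is what turns network-bound parsing into in-memory mutation.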
O-RAN Security
Fuzzing
E2 Interface
Files in this record:

File: Eshagh_Shafaei_MsC_Thesis___UniPD.pdf
Access: open access
Size: 3.35 MB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.12608/108173