Security Testing The O-RAN Near-Real Time RIC & A1 Interface
Authors: 
Kashyap Thimmaraju, Altaf Shaik, Sunniva Flück, Pere Joan Fullana Mora, Christian Werling, Jean-Pierre SeifertAuthors Info & Claims
Kashyap Thimmaraju, Altaf Shaik, Sunniva Flück, Pere Joan Fullana Mora, Christian Werling, Jean-Pierre SeifertAuthors Info & ClaimsPages 277 - 287
Abstract
Open-Radio Access Network (O-RAN) is the next evolutionary step in mobile network architecture and operations and the Near-Real Time RAN Intelligent Controller (Near-RT RIC) plays a central role in the O-RAN architecture as it interfaces between the orchestration layer and next generation eNodeBs. In this paper we highlight the architectural weakness of a centralized controller in O-RAN by first drawing parallels with the Software-Defined Networking (SDN) controller. We then present a two part security evaluation of two open-source Near-RT RICs (μONOS and OSC), focused on the newly introduced A1 interface of the Near-RT RIC. In the first part of our evaluation, we evaluate the supply-chain risks of μONOS and OSC using off-the-shelf open-source dependency analysis and configuration file analysis tools. In the second part, we present our run-time security testing of the A1 API implemented by μONOS and OSC using our custom O-RAN A1 Interface Testing Tool (OAITT). Our supply-chain risk analysis shows that both the open-source Near-RT RICs we evaluated have multiple dependency risks and weak or insecure configurations. We identified 211 and 285 known dependency vulnerabilities in μONOS and OSC respectively of which 82 and 190 dependencies were rated as high CVSS respectively. The A1 interface contributed to a majority of the dependency risks in both Near-RT RICs. From a security misconfiguration perspective, we identified issues concerning access control, lack of encryption and poor secret management. Our run-time testing of OSC and μONOS revealed the following. First, both Near-RT RICs lack TLS for the A1 interface. Second, malicious Non-Real Time RAN Intelligent Controller (Non-RT RIC)s or rApps that reside in the Non-RT RIC could tamper with policies installed in the Near-RT RIC which can impact the availability of the O-RAN. Third, the A1 protocol could be exploited by Non-RT RICs for covert communication via the Near-RT RIC. Fourth, the A1 implementation by μONOS was vulnerable to degradation of service attacks (10-60s response time for GET requests) and a denial of service attack, the latter has been ethically reported and a fix is underway.
References
[1]
ORAN Alliance. 2022a. O-RAN.SFG.Non-RT-RIC-Security-TR-v01.00. ORAN Documentation (March 2022).
[2]
ORAN Alliance. 2022b. O-RAN.TIFG.E2E-Test.0-v04.00. ORAN Documentation (October 2022).
[3]
ORAN Alliance. 2023 a. O-RAN.WG11.Security-Near-RT-RIC-xApps-TR.0-R003-v03. ORAN Documentation (June 2023).
[4]
ORAN Alliance. 2023 b. O-RAN.WG11.Security-Requirements-Specification.O-R003-v06.00. ORAN Documentation (June 2023).
[5]
ORAN Alliance. 2023 c. O-RAN.WG11.Security-Test-Specifications.O-R003-v04.00. ORAN Documentation (June 2023).
[6]
ORAN Alliance. 2023 d. O-RAN.WG11.Threat-Model.O-R003-v06.00. ORAN Documentation (June 2023).
[7]
ORAN Alliance. 2023 e. O-RAN.WG1.O-RAN-Architecture-Description-v09.00. ORAN Documentation (June 2023).
[8]
ORAN Alliance. 2023 f. O-RAN.WG2.A1AP-R003-v04.00. ORAN Documentation (March 2023).
[9]
ORAN Alliance. 2023 g. O-RAN.WG2.A1GAP-R003-v03.01. ORAN Documentation (March 2023).
[10]
ORAN Alliance. 2023 h. O-RAN.WG2.A1TP-R003-v02.01. ORAN Documentation (March 2023).
[11]
ORAN Alliance. 2023 i. O-RAN.WG3.RICARCH-R003-v04.00. ORAN Documentation (March 2023).
[12]
Anchore. 2023. Grype: A Vulnerability Scanner for Container Images and Filesystems. https://github.com/anchore/grype. Accessed: September 27, 2023.
[13]
Airhop Communications. 2023. AirHop Launches the Industry's First Comprehensive Portfolio of Field-proven xApps and rApps to Accelerate 4G and 5G Open RAN Deployments. https://www.airhopcomm.com/news/airhop-launches-the-industrys-first-comprehensive-portfolio-of-field-proven-xapps-and-rapps-to-accelerate-4g-and-5g-open-ran-deployments/ Accessed: 21-08--2023.
[14]
Daniel Dik and Michael Stübert Berger. 2023. Open-RAN Fronthaul Transport Security Architecture and Implementation. IEEE Access (2023).
[15]
drwetter. 2024. testssl.sh. https://github.com/drwetter/testssl.sh. Accessed: 26-01--2024.
[16]
Stefan Köpsell et al. 2022. Open RAN Risk Analysis. https://www.bsi.bund.de/SharedDocs/ Downloads/EN/BSI/Publications/Studies/5G/5GRAN-Risk-Analysis.pdf?__blob=publicationFile& v=7
[17]
Joshua Groen, Brian Kim, and Kaushik Chowdhury. 2023. The Cost of Securing O-RAN. In ICC 2023-IEEE International Conference on Communications. IEEE, 5444--5449.
[18]
Ceki Gülcü. 2003. The complete log4j manual. QOS. ch.
[19]
Sebastian Haas, Mattis Hasler, Friedrich Pauls, Stefan Köpsell, Nils Asmussen, Michael Roitzsch, and Gerhard Fettweis. 2022. Trustworthy Computing for O-RAN: Security in a Latency-Sensitive Environment. In 2022 IEEE Globecom Workshops (GC Wkshps). IEEE, 826--831.
[20]
KICS. 2024. KICS. https://kics.io. Accessed: 26-01--2024.
[21]
Felix Klement, Stefan Katzenbeisser, Vincent Ulitzsch, Juliane Kr"amer, Slawomir Stanczak, Zoran Utkovski, Igor Bjelakovic, and Gerhard Wunder. 2022. Open or not open: Are conventional radio access networks more secure and trustworthy than Open-RAN? arXiv preprint arXiv:2204.12227 (2022).
[22]
Stefan Köpsell, Andrey Ruzhanskiy, Andreas Hecker, Dirk Stachorra, and Norman Franchi. 2022. Open RAN Risk Analysis. Federal Office for Information Security, BSI studies (2022).
[23]
Robert Krösche, Kashyap Thimmaraju, Liron Schiff, and Stefan Schmid. 2018. I DPID it my way! A covert timing channel in software-defined networks. In 2018 IFIP Networking Conference (IFIP Networking) and Workshops. IEEE, 217--225.
[24]
Kubernetes. 2023 a. Configure a Security Context for a Pod or Container. https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
[25]
Kubernetes. 2023 b. Secrets. https://kubernetes.io/docs/concepts/configuration/secret/
[26]
Leeon123. 2024. Stress-tester. https://github.com/Leeon123/Stress-tester. Accessed: 26-01--2024.
[27]
Madhusanka Liyanage, An Braeken, Shahriar Shahabuddin, and Pasika Ranaweera. 2023. Open RAN security: Challenges and opportunities. Journal of Network and Computer Applications, Vol. 214 (2023), 103621.
[28]
Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. 2008. OpenFlow: enabling innovation in campus networks. ACM SIGCOMM computer communication review, Vol. 38, 2 (2008), 69--74.
[29]
Dudu Mimran, Ron Bitton, Yehonatan Kfir, Eitan Klevansky, Oleg Brodt, Heiko Lehmann, Yuval Elovici, and Asaf Shabtai. 2022. Evaluating the security of open radio access networks. arXiv preprint arXiv:2201.06080 (2022).
[30]
onosproject. 2022. Github Rimedo Traffic Steering xApp. https://github.com/onosproject/rimedo-ts Accessed: 14-08--2023.
[31]
onosprojects. 2023. Installation with RAN-Simulator and RIMEDO Labs Traffic Steering xAPP (rimedo-ts xApp). https://github.com/onosproject/sdran-in-a-box/blob/master/docs/Installation_RANSim_RIMDEO_TS.md Accessed: 30-08--2023.
[32]
OpenSSF. 2024. OpenSSF Scorecard. https://github.com/ossf/scorecard. Accessed: 26-01--2024.
[33]
OSC. 2022. Release F. https://wiki.o-ran-sc.org/display/RICP/2022-05--24ReleaseF Accessed: 25-08--2023.
[34]
Michele Polese, Leonardo Bonati, Salvatore D'Oro, Stefano Basagni, and Tommaso Melodia. 2022. ColO-RAN: Developing Machine Learning-based xApps for Open RAN Closed-loop Control on Programmable Experimental Platforms. IEEE Transactions on Mobile Computing (July 2022), 1--14.
[35]
CT Shen, YY Xiao, YW Ma, JL Chen, Cheng-Mou Chiang, SJ Chen, and YC Pan. 2022. Security threat analysis and treatment strategy for ORAN. In 2022 24th International Conference on Advanced Communication Technology (ICACT). IEEE, 417--422.
[36]
Snyk. [n.,d.]. Guide to Software Composition Analysis (SCA).
[37]
Kashyap Thimmaraju, Liron Schiff, and Stefan Schmid. 2017. Outsmarting network security with SDN teleportation. In 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 563--578.
[38]
Kashyap Thimmaraju, Bhargava Shastry, Tobias Fiebig, Felicitas Hetzelt, Jean-Pierre Seifert, Anja Feldmann, and Stefan Schmid. 2018. Taking control of sdn-based cloud systems via the data plane. In Proceedings of the Symposium on SDN Research. 1--15.
[39]
Walter Tiberti, Eleonora Di Fina, Andrea Marotta, and Dajana Cassioli. 2022. Impact of Man-in-the-Middle Attacks to the O-RAN Inter-Controllers Interface. In 2022 IEEE Future Networks World Forum (FNWF). 367--372. https://doi.org/10.1109/FNWF55208.2022.00071
[40]
Trivy. 2024. Trivy. https://github.com/aquasecurity/trivy. Accessed: 26-01--2024.
[41]
Wikipedia. 2023. Heartbleed. https://github.com/onosproject/sdran-in-a-box Accessed: 25-08--2023. io
Index Terms
- Security Testing The O-RAN Near-Real Time RIC & A1 Interface
Recommendations
Automated Security Test Generation with Formal Threat Models
Security attacks typically result from unintended behaviors or invalid inputs. Security testing is labor intensive because a real-world program usually has too many invalid inputs. It is highly desirable to automate or partially automate security-...
An Alternative Threat Model-based Approach for Security Testing
In modern interaction, web applications has gained more and more popularity, which leads to a significate growth of exposure to malicious users and vulnerability attacks. This causes organizations and companies to lose valuable information and suffer ...
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and NetworksWeb applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Comments
Information & Contributors
Information
Published In
May 2024
312 pages
ISBN:9798400705823
DOI:10.1145/3643833
- General Chairs:
- Yongdae Kim,
- Jong Kim,
- Program Chairs:
- Farinaz Koushanfar,
- Kasper Rasmussen
Copyright © 2024 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 27 May 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- Einstein Foundation (Einstein Research Unit on Quantum Devices)
- German Federal Ministry of Education and Research
- German Federal Ministry for Digital and Transport
Conference
WiSec '24: 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks
May 27 - 29, 2024
Seoul, Republic of Korea
Acceptance Rates
Overall Acceptance Rate 98 of 338 submissions, 29%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 352Total Downloads
- Downloads (Last 12 months)352
- Downloads (Last 6 weeks)120
Reflects downloads up to 30 Aug 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in