Build 5G‐Spector from scratch in an OAI 5G network
This guide provides instructions to quickly deploy an OAI-based 5G network, optionally with the near real-time RIC (nRT-RIC) component and xApps in 5G-Spector.
We will use the following repositories, which are cross-referenced throughout this guide.
OAI-5G (https://github.com/5GSEC/OAI-5G) is developed based on OAI's 2023.w23 version. It has multiple branches explained below:
- 2023.w23 is the original code branch forked from Eurecom OAI
- 2023.w23.secsm.sdran is the SecSM enhanced version of Eurecom OAI (2023.w23) that supports the MobiFlow Telemetry and MobieXpert xApp (i.e., the 5G-Spector framework).
- 2023.w23.kpm.sdran is the ONOS-RIC enhanced version that supports ONOS's basic KPM monitor xApp (https://github.com/onosproject/onos-kpimon)
- 2023.w23.secsm.flexric is an experimental branch that will extend OAI's support to SecSM on FlexRIC.
- lte.attack is the branch with a number of layer-3 exploits (see https://github.com/5GSEC/OAI-5G/blob/lte.attack/common/attacks/attack_cliopts.h and the 5G-Spector paper for the options)
- nr.attack is the branch with the layer-3 exploits implemented on 5G
With OAI-5G, you can deploy eNB / gNB / UE / nrUE. Please pick the corresponding branch based on your needs.
OAI-5G-Docker (https://github.com/5GSEC/OAI-5G-Docker). This repo contains the necessary configuration files to quickly deploy a 5G network, e.g., locally via RFSIM or USRP, or on Colosseum.
All running instructions are integrated into a single bash script run.sh (https://github.com/5GSEC/OAI-5G-Docker/blob/master/run.sh). There are four different folders with the corresponding pre-defined configurations at the root of OAI-5G-Docker (to save your time):
- lte-rfsim: RF simulated LTE network (no SDR or USRP required)
- lte-usrp: RF-based LTE network (works on USRPs)
- nr-rfsim: RF simulated NR (5G) network
- nr-usrp: RF-based NR network
It can also be used to run different attack variants (check the script for details).
Before you use this script, please make sure the following paths in run.sh point to the correct folders:
_oai_root=/root/OAI-5G
_oai_config_root=/root/OAI-5G-Docker
By default, the above directories will work on Colosseum. If you use this script on another machine, please make sure they are correct. Note that some settings may need to be adapted to your actual requirements and hardware (e.g., different USRPs).
The remaining files under the colosseum folder (run_rf.sh, set_ip_in_conf.sh, set_route_to_cn.py) are only for setting up Colosseum-specific network settings.
MobiFlow Auditor is an O-RAN compliant xApp that supports fine-grained and security-aware statistics monitoring over the RAN data plane, which is not covered by the default O-RAN standard and service models. It drives further security analyses on the nRT-RIC such as MobieXpert's signature analysis and other potential AI / ML applications.
The MobieXpert xApp functions as an L3 exploit detection engine that allows efficient programming of cellular attack signatures. MobieXpert’s design is based on the Production-Based Expert System Toolset (P-BEST) language, which has been widely used for decades in stateful intrusion detection. With MobieXpert, network operators can program stateful production-based IDS rules for detecting a wide range of cellular L3 attacks.
Refer to https://github.com/5GSEC/5G-Spector/wiki/5G%E2%80%90Spector-Artifact-in-a-Simulated-LTE-Network
To deploy a 5G network w/ RF simulation, you need to first prepare a Linux machine or VM (Ubuntu recommended). Note that OAI may have some restrictions and may not work on the latest Ubuntu versions (double-check the OAI requirements before you go).
Recommended environment:
Env | Value |
---|---|
OS | Ubuntu 20.04 LTS |
RAM | 8 GB |
Storage | 100 GB |
Refer to: https://docs.docker.com/engine/install/ubuntu/
You can add your user to the docker group to avoid running docker with sudo:
sudo groupadd docker
sudo gpasswd -a $USER docker
Log out and back in for this to take effect.
Refer to: https://docs.docker.com/compose/install/standalone/
You might need to add execution permission to it:
sudo chmod +x /usr/local/bin/docker-compose
Clone the OAI-5G and OAI-5G-Docker repos.
git clone https://github.com/5GSEC/OAI-5G.git
git clone https://github.com/5GSEC/OAI-5G-Docker.git
Check out the correct branch:
cd OAI-5G
git checkout 2023.w23.secsm.sdran
Enter the build directory:
cd <PATH_TO_OAI-5G>/cmake_targets
Run the compilation command:
./build_oai -I --gNB --nrUE --build-ric-agent -w SIMU --ninja --noavx512
Explanation of the arguments:
- -I indicates you will install all dependencies (only when you compile for the first time)
- --gNB indicates you will compile gNodeB
- --nrUE indicates you will compile nrUE
- --build-ric-agent indicates you will integrate the support of the ONOS-RIC (only when you choose the compatible branch)
- -w SIMU indicates you compile the RF simulation library
- --ninja accelerates the compilation
The compilation takes a while. After a successful compilation, you will find nr-softmodem and nr-uesoftmodem under <PATH_TO_OAI-5G>/cmake_targets/ran_build/build/.
Enter OAI-5G-Docker/<config_folder>, e.g., nr-rfsim if you deploy an RF SIM 5G network. Then run:
./run_5gc.sh
Please adapt the core network configurations under OAI-5G-Docker/<config_folder> to your needs.
Wait to verify the OAI 5GC deployment (all containers up and in healthy status):
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
88ca47d70254 oaisoftwarealliance/trf-gen-cn5g:focal "/bin/bash -c ' ipta…" 7 minutes ago Up 6 minutes (healthy) oai-ext-dn
56c1f343af58 oaisoftwarealliance/oai-spgwu-tiny:v1.5.0 "python3 /openair-sp…" 7 minutes ago Up 6 minutes (healthy) 2152/udp, 8805/udp oai-spgwu
5606bcf24c1e oaisoftwarealliance/oai-smf:v1.5.0 "python3 /openair-sm…" 7 minutes ago Up 6 minutes (healthy) 80/tcp, 8080/tcp, 8805/udp oai-smf
4ee38fd67d47 oaisoftwarealliance/oai-amf:v1.5.0 "python3 /openair-am…" 7 minutes ago Up 7 minutes (healthy) 80/tcp, 9090/tcp, 38412/sctp oai-amf
e7c166989cb4 mysql:8.0 "docker-entrypoint.s…" 7 minutes ago Up 7 minutes (healthy) 3306/tcp, 33060/tcp mysql
08ed0bea0da3 oaisoftwarealliance/oai-nrf:v1.5.0 "python3 /openair-nr…" 7 minutes ago Up 7 minutes (healthy) 80/tcp, 9090/tcp oai-nrf
To undeploy the 5GC, run:
./kill.sh
You can create a copy of the run.sh script in your working folder with:
cp OAI-5G-Docker/run.sh ~/
Adapt the following lines to the correct system paths of the OAI-5G and OAI-5G-Docker repos you just cloned.
_oai_root=<PATH_TO_OAI-5G>
_oai_config_root=<PATH_TO_OAI-5G-Docker>
Run
sudo ~/run.sh gnb rfsim
To verify the gNB is running, look for repeated log entries like:
[NR_MAC] Frame.Slot 128.0
There will be an error message like:
[RIC_AGENT] ranid 0 connecting to RIC at 192.168.84.144:36421 with IP 192.168.200.21 (my addr: 192.168.200.21)
It can be safely ignored at this moment since we haven't deployed the nRT-RIC yet.
Open a new terminal and run:
sudo ~/run.sh nrue* rfsim
Here * indicates the index of the UE (chosen from 0-9).
Verify the UE is running and connected to the gNB with logs like:
[NAS] [UE] Received REGISTRATION ACCEPT message
...
[NR_PHY] ============================================
[NR_PHY] Harq round stats for Downlink: 16/0/0
[NR_PHY] ============================================
[NR_PHY] RSRP = -92 dBm
[NR_PHY] RSRP = -92 dBm
[NR_PHY] RSRP = -41 dBm
Logs and pcaps of each run will be saved at: /logs/. The configs of the UEs are available at OAI-5G-Docker/rfsim/nr-ues.
To verify the UE's data traffic, use the created tunnel oaitun_ue1:
$ ping -I oaitun_ue1 -c 10 www.lemonde.fr
PING lemonde.map.fastly.net (146.75.82.217) from 12.1.1.5 oaitun_ue1: 56(84) bytes of data.
64 bytes from 146.75.82.217 (146.75.82.217): icmp_seq=1 ttl=49 time=19.6 ms
64 bytes from 146.75.82.217 (146.75.82.217): icmp_seq=2 ttl=49 time=20.8 ms
64 bytes from 146.75.82.217 (146.75.82.217): icmp_seq=3 ttl=49 time=22.8 ms
64 bytes from 146.75.82.217 (146.75.82.217): icmp_seq=4 ttl=49 time=22.8 ms
64 bytes from 146.75.82.217 (146.75.82.217): icmp_seq=5 ttl=49 time=20.2 ms
Pull the SD-RAN RIAB repo:
git clone https://github.com/onosproject/sdran-in-a-box
cd sdran-in-a-box
make OPT=ric
It takes a while to deploy. To verify, make sure all the pods and their containers are in Running status.
$ kubectl get pods -n riab
NAME READY STATUS RESTARTS AGE
onos-a1t-68c59fb46-bfpks 2/2 Running 0 2m25s
onos-cli-c7d5b54b4-vjkxm 1/1 Running 0 2m25s
onos-config-5786dbc85c-pxf2s 3/3 Running 0 2m25s
onos-e2t-5798f554b7-znjf7 2/2 Running 0 2m25s
onos-kpimon-555c9fdb5c-jx2bb 2/2 Running 0 2m25s
onos-rsm-7b6d84b5fc-cnkpc 2/2 Running 0 2m25s
onos-topo-6b59c97579-d54pm 2/2 Running 0 2m25s
onos-uenib-6f65dc66b4-jz6zm 2/2 Running 0 2m25s
sd-ran-consensus-0 1/1 Running 0 2m25s
sd-ran-consensus-1 1/1 Running 0 2m25s
sd-ran-consensus-2 1/1 Running 0 2m25s
To undeploy, simply run make reset-ric, or make reset-test to clean the whole environment.
Exit the running gNB and nrUE. Update the gnb.conf config file in OAI-5G-Docker/nr-rfsim:
# Begin RIC-specific settings
RIC : {
remote_ipv4_addr = "<E2T_ADDRESS>"; # TODO Replace it with the actual RIC e2t Address
remote_port = 36421;
enabled = "yes";
};
Replace the remote_ipv4_addr value with the address of the onos-e2t pod, which can be obtained with:
kubectl get po -n riab -o wide | grep onos-e2t | awk '{print $6}'
You also need to replace local_s_address with your host IP address (this will keep alive the SCTP connections for E2):
local_s_address = <YOUR_HOST_IP_ADDR>
For example, you can use ifconfig to obtain the desired IP address (192.168.121.113 from below):
$ ifconfig
...
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.121.113 netmask 255.255.255.0 broadcast 192.168.121.255
inet6 fe80::5054:ff:fe28:7f23 prefixlen 64 scopeid 0x20<link>
...
After the update, the previous error message in the gNB log should be gone. Instead, you will see the following logs indicating a successful connection to the RIC:
[RIC_AGENT] ranid 0 connecting to RIC at 192.168.84.148:36421 with IP 192.168.200.21 (my addr: 192.168.200.21)
[RIC_AGENT] new sctp assoc resp 4, sctp_state 2 for nb 0
[RIC_AGENT] new sctp assoc resp 4 for nb 0
[RIC_AGENT] Send SCTP data, ranid:0, assoc_id:4, len:616
[RIC_AGENT] decoded successful outcome E2SetupResponse (1)
...
Create a local docker registry to host the built xApp containers:
docker run -d -p 5000:5000 --restart=always --name registry registry:2
git clone https://github.com/5GSEC/MobiFlow-Auditor.git
Build the xApp docker container:
cd MobiFlow-Auditor
./build.sh
Deploy the xApp to the riab RIC namespace:
./install_xapp.sh
Successful xApp deployment will show the following repeated log entries:
$ kubectl logs $(kubectl get pods -o name -n riab | grep "mobiflow-auditor") -n riab -c mobiflow-auditor
INFO 2024-03-03 06:18:14 onos_ric_secsm.py:67] MobiFlow update async coroutine started
INFO 2024-03-03 06:18:18 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:18:18 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:18:18 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:18:18 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:18:28 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:18:28 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"...
To undeploy the xApp:
./uninstall_xapp.sh
For details, visit https://github.com/5GSEC/MobiFlow-Auditor
Please make sure the MobiFlow Auditor xApp is deployed and running beforehand.
git clone https://github.com/5GSEC/MobieXpert
Build the xApp docker container:
cd MobieXpert
./build.sh
Please make sure the MobiFlow-Auditor xApp is up and running. Deploy the xApp to the riab RIC namespace:
./install_xapp.sh
Successful xApp deployment will show the following logs:
$ kubectl logs $(kubectl get pods -o name -n riab | grep "mobi-expert") -n riab -c mobi-expert-xapp
INFO 2024-03-03 06:20:21 mobiflow_reader.py:18] [App] MobiFlow RPC server config mobiflow-auditor.riab.svc.cluster.local:50051 interval 500
INFO 2024-03-03 06:20:21 mobiflow_reader.py:22] [App] Starting MobiFlow reading thread
INFO 2024-03-03 06:20:21 mobiflow_reader.py:26] [App] Starting Maintenance thread
INFO 2024-03-03 06:20:21 pbest.py:40] PBest process started!
PBEST runtime library built Fri 26 Jan 2024 07:14:29 PM UTC
To undeploy the xApp:
./uninstall_xapp.sh
For details, visit https://github.com/5GSEC/MobieXpert
Please refer to https://github.com/5GSEC/MobieXpert to learn about how to program L3 IDS signatures with P-BEST.
Now you've learned all the necessary steps for setting up an OAI 5G network and 5G-Spector. The typical procedure to set up and test 5G-Spector would be:
- (1) Install necessary software dependencies
- (2) Deploy the ONOS RIC with Kubernetes
- (3) Build and Deploy the MobiFlow Auditor xApp
- (4) Program, build, and deploy the MobieXpert xApp
- (5) Configure and run OAI gNB
- (6) Configure and run OAI nrUE or exploits
- (7) Examine xApp logs
Below are example logs captured from the xApps of 5G-Spector with an OAI 5G test network (simulation):
MobiFlow Auditor xApp log example:
$ kubectl logs $(kubectl get pods -o name -n riab | grep "mobiflow-auditor") -n riab -c mobiflow-auditor -f
INFO 2024-03-03 06:31:36 onos_ric_secsm.py:67] MobiFlow update async coroutine started
INFO 2024-03-03 06:31:40 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:31:40 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:31:40 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:31:40 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:31:50 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:31:50 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:31:50 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:31:50 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:31:50 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:31:50 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:31:50 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:31:50 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:31:50 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:31:50 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:00 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:00 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:00 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:00 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:00 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:00 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:00 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:00 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:05 onos_ric_secsm.py:110] Adding new BS: e2:1/e00_e0000
INFO 2024-03-03 06:32:05 mobiflow_writer.py:181] [MobiFlow] Writing BS Mobiflow to DB:
INSERT INTO bs_mobiflow
(msg_type, msg_id, timestamp, mobiflow_ver, generator_name, bs_id, mcc, mnc, tac, cell_id, report_period, connected_ue_cnt, idle_ue_cnt, max_ue_cnt, initial_timer, inactive_timer)
VALUES
('BS', 0, 1709447525448.1055, 'v2.0', 'SECSM', 0, 0, 0, 0, 'e0000', 1000, 0, 0, 0, 1709447525356.8672, 0);
INFO 2024-03-03 06:32:10 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:10 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:10 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:10 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:10 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:10 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:10 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:10 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:18 mobiflow_writer.py:174] [MobiFlow] Writing UE Mobiflow to DB:
INSERT INTO ue_mobiflow
(msg_type, msg_id, timestamp, mobiflow_ver, generator_name, bs_id, rnti, tmsi, imsi, imei, cipher_alg, integrity_alg, establish_cause, msg, rrc_state, nas_state, sec_state, emm_cause, rrc_initial_timer, rrc_inactive_timer, nas_initial_timer, nas_inactive_timer)
VALUES
('UE', 0, 1709447538360.3286, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'RRCSetupRequest', 0, 0, 0, 0, 0, 0, 0, 0),
('UE', 1, 1709447538360.3997, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'RRCSetup', 2, 0, 0, 0, 1709447538314.7659, 0, 0, 0),
('UE', 2, 1709447538372.9922, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'RRCSetupComplete', 2, 0, 0, 0, 1709447538314.7659, 0, 0, 0),
('UE', 3, 1709447538373.3699, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'Registrationrequest', 2, 1, 0, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 4, 1709447538374.262, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'Authenticationrequest', 2, 1, 0, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 5, 1709447538374.3074, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'Authenticationresponse', 2, 1, 0, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 6, 1709447538374.35, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'Securitymodecommand', 2, 1, 0, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 7, 1709447538375.448, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'Securitymodecomplete', 2, 1, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 8, 1709447538375.5051, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'SecurityModeCommand', 2, 1, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 9, 1709447538379.2542, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'SecurityModeComplete', 2, 1, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 10, 1709447538379.7786, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'UECapabilityEnquiry', 2, 1, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 11, 1709447538379.8235, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'UECapabilityInformation', 2, 1, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 12, 1709447538400.7927, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'RRCReconfiguration', 2, 1, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 13, 1709447538402.4578, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'Registrationaccept', 2, 1, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 0),
('UE', 14, 1709447538402.505, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'RRCReconfigurationComplete', 2, 2, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 1709447538314.7659);
INFO 2024-03-03 06:32:18 mobiflow_writer.py:181] [MobiFlow] Writing BS Mobiflow to DB:
INSERT INTO bs_mobiflow
(msg_type, msg_id, timestamp, mobiflow_ver, generator_name, bs_id, mcc, mnc, tac, cell_id, report_period, connected_ue_cnt, idle_ue_cnt, max_ue_cnt, initial_timer, inactive_timer)
VALUES
('BS', 1, 1709447538360.5012, 'v2.0', 'SECSM', 0, 0, 0, 0, 'e0000', 1000, 1, 0, 0, 1709447525356.8672, 0),
('BS', 2, 1709447538374.242, 'v2.0', 'SECSM', 0, 0, 0, 0, 'e0000', 1000, 1, 0, 0, 1709447525356.8672, 0),
('BS', 3, 1709447538375.4885, 'v2.0', 'SECSM', 0, 0, 0, 0, 'e0000', 1000, 1, 0, 0, 1709447525356.8672, 0),
('BS', 4, 1709447538402.5808, 'v2.0', 'SECSM', 0, 0, 0, 0, 'e0000', 1000, 1, 0, 0, 1709447525356.8672, 0);
INFO 2024-03-03 06:32:18 mobiflow_writer.py:174] [MobiFlow] Writing UE Mobiflow to DB:
INSERT INTO ue_mobiflow
(msg_type, msg_id, timestamp, mobiflow_ver, generator_name, bs_id, rnti, tmsi, imsi, imei, cipher_alg, integrity_alg, establish_cause, msg, rrc_state, nas_state, sec_state, emm_cause, rrc_initial_timer, rrc_inactive_timer, nas_initial_timer, nas_inactive_timer)
VALUES
('UE', 15, 1709447538758.697, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'Registrationcomplete', 2, 2, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 1709447538314.7659),
('UE', 16, 1709447538760.7153, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'ULNAStransport', 2, 2, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 1709447538314.7659),
('UE', 17, 1709447538762.7861, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'RRCReconfiguration', 2, 2, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 1709447538314.7659),
('UE', 18, 1709447538762.8381, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'DLNAStransport', 2, 2, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 1709447538314.7659),
('UE', 19, 1709447538763.3008, 'v2.0', 'SECSM', 0, 13410, 0, 0, 0, 2, 2, 3, 'RRCReconfigurationComplete', 2, 2, 1, 0, 1709447538314.7659, 0, 1709447538314.7659, 1709447538314.7659);
INFO 2024-03-03 06:32:20 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:20 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:20 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:20 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2024-03-03 06:32:20 web_log.py:206] 192.168.121.113 [03/Mar/2024:06:32:20 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
MobieXpert xApp log example:
$ kubectl logs $(kubectl get pods -o name -n riab | grep "mobi-expert") -n riab -c mobi-expert-xapp -f
INFO 2024-03-03 06:31:48 mobiflow_reader.py:18] [App] MobiFlow RPC server config mobiflow-auditor.riab.svc.cluster.local:50051 interval 500
INFO 2024-03-03 06:31:48 mobiflow_reader.py:22] [App] Starting MobiFlow reading thread
INFO 2024-03-03 06:31:48 mobiflow_reader.py:26] [App] Starting Maintenance thread
INFO 2024-03-03 06:31:48 pbest.py:40] PBest process started!
PBEST runtime library built Fri 26 Jan 2024 07:14:29 PM UTC
INFO 2024-03-03 06:32:05 mobiflow_reader.py:77] [MobiFlow] Writing BS MobiFlow: BS;0;1709447525448.11;v2.0;SECSM;0;0;0;0;e0000;1000;0;0;0;1709447525356.8672;0
[INFO 2024-03-03 06:32:05,759 pbest.py:75] [PBest] [DEBUG] INIT_eXpert: Initialized
[INFO 2024-03-03 06:32:05,759 pbest.py:75] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 1
INFO 2024-03-03 06:32:13 mobiflow_reader.py:97] [MobiFlow] Writing Maintenance event: MAINTENANCE;1709447533582.9053
INFO 2024-03-03 06:32:18 mobiflow_reader.py:97] [MobiFlow] Writing Maintenance event: MAINTENANCE;1709447538590.8787
INFO 2024-03-03 06:32:18 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;0;1709447538360.33;v2.0;SECSM;0;13410;0;0;0;2;2;3;RRCSetupRequest;0;0;0;0;0;0;0;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;1;1709447538360.4;v2.0;SECSM;0;13410;0;0;0;2;2;3;RRCSetup;2;0;0;0;1709447538314.7659;0;0;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;2;1709447538372.99;v2.0;SECSM;0;13410;0;0;0;2;2;3;RRCSetupComplete;2;0;0;0;1709447538314.7659;0;0;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;3;1709447538373.37;v2.0;SECSM;0;13410;0;0;0;2;2;3;Registrationrequest;2;1;0;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;4;1709447538374.26;v2.0;SECSM;0;13410;0;0;0;2;2;3;Authenticationrequest;2;1;0;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;5;1709447538374.31;v2.0;SECSM;0;13410;0;0;0;2;2;3;Authenticationresponse;2;1;0;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;6;1709447538374.35;v2.0;SECSM;0;13410;0;0;0;2;2;3;Securitymodecommand;2;1;0;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;7;1709447538375.45;v2.0;SECSM;0;13410;0;0;0;2;2;3;Securitymodecomplete;2;1;1;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;8;1709447538375.51;v2.0;SECSM;0;13410;0;0;0;2;2;3;SecurityModeCommand;2;1;1;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;9;1709447538379.25;v2.0;SECSM;0;13410;0;0;0;2;2;3;SecurityModeComplete;2;1;1;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;10;1709447538379.78;v2.0;SECSM;0;13410;0;0;0;2;2;3;UECapabilityEnquiry;2;1;1;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;11;1709447538379.82;v2.0;SECSM;0;13410;0;0;0;2;2;3;UECapabilityInformation;2;1;1;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;12;1709447538400.79;v2.0;SECSM;0;13410;0;0;0;2;2;3;RRCReconfiguration;2;1;1;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;13;1709447538402.46;v2.0;SECSM;0;13410;0;0;0;2;2;3;Registrationaccept;2;1;1;0;1709447538314.7659;0;1709447538314.7659;0
INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;14;1709447538402.5;v2.0;SECSM;0;13410;0;0;0;2;2;3;RRCReconfigurationComplete;2;2;1;0;1709447538314.7659;0;1709447538314.7659;1709447538314.7659
[INFO 2024-03-03 06:32:19,159 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 1
[INFO 2024-03-03 06:32:19,185 pbest.py:75] [PBest] [DEBUG] Add UE session: 13410
[INFO 2024-03-03 06:32:19,189 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 2
[INFO 2024-03-03 06:32:19,198 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,227 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 3
[INFO 2024-03-03 06:32:19,247 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,255 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 4
[INFO 2024-03-03 06:32:19,268 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,273 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 5
[INFO 2024-03-03 06:32:19,279 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,280 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 6
[INFO 2024-03-03 06:32:19,283 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,286 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 7
[INFO 2024-03-03 06:32:19,287 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,288 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 8
[INFO 2024-03-03 06:32:19,295 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,297 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 9
[INFO 2024-03-03 06:32:19,300 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,302 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 10
[INFO 2024-03-03 06:32:19,302 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,303 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 11
[INFO 2024-03-03 06:32:19,303 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,304 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 12
[INFO 2024-03-03 06:32:19,308 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,308 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 13
[INFO 2024-03-03 06:32:19,320 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,322 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 14
[INFO 2024-03-03 06:32:19,324 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:19,325 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 15
[INFO 2024-03-03 06:32:19,329 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
INFO 2024-03-03 06:32:20 mobiflow_reader.py:77] [MobiFlow] Writing BS MobiFlow: BS;1;1709447538360.5;v2.0;SECSM;0;0;0;0;e0000;1000;1;0;0;1709447525356.8672;0
INFO 2024-03-03 06:32:20 mobiflow_reader.py:77] [MobiFlow] Writing BS MobiFlow: BS;2;1709447538374.24;v2.0;SECSM;0;0;0;0;e0000;1000;1;0;0;1709447525356.8672;0
INFO 2024-03-03 06:32:20 mobiflow_reader.py:77] [MobiFlow] Writing BS MobiFlow: BS;3;1709447538375.49;v2.0;SECSM;0;0;0;0;e0000;1000;1;0;0;1709447525356.8672;0
INFO 2024-03-03 06:32:20 mobiflow_reader.py:77] [MobiFlow] Writing BS MobiFlow: BS;4;1709447538402.58;v2.0;SECSM;0;0;0;0;e0000;1000;1;0;0;1709447525356.8672;0
[INFO 2024-03-03 06:32:20,198 pbest.py:75] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 2
[INFO 2024-03-03 06:32:20,199 pbest.py:75] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 3
[INFO 2024-03-03 06:32:20,203 pbest.py:75] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 4
INFO 2024-03-03 06:32:20 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;15;1709447538758.7;v2.0;SECSM;0;13410;0;0;0;2;2;3;Registrationcomplete;2;2;1;0;1709447538314.7659;0;1709447538314.7659;1709447538314.7659
INFO 2024-03-03 06:32:20 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;16;1709447538760.72;v2.0;SECSM;0;13410;0;0;0;2;2;3;ULNAStransport;2;2;1;0;1709447538314.7659;0;1709447538314.7659;1709447538314.7659
INFO 2024-03-03 06:32:20 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;17;1709447538762.79;v2.0;SECSM;0;13410;0;0;0;2;2;3;RRCReconfiguration;2;2;1;0;1709447538314.7659;0;1709447538314.7659;1709447538314.7659
INFO 2024-03-03 06:32:20 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;18;1709447538762.84;v2.0;SECSM;0;13410;0;0;0;2;2;3;DLNAStransport;2;2;1;0;1709447538314.7659;0;1709447538314.7659;1709447538314.7659
INFO 2024-03-03 06:32:20 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;19;1709447538763.3;v2.0;SECSM;0;13410;0;0;0;2;2;3;RRCReconfigurationComplete;2;2;1;0;1709447538314.7659;0;1709447538314.7659;1709447538314.7659
[INFO 2024-03-03 06:32:20,276 pbest.py:75] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 5
[INFO 2024-03-03 06:32:20,296 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 16
[INFO 2024-03-03 06:32:20,298 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:20,300 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 17
[INFO 2024-03-03 06:32:20,319 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:20,326 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 18
[INFO 2024-03-03 06:32:20,338 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:20,344 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 19
[INFO 2024-03-03 06:32:20,350 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
[INFO 2024-03-03 06:32:20,354 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 20
[INFO 2024-03-03 06:32:20,357 pbest.py:75] [PBest] [DEBUG] Update UE session: 13410
INFO 2024-03-03 06:32:28 mobiflow_reader.py:97] [MobiFlow] Writing Maintenance event: MAINTENANCE;1709447548631.0706
INFO 2024-03-03 06:32:33 mobiflow_reader.py:97] [MobiFlow] Writing Maintenance event: MAINTENANCE;1709447553659.1648
INFO 2024-03-03 06:32:38 mobiflow_reader.py:97] [MobiFlow] Writing Maintenance event: MAINTENANCE;1709447558902.1116
[INFO 2024-03-03 06:32:38,916 pbest.py:75] [PBest] [DEBUG] remove bs mobiflow record: 0
...
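The following added example, which is not code from 5G-Spector or MobieXpert, parses the semicolon-delimited UE MobiFlow records shown in the MobieXpert log above and runs one stateful check of the kind a P-BEST rule would express. The field order is taken from the ue_mobiflow INSERT statement in the Auditor log; the rule itself (a Registrationaccept seen before a NAS Securitymodecomplete for the same RNTI), the assumption that msg_id increases by one per UE record, and the sample log lines are constructed for illustration.

```python
"""Parse UE MobiFlow records from MobieXpert log lines and audit them (added example)."""
import re
from collections import defaultdict

# Column order as listed in the ue_mobiflow INSERT statement of the Auditor log.
UE_FIELDS = (
    "msg_type", "msg_id", "timestamp", "mobiflow_ver", "generator_name",
    "bs_id", "rnti", "tmsi", "imsi", "imei", "cipher_alg", "integrity_alg",
    "establish_cause", "msg", "rrc_state", "nas_state", "sec_state",
    "emm_cause", "rrc_initial_timer", "rrc_inactive_timer",
    "nas_initial_timer", "nas_inactive_timer",
)
INT_FIELDS = ("msg_id", "bs_id", "rnti", "cipher_alg", "integrity_alg",
              "rrc_state", "nas_state", "sec_state")
UE_LINE = re.compile(r"\[MobiFlow\] Writing UE MobiFlow: (UE;\S+)")


def parse_ue_record(payload):
    """Turn one 'UE;...' payload into a dict; reject records with a wrong field count."""
    parts = payload.strip().split(";")
    if parts[0] != "UE" or len(parts) != len(UE_FIELDS):
        raise ValueError(f"expected {len(UE_FIELDS)} UE fields, got {len(parts)}")
    rec = dict(zip(UE_FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    rec["timestamp"] = float(rec["timestamp"])
    return rec


def extract_ue_records(log_text):
    """Return (records, malformed_lines) for every UE MobiFlow line in the log text."""
    records, malformed = [], []
    for line in log_text.splitlines():
        match = UE_LINE.search(line)
        if not match:
            continue  # BS records, P-BEST debug output, maintenance events, etc.
        try:
            records.append(parse_ue_record(match.group(1)))
        except ValueError:
            malformed.append(line)
    return records, malformed


def audit_sessions(records):
    """Hypothetical stateful rule set, processed in log order.

    - telemetry_gap: msg_id did not increase by exactly one (assumption: one
      global counter for UE records), so the IDS state may be incomplete.
    - accept_before_security: Registrationaccept observed for an RNTI that has
      not completed NAS security mode since its last RRCSetupRequest.
    """
    findings = []
    secured = defaultdict(bool)
    last_id = None
    for rec in records:
        rnti, msg, msg_id = rec["rnti"], rec["msg"], rec["msg_id"]
        if last_id is not None and msg_id != last_id + 1:
            findings.append(("telemetry_gap", rnti, f"msg_id {last_id} -> {msg_id}"))
        last_id = msg_id
        if msg == "RRCSetupRequest":
            secured[rnti] = False  # RNTIs are reused; a new setup starts a new session
        elif msg == "Securitymodecomplete":
            secured[rnti] = True
        elif msg == "Registrationaccept" and not secured[rnti]:
            findings.append(("accept_before_security", rnti, f"msg_id {msg_id}"))
    return findings


def _line(msg_id, rnti, msg, sec_state):
    """Build one constructed log line in the format shown in the MobieXpert log."""
    return ("INFO 2024-03-03 06:32:19 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: "
            f"UE;{msg_id};1709447538360.33;v2.0;SECSM;0;{rnti};0;0;0;2;2;3;{msg};2;1;{sec_state};0;0;0;0;0")


# Constructed sample: RNTI 13410 follows the order seen on this page, RNTI 20001
# (made up) skips authentication and security mode, msg_id 8 is missing, and the
# last UE line is truncated.
SAMPLE_LOG = "\n".join([
    _line(0, 13410, "Registrationrequest", 0),
    _line(1, 13410, "Authenticationrequest", 0),
    _line(2, 13410, "Authenticationresponse", 0),
    _line(3, 13410, "Securitymodecommand", 0),
    _line(4, 13410, "Securitymodecomplete", 1),
    _line(5, 13410, "Registrationaccept", 1),
    "[INFO 2024-03-03 06:32:19,159 pbest.py:75] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 1",
    _line(6, 20001, "Registrationrequest", 0),
    _line(7, 20001, "Registrationaccept", 0),
    _line(9, 20001, "ULNAStransport", 0),
    "INFO 2024-03-03 06:32:20 mobiflow_reader.py:67] [MobiFlow] Writing UE MobiFlow: UE;10;1709447538999.0;v2.0;SECSM;0;20001",
])

if __name__ == "__main__":
    recs, bad = extract_ue_records(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {len(bad)} malformed")
    for kind, rnti, detail in audit_sessions(recs):
        print(f"{kind}: rnti={rnti} ({detail})")
```

To run it against a live deployment, pass the text of the kubectl logs command shown above to extract_ue_records instead of SAMPLE_LOG.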
Due to an RPC bug, possibly in the ONOS Python SDK, the MobieXpert xApp may crash after a certain time (indicated by connection refused in the container log) when it fails to connect to the MobiFlow Auditor xApp through RPC.
As the ONOS Python SDK is no longer maintained, this bug is hard to fix at the moment. The temporary solution is to restart the setup, i.e., the MobiFlow Auditor and MobieXpert xApps, when the crash occurs.
Run the compilation command:
./build_oai -I --gNB --nrUE --build-ric-agent -w USRP --ninja --noavx512
Use -w USRP instead of -w SIMU.
Similar to the RF SIM deployment, but use the nr-usrp config folder. Remove the rfsim argument when running the gNB and nrUE.
OAI-5G (https://github.com/5GSEC/OAI-5G) contains two branches for demonstrating a number of Layer-3 attacks (see https://github.com/5GSEC/OAI-5G/blob/lte.attack/common/attacks/attack_cliopts.h and the 5G-Spector paper for the options). They can run on both LTE networks and 5G networks.
To get started, clone the OAI-5G repo:
git clone https://github.com/5GSEC/OAI-5G attack-OAI
cd attack-OAI
For LTE networks:
git checkout lte.attack
cd cmake_targets
./build_oai --UE -w SIMU --ninja --noavx512
For 5G networks, run:
git checkout nr.attack
cd cmake_targets
./build_oai --nrUE -w SIMU --ninja --noavx512
You can then use the run.sh script to run the attacks by specifying the attack parameters. Before that, you need to configure _oai_attack_root to point to the exploit OAI folder you just cloned. Next, you can run the attacks with the script, for example:
./run.sh rfsim nr-attack --bts-attack 300 --bts-delay 100
Again, please refer to https://github.com/5GSEC/OAI-5G/blob/lte.attack/common/attacks/attack_cliopts.h to learn about the supported exploits.
TODO:
- Modularize the attack implementations with vendor-independent scripts and libraries. Refer to the 5Ghoul framework (https://github.com/asset-group/5ghoul-5g-nr-attacks)
- Better attack and parameter descriptions
- More attacks
Please contact Haohuang Wen ([email protected]) if you have any questions.