CellCrypt is a research tool for finding and analyzing cryptographic misuse in cellular cores. CellCrypt itself is written in Python and serves as a wrapper around CodeQL. The queries contained in CellCrypt are executed against compiled CodeQL databases to extract relevant information, which CellCrypt then processes and outputs as results.
CellCrypt is a result of our work on our paper "Examining Randomness and Cryptographic Failures in Open-Source Cellular Cores", published at CODASPY '24. A link to the paper will be added once the publication is finalized. We are uploading CellCrypt here for archival and transparency, and to advocate and support open-sourcing research artifacts.
CellCrypt uses CodeQL as the analysis engine. The CodeQL libraries used at the time of research are included as a submodule pointing to the relevant commit. However, the CodeQL binary must be downloaded directly.
- Download the CodeQL CLI binary from GitHub at https://github.com/github/codeql-cli-binaries/releases
- Extract the downloaded file to codeql-home/ in the CellCrypt project
- Copy `codeql-home/` to `~/.local/`
- Add the extracted files to `$PATH`
- Test in the CLI using `codeql -v`
Alternatively, follow the instructions at https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli. If you choose this method and wish to use the included libraries, copy `./codeql-home/codeql-repo/` at the appropriate step rather than downloading as instructed.
- Install Python 3 through your package manager or from https://www.python.org/
- Make sure pip is installed: `python -m ensurepip`
- Run `pip install -r requirements.txt` in the CellCrypt project directory
Core | Version | Commit |
---|---|---|
Free5GC | 3.0.2 | f8a6e7c |
SD-Core | 1.3.0 | amf,nrf,smf,ausf, nssf,pcf,udr,udm |
Open5GS | 2.5.6 | 3531166 |
OpenAirInterface CN5G | 1.4.0 | 2ff64a2 |
OpenAirInterface EPC | 1.2.0 | 2dd9a93 |
NextEPC | 1.0.1 | c51673c |
srsRAN | 23.04.1 | fa56836 |
The table above lists the codebase versions and commits used in our experiments.
- For SD-Core, clone all tagged repos into a folder called `sd-core/`.
- For OpenAirInterface EPC, follow the instructions in the repo README to gather all required files. It needs some files from Magma MME.
- For all other cores, download the repos at the specified commits. Make sure to initialize and update all submodules.
After these steps, you should have each core inside a top-level folder named after the core itself. Place each folder inside `docker_containers` and run the Dockerfiles to build the CodeQL databases.
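A pre-flight check for the steps above, added here as an example and not part of CellCrypt: it compares each checkout's HEAD with the short commit id from the table and reports submodules that `git submodule status` marks as uninitialized or out of sync. The folder names under `docker_containers` are assumptions (the real layout is defined in `run.py`), and SD-Core is left out because the table pins it per component rather than by one commit.

```python
import subprocess
from pathlib import Path

# Short commit ids copied from the table above. Folder names are assumptions.
PINNED = {
    "free5gc": "f8a6e7c",
    "open5gs": "3531166",
    "oai-cn5g": "2ff64a2",
    "oai-epc": "2dd9a93",
    "nextepc": "c51673c",
    "srsran": "fa56836",
}

def head_matches(pinned: str, head_sha: str) -> bool:
    """True if the full HEAD sha starts with the pinned short id."""
    return bool(pinned) and head_sha.strip().lower().startswith(pinned.lower())

def bad_submodules(status_output: str) -> list[tuple[str, str]]:
    """Parse `git submodule status` output. A leading '-' means not initialized,
    '+' means checked out at a commit other than the recorded one, 'U' means
    merge conflicts. Returns (flag, path) for every such submodule."""
    bad = []
    for line in status_output.splitlines():
        fields = line[1:].split()
        if line[:1] in ("-", "+", "U") and len(fields) >= 2:
            bad.append((line[0], fields[1]))
    return bad

def git(repo: Path, *args: str) -> str:
    return subprocess.run(["git", "-C", str(repo), *args],
                          capture_output=True, text=True, check=True).stdout

def check_core(root: Path, name: str, pinned: str) -> list[str]:
    """Return a list of human-readable problems for one core checkout."""
    repo = root / name
    if not (repo / ".git").exists():
        return [f"{name}: no git checkout at {repo}"]
    problems = []
    head = git(repo, "rev-parse", "HEAD")
    if not head_matches(pinned, head):
        problems.append(f"{name}: HEAD {head.strip()[:7]} != pinned {pinned}")
    for flag, path in bad_submodules(git(repo, "submodule", "status", "--recursive")):
        problems.append(f"{name}: submodule {path} has state '{flag}'")
    return problems

if __name__ == "__main__":
    root = Path("docker_containers")
    issues = [p for n, c in PINNED.items() for p in check_core(root, n, c)]
    print("\n".join(issues) or "all cores match the pinned commits")
```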
Note: Free5GC, SD-Core, Open5GS, and OAI-5G Dockerfiles are currently under maintenance and missing from the repo. They will be added ASAP. In the meantime, run the scripts found in `scripts/` to build those cores and extract the databases.
- Make sure all databases follow the directory structure specified in `run.py`. The previous instructions should ensure this.
- Execute `python run.py`

For additional information, run `python run.py -h`.
For any questions, feel free to create an issue or reach out to [email protected].