publications
peer-reviewed publications, reverse chronological.
2025
- S&P ’25: BaseBridge: Bridging the Gap Between Over-the-Air and Emulation Testing for Cellular Baseband Firmware. In 2025 IEEE Symposium on Security and Privacy (SP), May 2025.
Current approaches for emulating cellular basebands inherently fall short in comparison to over-the-air testing due to their limited support for the complex peripherals involved in a modern baseband, such as DSPs, SIM cards and RF frontends. Improving such support is a daunting task, requiring deep reverse engineering that is extremely time-consuming, resulting in slow progress. Consequently, techniques such as fuzzing are only able to find relatively shallow bugs, since they are unable to reach the states required for the majority of the baseband to function. To fill this gap, we propose BaseBridge, which enables far more comprehensive simulation of baseband behavior by restoring relevant state from memory dumps of real devices. Our prototype implementation supports baseband firmware from two major vendors (MediaTek and Samsung) and, in contrast to current state-of-the-art emulators, correctly responds to 97% of tested RRC and NAS messages while improving coverage by an average factor of 2.41 (Samsung) and 5.54 (MediaTek). BaseBridge also passes several LTE conformance tests. Our empirical evaluation demonstrates that this enhanced fidelity enables faster discovery of a wider range of bugs thanks to the scalability of emulation; our fuzzing campaign shows that coverage improves by a factor of 2.3-5x overall, and by a factor of 9.0-22.5x for functionality targeted by our approach. BaseBridge unveiled 5 new vulnerabilities, which we have disclosed to the affected vendors.
@inproceedings{11023426,
  author    = {Klischies, Daniel and Goos, Dyon and Hirsch, David and Milburn, Alyssa and Muench, Marius and Moonsamy, Veelasha},
  booktitle = {2025 IEEE Symposium on Security and Privacy (SP)},
  title     = {{BaseBridge}: Bridging the Gap Between Over-the-Air and Emulation Testing for Cellular Baseband Firmware},
  year      = {2025},
  pages     = {1101--1119},
  keywords  = {Baseband; Wireless networks; Scalability; Emulation; Computer bugs; Prototypes; Fuzzing; Security; Microprogramming; Testing; LTE; rehosting; cellular security},
  doi       = {10.1109/SP61157.2025.00142},
  issn      = {2375-1207},
  month     = may,
  publisher = {IEEE},
}