Mainsail: The Security Company

Keysight & Mainsail 5G Cyber Demo

5G networks introduce new capabilities and enhancements over previous generations, such as higher speeds, lower latency, and the ability to connect a massive number of devices. One of the innovative features of 5G is network slicing, which allows operators to create multiple virtual networks with different characteristics over a single physical infrastructure, catering to various use cases. However, this and other features also introduce new threats and vulnerabilities. Here are some of the primary threats to 5G networks:

Cybersecurity Vulnerabilities: The complexity and the software-centric nature of 5G networks, combined with the use of network slicing, increase the attack surface for cyber threats. Attackers could exploit vulnerabilities in the software layers or in the implementation of network slices to launch attacks such as denial of service (DoS), data breaches, or to gain unauthorized access to network functions.

Supply Chain Risks: 5G networks rely on a global supply chain that includes hardware, software, and services from numerous vendors. This dependency introduces risks, such as the potential for inserting malicious hardware or software, including in the components used for network slicing. These vulnerabilities could compromise the integrity and security of the network and the data it carries.

Privacy Concerns: With 5G's ability to support a vast number of connected devices and enable new applications that collect detailed personal data, privacy concerns are amplified. Network slicing could further complicate privacy protection, as different slices may have varying levels of security and data protection standards, potentially leading to inconsistent privacy practices across the network.

Cross-Slice Interference and Isolation Failure: Network slicing aims to provide isolated virtual networks to meet specific requirements. However, a failure in maintaining strict isolation between slices could lead to cross-slice interference or attacks, where a vulnerability in one slice could be exploited to affect another, potentially leading to data leakage or service disruption.

Interference and Jamming: The reliance on higher frequency bands (such as mmWave) for 5G can introduce vulnerabilities to physical-layer attacks, including jamming and interference. These attacks could degrade the performance of the network or disrupt connectivity, affecting not just individual users but entire network slices dedicated to critical services.

Keysight Technologies is a prominent company in the field of electronic design and testing, particularly in the realm of wireless communication technologies like 5G. LoadCore and RuSIM are tools developed by Keysight that aid in modeling and simulating various aspects of 5G networks. Here's an overview of Keysight's 5G modeling capabilities using LoadCore, RuSIM, and WaveJudge:

LoadCore: LoadCore is a scalable, cloud-native 5G testing solution designed to simulate realistic network conditions and subscriber behavior. It enables network equipment manufacturers (NEMs), mobile operators, and chipset vendors to test and validate their 5G infrastructure, devices, and applications under diverse scenarios.

  • Load emulation: LoadCore can emulate a large number of mobile subscribers, each with unique traffic profiles, mobility patterns, and quality of service (QoS) requirements. This allows users to assess how their 5G networks perform under various load conditions, helping to identify potential bottlenecks and optimize resource allocation.

  • Traffic modeling: LoadCore supports the modeling of different types of traffic, including voice, video, data, and IoT (Internet of Things) applications. Users can configure traffic parameters such as packet size, inter-arrival time, and protocol characteristics to accurately represent real-world usage scenarios.

  • Mobility simulation: LoadCore can simulate mobility patterns for mobile subscribers moving within the network. This includes handovers between base stations (handover testing), cell reselection procedures, and mobility management signaling, all of which are essential for evaluating the seamless connectivity and mobility management capabilities of 5G networks.

RuSIM: RuSIM is a radio frequency (RF) channel emulator designed specifically for testing and validating the performance of 5G wireless devices and systems. It provides an accurate representation of the wireless propagation environment, allowing users to assess how different factors such as signal interference, multipath fading, and antenna configurations affect the performance of 5G devices.

  • Fading simulation: RuSIM can simulate various types of fading effects, including Rayleigh fading, Rician fading, and frequency-selective fading, to mimic the real-world propagation characteristics of 5G wireless channels. This enables users to evaluate the robustness of their 5G designs against fading-induced impairments such as intersymbol interference (ISI) and signal attenuation.

  • Interference emulation: RuSIM allows users to introduce interference signals into the test environment to assess the impact of co-channel interference, adjacent channel interference, and other forms of interference on the performance of 5G devices. This is particularly important for evaluating the coexistence of multiple wireless systems operating in the same frequency band.

  • MIMO testing: RuSIM supports multiple-input multiple-output (MIMO) testing, allowing users to evaluate the spatial diversity and multiplexing gain of 5G antenna systems. It can simulate realistic MIMO channel conditions, including channel correlation, spatial fading correlation, and antenna coupling effects, to assess the performance of MIMO beamforming and precoding techniques.

WaveJudge: WaveJudge is a tool designed for testing and analyzing wireless communication systems, focusing mainly on the complexities of modern 5G networks. WaveJudge offers in-depth insights into the inner workings of wireless networks, from the radio access network (RAN) to the core network, enabling engineers to troubleshoot, optimize, and validate network performance and compliance with industry standards.

  • Real-Time Analysis: WaveJudge allows for real-time monitoring and analysis of wireless communications, giving engineers the ability to observe the behavior of the network as it happens. This is crucial for identifying and resolving issues quickly and efficiently.

  • Protocol Testing: It supports detailed testing of various communication protocols used in wireless networks. By simulating network conditions and scenarios, WaveJudge helps ensure that devices and network components correctly implement these protocols and can operate effectively in a live network environment.

  • Network Performance Optimization: The tool can analyze network performance, identifying bottlenecks or inefficiencies. This information is vital for network operators looking to optimize their networks for maximum speed, capacity, and reliability.

Mainsail has been collaborating with Keysight to look at ways to secure and monitor 5G networks. Many 5G components have no inherent security controls built in and rely on traditional security tools that are largely reactive, acting only after a threat or compromise has occurred. Metalvisor presents a new approach to security: it takes a proactive role in securing systems and prevents exploits from succeeding in the first place.

Metalvisor is a platform that uses hardware-based isolation to give workloads like 5G the determinism and quality of service (QoS) needed to run the low-latency, real-time components of the 5G core network functions.

5G Radio Access Networks (RANs) bring forth the gNodeB (gNB), which is the advanced successor to the LTE network's eNodeB. With its Release 15, the 3GPP has unveiled a flexible architecture for the 5G RAN, segmenting the gNB into three components: the Centralized Unit (CU), the Distributed Unit (DU), and the Radio Unit (RU).

In this demo, Metalvisor was used to run srsRAN, an open-source 5G software stack. srsRAN provided the Distributed Unit (DU) and Centralized Unit (CU) components of the 5G network.

In our combined demo, we used RuSIM to simulate baseband for one or more UEs and RUs, emulating the RF channel and beamforming operations at baseband. We then used WaveJudge to analyze the 5G RF protocols in the network. LoadCore was used to simulate realistic network conditions and subscriber behavior and to show the connectivity of the simulated UE and RU devices as well as our DU and CU nodes.

The goal was to show how a 5G component can use Metalvisor to protect itself from an imminent cyber attack without the intervention of a security analyst or response team.

Normally, if an attacker is able to launch a debugger on your system, the door is open to many malicious attacks:

  • Memory Inspection: The attacker could inspect the memory contents of running processes. This can reveal sensitive information such as passwords, encryption keys, or other confidential data stored in memory.

  • Code Manipulation: With debugger access, an attacker could modify the execution flow of programs, inject malicious code, or alter the behavior of applications. This could be used to bypass security mechanisms, elevate privileges, or execute unauthorized commands.

  • Process Control: An attacker could pause, resume, or alter the state of running processes. This control could be used to create a denial of service (DoS) condition, interfere with critical system or application processes, or leverage process control for further exploitation.

  • Privilege Escalation: If the debugger is launched with higher privileges, an attacker could use it to escalate their own privileges on the system. This might involve exploiting vulnerabilities in running processes or manipulating system configurations.

  • Bypassing Security Measures: Debuggers can be used to analyze and find ways to bypass security mechanisms such as antivirus detection, security-hardened binaries (like those protected by Address Space Layout Randomization [ASLR] or Data Execution Prevention [DEP]), or other protective measures implemented on the system.

  • Stealth Operations: An attacker could use a debugger to modify applications or processes in a way that hides their malicious activities from system monitoring tools, effectively operating under the radar.

  • Exfiltration of Data: By analyzing and manipulating processes, an attacker could identify ways to extract or exfiltrate data from the system without being detected.

To prevent this malicious attack, we can define a workload policy for srsRAN that halts and restarts the machine whenever this type of attack is observed. In terms of the CIA triad (confidentiality, integrity, and availability), we would choose to lose availability rather than confidentiality or integrity. Losing confidentiality could mean losing valuable information such as secrets, keys, and data. Losing integrity could allow an attacker to implant some form of persistence, such as rootkits and bootkits.

Architects can define different policies for their own workloads: some use cases value availability over confidentiality and integrity, and a policy can instead alert on the debugger's presence and take no action. Additionally, many 5G networks now run on Kubernetes, which can handle node failure and reschedule workloads to other healthy or available nodes.
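The two policy choices described above (halt and restart to protect confidentiality and integrity, or alert only to preserve availability) can be made concrete with a small decision routine. The following is an added example and not Metalvisor's, Mainsail's or Keysight's code: it detects an attached debugger from the Linux `TracerPid` field of `/proc/<pid>/status` (a real kernel interface) and applies a per-workload policy. The policy structure, the action names and the `srsran-cu-du` workload name are assumptions made for this illustration, and the two status texts are constructed samples.

```python
"""Added example: a toy workload policy that reacts to a debugger attaching.

Detection: on Linux, /proc/<pid>/status carries a ``TracerPid`` line that is 0
when no process is ptrace-attached and otherwise holds the tracer's PID.
Policy format, action names and the workload name are assumptions for this
example, not Metalvisor's real configuration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    HALT_RESTART = "halt_restart"  # give up availability to protect C and I
    ALERT_ONLY = "alert_only"      # keep running, notify operators


@dataclass(frozen=True)
class WorkloadPolicy:
    workload: str      # hypothetical workload identifier
    on_debugger: Action


# Two policies for the same srsRAN DU/CU workload (name is an assumption).
PROTECT_CI = WorkloadPolicy("srsran-cu-du", Action.HALT_RESTART)
PREFER_AVAILABILITY = WorkloadPolicy("srsran-cu-du", Action.ALERT_ONLY)

# Constructed /proc/<pid>/status excerpts: one clean, one with a tracer attached.
CLEAN_STATUS = "Name:\tgnb\nState:\tS (sleeping)\nTracerPid:\t0\n"
TRACED_STATUS = "Name:\tgnb\nState:\tt (tracing stop)\nTracerPid:\t4242\n"


def tracer_pid(status_text: str) -> int:
    """Return the TracerPid value from /proc/<pid>/status text (0 = not traced)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("no TracerPid field in status text")


def decide(policy: WorkloadPolicy, status_text: str) -> Optional[Action]:
    """Apply the workload policy: None when no debugger is attached,
    otherwise the action the policy prescribes."""
    if tracer_pid(status_text) == 0:
        return None
    return policy.on_debugger


def check_self(policy: WorkloadPolicy) -> Optional[Action]:
    """Evaluate the policy against the running process's own status file."""
    with open("/proc/self/status", encoding="ascii") as f:
        return decide(policy, f.read())


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_STATUS), ("traced", TRACED_STATUS)):
        print(label, "->", decide(PROTECT_CI, text), "/", decide(PREFER_AVAILABILITY, text))
    try:
        # Only a process that actually has a debugger attached gets an action here.
        print("live check ->", check_self(PROTECT_CI))
    except FileNotFoundError:
        print("/proc not available on this platform")
```

The point of separating `decide` from the enforcement action is that the same detection signal serves both policies; which action follows is a per-workload choice, matching the trade-off between availability and confidentiality/integrity described above.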