Pith. sign in

REVIEW 2 major objections 2 minor 40 references

Timing-induced interaction failures are prevalent in LTE and 5G core networks and can be found by a lightweight tester without standards analysis.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.3

2026-06-28 20:17 UTC pith:SI3DECTM

load-bearing objection Kairos shows timing between control-plane messages can crash LTE/5G cores and gives a lightweight way to hunt for them, turning up 20 new cases on real networks. the 2 major comments →

arxiv 2605.30985 v1 pith:SI3DECTM submitted 2026-05-29 cs.NI

Kairos: Lightweight Testing Framework for Timing-Induced Interaction Failures in LTE and 5G Core Networks

classification cs.NI
keywords timing-induced interaction failuresLTE core networks5G core networkstesting frameworkcontrol-plane interactionsnetwork vulnerabilitiestiming bugsnetwork function crashes
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper defines timing-induced interaction failures as crashes triggered by specific timings between control-plane messages in cellular cores. It first builds a taxonomy of interaction patterns and their failure modes. It then presents Kairos, a framework that exercises those patterns by varying message timings to surface crashes. When applied to two open-source and two commercial LTE and 5G cores, Kairos identifies 20 previously unknown vulnerabilities and reproduces 34 known issues. The authors conclude that such failures are common enough to require explicit treatment in future network specifications.

Core claim

By establishing a taxonomy of control-plane interaction patterns and implementing the Kairos testing framework, the authors demonstrate that timing-induced interaction failures—crashes caused by particular message timings—occur across both open-source and commercial LTE and 5G core networks, surfacing 54 total issues without reference to cellular standard documents.

What carries the argument

Kairos, a lightweight testing framework that uses a taxonomy of control-plane interaction patterns to inject controlled timing delays between messages and detect resulting network-function crashes.

Load-bearing premise

That a taxonomy of control-plane interaction patterns is sufficient to expose timing-induced failures without analyzing cellular standard documents.

What would settle it

Applying the same timing tests to additional commercial 5G cores and observing no crashes or vulnerabilities would falsify the claim of prevalence.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Future cellular specifications should define timing constraints for control-plane interactions.
  • Core-network implementers can use pattern-based timing tests to catch crashes before deployment.
  • Both open-source and commercial products contain reproducible timing issues that existing input-focused tools miss.
  • Network operators gain a practical method to audit live deployments for these failures.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same pattern taxonomy could be applied to other stateful distributed protocols outside cellular networks.
  • Integrating Kairos-style checks into continuous integration would reduce the chance of timing bugs reaching production.
  • Current verification methods that ignore timing may systematically understate the attack surface of control-plane software.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 2 minor

Summary. The paper introduces Kairos, a lightweight testing framework for timing-induced interaction failures in LTE and 5G core networks. It first establishes a taxonomy of control-plane interaction patterns and analyzes their failure modes, then implements the framework to expose such failures without analyzing cellular standard documents. Evaluation on two open-source and two commercial LTE/5G core networks is reported to uncover 20 new vulnerabilities and reproduce 34 existing issues, leading to the conclusion that timing-induced failures are prevalent and should be considered in future specifications.

Significance. If the empirical results hold under scrutiny, the work identifies an underexplored class of vulnerabilities arising from timing in control-plane interactions and supplies a practical, lightweight testing tool. The empirical, falsifiable nature of the claims (via reproduction on the described testbeds) is a strength, as is the focus on a framework that avoids direct standard-document analysis.

major comments (2)
  1. [Evaluation] Evaluation (results reporting): The abstract and evaluation claim 20 new vulnerabilities and 34 reproduced issues across four networks, yet supply no details on test methodology, failure confirmation procedures, or controls for false positives. This is load-bearing for the central empirical claims and prevents assessment of whether the data support the reported counts.
  2. [Framework Design] Taxonomy and framework design: The paper positions the taxonomy of interaction patterns and the lightweight framework as sufficient without analyzing cellular standard documents, but provides no concrete validation that the taxonomy captures all relevant patterns or that the timing-injection approach systematically covers the claimed failure modes.
minor comments (2)
  1. [Evaluation] Clarify the exact versions and configurations of the two open-source and two commercial networks used in the evaluation to aid reproducibility.
  2. [Abstract] The abstract states the framework is 'lightweight' but does not quantify resource usage or compare against alternative testing approaches.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments. The evaluation details are described in the manuscript but we agree they can be presented more explicitly to support the empirical claims. We address each major comment below.

read point-by-point responses
  1. Referee: [Evaluation] Evaluation (results reporting): The abstract and evaluation claim 20 new vulnerabilities and 34 reproduced issues across four networks, yet supply no details on test methodology, failure confirmation procedures, or controls for false positives. This is load-bearing for the central empirical claims and prevents assessment of whether the data support the reported counts.

    Authors: We acknowledge that the presentation of evaluation methodology can be strengthened for clarity. The manuscript outlines the testbed configurations in Section 5, the timing injection procedure in Section 4.3, and failure detection via core network logs and observable crashes. To directly address the concern, we will add a dedicated subsection in the evaluation (Section 5) titled 'Failure Confirmation and Controls for False Positives'. This will detail the multi-run reproduction protocol, cross-validation across network instances, baseline tests without timing perturbations, and manual log inspection steps used to confirm each of the 54 issues. These additions will make the reported counts more readily verifiable without altering the underlying results. revision: yes

  2. Referee: [Framework Design] Taxonomy and framework design: The paper positions the taxonomy of interaction patterns and the lightweight framework as sufficient without analyzing cellular standard documents, but provides no concrete validation that the taxonomy captures all relevant patterns or that the timing-injection approach systematically covers the claimed failure modes.

    Authors: The taxonomy was constructed from empirical observation of control-plane message sequences across our testbeds combined with patterns reported in prior cellular protocol studies; this approach is intentional to keep the framework lightweight and independent of direct standard-document analysis. Coverage is evidenced by the successful reproduction of 34 known issues and discovery of 20 new vulnerabilities across four distinct networks. To provide more explicit validation, we will expand Section 3 with a paragraph on taxonomy construction, including concrete mappings of each pattern to observed timing-induced failure modes, and a summary table showing which patterns triggered the reported issues in our experiments. revision: partial

Circularity Check

0 steps flagged

Empirical framework with no derivation chain

full rationale

The paper is an empirical study that defines a taxonomy of control-plane interaction patterns, implements a lightweight testing tool (Kairos), and reports observed crashes and vulnerabilities from direct evaluation on four networks. No equations, fitted parameters, predictions, or mathematical derivations appear in the abstract or described methodology. The central claims rest on falsifiable experimental counts rather than any reduction to inputs by construction or self-citation chains. This is the expected non-finding for a purely empirical testing paper.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The paper is an empirical systems and security contribution with no mathematical derivations, free parameters, or invented entities visible in the abstract.

pith-pipeline@v0.9.1-grok · 5732 in / 1108 out tokens · 27361 ms · 2026-06-28T20:17:26.641987+00:00 · methodology

0 comments
read the original abstract

As cellular core networks evolve toward distributed and cloud-native architectures, control-plane interactions become more intricate and bring new challenges. Among these challenges, we find that introducing specific timing between two control-plane interactions can cause network function crash, which we define as timing-induced interaction failures. Prior research primarily addresses identifying malformed inputs and specification violations, while timing-induced interaction failures remain largely unexplored. In this paper, we conduct a systematic study of timing-induced interaction failures in LTE and 5G core networks. First, we establish a taxonomy of control-plane interaction patterns and analyze the failure modes of each pattern. Then, we design and implement Kairos, a lightweight testing framework to expose timing-induced interaction failures without analyzing cellular standard documents. Evaluating Kairos on two open source and two commercial LTE and 5G core networks, we uncover 20 new vulnerabilities and reproduce 34 existing issues. Our results show that timing-induced interaction failures are prevalent in LTE and 5G core networks and should be explicitly considered in future specifications.

Figures

Figures reproduced from arXiv: 2605.30985 by Hao Zheng, Jiadai Wang, Jiajia Liu, Jiapeng Li, Jun Kong, Junman Qin, Qiang Fu, Wei Guo, Yuanhao Li.

Figure 1
Figure 1. Figure 1: An abnormal registration handling case specified [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Illustration of interaction patterns involving t [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Design of Kairos [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: An example timing scenario configuration. [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: An interleaving interaction failure caused by two [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: A nested interaction failure caused by the attach [PITH_FULL_IMAGE:figures/full_fig_p011_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: An incomplete interaction failure caused by retur [PITH_FULL_IMAGE:figures/full_fig_p012_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Operational view of Kairos configuration and de [PITH_FULL_IMAGE:figures/full_fig_p012_8.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

40 extracted references

  1. [1]

    General Packet Radio Service (GPRS) Enhance- ments for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) Access

    3GPP. General Packet Radio Service (GPRS) Enhance- ments for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) Access. Technical Specification (TS) 23.401, 2022. V ersion18.0.0

  2. [2]

    System Architecture for the 5G System

    3GPP. System Architecture for the 5G System. Techni- cal Specification (TS) 23.501, 2025. V ersion 18.12.0

  3. [3]

    Security Architecture and Procedures for 5G System

    3GPP. Security Architecture and Procedures for 5G System. Technical Specification (TS) 33.501, 2025. V ersion 18.10.0

  4. [4]

    Procedures for the 5G System (5GS)

    3GPP. Procedures for the 5G System (5GS). Technical Specification (TS) 23.502, 2025. V ersion 18.12.0

  5. [5]

    Non-Access-Stratum (NAS) Protocol for 5G System (5GS); Stage 3

    3GPP. Non-Access-Stratum (NAS) Protocol for 5G System (5GS); Stage 3. Technical Specification (TS) 24.501, 2025. V ersion 18.13.1

  6. [6]

    5G Security Assurance Specification (SCAS); Access and Mobility management Function (AMF)

    3GPP. 5G Security Assurance Specification (SCAS); Access and Mobility management Function (AMF). Technical Specification (TS) 33.512, 2023. V ersion 18.0.0

  7. [7]

    Open Source 5G Core Network

    Open5GS. Open Source 5G Core Network. https:// open5gs.org

  8. [8]

    Open Source 5G Core Network

    Free5GC. Open Source 5G Core Network. https:// www.free5gc.org

  9. [9]

    Open Source RAN and Core Net- work Software

    SRSRAN Project. Open Source RAN and Core Net- work Software. https://www.srsran.com

  10. [10]

    Open Source 5G UE and RAN Simulator

    UERANSIM. Open Source 5G UE and RAN Simulator. https://github.com/aligungr/UERANSIM

  11. [11]

    To- ward a cloud-native telecom infrastructure: Analysis and evaluations of kubernetes networking

    Shu Sekigawa, Chikara Sasaki, and Atsushi Tagami. To- ward a cloud-native telecom infrastructure: Analysis and evaluations of kubernetes networking. In 2022 IEEE Globecom W orkshops (GC Wkshps) , pages 838–

  12. [12]

    Exploring ml methods for dynamic scaling of be- yond 5g cloud-native rans

    Akrit Mudvari, Nikos Makris, and Leandros Tassiu- las. Exploring ml methods for dynamic scaling of be- yond 5g cloud-native rans. In ICC 2022-IEEE Inter- national Conference on Communications , pages 2284–

  13. [13]

    Cloud-native orchestration framework for network slice federation across administrative do- mains in 5g/6g mobile networks

    Michail Dalgitsis, Nicola Cadenelli, Maria A Ser- rano, Nikolaos Bartzoudis, Luis Alonso, and Angelos Antonopoulos. Cloud-native orchestration framework for network slice federation across administrative do- mains in 5g/6g mobile networks. IEEE Transactions on V ehicular T echnology, 73(7):9306–9319, 2024

  14. [14]

    5gc-fuzz: Finding deep stateful vulner- abilities in 5g core network with black-box fuzzing

    Y u Sun, Xinyu Liu, Qian Sun, Jiaming Wang, Lin Tian, and Jianwei Liu. 5gc-fuzz: Finding deep stateful vulner- abilities in 5g core network with black-box fuzzing. In IEEE INFOCOM 2025-IEEE Conference on Computer Communications, pages 1–10. IEEE, 2025

  15. [15]

    Corecrisis:threat-guided and context-aware iter- ative learning and fuzzing of 5g core networks

    Yilu Dong, Tianchang Y ang, Abdullah Al Ishtiaq, Syed Md Mukit Rashid, Ali Ranjbar, Kai Tu, Tian- wei Wu, Md Sultan Mahmud, and Syed Rafiul Hus- sain. Corecrisis:threat-guided and context-aware iter- ative learning and fuzzing of 5g core networks. In 34th USENIX Security Symposium (USENIX Security 25), pages 5287–5306, 2025

  16. [16]

    Citesting: Systematic testing of context integrity violations in lte core net- works

    Mincheol Son, Kwangmin Kim, Beomseok Oh, Che- olJun Park, and Y ongdae Kim. Citesting: Systematic testing of context integrity violations in lte core net- works. In Proceedings of the 2025 ACM SIGSAC Con- ference on Computer and Communications Security , pages 276–290, 2025

  17. [17]

    Hermes: Unlocking security analysis of cellular network protocols by synthesizing finite state machines from natural language specifications

    Abdullah Al Ishtiaq, Sarkar Snigdha Sarathi Das, Syed Md Mukit Rashid, Ali Ranjbar, Kai Tu, Tianwei Wu, Zhezheng Song, Weixuan Wang, Mujtahid Akon, Rui Zhang, et al. Hermes: Unlocking security analysis of cellular network protocols by synthesizing finite state machines from natural language specifications. In 33rd USENIX Security Symposium (USENIX Security ...

  18. [18]

    Cellularlint: A systematic approach to iden- tify inconsistent behavior in cellular network specifica- tions

    Mirza Masfiqur Rahman, Imtiaz Karim, and Elisa Bertino. Cellularlint: A systematic approach to iden- tify inconsistent behavior in cellular network specifica- tions. In 33rd USENIX Security Symposium (USENIX Security 24), pages 5215–5232, 2024

  19. [19]

    Unleashing the power of llm to infer state machine from the protocol im- plementation

    Haiyang Wei, Ligeng Chen, Zhengjie Du, Y uhan Wu, Haohui Huang, Y ue Liu, Guang Cheng, Fengyuan Xu, Linzhang Wang, and Bing Mao. Unleashing the power of llm to infer state machine from the protocol im- plementation. In 2025 IEEE/ACM 33rd International Symposium on Quality of Service (IWQoS) , pages 1–10. IEEE, 2025

  20. [20]

    Dissecting privacy-exposing identi- fiers in 5g/4g networks

    Munshi Saifuzzaman, Ke Xie, Tian Xie, Xiao Zhang, and Xinyu Lei. Dissecting privacy-exposing identi- fiers in 5g/4g networks. In 2025 IEEE Conference on Dependable and Secure Computing (DSC) , pages 1–9. IEEE, 2025

  21. [21]

    Instructions unclear: undefined behaviour in cellular network specifications

    Daniel Klischies, Moritz Schloegel, Tobias Scharnowski, Mikhail Bogodukhov, David Rup- precht, and V eelasha Moonsamy. Instructions unclear: undefined behaviour in cellular network specifications. In 32nd USENIX Security Symposium (USENIX Security 23), pages 3475–3492, 2023. 15

  22. [22]

    Noncom- pliance as deviant behavior: An automated black-box noncompliance checker for 4g lte cellular devices

    Syed Rafiul Hussain, Imtiaz Karim, Abdullah Al Ish- tiaq, Omar Chowdhury, and Elisa Bertino. Noncom- pliance as deviant behavior: An automated black-box noncompliance checker for 4g lte cellular devices. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security , pages 1082– 1099, 2021

  23. [23]

    Touching the untouchables: Dynamic security analysis of the lte control plane

    Hongil Kim, Jiho Lee, Eunkyu Lee, and Y ongdae Kim. Touching the untouchables: Dynamic security analysis of the lte control plane. In 2019 IEEE Symposium on Se- curity and Privacy (SP), pages 1153–1168. IEEE, 2019

  24. [24]

    Sherlock on specs: Building lte conformance tests through automated reasoning

    Yi Chen, Di Tang, Y epeng Y ao, Mingming Zha, Xi- aoFeng Wang, Xiaozhong Liu, Haixu Tang, and Baoxu Liu. Sherlock on specs: Building lte conformance tests through automated reasoning. In 32nd USENIX Se- curity Symposium (USENIX Security 23) , pages 3529– 3545, 2023

  25. [25]

    Intelligent fuzzing algorithm for 5g nas protocol based on predefined rules

    Fengjiao He, Wenchuan Y ang, Baojiang Cui, and Jia Cui. Intelligent fuzzing algorithm for 5g nas protocol based on predefined rules. In 2022 International Con- ference on Computer Communications and Networks (ICCCN), pages 1–7. IEEE, 2022

  26. [26]

    Nlp-based cross-layer 5g vulnerabilities detection via fuzzing generated run- time profiling

    Zhuzhu Wang and Ying Wang. Nlp-based cross-layer 5g vulnerabilities detection via fuzzing generated run- time profiling. In 2023 IEEE 12th International Confer- ence on Cloud Networking (CloudNet) , pages 194–202. IEEE, 2023

  27. [27]

    Metastable failures in distributed systems

    Nathan Bronson, Abutalib Aghayev, Aleksey Charapko, and Timothy Zhu. Metastable failures in distributed systems. In Proceedings of the W orkshop on Hot T opics in Operating Systems, pages 221–227, 2021

  28. [28]

    Metastable failures in the wild

    Lexiang Huang, Matthew Magnusson, Abishek Ban- galore Muralikrishna, Salman Estyak, Rebecca Isaacs, Abutalib Aghayev, Timothy Zhu, and Aleksey Chara- pko. Metastable failures in the wild. In 16th USENIX Symposium on Operating Systems Design and Imple- mentation (OSDI 22) , pages 73–90, 2022

  29. [29]

    Analyzing metastable failures

    Rebecca Isaacs, Peter Alvaro, Rupak Majumdar, Kiran Kumar, Muniswamy Reddy, Mahmoud Salamati, and Sadegh Soudjani. Analyzing metastable failures. In Proceedings of the 2025 W orkshop on Hot T opics in Op- erating Systems, pages 172–178, 2025

  30. [30]

    Amfuzz: Black-box fuzzing of 5g core net- works

    Francesco Mancini, Sara Da Canal, and Giuseppe Bianchi. Amfuzz: Black-box fuzzing of 5g core net- works. In 2024 19th Wireless On-Demand Network Systems and Services Conference (WONS) , pages 17–

  31. [31]

    Lteinspector: A systematic ap- proach for adversarial testing of 4g lte

    Syed Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. Lteinspector: A systematic ap- proach for adversarial testing of 4g lte. In Network and Distributed Systems Security (NDSS) Symposium 2018 , 2018

  32. [32]

    A for- mal analysis of 5g authentication

    David Basin, Jannik Dreier, Lucca Hirschi, Saša Radomirovic, Ralf Sasse, and Vincent Stettler. A for- mal analysis of 5g authentication. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pages 1383–1396, 2018

  33. [33]

    5greasoner: A property-directed security and privacy analysis frame- work for 5g cellular network protocol

    Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5greasoner: A property-directed security and privacy analysis frame- work for 5g cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security , pages 669–684, 2019

  34. [34]

    Component- based formal analysis of 5g-aka: Channel assumptions and session confusion

    Cas Cremers and Martin Dehnel-Wild. Component- based formal analysis of 5g-aka: Channel assumptions and session confusion. In Network and Distributed System Security Symposium (NDSS) . Internet Society, 2019

  35. [35]

    Privacy-preserving and standard-compatible aka pro- tocol for 5g

    Y uchen Wang, Zhenfeng Zhang, and Y ongquan Xie. Privacy-preserving and standard-compatible aka pro- tocol for 5g. In 30th USENIX security symposium (USENIX security 21) , pages 3595–3612, 2021

  36. [36]

    A com- prehensive formal analysis of 5g handover

    Aleksi Peltonen, Ralf Sasse, and David Basin. A com- prehensive formal analysis of 5g handover. In Pro- ceedings of the 14th ACM conference on security and privacy in wireless and mobile networks , pages 1–12, 2021

  37. [37]

    A formal analysis of 5g eap-tls protocol

    Min Shi, Jing Chen, Zhuangzhuang Ma, Kun He, Meng Jia, and Ruiying Du. A formal analysis of 5g eap-tls protocol. IEEE Transactions on Networking, 2025

  38. [38]

    Formal analysis of access con- trol mechanism of 5g core network

    Mujtahid Akon, Tianchang Y ang, Yilu Dong, and Syed Rafiul Hussain. Formal analysis of access con- trol mechanism of 5g core network. In Proceedings of the 2023 ACM SIGSAC conference on computer and communications security, pages 666–680, 2023

  39. [39]

    From control to chaos: A comprehensive for- mal analysis of 5g’s access control

    Mujtahid Akon, Md Toufikuzzaman, and Syed Rafiul Hussain. From control to chaos: A comprehensive for- mal analysis of 5g’s access control. In 2025 IEEE Symposium on Security and Privacy (SP) , pages 1081–

  40. [40]

    For- malization of a security access control model for the 5g system

    Luis Suárez, David Espes, Frédéric Cuppens, Philippe Bertin, Cao-Thanh Phan, and Philippe Le Parc. For- malization of a security access control model for the 5g system. In 2020 11th International Conference on Net- work of the Future (NoF) , pages 150–158. IEEE, 2020. 16