REVIEW 2 major objections 2 minor 40 references
Timing-induced interaction failures are prevalent in LTE and 5G core networks and can be found by a lightweight tester without standards analysis.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.3
2026-06-28 20:17 UTC pith:SI3DECTM
load-bearing objection Kairos shows timing between control-plane messages can crash LTE/5G cores and gives a lightweight way to hunt for them, turning up 20 new cases on real networks. the 2 major comments →
Kairos: Lightweight Testing Framework for Timing-Induced Interaction Failures in LTE and 5G Core Networks
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
By establishing a taxonomy of control-plane interaction patterns and implementing the Kairos testing framework, the authors demonstrate that timing-induced interaction failures—crashes caused by particular message timings—occur across both open-source and commercial LTE and 5G core networks, surfacing 54 total issues without reference to cellular standard documents.
What carries the argument
Kairos, a lightweight testing framework that uses a taxonomy of control-plane interaction patterns to inject controlled timing delays between messages and detect resulting network-function crashes.
Load-bearing premise
That a taxonomy of control-plane interaction patterns is sufficient to expose timing-induced failures without analyzing cellular standard documents.
What would settle it
Applying the same timing tests to additional commercial 5G cores and observing no crashes or vulnerabilities would falsify the claim of prevalence.
If this is right
- Future cellular specifications should define timing constraints for control-plane interactions.
- Core-network implementers can use pattern-based timing tests to catch crashes before deployment.
- Both open-source and commercial products contain reproducible timing issues that existing input-focused tools miss.
- Network operators gain a practical method to audit live deployments for these failures.
Where Pith is reading between the lines
- The same pattern taxonomy could be applied to other stateful distributed protocols outside cellular networks.
- Integrating Kairos-style checks into continuous integration would reduce the chance of timing bugs reaching production.
- Current verification methods that ignore timing may systematically understate the attack surface of control-plane software.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces Kairos, a lightweight testing framework for timing-induced interaction failures in LTE and 5G core networks. It first establishes a taxonomy of control-plane interaction patterns and analyzes their failure modes, then implements the framework to expose such failures without analyzing cellular standard documents. Evaluation on two open-source and two commercial LTE/5G core networks is reported to uncover 20 new vulnerabilities and reproduce 34 existing issues, leading to the conclusion that timing-induced failures are prevalent and should be considered in future specifications.
Significance. If the empirical results hold under scrutiny, the work identifies an underexplored class of vulnerabilities arising from timing in control-plane interactions and supplies a practical, lightweight testing tool. The empirical, falsifiable nature of the claims (via reproduction on the described testbeds) is a strength, as is the focus on a framework that avoids direct standard-document analysis.
major comments (2)
- [Evaluation] Evaluation (results reporting): The abstract and evaluation claim 20 new vulnerabilities and 34 reproduced issues across four networks, yet supply no details on test methodology, failure confirmation procedures, or controls for false positives. This is load-bearing for the central empirical claims and prevents assessment of whether the data support the reported counts.
- [Framework Design] Taxonomy and framework design: The paper positions the taxonomy of interaction patterns and the lightweight framework as sufficient without analyzing cellular standard documents, but provides no concrete validation that the taxonomy captures all relevant patterns or that the timing-injection approach systematically covers the claimed failure modes.
minor comments (2)
- [Evaluation] Clarify the exact versions and configurations of the two open-source and two commercial networks used in the evaluation to aid reproducibility.
- [Abstract] The abstract states the framework is 'lightweight' but does not quantify resource usage or compare against alternative testing approaches.
Simulated Author's Rebuttal
We thank the referee for the constructive comments. The evaluation details are described in the manuscript but we agree they can be presented more explicitly to support the empirical claims. We address each major comment below.
read point-by-point responses
-
Referee: [Evaluation] Evaluation (results reporting): The abstract and evaluation claim 20 new vulnerabilities and 34 reproduced issues across four networks, yet supply no details on test methodology, failure confirmation procedures, or controls for false positives. This is load-bearing for the central empirical claims and prevents assessment of whether the data support the reported counts.
Authors: We acknowledge that the presentation of evaluation methodology can be strengthened for clarity. The manuscript outlines the testbed configurations in Section 5, the timing injection procedure in Section 4.3, and failure detection via core network logs and observable crashes. To directly address the concern, we will add a dedicated subsection in the evaluation (Section 5) titled 'Failure Confirmation and Controls for False Positives'. This will detail the multi-run reproduction protocol, cross-validation across network instances, baseline tests without timing perturbations, and manual log inspection steps used to confirm each of the 54 issues. These additions will make the reported counts more readily verifiable without altering the underlying results. revision: yes
-
Referee: [Framework Design] Taxonomy and framework design: The paper positions the taxonomy of interaction patterns and the lightweight framework as sufficient without analyzing cellular standard documents, but provides no concrete validation that the taxonomy captures all relevant patterns or that the timing-injection approach systematically covers the claimed failure modes.
Authors: The taxonomy was constructed from empirical observation of control-plane message sequences across our testbeds combined with patterns reported in prior cellular protocol studies; this approach is intentional to keep the framework lightweight and independent of direct standard-document analysis. Coverage is evidenced by the successful reproduction of 34 known issues and discovery of 20 new vulnerabilities across four distinct networks. To provide more explicit validation, we will expand Section 3 with a paragraph on taxonomy construction, including concrete mappings of each pattern to observed timing-induced failure modes, and a summary table showing which patterns triggered the reported issues in our experiments. revision: partial
Circularity Check
Empirical framework with no derivation chain
full rationale
The paper is an empirical study that defines a taxonomy of control-plane interaction patterns, implements a lightweight testing tool (Kairos), and reports observed crashes and vulnerabilities from direct evaluation on four networks. No equations, fitted parameters, predictions, or mathematical derivations appear in the abstract or described methodology. The central claims rest on falsifiable experimental counts rather than any reduction to inputs by construction or self-citation chains. This is the expected non-finding for a purely empirical testing paper.
Axiom & Free-Parameter Ledger
read the original abstract
As cellular core networks evolve toward distributed and cloud-native architectures, control-plane interactions become more intricate and bring new challenges. Among these challenges, we find that introducing specific timing between two control-plane interactions can cause network function crash, which we define as timing-induced interaction failures. Prior research primarily addresses identifying malformed inputs and specification violations, while timing-induced interaction failures remain largely unexplored. In this paper, we conduct a systematic study of timing-induced interaction failures in LTE and 5G core networks. First, we establish a taxonomy of control-plane interaction patterns and analyze the failure modes of each pattern. Then, we design and implement Kairos, a lightweight testing framework to expose timing-induced interaction failures without analyzing cellular standard documents. Evaluating Kairos on two open source and two commercial LTE and 5G core networks, we uncover 20 new vulnerabilities and reproduce 34 existing issues. Our results show that timing-induced interaction failures are prevalent in LTE and 5G core networks and should be explicitly considered in future specifications.
Figures
Reference graph
Works this paper leans on
-
[1]
General Packet Radio Service (GPRS) Enhance- ments for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) Access
3GPP. General Packet Radio Service (GPRS) Enhance- ments for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) Access. Technical Specification (TS) 23.401, 2022. V ersion18.0.0
2022
-
[2]
System Architecture for the 5G System
3GPP. System Architecture for the 5G System. Techni- cal Specification (TS) 23.501, 2025. V ersion 18.12.0
2025
-
[3]
Security Architecture and Procedures for 5G System
3GPP. Security Architecture and Procedures for 5G System. Technical Specification (TS) 33.501, 2025. V ersion 18.10.0
2025
-
[4]
Procedures for the 5G System (5GS)
3GPP. Procedures for the 5G System (5GS). Technical Specification (TS) 23.502, 2025. V ersion 18.12.0
2025
-
[5]
Non-Access-Stratum (NAS) Protocol for 5G System (5GS); Stage 3
3GPP. Non-Access-Stratum (NAS) Protocol for 5G System (5GS); Stage 3. Technical Specification (TS) 24.501, 2025. V ersion 18.13.1
2025
-
[6]
5G Security Assurance Specification (SCAS); Access and Mobility management Function (AMF)
3GPP. 5G Security Assurance Specification (SCAS); Access and Mobility management Function (AMF). Technical Specification (TS) 33.512, 2023. V ersion 18.0.0
2023
-
[7]
Open Source 5G Core Network
Open5GS. Open Source 5G Core Network. https:// open5gs.org
-
[8]
Open Source 5G Core Network
Free5GC. Open Source 5G Core Network. https:// www.free5gc.org
-
[9]
Open Source RAN and Core Net- work Software
SRSRAN Project. Open Source RAN and Core Net- work Software. https://www.srsran.com
-
[10]
Open Source 5G UE and RAN Simulator
UERANSIM. Open Source 5G UE and RAN Simulator. https://github.com/aligungr/UERANSIM
-
[11]
To- ward a cloud-native telecom infrastructure: Analysis and evaluations of kubernetes networking
Shu Sekigawa, Chikara Sasaki, and Atsushi Tagami. To- ward a cloud-native telecom infrastructure: Analysis and evaluations of kubernetes networking. In 2022 IEEE Globecom W orkshops (GC Wkshps) , pages 838–
2022
-
[12]
Exploring ml methods for dynamic scaling of be- yond 5g cloud-native rans
Akrit Mudvari, Nikos Makris, and Leandros Tassiu- las. Exploring ml methods for dynamic scaling of be- yond 5g cloud-native rans. In ICC 2022-IEEE Inter- national Conference on Communications , pages 2284–
2022
-
[13]
Cloud-native orchestration framework for network slice federation across administrative do- mains in 5g/6g mobile networks
Michail Dalgitsis, Nicola Cadenelli, Maria A Ser- rano, Nikolaos Bartzoudis, Luis Alonso, and Angelos Antonopoulos. Cloud-native orchestration framework for network slice federation across administrative do- mains in 5g/6g mobile networks. IEEE Transactions on V ehicular T echnology, 73(7):9306–9319, 2024
2024
-
[14]
5gc-fuzz: Finding deep stateful vulner- abilities in 5g core network with black-box fuzzing
Y u Sun, Xinyu Liu, Qian Sun, Jiaming Wang, Lin Tian, and Jianwei Liu. 5gc-fuzz: Finding deep stateful vulner- abilities in 5g core network with black-box fuzzing. In IEEE INFOCOM 2025-IEEE Conference on Computer Communications, pages 1–10. IEEE, 2025
2025
-
[15]
Corecrisis:threat-guided and context-aware iter- ative learning and fuzzing of 5g core networks
Yilu Dong, Tianchang Y ang, Abdullah Al Ishtiaq, Syed Md Mukit Rashid, Ali Ranjbar, Kai Tu, Tian- wei Wu, Md Sultan Mahmud, and Syed Rafiul Hus- sain. Corecrisis:threat-guided and context-aware iter- ative learning and fuzzing of 5g core networks. In 34th USENIX Security Symposium (USENIX Security 25), pages 5287–5306, 2025
2025
-
[16]
Citesting: Systematic testing of context integrity violations in lte core net- works
Mincheol Son, Kwangmin Kim, Beomseok Oh, Che- olJun Park, and Y ongdae Kim. Citesting: Systematic testing of context integrity violations in lte core net- works. In Proceedings of the 2025 ACM SIGSAC Con- ference on Computer and Communications Security , pages 276–290, 2025
2025
-
[17]
Hermes: Unlocking security analysis of cellular network protocols by synthesizing finite state machines from natural language specifications
Abdullah Al Ishtiaq, Sarkar Snigdha Sarathi Das, Syed Md Mukit Rashid, Ali Ranjbar, Kai Tu, Tianwei Wu, Zhezheng Song, Weixuan Wang, Mujtahid Akon, Rui Zhang, et al. Hermes: Unlocking security analysis of cellular network protocols by synthesizing finite state machines from natural language specifications. In 33rd USENIX Security Symposium (USENIX Security ...
2024
-
[18]
Cellularlint: A systematic approach to iden- tify inconsistent behavior in cellular network specifica- tions
Mirza Masfiqur Rahman, Imtiaz Karim, and Elisa Bertino. Cellularlint: A systematic approach to iden- tify inconsistent behavior in cellular network specifica- tions. In 33rd USENIX Security Symposium (USENIX Security 24), pages 5215–5232, 2024
2024
-
[19]
Unleashing the power of llm to infer state machine from the protocol im- plementation
Haiyang Wei, Ligeng Chen, Zhengjie Du, Y uhan Wu, Haohui Huang, Y ue Liu, Guang Cheng, Fengyuan Xu, Linzhang Wang, and Bing Mao. Unleashing the power of llm to infer state machine from the protocol im- plementation. In 2025 IEEE/ACM 33rd International Symposium on Quality of Service (IWQoS) , pages 1–10. IEEE, 2025
2025
-
[20]
Dissecting privacy-exposing identi- fiers in 5g/4g networks
Munshi Saifuzzaman, Ke Xie, Tian Xie, Xiao Zhang, and Xinyu Lei. Dissecting privacy-exposing identi- fiers in 5g/4g networks. In 2025 IEEE Conference on Dependable and Secure Computing (DSC) , pages 1–9. IEEE, 2025
2025
-
[21]
Instructions unclear: undefined behaviour in cellular network specifications
Daniel Klischies, Moritz Schloegel, Tobias Scharnowski, Mikhail Bogodukhov, David Rup- precht, and V eelasha Moonsamy. Instructions unclear: undefined behaviour in cellular network specifications. In 32nd USENIX Security Symposium (USENIX Security 23), pages 3475–3492, 2023. 15
2023
-
[22]
Noncom- pliance as deviant behavior: An automated black-box noncompliance checker for 4g lte cellular devices
Syed Rafiul Hussain, Imtiaz Karim, Abdullah Al Ish- tiaq, Omar Chowdhury, and Elisa Bertino. Noncom- pliance as deviant behavior: An automated black-box noncompliance checker for 4g lte cellular devices. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security , pages 1082– 1099, 2021
2021
-
[23]
Touching the untouchables: Dynamic security analysis of the lte control plane
Hongil Kim, Jiho Lee, Eunkyu Lee, and Y ongdae Kim. Touching the untouchables: Dynamic security analysis of the lte control plane. In 2019 IEEE Symposium on Se- curity and Privacy (SP), pages 1153–1168. IEEE, 2019
2019
-
[24]
Sherlock on specs: Building lte conformance tests through automated reasoning
Yi Chen, Di Tang, Y epeng Y ao, Mingming Zha, Xi- aoFeng Wang, Xiaozhong Liu, Haixu Tang, and Baoxu Liu. Sherlock on specs: Building lte conformance tests through automated reasoning. In 32nd USENIX Se- curity Symposium (USENIX Security 23) , pages 3529– 3545, 2023
2023
-
[25]
Intelligent fuzzing algorithm for 5g nas protocol based on predefined rules
Fengjiao He, Wenchuan Y ang, Baojiang Cui, and Jia Cui. Intelligent fuzzing algorithm for 5g nas protocol based on predefined rules. In 2022 International Con- ference on Computer Communications and Networks (ICCCN), pages 1–7. IEEE, 2022
2022
-
[26]
Nlp-based cross-layer 5g vulnerabilities detection via fuzzing generated run- time profiling
Zhuzhu Wang and Ying Wang. Nlp-based cross-layer 5g vulnerabilities detection via fuzzing generated run- time profiling. In 2023 IEEE 12th International Confer- ence on Cloud Networking (CloudNet) , pages 194–202. IEEE, 2023
2023
-
[27]
Metastable failures in distributed systems
Nathan Bronson, Abutalib Aghayev, Aleksey Charapko, and Timothy Zhu. Metastable failures in distributed systems. In Proceedings of the W orkshop on Hot T opics in Operating Systems, pages 221–227, 2021
2021
-
[28]
Metastable failures in the wild
Lexiang Huang, Matthew Magnusson, Abishek Ban- galore Muralikrishna, Salman Estyak, Rebecca Isaacs, Abutalib Aghayev, Timothy Zhu, and Aleksey Chara- pko. Metastable failures in the wild. In 16th USENIX Symposium on Operating Systems Design and Imple- mentation (OSDI 22) , pages 73–90, 2022
2022
-
[29]
Analyzing metastable failures
Rebecca Isaacs, Peter Alvaro, Rupak Majumdar, Kiran Kumar, Muniswamy Reddy, Mahmoud Salamati, and Sadegh Soudjani. Analyzing metastable failures. In Proceedings of the 2025 W orkshop on Hot T opics in Op- erating Systems, pages 172–178, 2025
2025
-
[30]
Amfuzz: Black-box fuzzing of 5g core net- works
Francesco Mancini, Sara Da Canal, and Giuseppe Bianchi. Amfuzz: Black-box fuzzing of 5g core net- works. In 2024 19th Wireless On-Demand Network Systems and Services Conference (WONS) , pages 17–
2024
-
[31]
Lteinspector: A systematic ap- proach for adversarial testing of 4g lte
Syed Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. Lteinspector: A systematic ap- proach for adversarial testing of 4g lte. In Network and Distributed Systems Security (NDSS) Symposium 2018 , 2018
2018
-
[32]
A for- mal analysis of 5g authentication
David Basin, Jannik Dreier, Lucca Hirschi, Saša Radomirovic, Ralf Sasse, and Vincent Stettler. A for- mal analysis of 5g authentication. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pages 1383–1396, 2018
2018
-
[33]
5greasoner: A property-directed security and privacy analysis frame- work for 5g cellular network protocol
Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5greasoner: A property-directed security and privacy analysis frame- work for 5g cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security , pages 669–684, 2019
2019
-
[34]
Component- based formal analysis of 5g-aka: Channel assumptions and session confusion
Cas Cremers and Martin Dehnel-Wild. Component- based formal analysis of 5g-aka: Channel assumptions and session confusion. In Network and Distributed System Security Symposium (NDSS) . Internet Society, 2019
2019
-
[35]
Privacy-preserving and standard-compatible aka pro- tocol for 5g
Y uchen Wang, Zhenfeng Zhang, and Y ongquan Xie. Privacy-preserving and standard-compatible aka pro- tocol for 5g. In 30th USENIX security symposium (USENIX security 21) , pages 3595–3612, 2021
2021
-
[36]
A com- prehensive formal analysis of 5g handover
Aleksi Peltonen, Ralf Sasse, and David Basin. A com- prehensive formal analysis of 5g handover. In Pro- ceedings of the 14th ACM conference on security and privacy in wireless and mobile networks , pages 1–12, 2021
2021
-
[37]
A formal analysis of 5g eap-tls protocol
Min Shi, Jing Chen, Zhuangzhuang Ma, Kun He, Meng Jia, and Ruiying Du. A formal analysis of 5g eap-tls protocol. IEEE Transactions on Networking, 2025
2025
-
[38]
Formal analysis of access con- trol mechanism of 5g core network
Mujtahid Akon, Tianchang Y ang, Yilu Dong, and Syed Rafiul Hussain. Formal analysis of access con- trol mechanism of 5g core network. In Proceedings of the 2023 ACM SIGSAC conference on computer and communications security, pages 666–680, 2023
2023
-
[39]
From control to chaos: A comprehensive for- mal analysis of 5g’s access control
Mujtahid Akon, Md Toufikuzzaman, and Syed Rafiul Hussain. From control to chaos: A comprehensive for- mal analysis of 5g’s access control. In 2025 IEEE Symposium on Security and Privacy (SP) , pages 1081–
2025
-
[40]
For- malization of a security access control model for the 5g system
Luis Suárez, David Espes, Frédéric Cuppens, Philippe Bertin, Cao-Thanh Phan, and Philippe Le Parc. For- malization of a security access control model for the 5g system. In 2020 11th International Conference on Net- work of the Future (NoF) , pages 150–158. IEEE, 2020. 16
2020
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.