Understanding Implicit Trust Errors in Core Carrier Networks through Multi-Agent Flaw Discovery and Analysis
摘要
Cellular core networks (CNs) are critical infrastructure, yet their internal security model has historically relied on physical isolation: interfaces between core components often operate within an assumed trust zone. As CNs transition to cloud-native deployments, this assumption weakens, expanding the attack surface and enabling external adversaries to reach previously internal interfaces. From a root-cause analysis of security flaws reported in GitHub issues for opensource CN implementations, we found a recurring pattern of blind trust among CN components. Components may omit syntactic validation, fail to enforce semantic invariants, or allocate resources without checking availability. Once internal interfaces become reachable, these weaknesses can lead to severe impacts such as denial of service and session hijacking. We call these vulnerabilities implicit trust errors (iTrue). To detect iTrues and understand their security impacts, we designed iFinder, an LLM-driven multi-agent system that summarizes known flaws, distills them into detection patterns, and applies them to discover new iTrues in CN implementations. To suppress hallucinations produced by large language models (LLMs), we built an innovative strategy that crosschecks both 3GPP specifications and CN code to capture existing protection missed by the agents. Further, we developed a technique that uses LLMs to generate proof-of-concept (PoC) exploits for potential iTrues and iteratively refine the PoCs by automatically executing them against CN implementations and analyzing results. Running iFinder on seven prominent open-source CN implementations, we discovered 84 previously unknown vulnerabilities. Among them, 83 have already been confirmed and 81 have been assigned CVEs. Importantly, a session-hijacking flaw has been confirmed on real-world commercial 5G core networks.
引用
@article{arxiv.2607.10315,
title = {Understanding Implicit Trust Errors in Core Carrier Networks through Multi-Agent Flaw Discovery and Analysis},
author = {Ziyu Lin and Ziting Wang and Xinfeng Li and Wei Dong and XiaoFeng Wang},
journal= {arXiv preprint arXiv:2607.10315},
year = {2026}
}
备注
To appear in the 35th USENIX Security Symposium (USENIX Security 2026)