Understanding Implicit Trust Errors in Core Carrier Networks through Multi-Agent Flaw Discovery and Analysis

📅 2026-07-11
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the security risks in cloud-native 5G core networks arising from implicit trust among components—such as the absence of syntactic validation, semantic constraints, and resource checks—which can expose internal interfaces to denial-of-service or session hijacking attacks. To tackle this, the authors propose iFinder, a novel multi-agent framework leveraging large language models to automatically infer implicit trust-related vulnerability patterns from open-source core network implementations. By cross-referencing 3GPP specifications with source code, iFinder mitigates model hallucination and enables end-to-end discovery and proof-of-concept (PoC) generation for previously unknown vulnerabilities. Evaluation across seven widely used open-source 5G core networks uncovered 84 zero-day vulnerabilities, 83 of which were confirmed, and 81 assigned CVE identifiers, including critical session hijacking flaws demonstrably exploitable in commercial deployments.
📝 Abstract
Cellular core networks (CNs) are critical infrastructure, yet their internal security model has historically relied on physical isolation: interfaces between core components often operate within an assumed trust zone. As CNs transition to cloud-native deployments, this assumption weakens, expanding the attack surface and enabling external adversaries to reach previously internal interfaces. From a root-cause analysis of security flaws reported in GitHub issues for opensource CN implementations, we found a recurring pattern of blind trust among CN components. Components may omit syntactic validation, fail to enforce semantic invariants, or allocate resources without checking availability. Once internal interfaces become reachable, these weaknesses can lead to severe impacts such as denial of service and session hijacking. We call these vulnerabilities implicit trust errors (iTrue). To detect iTrues and understand their security impacts, we designed iFinder, an LLM-driven multi-agent system that summarizes known flaws, distills them into detection patterns, and applies them to discover new iTrues in CN implementations. To suppress hallucinations produced by large language models (LLMs), we built an innovative strategy that crosschecks both 3GPP specifications and CN code to capture existing protection missed by the agents. Further, we developed a technique that uses LLMs to generate proof-of-concept (PoC) exploits for potential iTrues and iteratively refine the PoCs by automatically executing them against CN implementations and analyzing results. Running iFinder on seven prominent open-source CN implementations, we discovered 84 previously unknown vulnerabilities. Among them, 83 have already been confirmed and 81 have been assigned CVEs. Importantly, a session-hijacking flaw has been confirmed on real-world commercial 5G core networks.
Problem

Research questions and friction points this paper is trying to address.

implicit trust errors
cellular core networks
cloud-native security
attack surface expansion
5G security
Innovation

Methods, ideas, or system contributions that make the work stand out.

implicit trust errors
multi-agent LLM system
cross-specification validation
automated PoC generation
5G core network security
🔎 Similar Papers
No similar papers found.