{"id":44787102,"url":"https://github.com/SysSec-KAIST/BaseSpec","last_synced_at":"2026-02-28T23:00:54.361Z","repository":{"id":54235454,"uuid":"337615262","full_name":"SysSec-KAIST/BaseSpec","owner":"SysSec-KAIST","description":"A tool for comparing cellular layer 3 protocol messages between the specification documents and baseband implementations","archived":false,"fork":false,"pushed_at":"2021-03-02T01:12:55.000Z","size":16782,"stargazers_count":47,"open_issues_count":0,"forks_count":13,"subscribers_count":4,"default_branch":"release","last_synced_at":"2025-04-10T11:03:09.551Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SysSec-KAIST.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-02-10T04:22:24.000Z","updated_at":"2025-01-13T18:44:22.000Z","dependencies_parsed_at":"2022-08-13T09:50:19.594Z","dependency_job_id":null,"html_url":"https://github.com/SysSec-KAIST/BaseSpec","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/SysSec-KAIST/BaseSpec","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FBaseSpec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FBaseSpec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FBaseSpec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FBaseSpec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SysSec-KAIST","download_url":"https://c
odeload.github.com/SysSec-KAIST/BaseSpec/tar.gz/refs/heads/release","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SysSec-KAIST%2FBaseSpec/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29954583,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T22:53:01.873Z","status":"ssl_error","status_checked_at":"2026-02-28T22:52:50.699Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-16T10:00:19.651Z","updated_at":"2026-02-28T23:00:54.330Z","avatar_url":"https://github.com/SysSec-KAIST.png","language":"Python","funding_links":[],"categories":["Security"],"sub_categories":["Security Exploitation/fuzzing Frameworks"],"readme":"# Description\nBaseSpec is a system that performs a comparative analysis of a baseband\nimplementation and the specifications of cellular networks. The key intuition of\nBaseSpec is that a message decoder in baseband software embeds the protocol\nspecification in a machine-friendly structure to parse incoming messages; hence,\nthe embedded protocol structures can be easily extracted and compared with the\nspecification. This enables BaseSpec to automate the comparison process and\nexplicitly discover mismatches in the protocol implementation, which are\nnon-compliant with the specification. These mismatches can directly pinpoint the\nmistakes of developers when embedding the protocol structures or hint at\npotential vulnerabilities.\n\n![BaseSpec Overview](./overview.png)\n\nWith BaseSpec, we analyzed the implementation of cellular standard L3 messages\nin 18 baseband firmware images of 9 device models from one of the top three\nvendors. BaseSpec identified hundreds of mismatches that indicate both\nfunctional errors and potentially vulnerable points. We investigated their\nfunctional and security implications and discovered 9 erroneous cases affecting\n33 distinct messages: 5 of these cases are functional errors and 4 of them are\nmemory-related vulnerabilities. Notably, 2 of the vulnerabilities are critical\nremote code execution (RCE) 0-days. We also applied BaseSpec to 3 models from a\ndifferent vendor in the top three. Through this analysis, BaseSpec identified\nmultiple mismatches, 2 of which led us to discover a buffer overflow bug.\n\nFor more details, please see [our\npaper](https://syssec.kaist.ac.kr/pub/2021/kim-ndss2021.pdf).\n\n- BaseSpec was presented at [NDSS 2021](https://www.ndss-symposium.org/ndss-paper/basespec-comparative-analysis-of-baseband-software-and-cellular-specifications-for-l3-protocols/).\n\n\n## Disclaimer\nThe current release of BaseSpec **only includes the vendor-independent parts**:\npreprocessing (i.e., memory layout analysis and function identification),\ncomplementary specification parsing, and comparison.\n\nWe reported all findings to the two vendors; one strongly refuses to publish the\ndetails, and the other has not responded to us yet. The vendor that refused was\nparticularly concerned that complete patch deployment would take a long time\n(over six months) because it must coordinate with each mobile carrier.\nAccording to the vendor, it would have to submit the patches to ~280 carriers to\nupdate ~130 models globally. Due to this complexity, the vendor thinks that\nnumerous devices might remain unpatched and vulnerable to our bugs. We agree\nwith this and anonymize the vendor in the\n[paper](https://syssec.kaist.ac.kr/pub/2021/kim-ndss2021.pdf).\n\n\n# How to use\n\n### 0. Using BaseSpec in IDA Pro\nBaseSpec contains Python scripts based on IDA Pro APIs (IDAPython). To use\nBaseSpec, first load the baseband firmware of interest into IDA Pro at the\ncorrect load addresses, which may require parsing of vendor-specific firmware\nfile formats.\nThen, import `load_ida.py` as a script file in IDA Pro (using Alt+F7).\n\n\n### 1. Preprocessing\nFor scatter-loading, use `basespec.scatterload` as below.\n\n```python\nfrom basespec import scatterload\nscatterload.run_scatterload()\n```\n\nFor function identification, use `basespec.preprocess` as below.\n\n```python\nfrom basespec import preprocess\npreprocess.init_functions()\npreprocess.FUNC_BY_LS # identified functions by linear sweep prologue detection\npreprocess.FUNC_BY_LS_TIME # time spent for linear sweep prologue detection\npreprocess.FUNC_BY_PTR # identified functions by pointer analysis\npreprocess.FUNC_BY_PTR_TIME # time spent for pointer analysis\n```\n\nFor string initialization, use `basespec.preprocess` as below.\n\n```python\nfrom basespec import preprocess\npreprocess.init_strings()\n```\n\n\n### 2. Specification parsing\n\nYou can fetch a dictionary containing all specification messages by running the\ncode below.\n\n```python\nfrom basespec import parse_spec\nspec_msgs = parse_spec.get_spec_msgs() # spec_msgs[nas_type][msg_type] = ie_list\n```\n\nThis `spec_msgs` dictionary contains a list of IEs for each message. Below is an\nexample to fetch the IE list of the EMM SECURITY MODE COMMAND message.\n\n```python\nemm_msgs = spec_msgs[7] # 7 : protocol discriminator of EPS Mobility Management (EMM)\nsmc_ie_list = emm_msgs[0x5d] # 0x5d : message type of SECURITY MODE COMMAND\n```\n\n\n### 3. 
Specification comparing\n\nTo compare the message structures in the specification and binary, you should\nfirst create the corresponding class instances. Below is an example to compare\nthe IE list of the EMM ATTACH ACCEPT message\n([`examples/ex_check_spec.py`](./examples/ex_check_spec.py)).\n\n```python\nfrom basespec.analyze_spec import check_spec\nfrom basespec.structs.l3msg import IeInfo, L3MsgInfo, L3ProtInfo\n\n# EMM protocol\npd = 7\n\n# EMM attach accept message\nmsg_type = 0x42\n\n# Build a message\n# The information should be extracted from embedded message structures in the binary.\nIE_list = []\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0, min=1, max=1, imperative=True))\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0, min=1, max=1, imperative=True))\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0, min=1, max=1, imperative=True))\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0, min=6, max=96, imperative=True))\n#IE_list.append(IeInfo(msg_type, name=\"\", iei=0, min=0, max=32767, imperative=True)) #missing\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0x50, min=11, max=11, imperative=False))\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0x13, min=5, max=5, imperative=False))\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0x23, min=5, max=8, imperative=False))\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0x53, min=1, max=1, imperative=False))\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0x4A, min=1, max=99, imperative=False)) #invalid\nIE_list.append(IeInfo(msg_type, name=\"\", iei=0xFF, min=5, max=5, imperative=False)) #unknown\nattach_accept_msg = L3MsgInfo(pd, msg_type, name=\"Attach accept\", direction=\"DL\", ie_list=IE_list)\n\n# Build protocol\nEMM_prot = L3ProtInfo(pd, [attach_accept_msg])\n\nl3_list = [EMM_prot]\n\n# Compare with specification\ncheck_spec(l3_list, pd)\n```\n\nThis returns the mismatch results in a CSV format. 
Part of that output, rendered as a table, is shown below. Note that the `Bin Length`\ncolumn already includes the IEI and length octets implied by the spec format (e.g.,\nthe decoder's 1-99 octet value range for Equivalent PLMNs becomes 3-101 for a TLV\nIE), so it can be compared directly with `Spec Length`.\n\n|IE Name|Reference|Spec IEI|Spec Presence|Spec Format|Spec Length|Bin IEI|Bin Imperative|Bin Length|Bin Idx|Error 1|Error 2|\n|---|---|---|---|---|---|---|---|---|---|---|---|\n|EPS attach result|EPS attach result||M|V|1/2|00|True|1|0x42|\n|Spare half octet|Spare half octet||M|V|1/2|00|True|1|0x42|\n|T3412 value|GPRS timer||M|V|1|00|True|1|0x42|\n|TAI list|Tracking area identity list||M|LV|7-97|00|True|7-97|0x42|\n|GUTI|EPS mobile identity|50|O|TLV|13|50|False|13|0x42|\n|Location area identification|Location area identification|13|O|TV|6|13|False|6|0x42|\n|MS identity|Mobile identity|23|O|TLV|7-10|23|False|7-10|0x42|\n|EMM cause|EMM cause|53|O|TV|2|53|False|2|0x42|\n|Equivalent PLMNs|PLMN list|4A|O|TLV|5-47|4A|False|3-101|0x42| non-imperative invalid mismatch (min length)| non-imperative invalid mismatch (max length)|\n|-|-|-|-|-|-|FF|False|5|0x42|non-imperative unknown mismatch|\n|ESM message container|ESM message container||M|LV-E|5-n|-|-|-|-|imperative missing mismatch|\n|T3402 value|GPRS timer|17|O|TV|2|-|-|-|-|non-imperative missing mismatch|\n|T3423 value|GPRS timer|59|O|TV|2|-|-|-|-|non-imperative missing mismatch|\n| ... |\n\n\n# Issues\n\n### Tested environment\nWe ran all our experiments on a machine equipped with an Intel Core i7-6700K CPU\nat 4.00 GHz and 64 GB DDR4 RAM. We set up Windows 10 Pro, IDA Pro v7.4, and\nPython 3.7.6 on the machine.\n\nThe conversion of the .doc and .pdf specification files was run on a Linux machine;\nsee [this function](./basespec/parse_spec.py#L15).\n\n\n# Authors\nThis project has been conducted by the following authors at KAIST.\n* [Eunsoo Kim](https://hahah.kim) (These two authors contributed equally.)\n* [Dongkwan Kim](https://0xdkay.me/) (These two authors contributed equally.)\n* [CheolJun Park](https://unrloay2.github.io/)\n* [Insu Yun](https://insuyun.github.io/)\n* [Yongdae Kim](https://syssec.kaist.ac.kr/~yongdaek/)\n\n\n# Citation\nWe would appreciate it if you cited [our\npaper](https://syssec.kaist.ac.kr/pub/2021/kim-ndss2021.pdf).\n```bibtex\n@inproceedings{kim:2021:basespec,\n  author = {Eunsoo Kim and Dongkwan Kim and CheolJun Park and Insu Yun and Yongdae Kim},\n  title = {{BaseSpec}: Comparative Analysis of Baseband Software and Cellular Specifications for L3 Protocols},\n  booktitle = {Proceedings of the 2021 Annual Network and Distributed System Security Symposium (NDSS)},\n  year = 2021,\n  month = feb,\n  address = {Online}\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSysSec-KAIST%2FBaseSpec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSysSec-KAIST%2FBaseSpec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSysSec-KAIST%2FBaseSpec/lists"}
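The comparison step in the README's section 3 classifies each IE of a message as missing, unknown, or length-invalid, and its table shows how binary length bounds must be widened by the IEI and length octets of the spec format before they can be compared. The block below is an added illustration, not BaseSpec's own code: a simplified, self-contained re-implementation of that classification in Python, fed with the Attach Accept values transcribed from the README's table and its `ex_check_spec.py` list (constructed input). The `SpecIe`, `BinIe` and `Row` classes, the `HEADER_OCTETS` table and the positional pairing of mandatory IEs are this example's own assumptions, not the project's `IeInfo`/`L3MsgInfo` API. It also adds a `security_relevant()` helper that singles out the direction that matters for memory safety: a decoder accepting a wider length range than the specification allows.

```python
"""Toy re-implementation of a BaseSpec-style IE comparison (added example, not project code)."""
import math
from dataclasses import dataclass, field
from typing import List, Optional

# Octets a spec format wraps around the IE value (3GPP TS 24.007, 11.2.1.1).
# V: value only; TV: IEI octet; LV: 1 length octet; TLV: IEI + length; LV-E / TLV-E:
# 2-octet length. Spec length columns include these octets; decoder bounds cover the value.
HEADER_OCTETS = {"V": 0, "TV": 1, "LV": 1, "TLV": 2, "LV-E": 2, "TLV-E": 3}


@dataclass
class SpecIe:
    name: str
    iei: Optional[int]        # None for mandatory IEs, which carry no IEI
    presence: str             # "M" (mandatory) or "O" (optional)
    fmt: str                  # one of HEADER_OCTETS
    min_len: float            # 0.5 encodes a half-octet IE ("1/2" in the spec)
    max_len: Optional[float]  # None encodes an unbounded "n"


@dataclass
class BinIe:
    iei: int                  # 0 for imperative IEs
    min_len: int              # value length range accepted by the decoder
    max_len: int
    imperative: bool


@dataclass
class Row:
    key: str
    errors: List[str] = field(default_factory=list)
    wider: bool = False       # decoder accepts a wider range than the spec


def _check(spec: SpecIe, binie: Optional[BinIe]) -> Row:
    kind = "imperative" if spec.presence == "M" else "non-imperative"
    row = Row(spec.name)
    if binie is None:
        row.errors.append(f"{kind} missing mismatch")
        return row
    hdr = HEADER_OCTETS[spec.fmt]
    bin_min, bin_max = binie.min_len + hdr, binie.max_len + hdr
    # A half-octet IE still occupies a whole octet in the decoder, hence ceil().
    spec_min = math.ceil(spec.min_len)
    spec_max = None if spec.max_len is None else math.ceil(spec.max_len)
    if bin_min != spec_min:
        row.errors.append(f"{kind} invalid mismatch (min length)")
    if spec_max is not None and bin_max != spec_max:
        row.errors.append(f"{kind} invalid mismatch (max length)")
    row.wider = bin_min < spec_min or (spec_max is not None and bin_max > spec_max)
    return row


def compare_message(spec_ies: List[SpecIe], bin_ies: List[BinIe]) -> List[Row]:
    """Pair spec and binary IEs and classify every mismatch, README-style."""
    rows = []
    # Mandatory IEs have no IEI, so pair them by position. Simplification: a
    # decoder that drops a middle mandatory IE would misalign the ones after it.
    bin_imp = [b for b in bin_ies if b.imperative]
    for idx, spec in enumerate(s for s in spec_ies if s.presence == "M"):
        rows.append(_check(spec, bin_imp[idx] if idx < len(bin_imp) else None))
    spec_opt = {s.iei: s for s in spec_ies if s.presence == "O"}
    bin_opt = {b.iei: b for b in bin_ies if not b.imperative}
    for iei, spec in spec_opt.items():
        rows.append(_check(spec, bin_opt.get(iei)))
    for iei in bin_opt:
        if iei not in spec_opt:  # decoder parses an IEI the spec never defines
            rows.append(Row(f"unknown IEI 0x{iei:02X}", ["non-imperative unknown mismatch"]))
    return rows


def security_relevant(rows: List[Row]) -> List[str]:
    """IEs the decoder accepts in a wider length range than the spec allows: the
    direction behind overflow findings (buffer sized per spec, decoder admitting
    more). A narrower range only rejects valid messages, a functional bug."""
    return [r.key for r in rows if r.wider]


# Spec side, transcribed from the README's Attach Accept table (constructed input).
ATTACH_ACCEPT_SPEC = [
    SpecIe("EPS attach result", None, "M", "V", 0.5, 0.5),
    SpecIe("Spare half octet", None, "M", "V", 0.5, 0.5),
    SpecIe("T3412 value", None, "M", "V", 1, 1),
    SpecIe("TAI list", None, "M", "LV", 7, 97),
    SpecIe("ESM message container", None, "M", "LV-E", 5, None),
    SpecIe("GUTI", 0x50, "O", "TLV", 13, 13),
    SpecIe("Location area identification", 0x13, "O", "TV", 6, 6),
    SpecIe("MS identity", 0x23, "O", "TLV", 7, 10),
    SpecIe("EMM cause", 0x53, "O", "TV", 2, 2),
    SpecIe("T3402 value", 0x17, "O", "TV", 2, 2),
    SpecIe("T3423 value", 0x59, "O", "TV", 2, 2),
    SpecIe("Equivalent PLMNs", 0x4A, "O", "TLV", 5, 47),
]
# Binary side, mirroring the IeInfo list in the README's ex_check_spec.py (constructed input).
ATTACH_ACCEPT_BIN = [
    BinIe(0, 1, 1, True), BinIe(0, 1, 1, True), BinIe(0, 1, 1, True), BinIe(0, 6, 96, True),
    BinIe(0x50, 11, 11, False), BinIe(0x13, 5, 5, False), BinIe(0x23, 5, 8, False),
    BinIe(0x53, 1, 1, False), BinIe(0x4A, 1, 99, False), BinIe(0xFF, 5, 5, False),
]
```

Calling `compare_message(ATTACH_ACCEPT_SPEC, ATTACH_ACCEPT_BIN)` reproduces the README's verdicts: the four matched mandatory IEs and the first four optional IEs come back clean, `ESM message container` is an imperative missing mismatch, `T3402 value` and `T3423 value` are non-imperative missing mismatches, IEI `0xFF` is an unknown mismatch, and `Equivalent PLMNs` is flagged for both min and max length. Only that last IE is returned by `security_relevant()`, because it is the only one where the decoder admits more octets (3-101) than the specification (5-47); the other mismatches are functional in nature.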