{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T08:04:25Z","timestamp":1772006665955,"version":"3.50.1"},"reference-count":85,"publisher":"IEEE","license":[{"start":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T00:00:00Z","timestamp":1765152000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T00:00:00Z","timestamp":1765152000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/100019635","name":"IITP","doi-asserted-by":"publisher","award":["IITP-2025-RS-2023-00266615"],"award-info":[{"award-number":["IITP-2025-RS-2023-00266615"]}],"id":[{"id":"10.13039\/100019635","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,12,8]]},"DOI":"10.1109\/acsac67867.2025.00036","type":"proceedings-article","created":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T20:54:58Z","timestamp":1771966498000},"page":"291-307","source":"Crossref","is-referenced-by-count":0,"title":["OTABase: Enhancing Over-the-Air Testing to Detect Memory Crashes in Cellular Basebands"],"prefix":"10.1109","author":[{"given":"CheolJun","family":"Park","sequence":"first","affiliation":[{"name":"Kyung Hee University,Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Marc","family":"Egli","sequence":"additional","affiliation":[{"name":"EPFL,Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"BeomSeok","family":"Oh","sequence":"additional","affiliation":[{"name":"KAIST,Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tuan 
Dinh","family":"Hoang","sequence":"additional","affiliation":[{"name":"KAIST,Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Suhwan","family":"Jeong","sequence":"additional","affiliation":[{"name":"KAIST,Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Martin","family":"Crettol","sequence":"additional","affiliation":[{"name":"EPFL,Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Insu","family":"Yun","sequence":"additional","affiliation":[{"name":"KAIST,Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mathias","family":"Payer","sequence":"additional","affiliation":[{"name":"EPFL,Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yongdae","family":"Kim","sequence":"additional","affiliation":[{"name":"KAIST,Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Putting LTE security functions to the test: A framework to evaluate implementation correctness","volume-title":"USENIX Workshop on Offensive Technologies","author":"Rupprecht","year":"2016"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23236"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00038"},{"key":"ref4","article-title":"DoLTEst: In-depth downlink negative testing framework for LTE devices","volume-title":"USENIX Security Symposium","author":"Park","year":"2022"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690312"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24365"},{"key":"ref7","article-title":"BASECOMP: A comparative analysis for integrity protection in cellular baseband software","volume-title":"USENIX Security 
Symposium","author":"Kim","year":"2023"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.23136"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3395351.3399360"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/sp40001.2021.00104"},{"key":"ref11","article-title":"Hermes: unlocking security analysis of cellular network protocols by synthesizing finite state machines from natural language specifications","volume-title":"USENIX Security Symposium","author":"Al Ishtiaq","year":"2024"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485388"},{"key":"ref13","article-title":"Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands","volume-title":"USENIX Security Symposium","author":"Tu","year":"2024"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23313"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354263"},{"key":"ref16","article-title":"AdaptOver: adaptive overshadowing attacks in cellular networks","volume-title":"International Conference on Mobile Computing and Networking","author":"Erni","year":"2022"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664272"},{"key":"ref18","article-title":"Hiding in plain signal: Physical signal overshadowing attack on LTE","volume-title":"USENIX Security Symposium","author":"Yang","year":"2019"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00006"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24283"},{"key":"ref21","article-title":"Baseband attacks: Remote exploitation of memory corruptions in cellular protocol stacks","volume-title":"USENIX Workshop on Offensive Technologies","author":"Weinmann","year":"2012"},{"key":"ref22","article-title":"Basebanheimer: Now I Am Become Death, The Destroyer Of 
Chains","author":"Komaromy","year":"2023","journal-title":"OffensiveCon"},{"key":"ref23","article-title":"Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices","author":"Miru","year":"2017","journal-title":"Comsecuris Blog"},{"key":"ref24","article-title":"There\u2019s life in the old dog yet: Tearing new holes into intel\/iphone cellular modems","author":"Golde","year":"2018","journal-title":"Comsecuris Blog"},{"key":"ref25","article-title":"Exploitation of a modern smartphone baseband","author":"Grassi","year":"2018","journal-title":"BlackHat USA"},{"key":"ref26","article-title":"Over the air baseband exploit: Gaining remote code execution on 5g smartphones","author":"Grassi","year":"2021","journal-title":"BlackHat USA"},{"key":"ref27","article-title":"A walk with shannon","author":"Cama","year":"2018","journal-title":"OPCDE"},{"key":"ref28","article-title":"ASN.1 and Done: A Journey of Exploiting ASN.1 Parsers in the Baseband","year":"2023","journal-title":"OffensiveCon"},{"key":"ref29","doi-asserted-by":"crossref","DOI":"10.1109\/WiMob52687.2021.9606317","article-title":"Berserker: ASN.1-based Fuzzing of Radio Resource Control Protocol for 4G and 5G","volume-title":"arXiv preprint","author":"Potnuru","year":"2021"},{"key":"ref30","volume-title":"Openairinterface"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/2980159.2980163"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23166"},{"key":"ref33","article-title":"LTE RRC Protocol specification","year":"2020","journal-title":"3GPP. TS 36.331, v15.10.0"},{"key":"ref34","article-title":"Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3","year":"2020","journal-title":"3GPP. 
TS 24.301, v16.5.1"},{"key":"ref35","article-title":"ASN.1 Encoding Rules: Specification of Packed Encoding Rules (PER)","volume-title":"ITU-T Recommendation X.691","year":"2021"},{"key":"ref36","article-title":"Llfuzz: An over-the-air dynamic testing framework for cellular baseband lower layers","volume-title":"USENIX Security Symposium","author":"Hoang","year":"2025"},{"key":"ref37","article-title":"5GHOUL: Unleashing Chaos on 5G Edge Devices","author":"Garbelini","year":"2023","journal-title":"SUTD, Tech. Rep."},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3558482.3590194"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/icdcs51616.2021.00079"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/3317549.3324927"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00142"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00143"},{"key":"ref43","article-title":"Instructions Unclear: Undefined Behaviour in Cellular Network Specifications","volume-title":"USENIX Security Symposium","author":"Klischies","year":"2023"},{"key":"ref44","article-title":"SMS of Death: From Analyzing to Attacking Mobile Phones on a Large Scale","volume-title":"USENIX Security Symposium","author":"Mulliner","year":"2011"},{"key":"ref45","volume-title":"Firmwire\u2019s experimental data"},{"key":"ref46","volume-title":"Modemmanager, freedesktop.org"},{"key":"ref47","article-title":"Security architecture","year":"2020","journal-title":"3GPP. 
TS 33.401, v16.3.0"},{"key":"ref48","article-title":"LTE REDIRECTION: Forcing targeted LTE cellphone into unsafe network","volume-title":"Hack In The Box Security Conference (HITBSecConf)","author":"Lin","year":"2016"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/3307334.3326082"},{"key":"ref50","article-title":"SIMurai: Slicing through the complexity of SIM card security research","volume-title":"USENIX Security Symposium","author":"Lisowski","year":"2024"},{"key":"ref51","volume-title":"Hacked documents: how Iran can track and control protesters\u2019 phones"},{"key":"ref52","article-title":"The android platform security model (2023)","author":"Mayrhofer","year":"2024","journal-title":"arXiv preprint"},{"key":"ref53","volume-title":"Pycrate, a Python library containing ASN.1 compiler"},{"key":"ref54","volume-title":"Marben Products, ASN.1 Decoder for LTE Networks"},{"key":"ref55","volume-title":"USRP B210"},{"key":"ref56","volume-title":"Sysmocom SIM\/USIM\/ISIM cards"},{"key":"ref57","article-title":"Mobile radio interface Layer 3 specification; Core network protocols; Stage 3","year":"2019","journal-title":"3GPP. 
TS 24.008, v16.3.0"},{"key":"ref58","article-title":"Exploring the mediatek baseband","author":"Grassi","year":"2020","journal-title":"OffensiveCon"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3558482.3590196"},{"key":"ref60","volume-title":"GSMA IMEI Allocation and Approval Process"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/3317549.3319728"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24416"},{"key":"ref63","volume-title":"Tools for samsung shannon baseband"},{"key":"ref64","article-title":"How to design a baseband debugger","volume-title":"Information and Communication Technology Security Symposium (SSTIC)","author":"Berard"},{"key":"ref65","article-title":"Breaking band: reverse engineering and exploiting the shannon baseband","author":"Golde","year":"2016","journal-title":"REcon"},{"key":"ref66","article-title":"srsRAN Project","volume-title":"S. R. Systems"},{"key":"ref67","volume-title":"Accuver XCAL"},{"key":"ref68","article-title":"Comparative analysis of baseband software implementation and cellular specification for layer 3 protocols","volume-title":"KAIST","author":"Kim","year":"2022"},{"key":"ref69","article-title":"GSM\/EDGE Location Services (LCS)","year":"2022","journal-title":"3GPP. 
TS 44.071"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/3558482.3581774"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243846"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623113"},{"key":"ref73","article-title":"Seeing the forest for the trees: Understanding security hazards in the 3GPP ecosystem through intelligent analysis on change requests","volume-title":"USENIX Security Symposium","author":"Chen","year":"2022"},{"key":"ref74","article-title":"Sherlock on Specs: Building LTE Conformance Tests through Automated Reasoning","volume-title":"USENIX Security Symposium","author":"Chen","year":"2023"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/3448300.3469133"},{"key":"ref76","article-title":"Fuzzing the phone in your phone","author":"Mulliner","year":"2009","journal-title":"Black Hat USA"},{"key":"ref77","article-title":"How to tame your unicorn: exploring and exploiting zero-click remote interfaces of modern Huawei smartphones","author":"Komaromy","year":"2021","journal-title":"BlackHat USA"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670320"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCN54977.2022.9868872"},{"key":"ref80","volume-title":"AFLplusplus (AFL++)","author":"Heuse"},{"key":"ref81","article-title":"How to hack shannon baseband (from a phone)","author":"Silvanovich","year":"2023","journal-title":"OffensiveCon"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/GLOBECOM48099.2022.10001673"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1145\/3558482.3590174"},{"key":"ref84","article-title":"BrakTooth: Causing havoc on bluetooth link manager via directed fuzzing","volume-title":"USENIX Security Symposium","author":"Garbelini","year":"2022"},{"key":"ref85","volume-title":"Objective Systems. 
ASN1VE: The ASN.1 Viewer\/Editor"}],"event":{"name":"2025 IEEE Annual Computer Security Applications Conference (ACSAC)","location":"Honolulu, HI, USA","start":{"date-parts":[[2025,12,8]]},"end":{"date-parts":[[2025,12,12]]}},"container-title":["2025 IEEE Annual Computer Security Applications Conference (ACSAC)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11391636\/11391706\/11391908.pdf?arnumber=11391908","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T07:09:18Z","timestamp":1772003358000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11391908\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,8]]},"references-count":85,"URL":"https:\/\/doi.org\/10.1109\/acsac67867.2025.00036","relation":{},"subject":[],"published":{"date-parts":[[2025,12,8]]}}}