{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:26:55Z","timestamp":1766442415117,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":58,"publisher":"ACM","funder":[{"DOI":"10.13039\/501100014188","name":"Ministry of Science and ICT, South Korea","doi-asserted-by":"publisher","award":["RS-2024-00397469"],"award-info":[{"award-number":["RS-2024-00397469"]}],"id":[{"id":"10.13039\/501100014188","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765230","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:37:25Z","timestamp":1763854645000},"page":"276-290","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["CITesting: Systematic Testing of Context Integrity Violations in LTE Core Networks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-8655-8387","authenticated-orcid":false,"given":"Mincheol","family":"Son","sequence":"first","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-1121-733X","authenticated-orcid":false,"given":"Kwangmin","family":"Kim","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-0692-0899","authenticated-orcid":false,"given":"Beomseok","family":"Oh","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-5102-2190","authenticated-orcid":false,"given":"CheolJun","family":"Park","sequence":"additional","affiliation":[{"name":"Kyung Hee University, Yongin, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4879-1262","authenticated-orcid":false,"given":"Yongdae","family":"Kim","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"CITesting. https:\/\/sites.google.com\/view\/citesting."},{"key":"e_1_3_2_1_2_1","unstructured":"3GPP. C1-224987. https:\/\/www.3gpp.org\/ftp\/tsg_ct\/WG1_mm-cc-sm_ex-CN1\/TSGC1_137e\/Docs."},{"key":"e_1_3_2_1_3_1","first-page":"3","author":"PP.","year":"2018","unstructured":"3GPP. TS 24.301, v15.4.0. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3, 2018.","journal-title":"Stage"},{"key":"e_1_3_2_1_4_1","first-page":"3","author":"PP.","year":"2022","unstructured":"3GPP. TS 24.301, v17.6.0. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3, 2022.","journal-title":"Stage"},{"key":"e_1_3_2_1_5_1","first-page":"3","author":"PP.","year":"2024","unstructured":"3GPP. TS 24.301, v18.8.0. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3, 2024.","journal-title":"Stage"},{"key":"e_1_3_2_1_6_1","first-page":"3","author":"PP.","year":"2023","unstructured":"3GPP. TS 24.501, v18.5.0. Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3, 2023.","journal-title":"Stage"},{"key":"e_1_3_2_1_7_1","volume-title":"USENIX Security Symposium","author":"Al Ishtiaq A.","year":"2024","unstructured":"A. Al Ishtiaq, S. S. S. Das, S. M. M. Rashid, A. Ranjbar, K. Tu, T. Wu, Z. Song, W. Wang, M. Akon, R. Zhang, and S. R. Hussain. Hermes: Unlocking Security Analysis of Cellular Network Protocols by Synthesizing Finite State Machines from Natural Language Specifications. In USENIX Security Symposium, 2024."},{"key":"e_1_3_2_1_8_1","unstructured":"Amarisoft. Amarisoft Callbox Classic. ''https:\/\/www.amarisoft.com''."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243846"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670320"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3558482.3590194"},{"key":"e_1_3_2_1_12_1","volume-title":"OPCDE","author":"Cama A.","year":"2018","unstructured":"A. Cama. A Walk with Shannon. OPCDE, 2018."},{"key":"e_1_3_2_1_13_1","volume-title":"OffensiveCon","author":"Cama A.","year":"2023","unstructured":"A. Cama. ASN.1 and Done: A Journey of Exploiting ASN.1 Parsers in the Baseband. OffensiveCon, 2023."},{"key":"e_1_3_2_1_14_1","volume-title":"USENIX Security Symposium","author":"Chen Y.","year":"2023","unstructured":"Y. Chen, D. Tang, Y. Yao, M. Zha, X. Wang, X. Liu, H. Tang, and B. Liu. Sherlock on Specs: Building LTE Conformance Tests through Automated Reasoning. In USENIX Security Symposium, 2023."},{"key":"e_1_3_2_1_15_1","volume-title":"Bookworm Game: Automatic Discovery of LTE Vulnerabilities. In IEEE Symposium on Security and Privacy","author":"Chen Y.","year":"2021","unstructured":"Y. Chen, Y. Yao, X. Wang, D. Xu, X. Liu, C. Yue, K. Chen, H. Tang, and B. Liu. Bookworm Game: Automatic Discovery of LTE Vulnerabilities. In IEEE Symposium on Security and Privacy, 2021."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3448300.3469133"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3317549.3324927"},{"key":"e_1_3_2_1_18_1","unstructured":"CICSO ASR 5000 Series (MME Administration Guide). ''https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/wireless\/asr_5000\/21-28\/mme-admin\/21-28-mme-admin\/m_128k-enodeb-connections.html''."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664272"},{"key":"e_1_3_2_1_20_1","volume-title":"USENIX Security Symposium","author":"Dong Y.","year":"2025","unstructured":"Y. Dong, T. Yang, A. Al Ishtiaq, S. M. M. Rashid, A. Ranjbar, K. Tu, T. Wu, M. S. Mahmud, and S. R. Hussain. CORECRISIS: Threat-Guided and Context-Aware Iterative Learning and Fuzzing of 5G Core Networks. In USENIX Security Symposium, 2025."},{"key":"e_1_3_2_1_21_1","unstructured":"Ericsson Mobility Report Q4 2024 update. ''https:\/\/www.ericsson.com\/en\/reports-and-papers\/mobility-report''."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3495243.3560525"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/GLOBECOM48099.2022.10001673"},{"key":"e_1_3_2_1_24_1","volume-title":"SUTD","author":"Garbelini M. E.","year":"2023","unstructured":"M. E. Garbelini, Z. Shang, S. Luo, and S. Chattopadhyay. 5GHOUL: Unleashing Chaos on 5G Edge Devices. Technical report, SUTD, 2023."},{"key":"e_1_3_2_1_25_1","unstructured":"I. Gomez-Miguelez A. Garcia-Saavedra P. D. Sutton P. Serrano C. Cano and D. J. Leith. srsRAN: An Open-Source Platform for LTE Evolution and Experimentation. https:\/\/github.com\/srsran\/srsRAN."},{"key":"e_1_3_2_1_26_1","volume-title":"BlackHat USA","author":"Grassi M.","year":"2021","unstructured":"M. Grassi and X. Chen. Over the Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones. BlackHat USA, 2021."},{"key":"e_1_3_2_1_27_1","volume-title":"BlackHat USA","author":"Grassi M.","year":"2018","unstructured":"M. Grassi, M. Liu, and T. Xie. Exploitation of a Modern Smartphone Baseband. BlackHat USA, 2018."},{"key":"e_1_3_2_1_28_1","unstructured":"Public Networks and Operators March 2025. ''https:\/\/gsacom.com\/paper\/public-networks-and-operators-march-2025\/''."},{"key":"e_1_3_2_1_29_1","volume-title":"FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware. In Network and Distributed Systems Security Symposium (NDSS)","author":"Hernandez G.","year":"2022","unstructured":"G. Hernandez, M. Muench, D. Maier, A. Milburn, S. Park, T. Scharnowski, T. Tucker, P. Traynor, and K. Butler. FIRMWIRE: Transparent Dynamic Analysis for Cellular Baseband Firmware. In Network and Distributed Systems Security Symposium (NDSS), 2022."},{"key":"e_1_3_2_1_30_1","volume-title":"LTESniffer: An Open-source LTE Downlink\/Uplink Eavesdropper. In 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)","author":"Hoang D. T.","year":"2023","unstructured":"D. T. Hoang, C. Park, M. Son, T. Oh, S. Bae, J. Ahn, B. Oh, and Y. Kim. LTESniffer: An Open-source LTE Downlink\/Uplink Eavesdropper. In 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2023."},{"key":"e_1_3_2_1_31_1","volume-title":"GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier. In Network and Distributed System Security Symposium (NDSS)","author":"Hong B.","year":"2018","unstructured":"B. Hong, S. Bae, and Y. Kim. GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier. In Network and Distributed System Security Symposium (NDSS), 2018."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23313"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354263"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485388"},{"key":"e_1_3_2_1_35_1","volume-title":"ProChecker: An Automated Security and Privacy Analysis Framework for Communication Protocol. In IEEE International Conference on Distributed Computing Systems","author":"Karim I.","year":"2021","unstructured":"I. Karim, S. Hussain, and E. Bertino. ProChecker: An Automated Security and Privacy Analysis Framework for Communication Protocol. In IEEE International Conference on Distributed Computing Systems, 2021."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3643833.3656141"},{"key":"e_1_3_2_1_37_1","volume-title":"BaseComp: A Comparative Analysis for Integrity Protection in Cellular Baseband Software. In USENIX Security Symposium","author":"Kim E.","year":"2023","unstructured":"E. Kim, M. W. Baek, C. Park, D. Kim, Y. Kim, and I. Yun. BaseComp: A Comparative Analysis for Integrity Protection in Cellular Baseband Software. In USENIX Security Symposium, 2023."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24365"},{"key":"e_1_3_2_1_39_1","volume-title":"Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane. In IEEE Symposium on Security and Privacy (S&P)","author":"Kim H.","year":"2019","unstructured":"H. Kim, J. Lee, E. Lee, and Y. Kim. Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane. In IEEE Symposium on Security and Privacy (S&P), 2019."},{"key":"e_1_3_2_1_40_1","volume-title":"Instructions Unclear: Undefined Behaviour in Cellular Network Specifications. In USENIX Security Symposium","author":"Klischies D.","year":"2023","unstructured":"D. Klischies, M. Schloegel, T. Scharnowski, M. Bogodukhov, D. Rupprecht, and V. Moonsamy. Instructions Unclear: Undefined Behaviour in Cellular Network Specifications. In USENIX Security Symposium, 2023."},{"key":"e_1_3_2_1_41_1","volume-title":"The Destroyer Of Chains. OffensiveCon","author":"Komaromy D.","year":"2023","unstructured":"D. Komaromy. Basebanheimer: Now I Am Become Death, The Destroyer Of Chains. OffensiveCon, 2023."},{"key":"e_1_3_2_1_42_1","volume-title":"LTrack: Stealthy Tracking of Mobile Phones in LTE. In USENIX Security Symposium","author":"Kotuliak M.","year":"2022","unstructured":"M. Kotuliak, S. Erni, P. Leu, M. Roeschlin, and S. Capkun. LTrack: Stealthy Tracking of Mobile Phones in LTE. In USENIX Security Symposium, 2022."},{"key":"e_1_3_2_1_43_1","unstructured":"S. Lee. Open5GS: Open Source Implementation for 5G Core and EPC. https:\/\/open5gs.org\/."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23098"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3395351.3399360"},{"key":"e_1_3_2_1_46_1","unstructured":"Nokia Corporation CMM 22.0. ''https:\/\/www.nokia.com''."},{"key":"e_1_3_2_1_47_1","volume-title":"DoLTEst: In-depth Downlink Negative Testing Framework for LTE Devices. In USENIX Security Symposium","author":"Park C.","year":"2022","unstructured":"C. Park, S. Bae, B. Oh, J. Lee, E. Lee, I. Yun, and Y. Kim. DoLTEst: In-depth Downlink Negative Testing Framework for LTE Devices. In USENIX Security Symposium, 2022."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/WiMob52687.2021.9606317"},{"key":"e_1_3_2_1_49_1","volume-title":"USENIX Workshop on Offensive Technologies","author":"Rupprecht D.","year":"2016","unstructured":"D. Rupprecht, K. Jansen, and C. P\u00f6pper. Putting LTE Security Functions to the Test: A Framework to Evaluate Implementation Correctness. In USENIX Workshop on Offensive Technologies, 2016."},{"key":"e_1_3_2_1_50_1","volume-title":"Breaking LTE on Layer Two. In IEEE Symposium on Security and Privacy (S&P)","author":"Rupprecht D.","year":"2019","unstructured":"D. Rupprecht, K. Kohls, T. Holz, and C. P\u00f6pper. Breaking LTE on Layer Two. In IEEE Symposium on Security and Privacy (S&P), 2019."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24283"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23236"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/3317549.3319728"},{"key":"e_1_3_2_1_54_1","volume-title":"OffensiveCon","author":"Silvanovich N.","year":"2023","unstructured":"N. Silvanovich. How to Hack Shannon Baseband (from a Phone). OffensiveCon, 2023."},{"key":"e_1_3_2_1_55_1","volume-title":"USENIX Security Symposium","author":"Tu K.","year":"2024","unstructured":"K. Tu, A. Al Ishtiaq, S. M. M. Rashid, Y. Dong, W. Wang, T. Wu, and S. R. Hussain. Logic Gone Astray: A Security Analysis Framework for the Control Plane Protocols of 5G Basebands. In USENIX Security Symposium, 2024."},{"key":"e_1_3_2_1_56_1","unstructured":"USRP B210. https:\/\/www.ettus.com\/UB210-KIT."},{"key":"e_1_3_2_1_57_1","volume-title":"Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE. In USENIX Security Symposium","author":"Yang H.","year":"2019","unstructured":"H. Yang, S. Bae, M. Son, H. Kim, S. M. Kim, and Y. Kim. Hiding in Plain Signal: Physical Signal Overshadowing Attack on LTE. In USENIX Security Symposium, 2019."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196521"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765230","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:22:19Z","timestamp":1766442139000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765230"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":58,"alternative-id":["10.1145\/3719027.3765230","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765230","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}