A Systematic Framework for Analyzing the Security and Privacy of Wireless Communication Protocol Implementations

Imtiaz Karim, Purdue University


Wireless communication technologies, such as cellular ones, Bluetooth, and WiFi, are fundamental for today’s and tomorrow’s communication infrastructure. Networks based on those technologies are or will be increasingly deployed in many critical domains, such as critical infrastructures, smart cities, healthcare, and industrial environments. Protecting wireless networks against attacks and privacy breaches is thus critical. A fundamental step for the security and privacy of these networks is ensuring that their protocols are implemented as mandated by the standards. These protocols are however quite complex and unfortunately, the lack of secure-by-design approaches for these complex protocols often induces vulnerabilities in implementations with severe security and privacy repercussions. For these protocols, the standards are thousands of pages long, written in natural language, describe the high-level interaction of the protocol entities, and most often depend on human interpretation—which is open to misunderstanding and ambiguity. This inherently entails the question of whether these wireless protocols and their communication equipment implement the corresponding standards correctly or whether the implementations introduce vulnerabilities that can have severe consequences. In this dissertation, we systematically analyze the security and privacy of these wireless communication protocol implementations (e.g., cellular networks and Bluetooth) and develop techniques useful for both white-box and black-box analysis. For the white-box analysis, we propose a model-based testing approach–ProChecker which (1) extracts a precise semantic model as a finite state machine of the implementation by combining dynamic testing with static instrumentation, and (2) verifies the properties against the extracted model by combining a symbolic model checker and a cryptographic protocol verifier. We demonstrate the effectiveness of ProChecker by evaluating it on a closed source and two of the most popular open-source 4G LTE control plane protocol implementations with 62 properties. ProChecker unveiled 3 new protocol-specific logical attacks, 6 implementation issues, and detected 14 prior attacks. The impact of the attacks ranges from denial-of-service, broken integrity, encryption, and replay protection to privacy leakage.




Bertino, Purdue University.

Subject Area

Computer science

Off-Campus Purdue Users:
To access this dissertation, please log in to our
proxy server