Holistic 4G/5G Security & Functional Test Plan

Version: 1.0
Date: 2026-03-28
Lab Stack: Open5GS v2.7.7 · UERANSIM v3.2.7 · Docker / Kubernetes
Standards Basis: 3GPP TS 33.501 v18.9.0 · 3GPP TS 33.117 v18.x · GSMA FS.40 v3.0 · NIST SP 800-187

1. Purpose and Scope

This test plan provides structured, repeatable test cases for validating the security, functional correctness, and resilience of a 4G EPC and 5G SA core network built on Open5GS. It takes a holistic approach spanning:

• Protocol correctness (NAS, S1AP, NGAP, GTP, Diameter, SBI HTTP/2)
• Authentication and cryptographic enforcement
• Threat emulation (STRIDE categories)
• Denial-of-service and robustness
• Network slice isolation
• Infrastructure/container security
• Interconnect and roaming interfaces
• Monitoring and detection validation

In-scope systems:

Out of scope (this version): Physical RF spectrum testing, live network interconnect, O-RAN open interfaces beyond F1/E1/E2 concepts.

2. Resource Requirements

2.1 Minimum Hardware (Single-node lab)

2.2 Multi-node / Kubernetes Lab

For a single workstation running kind (Kubernetes in Docker), 8 vCPU / 16 GB / 100 GB is the target spec.

2.3 Software Requirements

Core Lab Stack

Analysis and Capture Tools

Vulnerability Reference

3. Test Environment Setup

3.1 Pre-Test Checklist

[ ] Open5GS v2.7.7 containers running (docker compose ps — all healthy)
[ ] UERANSIM gNB registered to AMF (check AMF log: "gNB-ID[...] is registered")
[ ] UERANSIM UE attached with PDU session (ping 8.8.8.8 via uesimtun0)
[ ] Wireshark 4.4+ running on control plane bridge (capture filter: sctp || http2 || diameter || gtp)
[ ] tcpdump baseline pcap saved
[ ] MongoDB subscriber exists (IMSI 001010000000001, key/opc matching UERANSIM config)
[ ] All NFs reachable (curl http://nrf:7777/nnrf-nfm/v1/nf-instances)

3.2 Network Reference

4. Test Cases

Test cases are grouped into 10 domains. Each has an ID, objective, steps, expected result, pass/fail criteria, and standards reference.

Domain 1: Subscriber Registration and Mobility

TC-REG-01: Normal 5G Registration (5G-AKA)

Objective: Verify a UE can complete a full 5G registration procedure with 5G-AKA authentication.
Standard: 3GPP TS 33.501 §6.1; TS 24.501
Tools: UERANSIM, tshark on N2/N11 interfaces

Steps:

1. Start UERANSIM gNB: nr-gnb -c gnb.yaml
2. Start UERANSIM UE: nr-ue -c ue.yaml
3. Capture N2 (NGAP/SCTP on 172.22.0.0/24 port 38412) and N11 (SBI HTTP/2)
4. Observe packet capture

Expected Results:

• NGAP: InitialUEMessage → DownlinkNASTransport (AuthRequest) → UplinkNASTransport (AuthResponse) → InitialContextSetupRequest → RegistrationAccept
• NAS: 5G-AKA RAND/AUTN present in Authentication Request; RES* sent back
• SBI: AMF calls POST /nudm-uecm/v1/{supi}/registrations/amf-3gpp-access on UDM; AUSF called for AKA
• UE state: Registered, PDU session established
• ping via uesimtun0 succeeds

Pass Criteria: UE registers, obtains IP, passes traffic. No NAS reject codes.

TC-REG-02: 4G Attach Procedure (EPS-AKA)

Objective: Verify full 4G attach with EPS-AKA and default bearer establishment.
Standard: 3GPP TS 33.401 §6.1; NIST SP 800-187 §4.2
Tools: srsRAN 4G (srsENB + srsUE), tshark on S1-MME (SCTP port 36412) and S6a (Diameter)

Steps:

1. Start Open5GS EPC containers
2. Start srsENB connected to MME
3. Start srsUE
4. Capture S1AP and Diameter traffic

Expected Results:

• S1AP: InitialUEMessage → EMM AuthRequest → SecurityModeCommand → InitialContextSetupRequest → AttachAccept
• Diameter S6a: AIR (Authentication-Information-Request) → AIA with authentication vectors
• UE: Attached, default EPS bearer up, IP assigned from PGW

Pass Criteria: UE attaches successfully; ping via UE tunnel interface succeeds.

TC-REG-03: SUCI Privacy Verification (5G)

Objective: Confirm that SUPI is concealed as SUCI in the initial Registration Request, preventing IMSI exposure over air.
Standard: 3GPP TS 33.501 §6.12; GSMA FS.40 v3.0 §5.2
Tools: tshark, Wireshark NAS-5GS dissector

Steps:

1. Capture NAS-5GS traffic on N2 during TC-REG-01 execution
2. Filter: nas-5gs.mm.5gs_reg_type and inspect Mobile Identity IE in Registration Request
3. Check Mobile Identity type

Expected Results:

• Mobile Identity type = SUCI (0x01) — NOT IMSI (0x02)
• SUCI structure: MCC/MNC plaintext, MSIN encrypted with ECIES (scheme ID 0x01 or 0x02)
• SUPI is only visible to AUSF/UDM after SIDF de-concealment

Pass Criteria: No plaintext IMSI in any initial NAS message; SUCI scheme != null (0x00) in production config.

Note: Open5GS lab defaults may use null-scheme SUCI (scheme 0x00) for simplicity. For security validation, configure ECIES scheme in ausf.yaml and UERANSIM UE profile.

TC-REG-04: Tracking Area Update (4G TAU)

Objective: Verify TAU procedure when UE moves between Tracking Areas.
Standard: 3GPP TS 24.301 §5.5.3
Tools: srsRAN, tshark

Steps:

1. Register UE in TAI-1
2. Modify MME config to include TAI-2 in TA list
3. Trigger UE mobility simulation (change eNB TAC)
4. Capture S1AP and NAS

Expected Results:

• TAU Request sent by UE with EPS update type = TA updating (0x00)
• MME returns TAU Accept with new TA list
• Security context maintained (no full re-authentication unless requested)

Pass Criteria: TAU completes without service interruption; UE retains IP address.

TC-REG-05: 5G Registration — Multiple UEs (Scalability)

Objective: Verify AMF handles concurrent registrations without dropping or misrouting.
Standard: 3GPP TS 23.501 §5.15 (AMF capacity)
Tools: UERANSIM multiple UE instances (scripted), Prometheus metrics

Steps:

1. Launch 10 UERANSIM UE instances with unique IMSIs (001010000000001 – 001010000000010) using a shell loop
2. Stagger launches by 100ms to simulate near-simultaneous arrival
3. Monitor AMF logs and Prometheus amf_registered_ue_count metric

Expected Results:

• All 10 UEs register successfully
• No NGAP setup failures
• AMF Prometheus gauge shows 10 registered UEs
• No duplicate session errors in SMF or UPF logs

Pass Criteria: All 10 UEs pass PDU session establishment and can ping successfully.

Domain 2: Authentication and Key Agreement

TC-AUTH-01: 5G-AKA XRES* Verification

Objective: Verify AMF/AUSF correctly validates XRES* and rejects modified RES*.
Standard: 3GPP TS 33.501 §6.1.3
Tools: pycrate, tshark

Steps:

1. Use pycrate to craft a NAS AuthenticationResponse with a deliberately wrong RES* (flip one bit)
2. Inject it to AMF via a UERANSIM UE interceptor or replay tool
3. Observe AMF / AUSF response

Expected Results:

• AUSF returns authentication failure to AMF
• AMF sends NAS AuthenticationReject (cause: MAC failure 0x14)
• UE de-registered; no PDU session allocated

Pass Criteria: Modified RES* is always rejected; no false accept.

TC-AUTH-02: NAS Null-Cipher (EEA0/EIA0) Downgrade Attempt

Objective: Verify the core rejects or flags attempts to negotiate null integrity (NIA0/EIA0) in non-emergency mode.
Standard: 3GPP TS 33.501 §5.9; NIST SP 800-187 §4.3 (for 4G EIA0/EEA0)
Tools: UERANSIM (modified UE capability), tshark

Steps:

1. Modify UERANSIM ue.yaml to advertise only NIA0 and NEA0 in UE security capability
2. Initiate registration
3. Observe SecurityModeCommand from AMF and SMC response

Expected Results (secure config):

• AMF should reject if its policy disallows null-integrity (configured via amf.yaml integrity_order)
• If AMF is misconfigured to allow NIA0, flag as FINDING (CRITICAL)

Pass Criteria: NIA0 is rejected in all non-emergency bearers. Any acceptance = test FAIL.

TC-AUTH-03: SIM/IMSI Not Provisioned — Rejection

Objective: Verify core correctly rejects registration attempts from unprovisioned subscribers.
Standard: 3GPP TS 24.501 §5.5.1.2
Tools: UERANSIM

Steps:

1. Configure UERANSIM UE with IMSI 001010000099999 (not in MongoDB)
2. Attempt registration
3. Check AMF/UDM logs

Expected Results:

• UDM returns 404 on nudm-sdm subscription call
• AMF sends RegistrationReject (5GMM cause: #11 PLMN not allowed or #3 Illegal UE)
• No session allocated; no IP assigned

Pass Criteria: Unprovisioned IMSI is always rejected; no partial session leak.

TC-AUTH-04: Authentication Vector Replay Prevention

Objective: Verify AUSF detects and rejects replay of a previously used authentication vector.
Standard: 3GPP TS 33.501 §6.1.3.4 (SQN-based replay prevention)
Tools: pycrate, Wireshark, UERANSIM

Steps:

1. Complete a successful registration (TC-REG-01); capture the RAND/AUTN in the AuthRequest
2. Attempt to replay the same RAND/AUTN values in a new AuthResponse
3. Observe AUSF response

Expected Results:

• AUSF detects SQN out of range or AUTN MAC failure on second use
• AMF rejects with Authentication Reject
• AUSF may trigger AV re-sync procedure if SQN delta is within sync window

Pass Criteria: Replayed AV is never accepted as a valid authentication.

Domain 3: Service-Based Interface (SBI) Security — 5G Only

TC-SBI-01: NRF Registration — Unauthorized NF Injection

Objective: Verify that a rogue NF cannot register with NRF without valid credentials (mTLS / OAuth2 token).
Standard: 3GPP TS 33.501 §13.3; GSMA FS.40 v3.0 §5.4
Tools: curl, openssl

Steps:

1. Attempt to register a fake AMF to NRF without a client certificate:

   curl -X PUT http://nrf:7777/nnrf-nfm/v1/nf-instances/fake-amf-uuid \
     -H "Content-Type: application/json" \
     -d '{"nfInstanceId":"fake-amf-uuid","nfType":"AMF","nfStatus":"REGISTERED"}'
   

2. Attempt with an invalid/self-signed TLS certificate if TLS is enabled
3. Check NRF registration store

Expected Results (secure config):

• NRF returns HTTP 401 Unauthorized or HTTP 403 Forbidden
• Fake NF does not appear in GET /nnrf-nfm/v1/nf-instances

Finding Flag: If NRF accepts unauthenticated registration → CRITICAL FINDING (rogue NF injection enables MitM on all SBI calls between that NF type and consumers).

Pass Criteria: No unauthenticated NF registration accepted.

Lab Note: Open5GS defaults to HTTP (no TLS) for SBI in lab deployments. Document this as a lab limitation and treat any unauthenticated acceptance as an expected finding to be mitigated.

TC-SBI-02: OAuth2 Token Enforcement on NF Service Calls

Objective: Verify NF consumers present valid OAuth2 access tokens and that the NRF/NF enforces them.
Standard: 3GPP TS 33.501 §13.4; RFC 6749
Tools: curl

Steps:

1. Call an NF API (e.g., UDM's nudm-sdm subscriber data) without Authorization header:

   curl http://udm:7777/nudm-sdm/v1/imsi-001010000000001/sm-data
   

2. Call with an expired/tampered JWT token
3. Call with a valid token (baseline)

Expected Results:

• No token → HTTP 401
• Invalid/expired token → HTTP 401 with WWW-Authenticate header
• Valid token → HTTP 200 with subscriber data

Pass Criteria: All unauthorized calls rejected at NF level.

TC-SBI-03: SCP as Single Point of Failure

Objective: Verify system behavior when SCP fails; validate fallback/redundancy.
Standard: 3GPP TS 23.501 §7.1 (SCP); GSMA FS.40 §5.4
Tools: Docker, curl, Prometheus

Steps:

1. Establish baseline (all UEs registered, traffic flowing)
2. Kill SCP container: docker stop open5gs-scp
3. Monitor AMF-to-SMF calls (N11 path) and NRF discovery
4. Attempt new UE registration during SCP outage
5. Restart SCP; verify recovery

Expected Results:

• NF-to-NF calls that route through SCP fail during outage
• AMF should fall back to direct NF-to-NF if configured (scp_addr absent = direct mode)
• Existing PDU sessions (not requiring SCP mid-session) should survive
• On SCP restart, new registrations proceed normally

Pass Criteria: Document exact behavior. Flag any permanent session loss on SCP restart as a finding.

TC-SBI-04: HTTP/2 Input Validation — Malformed SBI Request

Objective: Verify NFs handle malformed JSON/HTTP2 SBI requests without crashing (aligns with CVE-2025-x NULL ptr via multipart SBI).
Standard: 3GPP TS 33.117 §4.2.3 (Input Validation); CVE-2025-14953
Tools: curl, pycrate

Steps:

1. Send an empty HTTP/2 body to NRF registration endpoint:

   curl -X PUT http://nrf:7777/nnrf-nfm/v1/nf-instances/test \
     -H "Content-Type: multipart/related" \
     --data-binary ""
   

2. Send oversized JSON payload (>1MB) to AMF N1/N2 interface
3. Send NULL bytes in IMSI field of UDM subscription request
4. Monitor NF logs for crashes or unexpected restarts

Expected Results:

• All NFs return HTTP 400 Bad Request with descriptive error
• No NF process crash or container restart
• No memory disclosure in error response

Pass Criteria: All inputs handled gracefully; no crashes. If container restarts → CRITICAL FINDING (DoS vector; correlates with CVE class from RANsacked).

Domain 4: GTP and User Plane Security

TC-GTP-01: GTP-U Tunnel Injection (4G S1-U / 5G N3)

Objective: Verify that spoofed GTP-U packets with a valid TEID but wrong source are dropped by UPF.
Standard: GSMA FS.40 §5.7 (UPF security); 3GPP TS 33.501 §5.10
Tools: Scapy, tshark

Steps:

1. Identify a live GTP-U TEID from active session (capture N3 traffic with tshark)
2. Craft a GTP-U packet with the valid TEID from a spoofed source IP using Scapy:

   from scapy.all import *
   from scapy.contrib.gtp import GTP_U_Header
   pkt = IP(src="172.23.1.99", dst="172.23.0.5") / \
         UDP(sport=2152, dport=2152) / \
         GTP_U_Header(teid=<valid_teid>) / \
         IP(dst="8.8.8.8") / ICMP()
   send(pkt)
   

3. Capture whether the injected packet exits through UPF

Expected Results:

• UPF should validate source IP of GTP-U tunnels (FAR rule)
• Injected packet from unknown source IP is silently dropped
• No traffic forwarded via the spoofed TEID

Finding Flag: If packet is forwarded → HIGH FINDING (GTP-U injection; attacker can inject arbitrary data into subscriber session).

Pass Criteria: Injected GTP-U from unauthorized source is dropped; no forwarding.

TC-GTP-02: GTP-C Message Flood (DoS on SGW/SMF)

Objective: Assess resilience of SGW-C/SMF against a flood of malformed GTP-C Create Session Requests.
Standard: 3GPP TS 33.117 §4.2.6 (DoS resistance); CVE-2024-51179
Tools: Scapy, hping3, pycrate

Steps:

1. Craft 1000 GTP-C v2 Create Session Request messages with random IMSIs using pycrate
2. Send to SGW-C/SMF GTP-C port (2123/UDP) at 100 pps
3. Monitor SGW-C/SMF CPU, memory (via docker stats), and response to legitimate UE sessions

Expected Results:

• SGW-C/SMF handles flood without crashing
• Legitimate UE sessions remain active during flood
• CPU usage spikes but returns to baseline after flood stops
• Rate limiting or PFCP error responses observed

Pass Criteria: No container restart; legitimate sessions unaffected. Any crash = test FAIL.

TC-GTP-03: PFCP Session Modification Replay

Objective: Verify SMF rejects replayed PFCP Session Modification Requests.
Standard: 3GPP TS 29.244; CVE-2025-14953
Tools: pycrate, tshark

Steps:

1. Capture a valid PFCP Session Modification Request (tshark on N4 PFCP port 8805/UDP)
2. Replay the captured PFCP message byte-for-byte
3. Observe SMF/UPF response

Expected Results:

• SMF/UPF detects duplicate Sequence Number in PFCP header
• Returns PFCP Session Modification Response with Cause = Request rejected (unspecified) (0x41)
• No duplicate session modification applied

Pass Criteria: Replayed PFCP message rejected; no duplicate side effects.

Domain 5: Signaling Protocol Attacks (SS7/Diameter)

TC-SS7-01: SS7 Location Tracking Simulation (UpdateLocation)

Objective: Simulate an SS7 MAP UpdateLocation attack to understand exposure; validate whether lab SS7 interface accepts unauthenticated peer connections.
Standard: GSMA FS.11 (SS7 Vulnerability); NIST SP 800-187 §Appendix A
Tools: SigPloit (Python 2.7 environment), tshark

Authorization Required: This test must only be performed against the isolated lab environment. Never execute against production or interconnect networks.

Steps:

1. Configure SigPloit with lab SS7 Point Code (if SS7 interface is present in Open5GS lab)
2. Execute UpdateLocation attack module targeting HLR IMSI
3. Capture MAP traffic on SCTP

Expected Results (lab):

• In an isolated lab, SigPloit may succeed (demonstrating the vulnerability)
• Document whether the lab HLR accepts the unauthorized location update
• Validate mitigation: SS7 Firewall (Category 1–3 filtering per GSMA FS.11)

Pass Criteria (for defended lab): UpdateLocation from unauthorized peer rejected.

TC-DIA-01: Diameter S6a — Unauthorized Authentication-Information-Request

Objective: Test whether MME-to-HSS Diameter S6a interface accepts requests from an unauthenticated Diameter peer.
Standard: 3GPP TS 33.210 (Diameter security); NIST SP 800-187 §4.4
Tools: FreeDiameter, pycrate

Steps:

1. Set up a rogue Diameter client (FreeDiameter configured with a non-whitelisted Origin-Host)
2. Send an AIR (Authentication-Information-Request) for a valid IMSI to the HSS Diameter port
3. Observe HSS response

Expected Results (secure config):

• HSS rejects the connection at TLS/DTLS or peer-verification layer
• If no TLS configured (lab default): HSS accepts peer but should return DIAMETER_UNKNOWN_PEER (3010) if Origin-Host not in whitelist
• No authentication vectors returned to unauthorized peer

Finding Flag: If AV returned to unauthorized Diameter peer → CRITICAL FINDING (enables AKA bypass / intercept).

Pass Criteria: Unauthorized Diameter peer cannot retrieve authentication vectors.

TC-DIA-02: Diameter Gx PCRF — Unauthorized Policy Rule Push

Objective: Verify PCRF validates Diameter Gx peer identity before accepting Re-Auth-Request to push policy rules.
Standard: 3GPP TS 29.212; GSMA FS.40 §5.3
Tools: FreeDiameter, pycrate

Steps:

1. Send a crafted Re-Auth-Request (RAR) from a rogue Gx peer to PCRF
2. RAR contains modified QoS rules (e.g., bandwidth upgrade for a subscriber)
3. Observe whether PCRF applies the modified policy

Expected Results:

• Rogue Gx peer connection rejected (if peer whitelisting configured)
• No unauthorized QoS modification applied
• SGW-C not notified of fraudulent rule

Pass Criteria: Only whitelisted Gx peers can modify policies.

Domain 6: Network Slice Isolation

TC-SLICE-01: Slice Access Control — Unauthorized Slice Request

Objective: Verify AMF/NSSF rejects UE requests for network slices the subscriber is not authorized to use.
Standard: 3GPP TS 33.501 §5.15; GSMA FS.40 §5.5
Tools: UERANSIM (modified S-NSSAI in UE config)

Steps:

1. Provision subscriber in MongoDB with allowed NSSAI: SST=1, SD=000001 (eMBB)
2. Configure UERANSIM UE to request SST=2, SD=000002 (URLLC — not provisioned)
3. Initiate registration and PDU session with URLLC slice

Expected Results:

• NSSF returns allowed NSSAI without the requested URLLC slice
• AMF sends RegistrationAccept with only authorized slices in Allowed NSSAI
• If UE insists on URLLC-only PDU session → PDU Session Establishment Reject with cause #37 Slice not subscribed

Pass Criteria: UE cannot access unauthorized slices regardless of what it requests.

TC-SLICE-02: Cross-Slice Traffic Leakage

Objective: Verify user-plane traffic from Slice A cannot be received or injected into Slice B sessions.
Standard: 3GPP TS 33.501 §5.15; 3GPP TS 23.501 §5.15.3
Tools: UERANSIM (two UE instances, different slices), Scapy, tshark

Steps:

1. Register UE-A on eMBB slice (SST=1) with IP 10.45.0.2
2. Register UE-B on IoT slice (SST=3) with IP 10.46.0.2 (separate DNN/UPF)
3. From UE-A's TUN interface, attempt to send traffic to UE-B's IP address
4. Capture at UPF N6 interface

Expected Results:

• UPF PDRs route Slice A traffic only through Slice A's UPF instance
• No traffic crosses slice boundaries at UPF
• UE-A cannot reach UE-B's IP (different DN, routing isolation)

Pass Criteria: Zero cross-slice packets observed at either UE TUN interface.

TC-SLICE-03: Slice QoS Enforcement — URLLC Latency Budget

Objective: Verify that URLLC slice (5QI=82, 1ms PDB) receives priority handling vs eMBB under load.
Standard: 3GPP TS 23.501 §5.7.3 (5QI tables); 3GPP TS 23.503 (PCF)
Tools: UERANSIM, iperf3, ping with timestamps

Steps:

1. Establish eMBB UE and URLLC UE simultaneously
2. Generate heavy UDP traffic (iperf3) from eMBB UE to saturate UPF
3. Simultaneously measure latency from URLLC UE: ping -i 0.01 -c 1000 8.8.8.8
4. Measure eMBB UE latency for comparison

Expected Results:

• URLLC UE shows measurably lower latency than eMBB during congestion
• PCF has configured 5QI=82 with GBR QoS flows for URLLC PDU session

Pass Criteria: URLLC UE latency < eMBB UE latency under load (demonstrates QoS enforcement).

Domain 7: Denial of Service and Robustness

TC-DOS-01: NGAP Flood — Rogue gNB Registration Storm

Objective: Verify AMF handles a flood of NGAP NGSetupRequest from rogue gNBs without crashing.
Standard: 3GPP TS 33.117 §4.2.6; RANsacked findings
Tools: pycrate, Scapy, UERANSIM (scripted)

Steps:

1. Script 100 concurrent UERANSIM gNB instances with unique gNB IDs, all attempting NGSetupRequest
2. Send requests over 10 seconds (10/sec)
3. Monitor AMF memory and CPU via docker stats
4. Verify legitimate gNB (pre-registered) can still serve UEs

Expected Results:

• AMF accepts connections up to its configured limit; rejects beyond
• No memory leak (AMF RSS growth stops after storm ends)
• Legitimate gNB continues serving UEs during flood
• AMF does not crash or restart

Pass Criteria: AMF survives flood; legitimate gNB sessions unaffected.

TC-DOS-02: NAS Registration Storm — Invalid UEs

Objective: Flood AMF with Registration Requests from UEs with invalid credentials.
Standard: 3GPP TS 33.117 §4.2.6; CVE-2024-24428 (zero-length NAS 5GMM)
Tools: pycrate, UERANSIM scripted

Steps:

1. Send 500 NAS Registration Requests via NGAP with random IMSIs (none provisioned in DB)
2. Also include 10 malformed NAS messages (zero-length 5GMM, as per CVE-2024-24428 pattern)
3. Monitor AMF and UDM

Expected Results:

• AMF rejects all invalid IMSIs with RegistrationReject (cause #3 or #11)
• Malformed NAS handled gracefully (HTTP 400 or NAS reject, no crash)
• AMF does not exhaust connection pool or file descriptors

Pass Criteria: No AMF crash; malformed NAS handled without assertion failure.

TC-DOS-03: SMF PDU Session Flood

Objective: Flood SMF with concurrent PDU session establishment requests.
Standard: 3GPP TS 33.117 §4.2.6
Tools: UERANSIM (10 UEs), scripting

Steps:

1. Register 10 UEs simultaneously (from TC-REG-05)
2. Each UE requests 3 PDU sessions rapidly (DNN: internet, ims, iot)
3. Monitor SMF container resources

Expected Results:

• SMF handles concurrent sessions up to configured maximum
• Excess sessions rejected gracefully with NAS cause #26 Insufficient resources
• No SMF memory exhaustion or crash

Pass Criteria: SMF survives; legitimate sessions within limit are maintained.

TC-DOS-04: UPF GTP-U Flood (N3 Interface)

Objective: Test UPF resilience against high-rate GTP-U packet flood from unauthorized source.
Standard: CVE-2024-51179; 3GPP TS 33.117 §4.2.6
Tools: Scapy, iperf3

Steps:

1. Flood UPF N3 interface with 100,000 GTP-U packets using invalid TEIDs at line rate
2. Monitor UPF CPU/memory (docker stats)
3. Check active UE sessions continue to pass traffic

Expected Results:

• UPF drops packets with unknown TEIDs (no FAR found → drop)
• UPF CPU < 90% during flood
• Active sessions maintain > 50% of baseline throughput

Pass Criteria: No UPF crash; active sessions degraded but not terminated.

TC-DOS-05: PFCP Malformed Packet — CVE-2025-14953 Regression

Objective: Verify Open5GS v2.7.7 is not vulnerable to the PFCP null pointer deref (CVE-2025-14953).
Standard: CVE-2025-14953 (patched in v2.7.6+)
Tools: pycrate (PFCP message crafting)

Steps:

1. Craft a PFCP Session Establishment Request with a Create PDR IE containing a FAR-ID referencing a non-existent FAR (null pointer trigger condition)
2. Send to UPF PFCP port 8805/UDP
3. Monitor UPF container for crash/restart

Expected Results (v2.7.7+):

• UPF returns PFCP Session Establishment Response with Cause = Rejected (0x41) or similar error
• No UPF container crash or restart
• Verify via: docker inspect --format '{{.State.RestartCount}}' open5gs-upf (must stay at 0)

Pass Criteria: No crash. If UPF restarts → CRITICAL FINDING (regression; downgrade Open5GS must be tested with intentionally vulnerable version as baseline).

Domain 8: Threat Emulation (STRIDE Mapped)

TC-STRIDE-S01: Spoofing — Rogue eNB / Rogue gNB (IMSI Catcher Simulation)

Objective: Simulate a rogue gNB that attracts UEs and captures identities.
STRIDE Category: Spoofing
Standard: GSMA FS.40 §4.2; CVE-2019-14934 (IMSI catcher, LTE)
Tools: UERANSIM (rogue gNB config), srsRAN 4G

Steps (5G):

1. Configure a second UERANSIM gNB with stronger signal parameters (TAC = same as lab TAC, PLMN = same)
2. Point it at a separate Open5GS AMF instance (rogue core) or configure without core to capture NAS Init messages only
3. Attempt to register UERANSIM UE against the rogue gNB
4. Observe whether SUPI is exposed (should be SUCI in 5G) or whether UE rejects missing N2 security

Expected Results (5G):

• UE sends RegistrationRequest with SUCI (not IMSI) — SUPI protected
• Rogue gNB cannot de-conceal SUCI without HSK (Home Network Private Key at AUSF)
• UE rejects Security Mode Command from rogue network if ciphered with wrong keys

Expected Results (4G comparison):

• 4G UE may expose IMSI in AttachRequest if rogue eNB sends Identity Request for IMSI before security setup
• Demonstrates improvement of 5G SUCI over 4G IMSI exposure

Pass Criteria (5G): No SUPI/IMSI leakage from 5G UE to rogue gNB.

TC-STRIDE-T01: Tampering — GTP-U Packet Modification MitM

Objective: Demonstrate user-plane integrity gap in 4G and verify 5G UP integrity option.
STRIDE Category: Tampering
Standard: 3GPP TS 33.501 §5.10 (UP integrity); NIST SP 800-187 §4.6
Tools: tshark, Scapy, iptables/nftables

Steps (4G — demonstrating known gap):

1. Position a host between eNB and SGW-U on S1-U path (lab VM with IP forwarding)
2. Use Scapy to intercept and modify GTP-U payload (change packet content in transit)
3. Verify modification reaches UE (demonstrating S1-U is unencrypted/unprotected)

Steps (5G — testing mitigation):

1. Enable UP integrity in Open5GS smf.yaml (integrity_order: [ NIA2, NIA1 ] at AS level)
2. Repeat MitM attempt on N3 GTP-U
3. Verify UE detects integrity failure (PDCP integrity check failure)

Pass Criteria: 4G modification succeeds (expected — documents known gap). 5G modification detected when UP integrity is enabled.

TC-STRIDE-I01: Information Disclosure — CDR / Billing Record Access

Objective: Verify that CDR (Call Detail Record) data in MongoDB is access-controlled.
STRIDE Category: Information Disclosure
Standard: GSMA FS.40 §5.8 (privacy); GDPR Article 32
Tools: mongo shell, Docker network inspection

Steps:

1. Attempt direct MongoDB connection from UERANSIM container (lateral movement simulation):

   docker exec -it ueransim-ue mongosh mongodb://mongodb:27017/open5gs
   

2. Attempt from a newly started container with no explicit network assignment
3. Check whether MongoDB requires authentication

Expected Results (secure config):

• MongoDB should be on an isolated network accessible only by Open5GS NFs
• MongoDB requires authentication (SCRAM-SHA-256); anonymous access rejected
• UERANSIM container cannot resolve mongodb hostname (not on same Docker network)

Finding Flag: If MongoDB accessible without auth from any container → HIGH FINDING (subscriber PII at risk).

Pass Criteria: MongoDB not accessible from RAN-side containers; authentication enforced.

TC-STRIDE-E01: Elevation of Privilege — SMF Bearer Resource Modification

Objective: Attempt to modify QoS on another UE's bearer from a different UE context.
STRIDE Category: Elevation of Privilege
Standard: 3GPP TS 33.501 §5.15; 3GPP TS 23.502 §4.3.4
Tools: pycrate (NAS message crafting), UERANSIM

Steps:

1. Register UE-A and UE-B (distinct IMSIs, both active PDU sessions)
2. From UE-A's NAS context, craft a PDU Session Modification Request with UE-B's PDU Session ID
3. Send to AMF via NGAP (requires pycrate NAS crafting injected into NGAP wrapper)
4. Observe whether SMF applies the modification to UE-B's session

Expected Results:

• AMF binds PDU Session ID to the NAS Security Context of the originating UE
• UE-A cannot modify UE-B's session — AMF returns NAS Reject or ignores cross-UE modification
• SMF validates session binding (AMF UE-NGAP-ID, SUPI context)

Pass Criteria: Cross-UE bearer modification rejected; no privilege escalation between subscriber contexts.

Domain 9: Container and Kubernetes Security

TC-K8S-01: Network Policy Enforcement — NF Isolation

Objective: Verify Kubernetes NetworkPolicies prevent unauthorized cross-NF communication.
Standard: 3GPP TS 33.117 §4.3.1 (network access controls); GSMA FS.40 §6.2
Tools: kubectl, netshoot pod, curl

Steps:

1. Deploy Open5GS on kind cluster with NetworkPolicies (from Part 7 lab)
2. Launch a netshoot debug pod in the default namespace (simulating a compromised workload)
3. Attempt to reach NF pods in open5gs namespace from default namespace:

   kubectl run netshoot --rm -it --image=nicolaka/netshoot -- curl http://amf.open5gs.svc.cluster.local:80
   

4. Attempt to reach MongoDB from outside open5gs namespace

Expected Results:

• NetworkPolicy deny-all + allow-intra-namespace blocks cross-namespace traffic
• netshoot in default namespace cannot reach any open5gs namespace service
• MongoDB only reachable from NF pods within open5gs namespace

Pass Criteria: All cross-namespace traffic blocked by NetworkPolicy.

TC-K8S-02: RBAC — Least Privilege Verification

Objective: Verify NF service accounts have minimal RBAC permissions; no cluster-admin binding.
Standard: 3GPP TS 33.117 §4.3.2 (least privilege); CIS Kubernetes Benchmark
Tools: kubectl, kube-bench (optional)

Steps:

1. Inspect all service accounts in open5gs namespace:

   kubectl get rolebindings,clusterrolebindings -n open5gs -o yaml | grep -A5 "serviceAccount"
   

2. Check for cluster-admin bindings:

   kubectl get clusterrolebinding -o json | jq '.items[] | select(.roleRef.name=="cluster-admin") | .subjects'
   

3. Verify NF pods cannot list secrets in other namespaces using their SA token

Expected Results:

• No NF service account has cluster-admin
• NF SAs have only namespace-scoped permissions (ConfigMap read, own-pod management)
• No * wildcard permissions in any Role or ClusterRole for NF SAs

Pass Criteria: No over-privileged SAs; no cluster-admin binding for NF accounts.

TC-K8S-03: Container Escape Prevention — Read-Only Filesystem

Objective: Verify NF containers run with read-only root filesystems and non-root UIDs.
Standard: 3GPP TS 33.117 §4.4 (software integrity); CIS Docker Benchmark
Tools: kubectl, docker inspect

Steps:

1. Check Pod Security Context for all NF deployments:

   kubectl get pods -n open5gs -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.securityContext}{"\n"}{end}'
   

2. Attempt to write to root filesystem from inside a running NF container:

   kubectl exec -n open5gs <amf-pod> -- touch /test-write
   

3. Check that containers run as non-root:

   kubectl exec -n open5gs <amf-pod> -- id
   

Expected Results:

• readOnlyRootFilesystem: true in container securityContext
• Write to / rejected: Read-only file system
• id returns UID ≠ 0 (non-root)

Pass Criteria: All NF containers run non-root with read-only FS.

TC-K8S-04: etcd Access Control

Objective: Verify etcd (Kubernetes data store) is not accessible without valid client credentials.
Standard: CIS Kubernetes Benchmark §2.1; 3GPP TS 33.117
Tools: kubectl, etcdctl

Steps:

1. From within a running NF pod, attempt direct etcd connection:

   kubectl exec -n open5gs <amf-pod> -- curl http://etcd-endpoint:2379/v3/kv/range
   

2. Verify etcd requires mTLS (cert + key)
3. From a non-control-plane node, attempt unauthenticated etcd access

Expected Results:

• Unauthenticated etcd access rejected (connection refused or TLS required)
• etcd only accepts connections from control-plane components with valid client certs

Pass Criteria: etcd unreachable without valid client TLS certificate.

Domain 10: Monitoring, Detection, and Logging

TC-MON-01: Prometheus Metrics — AMF Registration Counter

Objective: Verify Prometheus scrapes AMF metrics and correctly increments registration counters.
Standard: GSMA FS.40 §7 (monitoring); 3GPP TS 28.552 (KPIs)
Tools: Prometheus, Grafana, curl

Steps:

1. Query Prometheus for AMF metrics baseline:

   curl http://prometheus:9090/api/v1/query?query=amf_registered_ue_count
   

2. Register 5 UERANSIM UEs
3. Re-query; verify counter increased by 5
4. Deregister UEs; verify counter decrements

Expected Results:

• amf_registered_ue_count increments per registration
• Decrements on deregistration
• Metrics scrape interval < 30 seconds

Pass Criteria: Metrics accurately reflect UE registration state in real time.

TC-MON-02: Anomaly Detection — Rapid Deregistration Pattern (SIM Swap Signal)

Objective: Verify that rapid deregistration and re-registration of the same IMSI (SIM swap indicator) generates an alertable event.
Standard: GSMA FS.40 §7.3 (fraud detection); GSMA FS.07 (SIM swap fraud)
Tools: UERANSIM, Prometheus alertmanager (or custom log grep)

Steps:

1. Register, deregister, and re-register the same IMSI 10 times in 60 seconds using UERANSIM
2. Check AMF logs for repeated deregistration entries for same SUPI
3. Verify a Prometheus alert or log pattern rule would fire (configure PrometheusRule if present)

Expected Results:

• AMF logs contain [AMF] UE SUPI[imsi-00101000000001] de-registered repeated > 5 times in 1 minute
• Alert rule (if configured): amf_deregistration_rate{supi="..."} > 5 over 1m fires
• Operator can correlate with SIM swap fraud investigation

Pass Criteria: Log evidence sufficient to trigger forensic investigation; alert fires if configured.

TC-MON-03: Audit Log Completeness — SBI Call Logging

Objective: Verify that all SBI (NF-to-NF) calls are logged with sufficient detail for audit.
Standard: 3GPP TS 33.117 §4.2.5 (logging); GDPR Article 30
Tools: Docker logs, ELK stack (optional), grep

Steps:

1. Perform a complete registration (TC-REG-01)
2. Collect logs from all 5GC NFs: docker compose logs amf smf nrf scp ausf udm
3. Verify the following events are logged with SUPI, timestamp, and result:
   • AMF: Registration Request received, Registration Accept sent
   • AUSF: AKA challenge issued, AKA result (success/fail)
   • UDM: Subscriber data queried (SUPI, data type, requestor NF-ID)
   • SMF: PDU Session Establishment (SUPI, DNN, slice, IP assigned)
   • NRF: NF discovery request (requester NF-ID, NF type queried)

Expected Results:

• Each event logged within 1 second of occurrence
• SUPI/IMSI associated with each relevant event
• No gaps in call chain between NFs (traceable end-to-end)

Pass Criteria: Full call chain reconstructable from logs alone for any given SUPI.

TC-MON-04: pcap Forensics — Attack Reconstruction

Objective: Verify that a captured pcap from the lab contains sufficient detail to reconstruct a GTP-U injection attack (TC-GTP-01).
Standard: GSMA FS.40 §7 (forensics); NIST SP 800-86 (forensic guide)
Tools: Wireshark 4.4+, 5g-trace-visualizer

Steps:

1. Run TC-GTP-01 with full packet capture active
2. Load pcap in Wireshark 4.4+
3. Apply filter: gtp && ip.src == 172.23.1.99 (rogue source)
4. Generate SVG sequence diagram using 5g-trace-visualizer

Expected Results:

• Injected GTP-U packets clearly visible with rogue source IP
• Wireshark GTP-U dissector decodes inner IP payload
• Sequence diagram shows injection point relative to normal session flow
• Timestamps allow correlation with UPF drop logs

Pass Criteria: Attack fully reconstructable from pcap; sequence diagram generated without errors.

5. Test Execution Summary Table

STRIDE Key: S=Spoofing, T=Tampering, R=Repudiation, I=Information Disclosure, D=DoS, E=Elevation of Privilege

6. Risk and Finding Classification

7. Standards and References

8. Scope Limitations and Lab Caveats

1. No mTLS/OAuth2 by default: Open5GS lab deployments use plain HTTP for SBI. TC-SBI-01 and TC-SBI-02 will produce "expected findings" in default config. Test validates the detection of this gap and verifies it can be mitigated by enabling TLS.

2. SUCI null-scheme in lab: UERANSIM defaults to Protection Scheme 0x00 (null SUCI) for lab simplicity. TC-REG-03 requires configuring ECIES scheme. Document this change.

3. No physical RF: This plan does not cover over-the-air testing with real radio hardware (USRP, ADALM-Pluto). For RF-layer tests (5Ghoul modem CVEs, actual signal jamming), hardware extension is required.

4. SS7 interface: Open5GS EPC exposes Diameter S6a, not SS7 MAP. TC-SS7-01 requires a separate SS7-to-Diameter gateway or a standalone HLR with SS7 interface (e.g., OsmoHLR + OpenBSC stack).

5. UERANSIM maintenance mode: UERANSIM v3.2.7 (Feb 2024) is the current release. Community forks may provide additional features (e.g., multi-cell handover). For 5G Advanced features (Release 18), supplement with srsRAN Project + real UE hardware.

6. Open5GS v2.7.7 assumed: All CVE regression tests assume v2.7.7 is deployed. If running an older version, treat all CVE tests (TC-DOS-05, TC-SBI-04) as expected-fail until patched.