LLFuzz: An Over-the-Air Dynamic Testing Framework for Cellular Baseband Lower Layers
Tuan Dinh Hoang
34th USENIX Security Symposium (USENIX Security '25) · Day 3 · Network Security 3: BLE and Cellular
This talk introduces LLFuzz, an over-the-air dynamic testing framework for finding memory corruption vulnerabilities in the lower layers of cellular basebands. It is presented by Tuan Dinh Hoang, a PhD student in the CEC Lab at KAIST, Korea. LLFuzz addresses a gap in existing baseband security research, which has concentrated on Layer 3 of the cellular protocol stack. Messages at the lower layers are not covered by the stack's cryptographic protections, so a flaw in a lower-layer parser can be triggered by an attacker even after authentication and key agreement have completed, and can lead to remote code execution or information leakage.
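The abstract's central point is that lower-layer frames arrive unauthenticated and unencrypted, so a parser that trusts a length field taken from the air is reachable by any transmitter in range. As an added illustration (not code from LLFuzz, the paper, or any vendor baseband), the block below shows a constructed, deliberately simplified MAC-like PDU parser in a length-trusting form beside a bounds-checked form, plus a small random-frame loop of the kind a dynamic tester drives. The PDU layout, the names (`parse_pdu_unchecked`, `parse_pdu_checked`, `fuzz_checked`) and the sample frames are assumptions made for this example; they are not the 3GPP subheader encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified PDU layout for illustration only (not 3GPP 36.321):
 *   subheader: byte0 = E (bit 7) | LCID (bits 0..4), byte1 = L (SDU length)
 *   E = 1 means another subheader follows; the last subheader has E = 0.
 *   All SDU payloads follow the subheader chain, in order; trailing padding allowed. */
#define MAX_SUBHEADERS 8
#define MAX_SDU 32

typedef struct {
    int count;                            /* SDUs parsed, or -1 if the PDU was rejected */
    uint8_t lcid[MAX_SUBHEADERS];
    uint8_t len[MAX_SUBHEADERS];
    uint8_t sdu[MAX_SUBHEADERS][MAX_SDU]; /* fixed-size landing buffers */
} pdu_t;

/* "Before" code: trusts every length as received over the air.
 * A subheader chain longer than the frame reads past pdu[n]; an L larger than
 * MAX_SDU overflows sdu[k]; an L larger than the remaining frame over-reads.
 * Never call this on untrusted input; it is here to show the bug class. */
int parse_pdu_unchecked(const uint8_t *pdu, size_t n, pdu_t *out) {
    size_t i = 0;
    int cnt = 0, more;
    do {
        if (cnt >= MAX_SUBHEADERS) return out->count = -1;
        more = pdu[i] & 0x80;             /* no check that i + 1 < n */
        out->lcid[cnt] = pdu[i] & 0x1f;
        out->len[cnt] = pdu[i + 1];
        cnt++; i += 2;
    } while (more);
    for (int k = 0; k < cnt; k++) {
        memcpy(out->sdu[k], pdu + i, out->len[k]); /* unbounded copy */
        i += out->len[k];
    }
    (void)n;
    return out->count = cnt;
}

/* Hardened parser: each subheader is checked against the bytes actually
 * received, each L against the destination buffer, and the summed payload
 * against the frame, before a single byte is copied. */
int parse_pdu_checked(const uint8_t *pdu, size_t n, pdu_t *out) {
    size_t i = 0, total;
    int cnt = 0, more;
    do {
        if (cnt >= MAX_SUBHEADERS || i + 2 > n) return out->count = -1;
        more = pdu[i] & 0x80;
        out->lcid[cnt] = pdu[i] & 0x1f;
        out->len[cnt] = pdu[i + 1];
        if (out->len[cnt] > MAX_SDU) return out->count = -1;
        cnt++; i += 2;
    } while (more);
    total = i;
    for (int k = 0; k < cnt; k++) total += out->len[k];
    if (total > n) return out->count = -1; /* claimed payload exceeds the frame */
    for (int k = 0; k < cnt; k++) {
        memcpy(out->sdu[k], pdu + i, out->len[k]);
        i += out->len[k];
    }
    return out->count = cnt;
}

/* Convenience wrappers returning only the SDU count. */
int checked_count(const uint8_t *pdu, size_t n)   { pdu_t p; return parse_pdu_checked(pdu, n, &p); }
int unchecked_count(const uint8_t *pdu, size_t n) { pdu_t p; return parse_pdu_unchecked(pdu, n, &p); }

/* Constructed sample frames. */
static const uint8_t GOOD_PDU[]    = {0x81, 0x03, 0x02, 0x02, 'a', 'b', 'c', 'x', 'y'}; /* LCID1 L3, LCID2 L2 */
static const uint8_t BAD_LEN_PDU[] = {0x02, 0xff, 'a'};  /* L = 255 into a 32-byte buffer */
static const uint8_t TRUNC_PDU[]   = {0x81};             /* E = 1 but the frame ends here */

static uint32_t xs_state = 1;
static uint32_t xorshift32(void) {
    uint32_t x = xs_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return xs_state = x;
}

/* Minimal random-frame loop of the kind a dynamic tester drives: random bytes
 * of random length go through the checked parser, which must survive whatever
 * the frame claims. Returns the number of frames accepted (always >= 0). */
int fuzz_checked(uint32_t seed, int iters) {
    uint8_t frame[64]; pdu_t p; int accepted = 0;
    xs_state = seed ? seed : 1;
    for (int it = 0; it < iters; it++) {
        size_t n = 1 + xorshift32() % sizeof frame;
        for (size_t j = 0; j < n; j++) frame[j] = (uint8_t)xorshift32();
        if (parse_pdu_checked(frame, n, &p) >= 0) accepted++;
    }
    return accepted;
}

int main(void) {
    printf("good PDU: checked=%d unchecked=%d\n",
           checked_count(GOOD_PDU, sizeof GOOD_PDU), unchecked_count(GOOD_PDU, sizeof GOOD_PDU));
    printf("oversized L: checked=%d (rejected)\n", checked_count(BAD_LEN_PDU, sizeof BAD_LEN_PDU));
    printf("truncated chain: checked=%d (rejected)\n", checked_count(TRUNC_PDU, sizeof TRUNC_PDU));
    printf("random frames accepted: %d of 5000\n", fuzz_checked(1u, 5000));
    return 0;
}
```

Both parsers agree on the well-formed frame; only the checked one survives the two malformed ones, and the random loop is the part an over-the-air tester has to replay against a real phone, which is where the state-tracking problem the talk addresses comes in. Build with `-fsanitize=address` if you want to see the unchecked parser's overflow on `BAD_LEN_PDU` rather than take the comment's word for it.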
AI review
Solid original research from a PhD student who clearly did the actual work — 11 previously unknown memory corruptions, 9 CVEs, five major vendors, real OTA framework with 11K+ lines of code. The gap being addressed (L2 baseband fuzzing for LTE/5G) is real and underserved, and the tri-part solution to stateful OTA testing is technically grounded.