5th GeneratiOn Security for Telecom Services

Periodic Reporting for period 2 - 5GhOSTS (5th GeneratiOn Security for Telecom Services)

Reporting period: 2021-09-01 to 2024-02-29

5GhOSTS has analysed and improved the security of service-based implementations of 5G networks, which is relevant for protecting the EU’s critical communication infrastructure. Starting from 3GPP's emerging service-based architecture for 5G networks, which includes virtualization of mobile and core network functions, the project aims to improve the security of virtualization technologies: containers, lightweight Virtual Machines and orchestration frameworks.

Unlike previous evolutions in the telecommunications sector, the 5th Generation of Telecommunication Systems (5G) presents diverse and novel requirements for technologies such as heterogeneous air interfaces, Software Defined Networking, Network Functions Virtualization, Mobile Edge Computing and Fog Computing, as well as algorithms to optimize the management of such complex networks. As a result, the 5G evolution will mainly be built on layers of software services.

The telecom industry has migrated to virtualized and orchestrated environments, allowing the deployment of Virtual Network Functions (VNFs) on cloud infrastructure and enabling the concept of network slicing. The main driver for this move is sustainability through cost and energy reduction, as well as full automation of telecom systems operations, facilitating dynamic and scalable adaptation to service demands. State-of-the-art lightweight virtualization and container platforms clearly contribute to this driver, but do not yet meet the stringent security requirements of telecommunication systems.

The objectives of the 5GhOSTS project are:
1. To form an international and interdisciplinary research group of four ESRs and senior researchers from computer science and law;

2. To design, implement and release a number of building blocks for secure light‐weight virtualization and container orchestration technology for upcoming 5G networks, which provide a strong, well‐understood and formalized notion of security, and which complies with legal requirements with respect to data privacy. The developed building blocks all contribute towards improved security and privacy of container-based VNFs;

3. To address the growing need of the EU economy for young researchers with a strong profile (technical, legal and economic) in the 5G telecommunications domain. An ambitious and challenging training programme has been successfully adapted to the Covid-19 pandemic situation.

Four Early Stage Researchers (ESRs) have focused on various aspects of improving security and privacy of container-based VNFs running on Multi-Access Edge Computing (MEC) platforms.

ESR1 initially worked on enhancing integrity protection of container images using trusted computing and remote attestation techniques. Shifting focus, he developed the concept of authentic execution for multi-component services, thus preventing data poisoning attacks. Additionally, he addressed credential management in V2X networks by devising mechanisms for efficient revocation of credentials.

ESR2 concentrated on inter-container communication, evaluating the performance overheads of security policies and analyzing security threats in Kubernetes, the de-facto standard in container orchestration. He developed GrassHopper, a prototype for verifying policy correctness and addressing misconfigurations in Kubernetes clusters.

ESR3 aimed to bolster the security and resilience of low-latency systems and applications by designing a novel memory isolation technique, called Software-Defined Rewind & Discard (SDRaD). SDRaD confines front-end components in their own secure sandboxes to protect them against attacks, e.g. buffer overflows, in other components of the application. Front-end components are rewound to a consistent and operational state, while infected components are discarded. She has implemented the SDRaD technique for the programming languages C and Rust.

ESR4 studied the privacy implications of software-defined networks in 5G, emphasizing the need for dynamic compliance assurance in cloud-native deployments of 5G networks. Moreover, he contributed to various 5G policy recommendations.

Moreover, all ESRs have jointly contributed to the definition of a Kubernetes-based MEC architecture that includes a comprehensive and first-class threat model that can be instantiated for particular applications, a novel method for better understanding and modeling trust boundaries, and an analysis of the privacy-preserving and security properties of this architecture from a legal perspective.

Based on the findings from evaluating the above technical and architectural work, the following conclusions are the basis for their further exploitation:

(1) The authentic execution security property ensures that any sensor data sent to edge servers truthfully reflects the sensor readings made in reality.

(2) Low-latency applications with high reliability requirements are a good fit for the SDRaD hardening methods. The SDRaD mechanism also shows the pathway towards cost-efficient fault-tolerance strategies in edge computing environments where traditional replication techniques do not work.

(3) The enhanced network isolation mechanism of GrassHopper can be applied to isolate different applications in edge- and cloud-based Kubernetes clusters. GrassHopper can also prevent untrustworthy and potentially malicious users from escaping a network slice.

(4) Scalable and timely revocation of malicious vehicles, which cannot be bypassed by attackers, can be guaranteed by the V2X Revocation building block. An integrated design with the other building blocks may help to identify malicious users, e.g. if they trigger a rewind in an isolated front-end component, or if their input data is significantly inconsistent with more trustworthy inputs. Such suspicions may be raised to the revocation authority via a revocation request. A dedicated decision process may then decide to revoke the credentials of the corresponding participant. Our revocation mechanism can then guarantee that such revocation requests cannot be bypassed, while still allowing users to use the V2X network pseudonymously.

Their research findings have led to 4 awarded patents and 14 publications at top international conferences and journals. Efforts for broader dissemination include lectures and presentations. Integration of technical components into open-source projects like Kubernetes is planned, with considerations for legal compliance and security recommendations from ESR4. All components are open-sourced and intended for integration into Ericsson's product units.

1. 5GhOSTS has fostered innovation and standardization in the mobile networks of the future, focusing on security and privacy in an EU context;

2. The 5GhOSTS building blocks will be a high‐priority asset for the non‐academic beneficiaries’ competitiveness in 5G product development;

3. Conducting top-level research has increased the researchers’ international competitiveness. The ambitious training programme has leveraged this academic excellence, together with a strong business‐ and innovation‐oriented mindset, to further develop the researchers' technical skills with a thorough understanding of legal and business aspects, and to develop their transferable skills, both soft and technical.