asset-group / 5ghoul-5g-nr-attacks

5G NR Attacks against Qualcomm and Mediatek smartphones. Fuzzer included⚡
https://5ghoul.com
GNU General Public License v2.0

State machine question #24

Closed qiqingh closed 4 months ago

qiqingh commented 6 months ago

I've observed that a state machine file named "configs/nr-softmodem.json" is being loaded within 5g_fuzzer.cpp. Could you kindly share where this state machine file comes from or instruct on how it was constructed? Thanks!

Matheus-Garbelini commented 4 months ago

Hi @qiqingh, you can refer to the Braktooth paper, which details how the state machine is constructed from PCAP files containing normal (benign) communication between two peers: BrakTooth USENIX Paper

The specific rules used to create such a state machine file can be seen in this section of the 5G config file: https://github.com/asset-group/5ghoul-5g-nr-attacks/blob/master/configs/5gnr_gnb_config.json#L158-L201

More details on the commands to generate the state mapping JSON file can be seen in the example folder: https://github.com/asset-group/5ghoul-5g-nr-attacks/blob/master/examples/wdmapper/run_example_wdmapper.sh The argument -o state_machine.svg of wdmapper can be changed to output a JSON file instead of SVG, so that -o state_machine.json is what you want to use with the fuzzer.
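The reply above describes the general idea behind the state mapping: every packet in a benign capture is matched against an ordered list of rules that assign it a state label, and the order in which those states occur in the trace yields the transitions. The following is an added illustration of that technique in plain Python; it is not code from the 5ghoul or wdmapper projects, and the rule syntax, the packet fields, the sample trace and the JSON layout are all assumptions chosen for the example (the real rules live in configs/5gnr_gnb_config.json and the real mapper reads PCAP files).

```python
"""Illustrative state-machine extraction from a benign message trace.

Added example, not part of the 5ghoul/wdmapper code base. Rule format,
packet representation and output layout are assumptions for this demo.
"""
import json

# Constructed sample trace: a simplified UE <-> gNB attach sequence
# (direction, layer, message). Not a real capture.
SAMPLE_TRACE = [
    {"dir": "UL", "layer": "RRC", "msg": "rrcSetupRequest"},
    {"dir": "DL", "layer": "RRC", "msg": "rrcSetup"},
    {"dir": "UL", "layer": "RRC", "msg": "rrcSetupComplete"},
    {"dir": "DL", "layer": "NAS", "msg": "AuthenticationRequest"},
    {"dir": "UL", "layer": "NAS", "msg": "AuthenticationResponse"},
    {"dir": "DL", "layer": "NAS", "msg": "SecurityModeCommand"},
    {"dir": "UL", "layer": "NAS", "msg": "SecurityModeComplete"},
    {"dir": "DL", "layer": "RRC", "msg": "securityModeCommand"},
    {"dir": "UL", "layer": "RRC", "msg": "securityModeComplete"},
    {"dir": "DL", "layer": "RRC", "msg": "rrcReconfiguration"},
    {"dir": "UL", "layer": "RRC", "msg": "rrcReconfigurationComplete"},
    {"dir": "DL", "layer": "RRC", "msg": "rrcRelease"},
]

# Assumed rule format: ordered list of (field filter, state label template).
# The first rule whose filter fields all match the packet wins. Packets that
# match no rule land in a catch-all state so no transition is silently lost.
MAPPING_RULES = [
    ({"layer": "RRC"}, "RRC_{msg}"),
    ({"layer": "NAS"}, "NAS_{msg}"),
]
DEFAULT_STATE = "UNKNOWN"
START_STATE = "IDLE"


def map_state(pkt, rules=MAPPING_RULES):
    """Map one packet to a state label using the first matching rule."""
    for match, template in rules:
        if all(pkt.get(k) == v for k, v in match.items()):
            return template.format(**pkt)
    return DEFAULT_STATE


def build_state_machine(trace, rules=MAPPING_RULES):
    """Walk the trace once; return (states, transitions).

    transitions maps (from_state, to_state) -> number of times that edge
    was observed, which is useful for spotting rare or unexpected edges
    in a capture before handing the model to a fuzzer.
    """
    states = [START_STATE]
    transitions = {}
    prev = START_STATE
    for pkt in trace:
        cur = map_state(pkt, rules)
        if cur not in states:
            states.append(cur)
        transitions[(prev, cur)] = transitions.get((prev, cur), 0) + 1
        prev = cur
    return states, transitions


def next_states(transitions, state):
    """States reachable in one step from `state` (what a fuzzer would
    expect to see next when it is sitting in that state)."""
    return sorted(dst for (src, dst) in transitions if src == state)


def to_json(states, transitions):
    """Serialise the model. The layout is an assumption for this example,
    not the format 5g_fuzzer.cpp consumes."""
    return json.dumps({
        "start": START_STATE,
        "states": states,
        "transitions": [
            {"from": src, "to": dst, "count": n}
            for (src, dst), n in sorted(transitions.items())
        ],
    }, indent=2)


if __name__ == "__main__":
    s, t = build_state_machine(SAMPLE_TRACE)
    print(to_json(s, t))
```

Running the block twice over the same trace (or over a capture with several attach cycles) raises the edge counts instead of adding states, which is the usual sanity check that a benign capture was long enough to cover the protocol's normal paths before the model is used to drive fuzzing.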

qiqingh commented 4 months ago

Thank you so much for the detailed information and the references provided! I will check them.