Tianchang Yang, Ali Ranjbar, Gang Tan, and Syed Rafiul Hussain, The Pennsylvania State University
Open RAN (O-RAN) represents a fundamental shift in mobile network architecture, advancing interoperability and flexibility through open interfaces and software-driven components. While enabling programmability and innovation, this shift also makes the logical correctness of O-RAN components essential for the secure and reliable operation of the network. However, validating O-RAN's semantic correctness remains challenging due to system complexity, implementation diversity, and the absence of explicit correctness oracles. We present InvaRAN, a systematic testing framework for detecting logical flaws in O-RAN implementations using dynamically inferred program invariants as proxies for expected behavior. To reduce false positives and focus on semantically meaningful behaviors, InvaRAN classifies invariants into critical and non-critical categories based on their impact on program logic. Beyond traditional template-based invariant inference approaches that infer only limited semantic relations, InvaRAN captures inter-variable correlations across execution traces to discover more expressive semantic linkage. We evaluate InvaRAN on both platform components and xApps of two production-grade O-RAN controllers. InvaRAN uncovers nine previously unknown issues, including seven logical and two memory vulnerabilities, demonstrating the effectiveness of invariant-guided testing in exposing subtle, specification-silent bugs in O-RAN systems.