5G defines three application scenarios: eMBB (enhanced Mobile Broadband), mMTC (massive Machine Type of Communication), and uRLLC (ultra Reliable Low Latency Communications). These application scenarios put forward higher requirements for the 5G core network and security protection methods. While supporting emerging services such as AR/VR, eMBB also brings more privacy exposure risks. It is especially urgent to protect privacy. mMTC is the foundation of IoT development and requires more lightweight authentication methods to reduce unnecessary signaling interaction. When uRLLC is applied in low-latency service scenarios such as autopilot and telemedicine, data security transmission must be effectively guaranteed.
ZTE regards constructing a secure and trusted 5G network as its goal and creates "Security in DNA" 5G product security by leveraging advanced methodologies and referring to the best practices in the industry. It regards the maximum security strategy as the cornerstone, security standards and compliance as the framework, the security design and architecture as the support, secure coding and testing as the method, and the security event response as the backup force.
Figure 1 5G Core Network Product Overview
Regarding the maximum security strategy as the cornerstone
ZTE's core network products have always been regarding "focus on customers, comprehensive protection, timely response, security and credibility" as the maximum security strategy
Through the continuous implementation of the maximum security strategy, ZTE's 5G core network can help customers build a highly trusted core network environment.
Regarding security standards and compliance as the framework
ZTE's 5G core network adopts multiple industry security standards and legal regulations in an open manner to ensure product safety:
For example, in order to effectively identify and protect personal identification information (PII), the core network products are designed according to the "purpose control" and "data minimization" principles of GDPR, and the display range and export capability of personal data are determined according to different user rights. A desensitization tool is provided that processes personal data through a secure algorithm and a salt-encryption mechanism to ensure that the derived data meets the requirements of the GDPR specification.
Regarding the security design and architecture as the support
ZTE is committed to the end-to-end security design and architecture. It independently develops hardware-level protection chips, eliminates illegal versions through the hardware chips, identifies high-definition applications, and prevents malicious code from tampering with system files. Its self-developed OS CGSL also provides a variety of compilation techniques, randomizing global symbol tables, key data structures, and address space to prevent against the insertion and spread of malicious code. ZTE makes independent research and development of an active safeguard platform, to prevent outreach attacks, intranet penetration and unknown threats through semantic modeling, machine learning, probability analysis and other means.
These bottom-up security designs and architectures are the guarantee of the security of 5G core network.
Regarding secure coding and testing as the method
Encoding is an important part of product security. It is often the most vulnerable to buffer vulnerabilities such as buffer overflow, integer overflow, SQL injection, and ROP/JOP (Return Oriented Programming for Return/Jump Oriented Programming).
ZTE has long-term security training for developers and uses industry-leading code scanning tools to identify and reduce such security risks.
During the encoding, the security coding specification corresponding to each language is strictly followed, and the static code security scanning tool is embedded in the Devops tool chain. The code security scanning is used as a necessary condition for submitting the code and entering the product library, to truly realize “integrating safety into the blood” during the encoding period.
In addition to the conventional vulnerability scanning, a large number of abuse use cases and automated safety test cases are designed. Each test will verify the existing security functions once, so that there is no omission or dead ends. Through the "Red Army" troops, in the case that the project has no perception, the targeted damage and privilege escalation tests are implemented to the equipment to simulate the external attack scenario and expose potential safety hazards ahead of time.
Regarding the security event response as the backup force
The product may face some security incidents during the commercial period after being released. These events are not introduced during the development and verification phases, but require timely response.
ZTE's outfield security incident response is handled by ZTE PSIRT (ZTE Product Security Incident Response Team). Its responsibilities include responding to and handling security incidents submitted by customers, responding to and handling security incidents published by industry associations, and developing corporate information security incident management strategies and security incident handling solutions, and analysis of vulnerabilities and patches issued by system software vendors and professional security vendors.
The 5G core network can be launched as soon as possible according to the actual situation of external security incidents and the unified requirements of PSIRT:
ZTE's 5G core network follows the maximum security strategy and integrates security elements throughout the life cycle of the product. It truly achieves the aim of “integrating safety into the blood” and becomes the most trusted product for its cu