Content for  TR 29.857  Word version:  19.0.0

1  Scope

The present document identifies scenarios where excessive data may be exposed over SBI when an NF-Consumer accesses an API exposed by an NF-Producer, and studies potential solutions to limit the same. The document will focus on following aspects:
  • To study the need and potential solutions for avoiding excessive data exposure over SBI.
  • To study the need and potential solutions for avoiding indirect access to data via, e.g. subscriptions, even as direct access to the data-set is not allowed.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TR 21.905: "Vocabulary for 3GPP Specifications".
[2] TS 29.510: "Network Function Repository Services; Stage 3".
[3] GSMA LS C4-225023: "Research highlighting potential need for granular level checks using "Additional scope" under the OAuth2.0 Token Access" (https://www.3gpp.org/ftp/tsg_ct/WG4_protocollars_ex-CN4/TSGCT4_113_Toulouse/Docs/C4-225023.zip).
[4] GSMA LS C4-213261: "Prevention of attacks on sliced core network" (https://www.3gpp.org/ftp/tsg_ct/WG4_protocollars_ex-CN4/TSGCT4_104e_meeting/Docs/C4-213261.zip).
[5] TR 29.831: "Study on NRF API enhancements to avoid signalling and storing of redundant data; Stage 3".

3  Definitions of terms, symbols and abbreviations

3.1  Void

3.2  Void

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.

4  Baseline

4.1  Excessive Data Exposure

APIs defined over SBI currently do not limit the amount of information exposed to different NF-Service Consumers. While the OAuth2.0 mechanism does provide the ability to grant limited scopes to certain consumers, it is restricted to operation-level scopes as defined in TS 29.510 [2]. If multiple consumers are allowed a certain operation-level scope on a resource, all consumers of the API get access to the entire representation of that resource. This leads to excessive information exposure, which is undesirable in many scenarios and may result in a security or privacy exposure.
GSMA LS C4-225023 [3] and GSMA LS C4-213261 [4] highlighted potential security vulnerabilities within 5G Network Functions that use OAuth2.0, as well as how excessive data exposure may allow a compromised NF to trigger attacks on other network functions.
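To make the baseline concrete, the following is an added illustration (not text or code from TR 29.857 or TS 29.510) of an NF-Producer that authorizes a read with an operation-level scope check only, beside a variant that additionally trims the representation to a per-consumer attribute allow-list. The scope string "nudm-sdm" follows the service-name style of TS 29.510 scopes and the "sub" claim carries the consumer's identity; the resource contents and the allow-list structure are constructed assumptions for illustration, not a solution the TR defines.

```python
from typing import Any, Dict, Set

# Constructed resource representation held by the NF-Producer (sample values,
# not real subscriber data).
RESOURCE: Dict[str, Any] = {
    "supi": "imsi-EXAMPLE",
    "gpsi": "msisdn-EXAMPLE",
    "nssai": {"defaultSingleNssais": [{"sst": 1}]},
    "subscribedUeAmbr": {"uplink": "1 Gbps", "downlink": "2 Gbps"},
}

# Operation-level scope the producer requires for this read.
REQUIRED_SCOPE = "nudm-sdm"

# Hypothetical per-consumer attribute allow-list (assumption: TR 29.857 only
# states the need to limit exposure; it does not define such a structure).
ALLOWED_ATTRS: Dict[str, Set[str]] = {
    "nf-amf-1": {"supi", "nssai", "subscribedUeAmbr"},
    "nf-analytics-1": {"nssai"},
}


def scope_check(token: Dict[str, Any]) -> bool:
    """Operation-level check: the space-separated scope claim must contain
    the required service scope."""
    return REQUIRED_SCOPE in token.get("scope", "").split()


def get_resource_baseline(token: Dict[str, Any]) -> Dict[str, Any]:
    """Baseline behaviour from clause 4.1: every consumer holding the scope
    receives the entire representation of the resource."""
    if not scope_check(token):
        raise PermissionError("access token lacks required scope")
    return dict(RESOURCE)


def get_resource_limited(token: Dict[str, Any]) -> Dict[str, Any]:
    """Illustrative attribute-level limiting: after the same scope check, keep
    only the attributes allowed for the consumer named in the 'sub' claim.
    A consumer with no allow-list entry receives nothing."""
    if not scope_check(token):
        raise PermissionError("access token lacks required scope")
    allowed = ALLOWED_ATTRS.get(token.get("sub", ""), set())
    return {k: v for k, v in RESOURCE.items() if k in allowed}
```

With the same token, the baseline call returns all four attributes while the limited call returns only those on the consumer's allow-list.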