4. What the firmware analysis
• Firmware is the operating system
• Firmware is most exploited *
• 32% of firmware has more than 10 critical KNOWN vulnerabilities **
• Firmware analysis is more important than ever
* Source https://eclypsium.com/2022/06/28/know-your-enemy-and-yourself-a-deep-dive-on-cisa-kev/
** Source https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022
5. The typical workflow
• Do some strings
• Do some binwalk/unblob
• Do some find
• Do some regex
• Do a lot of research (aka Google it)
• Load something into IDA/Ghidra
• Find weaknesses, vulnerabilities, interesting areas
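The "find" and "regex" steps of this workflow, scripted against an already extracted root filesystem. This is an added example written for this page, not EMBA's own code: it reports hashed or clear-text credentials and risky file permissions, the kind of thing the manual grep pass is looking for. The credential patterns are the author's own choice, and the miniature filesystem it runs on is constructed inline.

```python
"""Scripted 'find' + 'regex' triage of an extracted firmware root filesystem.

Added example for this page (not EMBA code). Patterns and the sample
filesystem are constructed for the demonstration.
"""
import os
import re
import stat
import tempfile

# Second field of /etc/shadow or /etc/passwd that holds a real hash:
# "$<id>$..." (crypt(3) modular format) or a 13-character DES hash.
# Locked or shadowed entries ('*', '!', 'x') are not reported.
SHADOW_HASH = re.compile(r"^([^:\n]+):(\$[^:\n]+|[A-Za-z0-9./]{13}):", re.M)
# Clear-text assignments such as ADMIN_PASSWORD=... in scripts and configs.
CRED_ASSIGN = re.compile(
    r"(?i)(\w*(?:pass(?:word)?|pwd|secret|token)\w*)\s*[=:]\s*['\"]?([^'\"\s;]+)")
TEXT_SUFFIXES = (".sh", ".conf", ".cfg", ".ini", ".php", ".py", ".txt", ".json", ".xml")


def find_hardcoded_credentials(root):
    """Return sorted (relative path, account or variable name) pairs."""
    hits = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    text = fh.read(256 * 1024).decode("utf-8", "replace")
            except OSError:
                continue
            if rel in ("etc/shadow", "etc/shadow-", "etc/passwd"):
                hits.update((rel, m.group(1)) for m in SHADOW_HASH.finditer(text))
            elif name.endswith(TEXT_SUFFIXES) or text.startswith("#!"):
                hits.update((rel, m.group(1)) for m in CRED_ASSIGN.finditer(text))
    return sorted(hits)


def find_insecure_permissions(root):
    """Return sorted (relative path, issue) pairs for setuid/setgid and world-writable files."""
    issues = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, root)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                issues.append((rel, "setuid/setgid"))
            if mode & stat.S_IWOTH:
                issues.append((rel, "world-writable"))
    return sorted(issues)


def build_sample_rootfs():
    """Constructed miniature root filesystem (test data, not real firmware)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/shadow": ("root:$1$saltsalt$constructedhashvalue:19000:0:99999:7:::\n"
                       "daemon:*:19000:0:99999:7:::\n"
                       "user:x:19000:0:99999:7:::\n"),
        "etc/init.d/rcS": "#!/bin/sh\nADMIN_PASSWORD=admin123\ntelnetd -l /bin/sh\n",
        "usr/bin/busybox": "\x7fELF placeholder, not a real binary\n",
        "tmp/debug.log": "boot ok\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "usr/bin/busybox"), 0o4755)  # setuid bit set
    os.chmod(os.path.join(root, "tmp/debug.log"), 0o666)     # world-writable
    return root


if __name__ == "__main__":
    sample = build_sample_rootfs()
    for finding in find_hardcoded_credentials(sample) + find_insecure_permissions(sample):
        print("%-24s %s" % finding)
```

Point `find_hardcoded_credentials` and `find_insecure_permissions` at the directory an extractor produced (for example a `squashfs-root`); the sample builder is only there so the script runs without real firmware.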
6. EMBA to the rescue
Get the firmware (vendor, hardware)
Extract the firmware (e.g., Linux filesystem, Kernel)
Analyze the firmware
Report all the things
7. Get the firmware
• Updates from vendor / web site
• Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device
• Other vulnerabilities e.g., command injection
• JTAG / SWD
• Communication sniffing (e.g., SPI)
• Desolder Flash memory and extract the content
9. The EMBA extraction process
[Flowchart, reconstructed from the slide labels: the EMBA extraction classifier]
Basic compression → Extract (patool) (edge labelled "Always")
Identify Linux root filesystem (edges labelled "OK" / "Not OK") → EMBA analyzer
Extraction classifier, by image type:
• Ext/UFS filesystems → Mount & copy
• VMWare images → Mount & copy
• Encrypted images → Decrypt (leaked keys)
• Special images → Custom tool (e.g. Freetz NG)
• Other systems → Binwalk
Deep extraction, then back to "Identify Linux root filesystem"
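Two building blocks of an extraction classifier like the one in the flowchart: recognising the container format of a blob from its magic bytes (the "basic compression" / image-type decision) and deciding whether a directory tree produced by an extractor contains a Linux root filesystem. This is an added example written for this page, not EMBA's extraction code; the magic values are the public ones of each format, the root-filesystem heuristic (typical top-level directories plus marker files) is the author's own, and the sample inputs are constructed inline.

```python
"""Container detection and Linux root-filesystem detection for a firmware
extraction pipeline. Added example for this page, not EMBA code."""
import os
import tempfile

# (offset, magic bytes, label) for a few common firmware containers
MAGICS = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"\xfd7zXZ\x00", "xz"),
    (0, b"BZh", "bzip2"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"hsqs", "squashfs (little-endian)"),
    (0, b"sqsh", "squashfs (big-endian)"),
    (0, b"UBI#", "UBI"),
    (0, b"\x27\x05\x19\x56", "u-boot uImage"),
    (0, b"\x7fELF", "ELF"),
    (257, b"ustar", "tar"),
]


def classify_blob(data):
    """Return the first matching container label for `data` (bytes), or 'unknown'."""
    for offset, magic, label in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


ROOTFS_DIRS = {"bin", "sbin", "etc", "lib", "usr", "dev", "proc", "sys", "var"}
ROOTFS_FILES = ("etc/passwd", "etc/inittab", "etc/init.d", "bin/busybox", "sbin/init", "init")


def find_linux_rootfs(extract_dir, max_depth=4):
    """Return the directory under extract_dir that looks most like a Linux root.

    Each directory scores one point per typical top-level directory it
    contains and one per marker file; a score of at least 4 (for example
    three typical directories plus /etc/passwd) is required.
    """
    best, best_score = None, 0
    base_depth = extract_dir.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, _ in os.walk(extract_dir):
        if dirpath.count(os.sep) - base_depth > max_depth:
            dirnames[:] = []          # do not descend further
            continue
        score = len(ROOTFS_DIRS & set(dirnames))
        score += sum(os.path.exists(os.path.join(dirpath, f)) for f in ROOTFS_FILES)
        if score > best_score:
            best, best_score = dirpath, score
    return best if best_score >= 4 else None


def build_sample_extract_dir():
    """Constructed extractor output: <tmp>/fw.bin.extracted/squashfs-root/{bin,etc,...}."""
    top = tempfile.mkdtemp(prefix="extract-")
    noise = os.path.join(top, "fw.bin.extracted")
    root = os.path.join(noise, "squashfs-root")
    for d in ("bin", "sbin", "etc", "lib", "usr", "dev"):
        os.makedirs(os.path.join(root, d))
    os.makedirs(os.path.join(noise, "lib"))   # decoy: a single typical directory
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root::0:0:root:/:/bin/sh\n")
    with open(os.path.join(root, "bin", "busybox"), "wb") as fh:
        fh.write(b"\x7fELF")                   # placeholder, not a real binary
    return top, root


if __name__ == "__main__":
    print(classify_blob(b"\x1f\x8b\x08\x00constructed gzip header"))
    top, _ = build_sample_extract_dir()
    print(find_linux_rootfs(top))
```

The depth limit and the score threshold are the two knobs worth tuning on real extractions: nested containers (an initramfs inside a kernel inside a uImage) push the root filesystem deeper, and stripped-down images may lack some of the marker files.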
10. Finally, we have something extracted
Which files and directories are there?
Which binaries, configuration files, …
Which architecture are we dealing with?
Which binary protections are in use?
Which software versions are in use?
Is some outdated software in use?
Which areas are from the vendor, which are open source?
Where are possible weak spots or interesting functions used?
Which kernel?
Are there hard-coded passwords?
Scripting issues (shell, python, php, …)?
Insecure permissions?
Weak configurations?
Public exploits?
Dynamic analysis?
(Figure labels: EMBA analyzer modules; Reporting)
12. What is emulation?
In computing, an emulator is hardware or software that enables
one computer system (called the host) to behave like another
computer system (called the guest).
An emulator typically enables the host system to run software or
use peripheral devices designed for the guest system.*
* https://en.wikipedia.org/wiki/Emulator
13. Modes of emulation
• User-mode emulation
QEMU can launch Linux processes compiled for one CPU on another
CPU, translating syscalls on the fly.
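Two of the questions from slide 10 ("Which architecture are we dealing with?", "Which binary protections are in use?") and the user-mode emulation described here are all answered from the same place: the ELF header and program headers of a binary. The following added example, written for this page and not code from EMBA or QEMU, parses those headers, reports PIE / NX stack / RELRO, and picks the qemu-user binary that would run the program under user-mode emulation. It assumes the Debian-style `qemu-<arch>-static` naming and the usual recipe of copying that static binary into the extracted root filesystem and invoking the target through `chroot`; the sample ELF images are header-only blobs constructed with `struct.pack` and cannot execute.

```python
"""ELF triage: architecture, basic binary protections and the matching
qemu-user binary. Added example for this page (not EMBA or QEMU code)."""
import struct

# e_machine values from the ELF specification
MACHINES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x15: "PowerPC64",
            0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}
PT_GNU_STACK, PT_GNU_RELRO, PF_X = 0x6474E551, 0x6474E552, 0x1
ET_EXEC, ET_DYN = 2, 3


def qemu_user_name(e_machine, is64, little):
    """qemu-user binary for this machine/class/endianness (qemu-<arch>-static naming), or None."""
    base = {0x03: "i386", 0x14: "ppc", 0x15: "ppc64", 0x28: "arm",
            0x3E: "x86_64", 0xB7: "aarch64"}.get(e_machine)
    if e_machine == 0x08:
        base = ("mips64" if is64 else "mips") + ("el" if little else "")
    elif e_machine == 0xF3:
        base = "riscv64" if is64 else "riscv32"
    elif e_machine == 0x28 and not little:
        base = "armeb"
    elif e_machine == 0x15 and little:
        base = "ppc64le"
    return None if base is None else "qemu-%s-static" % base


def elf_info(data):
    """Parse the ELF header and program headers of the bytes in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    little = data[5] == 1
    end = "<" if little else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum (entry/phoff/shoff are 8 bytes in ELF64)
    fmt = "HHIQQQIHHH" if is64 else "HHIIIIIHHH"
    e_type, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
        struct.unpack_from(end + fmt, data, 16)
    nx_stack, relro = False, False   # no PT_GNU_STACK: treat the stack as executable
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "bits": 64 if is64 else 32,
        "endian": "little" if little else "big",
        "machine": MACHINES.get(e_machine, "unknown (0x%x)" % e_machine),
        "pie": e_type == ET_DYN,
        "nx": nx_stack,
        "relro": relro,
        "qemu_user": qemu_user_name(e_machine, is64, little),
    }


def qemu_user_command(rootfs, target, info):
    """argv to run `target` (a path inside rootfs) under user-mode QEMU via chroot.
    Assumes the static qemu binary was copied to <rootfs>/usr/bin/ beforehand."""
    if info["qemu_user"] is None:
        raise ValueError("no qemu-user binary known for this architecture")
    return ["chroot", rootfs, "/usr/bin/" + info["qemu_user"], target]


def build_sample_elf(bits, little, e_type, e_machine, phdrs):
    """Constructed header-only ELF image; phdrs is a list of (p_type, p_flags)."""
    end = "<" if little else ">"
    ehsize, phentsize = (64, 56) if bits == 64 else (52, 32)
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if little else 2, 1]) + b"\0" * 9
    common = (ident, e_type, e_machine, 1, 0, ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
    if bits == 64:
        hdr = struct.pack(end + "16sHHIQQQIHHHHHH", *common)
        body = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        hdr = struct.pack(end + "16sHHIIIIIHHHHHH", *common)
        body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    sample = build_sample_elf(64, True, ET_DYN, 0xB7, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
    print(elf_info(sample))
    print(" ".join(qemu_user_command("/tmp/rootfs", "/bin/busybox", elf_info(sample))))
```

On a real extracted filesystem, run `elf_info` over the bytes of each ELF file to get the architecture and protection summary; the `qemu_user_command` argv is the single-process emulation path, which is exactly what breaks when the program needs peripherals, a specific kernel or NVRAM, and why the full-system mode on the next slide exists.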
14. Modes of emulation
• System-mode emulation
QEMU emulates a full system, including a processor and various
peripherals such as disk, ethernet controller etc.
Challenges:
• Architecture
• Kernel
• Filesystem
• Peripherals
• Furthermore
15. EMBA live tester modules
• Full-system-mode emulation comes to automated firmware analysis
• Based on firmadyne and FirmAE*
• Both projects are not actively maintained anymore
• Complete re-implementation as EMBA modules
• Automated testing of emulation and basic checks as additional testing modules
• Multiple improvements of emulation capabilities are already in place
• NEW: Metasploit integration
• NEW: Enhanced architecture support (ARM64, MIPS64, x86)
• Further room for future improvements (e.g., more architectures)
* https://github.com/firmadyne/firmadyne and https://github.com/pr0v3rbs/FirmAE/
16. EMBA live tester modules - Benchmark*
* https://github.com/pr0v3rbs/FirmAE/#dataset