SlideShare a Scribd company logo

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

M
MichaelM85042

Penetration testing of current embedded devices is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify, optimize and automate the complex task of firmware security analysis. Project page: https://github.com/e-m-b-a/emba Conference page: https://forum.defcon.org/node/242109

Technology
1 of 20
Download to read offline
EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann
# whoami Michael Messner Penetration tester Firmware analysis Hardware analysis Siemens Energy AG @s3cur1ty_de https://github.com/m-1-k-3 @ michael.messner@siemens-energy.com
# whoami Pascal Eckmann Cybersecurity Engineer Security Research Siemens AG @_p4cx https://github.com/p4cx @ pascal.eckmann@siemens.com
The landscape
What the firmware analysis • Firmware is the operating system • Linux analysis techniques can be used quite often and are well known • Commercial tools are available, but they are expensive and limited • EMBA has no limits, costs no money and gives the best results
The typical workflow • Do some strings • Do some binwalk • Do some find • Do some regex • Do a lot google • Load something into IDA/Ghidra • Do something
EMBA to the rescue Get the firmware (vendor, hardware) Extract the firmware (e.g., Linux filesystem, Kernel) Analyze the firmware Report all the things Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Web report generator Access the firmware
Get the firmware • Updates from vendor / web site • Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device • Other vulnerabilities e.g., command injection • JTAG / SWD • Communication sniffing (e.g., SPI) • Desolder Flash memory and extract the content
The easiest way Binwalk all the things
The EMBA extraction process EMBA extraction modules Identify Linux root filesystem Ext/UFS filesystems VMWare images Encrypted images Special images Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool Binwalk EMBA analyzer Deep extraction Ext/UFS filesystems VMWare images Encrypted images Special images Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool (e.g. Freetz NG) Binwalk Identify Linux root filesystem OK Not OK Always Basic compression Extract (patool)
Finally, we have something extracted Which files and directories are there? Which binaries, configuration files, … Which architecture are we dealing with? Which binary protections are in use? Which Software versions in use? Is some outdated software in use? Which areas are from the vendor, which are open source? Where are possible weak spots or interesting functions used? Which kernel? Are there hard-coded passwords? Scripting issues (shell, python, php, …)? Insecure permissions? Weak configurations? Public exploits? Dynamic analysis? Reporting EMBA analyzer modules
Don’t reinvent the wheel See also: https://github.com/e-m-b-a/emba/wiki/Installation#dependencies Multiple Linux tools binwalk Freetz-NG Checksec.sh CVE and CVSS databases CVE-Search CVE-Searchsploit cwe-checker GHIDRA Docker Radare2 fdtdump linux-exploit-suggester OpenSSL uboot mkimage objdump pixd bandit progpilot Qemu shellcheck sshdcc tree unzip sudo parser sshdc Yara and others …
System mode emulation Fully automated
What is emulation? In computing, an emulator is hardware or software that enables one computer system (called the host) to behave like another computer system (called the guest). An emulator typically enables the host system to run software or use peripheral devices designed for the guest system.* * https://en.wikipedia.org/wiki/Emulator
Modes of emulation • User-mode emulation QEMU can launch Linux processes compiled for one CPU on another CPU, translating syscalls on the fly.
Modes of emulation • System-mode emulation QEMU emulates a full system, including a processor and various peripherals such as disk, ethernet controller etc. Challenges: • Architecture • Kernel • Filesystem • Peripherals • Furthermore
EMBA live tester modules • Full system mode emulation goes to automated firmware analysis • Based on firmadyne and FirmAE* • Both projects are not actively maintained anymore • Complete re-implementation as EMBA modules • Automated testing of emulation and basic checks as additional testing modules • Multiple improvements of emulation capabilities are already in place • A lot of room for future improvements (e.g., new kernels) https://github.com/firmadyne/firmadyne and https://github.com/pr0v3rbs/FirmAE/
EMBA live tester modules - Benchmark* * https://github.com/pr0v3rbs/FirmAE/#dataset
Demo time
@ pascal.eckmann@siemens.com @ michael.messner@siemens-energy.com EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann

Recommended

EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
MichaelM85042
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
Kernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisKernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysis
Anne Nicolas
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
RISC-V International
 
Fun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber DuckyFun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber Ducky
kieranjacobsen
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 

Recommended

EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
MichaelM85042
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
Kernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysisKernel Recipes 2015 - Kernel dump analysis
Kernel Recipes 2015 - Kernel dump analysis
Anne Nicolas
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
RISC-V International
 
Fun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber DuckyFun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber Ducky
kieranjacobsen
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Handling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVM
Min-Yih Hsu
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
NSConclave
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Cody Thomas
 
MCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
MCA Daemon: Hybrid Throughput Analysis Beyond Basic BlocksMCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
MCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
Min-Yih Hsu
 
YOW2021 Computing Performance
YOW2021 Computing PerformanceYOW2021 Computing Performance
YOW2021 Computing Performance
Brendan Gregg
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
I2c drivers
I2c driversI2c drivers
I2c drivers
Pradeep Tewani
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
Cygnet Infotech
 
Linux Kernel and Driver Development Training
Linux Kernel and Driver Development TrainingLinux Kernel and Driver Development Training
Linux Kernel and Driver Development Training
Stephan Cadene
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Cristofaro Mune
 
進化するArt
進化するArt進化するArt
進化するArt
Takuya Matsunaga
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
Vandana Salve
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
Buland Singh
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
RxNetty vs Tomcat Performance Results
RxNetty vs Tomcat Performance ResultsRxNetty vs Tomcat Performance Results
RxNetty vs Tomcat Performance Results
Brendan Gregg
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
VB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkVB2013 - Security Research and Development Framework
VB2013 - Security Research and Development Framework
Amr Thabet
 

More Related Content

What's hot

Handling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVM
Min-Yih Hsu
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
NSConclave
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Cody Thomas
 
MCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
MCA Daemon: Hybrid Throughput Analysis Beyond Basic BlocksMCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
MCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
Min-Yih Hsu
 
YOW2021 Computing Performance
YOW2021 Computing PerformanceYOW2021 Computing Performance
YOW2021 Computing Performance
Brendan Gregg
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
I2c drivers
I2c driversI2c drivers
I2c drivers
Pradeep Tewani
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
Cygnet Infotech
 
Linux Kernel and Driver Development Training
Linux Kernel and Driver Development TrainingLinux Kernel and Driver Development Training
Linux Kernel and Driver Development Training
Stephan Cadene
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Cristofaro Mune
 
進化するArt
進化するArt進化するArt
進化するArt
Takuya Matsunaga
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
Vandana Salve
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
Buland Singh
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
RxNetty vs Tomcat Performance Results
RxNetty vs Tomcat Performance ResultsRxNetty vs Tomcat Performance Results
RxNetty vs Tomcat Performance Results
Brendan Gregg
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 

What's hot (20)

Handling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVM
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
 
MCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
MCA Daemon: Hybrid Throughput Analysis Beyond Basic BlocksMCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
MCA Daemon: Hybrid Throughput Analysis Beyond Basic Blocks
 
YOW2021 Computing Performance
YOW2021 Computing PerformanceYOW2021 Computing Performance
YOW2021 Computing Performance
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
I2c drivers
I2c driversI2c drivers
I2c drivers
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Linux Kernel and Driver Development Training
Linux Kernel and Driver Development TrainingLinux Kernel and Driver Development Training
Linux Kernel and Driver Development Training
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
 
進化するArt
進化するArt進化するArt
進化するArt
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
RxNetty vs Tomcat Performance Results
RxNetty vs Tomcat Performance ResultsRxNetty vs Tomcat Performance Results
RxNetty vs Tomcat Performance Results
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
Burp suite
Burp suiteBurp suite
Burp suite
 

Similar to EMBA - Firmware analysis DEFCON30 demolabs USA 2022

Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
VB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkVB2013 - Security Research and Development Framework
VB2013 - Security Research and Development Framework
Amr Thabet
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Lastline, Inc.
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
MAHESHUMANATHGOPALAK
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
BeratAkit
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
EMERSON EDUARDO RODRIGUES
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
EMERSON EDUARDO RODRIGUES
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
Mostafa Abdel-sallam
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
Ravishankar Somasundaram
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
Richmond Adebiaye
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
nitinscribd
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group
 

Similar to EMBA - Firmware analysis DEFCON30 demolabs USA 2022 (20)

Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
VB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkVB2013 - Security Research and Development Framework
VB2013 - Security Research and Development Framework
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 

Recently uploaded

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 

Recently uploaded (20)

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

  • 2. # whoami Michael Messner Penetration tester Firmware analysis Hardware analysis Siemens Energy AG @s3cur1ty_de https://github.com/m-1-k-3 @ michael.messner@siemens-energy.com
  • 3. # whoami Pascal Eckmann Cybersecurity Engineer Security Research Siemens AG @_p4cx https://github.com/p4cx @ pascal.eckmann@siemens.com
  • 5. What the firmware analysis • Firmware is the operating system • Linux analysis techniques can be used quite often and are well known • Commercial tools are available, but they are expensive and limited • EMBA has no limits, costs no money and gives the best results
  • 6. The typical workflow • Do some strings • Do some binwalk • Do some find • Do some regex • Do a lot google • Load something into IDA/Ghidra • Do something
  • 7. EMBA to the rescue Get the firmware (vendor, hardware) Extract the firmware (e.g., Linux filesystem, Kernel) Analyze the firmware Report all the things Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Web report generator Access the firmware
  • 8. Get the firmware • Updates from vendor / web site • Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device • Other vulnerabilities e.g., command injection • JTAG / SWD • Communication sniffing (e.g., SPI) • Desolder Flash memory and extract the content
  • 9. The easiest way Binwalk all the things
  • 10. The EMBA extraction process EMBA extraction modules Identify Linux root filesystem Ext/UFS filesystems VMWare images Encrypted images Special images Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool Binwalk EMBA analyzer Deep extraction Ext/UFS filesystems VMWare images Encrypted images Special images Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool (e.g. Freetz NG) Binwalk Identify Linux root filesystem OK Not OK Always Basic compression Extract (patool)
  • 11. Finally, we have something extracted Which files and directories are there? Which binaries, configuration files, … Which architecture are we dealing with? Which binary protections are in use? Which Software versions in use? Is some outdated software in use? Which areas are from the vendor, which are open source? Where are possible weak spots or interesting functions used? Which kernel? Are there hard-coded passwords? Scripting issues (shell, python, php, …)? Insecure permissions? Weak configurations? Public exploits? Dynamic analysis? Reporting EMBA analyzer modules
  • 12. Don’t reinvent the wheel See also: https://github.com/e-m-b-a/emba/wiki/Installation#dependencies Multiple Linux tools binwalk Freetz-NG Checksec.sh CVE and CVSS databases CVE-Search CVE-Searchsploit cwe-checker GHIDRA Docker Radare2 fdtdump linux-exploit-suggester OpenSSL uboot mkimage objdump pixd bandit progpilot Qemu shellcheck sshdcc tree unzip sudo parser sshdc Yara and others …
  • 14. What is emulation? In computing, an emulator is hardware or software that enables one computer system (called the host) to behave like another computer system (called the guest). An emulator typically enables the host system to run software or use peripheral devices designed for the guest system.* * https://en.wikipedia.org/wiki/Emulator
  • 15. Modes of emulation • User-mode emulation QEMU can launch Linux processes compiled for one CPU on another CPU, translating syscalls on the fly.
  • 16. Modes of emulation • System-mode emulation QEMU emulates a full system, including a processor and various peripherals such as disk, ethernet controller etc. Challenges: • Architecture • Kernel • Filesystem • Peripherals • Furthermore
  • 17. EMBA live tester modules • Full system mode emulation goes to automated firmware analysis • Based on firmadyne and FirmAE* • Both projects are not actively maintained anymore • Complete re-implementation as EMBA modules • Automated testing of emulation and basic checks as additional testing modules • Multiple improvements of emulation capabilities are already in place • A lot of room for future improvements (e.g., new kernels) https://github.com/firmadyne/firmadyne and https://github.com/pr0v3rbs/FirmAE/
  • 18. EMBA live tester modules - Benchmark* * https://github.com/pr0v3rbs/FirmAE/#dataset
  • 20. @ pascal.eckmann@siemens.com @ michael.messner@siemens-energy.com EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann