EA
Uploaded byEMBA Firmware Analyzer
PDF, PPTX300 views

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

The EMBA Firmware Security Analyzer is a comprehensive tool for analyzing and extracting firmware, designed by Michael Messner and Pascal Eckmann from Siemens. It simplifies the firmware analysis process by integrating multiple workflows and tools, allowing for deep extraction, analysis, and reporting of vulnerabilities found in firmware. EMBA utilizes various methods, including user-mode and system-mode emulation, to enhance automated analysis capabilities and highlight potential security weaknesses in embedded systems.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann
# whoami Michael Messner Penetration tester Firmware analysis Hardware analysis Siemens Energy AG @s3cur1ty_de https://github.com/m-1-k-3 @ michael.messner@siemens-energy.com
# whoami Pascal Eckmann Cybersecurity Engineer Security Research Siemens AG @_p4cx https://github.com/p4cx @ pascal.eckmann@siemens.com
The landscape
What the firmware analysis • Firmware is the operating system • Linux analysis techniques can be used quite often and are well known • Commercial tools are available, but they are expensive and limited • EMBA has no limits, costs no money and gives the best results
The typical workflow • Do some strings • Do some binwalk • Do some find • Do some regex • Do a lot google • Load something into IDA/Ghidra • Do something
EMBA to the rescue Get the firmware (vendor, hardware) Extract the firmware (e.g., Linux filesystem, Kernel) Analyze the firmware Report all the things Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Web report generator Access the firmware
Get the firmware • Updates from vendor / web site • Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device • Other vulnerabilities e.g., command injection • JTAG / SWD • Communication sniffing (e.g., SPI) • Desolder Flash memory and extract the content
The easiest way Binwalk all the things
The EMBA extraction process EMBA extraction modules Identify Linux root filesystem Ext/UFS filesystems VMWare images Encrypted images Special images Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool Binwalk EMBA analyzer Deep extraction Ext/UFS filesystems VMWare images Encrypted images Special images Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool (e.g. Freetz NG) Binwalk Identify Linux root filesystem OK Not OK Always Basic compression Extract (patool)
Finally, we have something extracted Which files and directories are there? Which binaries, configuration files, … Which architecture are we dealing with? Which binary protections are in use? Which Software versions in use? Is some outdated software in use? Which areas are from the vendor, which are open source? Where are possible weak spots or interesting functions used? Which kernel? Are there hard-coded passwords? Scripting issues (shell, python, php, …)? Insecure permissions? Weak configurations? Public exploits? Dynamic analysis? Reporting EMBA analyzer modules
Don’t reinvent the wheel See also: https://github.com/e-m-b-a/emba/wiki/Installation#dependencies Multiple Linux tools binwalk Freetz-NG Checksec.sh CVE and CVSS databases CVE-Search CVE-Searchsploit cwe-checker GHIDRA Docker Radare2 fdtdump linux-exploit-suggester OpenSSL uboot mkimage objdump pixd bandit progpilot Qemu shellcheck sshdcc tree unzip sudo parser sshdc Yara and others …
System mode emulation Fully automated
What is emulation? In computing, an emulator is hardware or software that enables one computer system (called the host) to behave like another computer system (called the guest). An emulator typically enables the host system to run software or use peripheral devices designed for the guest system.* * https://en.wikipedia.org/wiki/Emulator
Modes of emulation • User-mode emulation QEMU can launch Linux processes compiled for one CPU on another CPU, translating syscalls on the fly.
Modes of emulation • System-mode emulation QEMU emulates a full system, including a processor and various peripherals such as disk, ethernet controller etc. Challenges: • Architecture • Kernel • Filesystem • Peripherals • Furthermore
EMBA live tester modules • Full system mode emulation goes to automated firmware analysis • Based on firmadyne and FirmAE* • Both projects are not actively maintained anymore • Complete re-implementation as EMBA modules • Automated testing of emulation and basic checks as additional testing modules • Multiple improvements of emulation capabilities are already in place • A lot of room for future improvements (e.g., new kernels) https://github.com/firmadyne/firmadyne and https://github.com/pr0v3rbs/FirmAE/
EMBA live tester modules - Benchmark* * https://github.com/pr0v3rbs/FirmAE/#dataset
Demo time
@ pascal.eckmann@siemens.com @ michael.messner@siemens-energy.com EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann

More Related Content

PDF
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
byEMBA Firmware Analyzer
 
PDF
EMBA - From Firmware to Exploit - BHEU22
byEMBA Firmware Analyzer
 
PDF
EMBA Firmware analysis - TROOPERS22
byEMBA Firmware Analyzer
 
PDF
CSSLP & OWASP & WebGoat
bySurachai Chatchalermpun
 
PDF
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
byMITRE - ATT&CKcon
 
PPT
IT Security management and risk assessment
byCAS
 
PPT
Security policy
byDhani Ahmad
 
PPTX
Information Security Blueprint
byZefren Edior
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
byEMBA Firmware Analyzer
 
EMBA - From Firmware to Exploit - BHEU22
byEMBA Firmware Analyzer
 
EMBA Firmware analysis - TROOPERS22
byEMBA Firmware Analyzer
 
CSSLP & OWASP & WebGoat
bySurachai Chatchalermpun
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
byMITRE - ATT&CKcon
 
IT Security management and risk assessment
byCAS
 
Security policy
byDhani Ahmad
 
Information Security Blueprint
byZefren Edior
 

What's hot

PDF
Windows Threat Hunting
byGIBIN JOHN
 
PPTX
Cissp Training PPT
byADEPT TECHNOLOGY
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PPTX
PowerShell for Practical Purple Teaming
byNikhil Mittal
 
PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PPT
Basic Linux kernel
byMorteza Nourelahi Alamdari
 
PDF
Threat Hunting with Splunk Hands-on
bySplunk
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PDF
Understanding the Event Log
bychuckbt
 
PPTX
Yocto Project introduction
byYi-Hsiu Hsu
 
PPTX
CISSP - Chapter 4 - Network Fundamental
byKarthikeyan Dhayalan
 
PPTX
Windows Forensic 101
byDigit Oktavianto
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PPTX
Chapter 1 Security Framework
byKarthikeyan Dhayalan
 
PDF
Up is Down, Black is White: Using SCCM for Wrong and Right
byenigma0x3
 
PPT
Basic 50 linus command
byMAGNA COLLEGE OF ENGINEERING
 
PPTX
Design of security architecture in Information Technology
bytrainersenthil14
 
PDF
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PPTX
User and entity behavior analytics: building an effective solution
byYolanta Beresna
 
Windows Threat Hunting
byGIBIN JOHN
 
Cissp Training PPT
byADEPT TECHNOLOGY
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
Attacker's Perspective of Active Directory
bySunny Neo
 
PowerShell for Practical Purple Teaming
byNikhil Mittal
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
Basic Linux kernel
byMorteza Nourelahi Alamdari
 
Threat Hunting with Splunk Hands-on
bySplunk
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Understanding the Event Log
bychuckbt
 
Yocto Project introduction
byYi-Hsiu Hsu
 
CISSP - Chapter 4 - Network Fundamental
byKarthikeyan Dhayalan
 
Windows Forensic 101
byDigit Oktavianto
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
Chapter 1 Security Framework
byKarthikeyan Dhayalan
 
Up is Down, Black is White: Using SCCM for Wrong and Right
byenigma0x3
 
Basic 50 linus command
byMAGNA COLLEGE OF ENGINEERING
 
Design of security architecture in Information Technology
bytrainersenthil14
 
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
User and entity behavior analytics: building an effective solution
byYolanta Beresna
 

Similar to EMBA - Firmware analysis DEFCON30 demolabs USA 2022

PPTX
EMBA - BlackHat Middle East and Africa 2024
byEMBA Firmware Analyzer
 
PDF
CNIT 126: Ch 2 & 3
bySam Bowne
 
PPTX
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
PDF
Malware Analysis Tips and Tricks.pdf
byYushimon
 
PPTX
Malware vm setup
byAspen Lindblom
 
PDF
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
bySegInfo
 
PPTX
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
PPTX
Uefi and bios
byShubham Pendharkar
 
PDF
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
byFelipe Prado
 
PDF
What's New in RHEL 6 for Linux on System z?
byIBM India Smarter Computing
 
PDF
Beyond BIOS Developing with the Unified Extensible Firmware Interface Third E...
byazyrahednea
 
PDF
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
byThe Linux Foundation
 
PDF
Beginners guide on how to start exploring IoT 2nd session
byveerababu penugonda(Mr-IoT)
 
PPTX
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
bylior mazor
 
ODP
Malware analysis
byxabean
 
PDF
#WeSpeakLinux Session
byKellyn Pot'Vin-Gorman
 
PDF
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
byChong-Kuan Chen
 
PDF
Embedded. What Why How
byVolodymyr Shymanskyy
 
PDF
Michele Dionisio & Pietro Lorefice - Developing and testing a device driver w...
bylinuxlab_conf
 
EMBA - BlackHat Middle East and Africa 2024
byEMBA Firmware Analyzer
 
CNIT 126: Ch 2 & 3
bySam Bowne
 
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
Malware Analysis Tips and Tricks.pdf
byYushimon
 
Malware vm setup
byAspen Lindblom
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
bySegInfo
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
Uefi and bios
byShubham Pendharkar
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
byFelipe Prado
 
What's New in RHEL 6 for Linux on System z?
byIBM India Smarter Computing
 
Beyond BIOS Developing with the Unified Extensible Firmware Interface Third E...
byazyrahednea
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
byThe Linux Foundation
 
Beginners guide on how to start exploring IoT 2nd session
byveerababu penugonda(Mr-IoT)
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
bylior mazor
 
Malware analysis
byxabean
 
#WeSpeakLinux Session
byKellyn Pot'Vin-Gorman
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
byChong-Kuan Chen
 
Embedded. What Why How
byVolodymyr Shymanskyy
 
Michele Dionisio & Pietro Lorefice - Developing and testing a device driver w...
bylinuxlab_conf
 

Recently uploaded

PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PDF
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
How Much Does It Cost To Build Software
bycollinmishell2
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
How Much Does It Cost To Build Software
bycollinmishell2
 
In this document
Powered by AI

Introduction to EMBA firmware security analyzer and its creators, Michael Messner and Pascal Eckmann.

Discusses firmware definition and analysis techniques, emphasizing EMBA as a free alternative to expensive commercial tools.

Outlines the typical workflow for firmware analysis, including the steps and methods for extracting and reporting firmware.

Describes the easiest methods for firmware extraction using Binwalk and the detailed extraction process through various tools.

Details the potential insights obtained after extraction, including vulnerabilities, architecture, and software versions.

Encourages the use of existing Linux tools and resources for firmware analysis, providing a comprehensive toolset.

Introduces emulation in computing, its modes, and the challenges faced during system-mode emulation.

Explains the EMBA live tester modules, their basis on prior projects, and improvements for automated testing.

Wrap up of the presentation, inviting questions and providing contact information for further queries.

EMBA - Firmware analysis DEFCON30 demolabs USA 2022

  • 1.
  • 2.
    # whoami Michael Messner Penetrationtester Firmware analysis Hardware analysis Siemens Energy AG @s3cur1ty_de https://github.com/m-1-k-3 @ michael.messner@siemens-energy.com
  • 3.
    # whoami Pascal Eckmann CybersecurityEngineer Security Research Siemens AG @_p4cx https://github.com/p4cx @ pascal.eckmann@siemens.com
  • 4.
  • 5.
    What the firmwareanalysis • Firmware is the operating system • Linux analysis techniques can be used quite often and are well known • Commercial tools are available, but they are expensive and limited • EMBA has no limits, costs no money and gives the best results
  • 6.
    The typical workflow •Do some strings • Do some binwalk • Do some find • Do some regex • Do a lot google • Load something into IDA/Ghidra • Do something
  • 7.
    EMBA to therescue Get the firmware (vendor, hardware) Extract the firmware (e.g., Linux filesystem, Kernel) Analyze the firmware Report all the things Firmware binary file EMBA extractor modules EMBA analyzer modules EMBA live tester modules EMBA final aggregator Web report generator Access the firmware
  • 8.
    Get the firmware •Updates from vendor / web site • Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device • Other vulnerabilities e.g., command injection • JTAG / SWD • Communication sniffing (e.g., SPI) • Desolder Flash memory and extract the content
  • 9.
  • 10.
    The EMBA extractionprocess EMBA extraction modules Identify Linux root filesystem Ext/UFS filesystems VMWare images Encrypted images Special images Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool Binwalk EMBA analyzer Deep extraction Ext/UFS filesystems VMWare images Encrypted images Special images Other systems Mount & copy Mount & copy Decrypt (leaked keys) Custom tool (e.g. Freetz NG) Binwalk Identify Linux root filesystem OK Not OK Always Basic compression Extract (patool)
  • 11.
    Finally, we havesomething extracted Which files and directories are there? Which binaries, configuration files, … Which architecture are we dealing with? Which binary protections are in use? Which Software versions in use? Is some outdated software in use? Which areas are from the vendor, which are open source? Where are possible weak spots or interesting functions used? Which kernel? Are there hard-coded passwords? Scripting issues (shell, python, php, …)? Insecure permissions? Weak configurations? Public exploits? Dynamic analysis? Reporting EMBA analyzer modules
  • 12.
    Don’t reinvent thewheel See also: https://github.com/e-m-b-a/emba/wiki/Installation#dependencies Multiple Linux tools binwalk Freetz-NG Checksec.sh CVE and CVSS databases CVE-Search CVE-Searchsploit cwe-checker GHIDRA Docker Radare2 fdtdump linux-exploit-suggester OpenSSL uboot mkimage objdump pixd bandit progpilot Qemu shellcheck sshdcc tree unzip sudo parser sshdc Yara and others …
  • 13.
  • 14.
    What is emulation? Incomputing, an emulator is hardware or software that enables one computer system (called the host) to behave like another computer system (called the guest). An emulator typically enables the host system to run software or use peripheral devices designed for the guest system.* * https://en.wikipedia.org/wiki/Emulator
  • 15.
    Modes of emulation •User-mode emulation QEMU can launch Linux processes compiled for one CPU on another CPU, translating syscalls on the fly.
  • 16.
    Modes of emulation •System-mode emulation QEMU emulates a full system, including a processor and various peripherals such as disk, ethernet controller etc. Challenges: • Architecture • Kernel • Filesystem • Peripherals • Furthermore
  • 17.
    EMBA live testermodules • Full system mode emulation goes to automated firmware analysis • Based on firmadyne and FirmAE* • Both projects are not actively maintained anymore • Complete re-implementation as EMBA modules • Automated testing of emulation and basic checks as additional testing modules • Multiple improvements of emulation capabilities are already in place • A lot of room for future improvements (e.g., new kernels) https://github.com/firmadyne/firmadyne and https://github.com/pr0v3rbs/FirmAE/
  • 18.
    EMBA live testermodules - Benchmark* * https://github.com/pr0v3rbs/FirmAE/#dataset
  • 19.
  • 20.
    @ pascal.eckmann@siemens.com @michael.messner@siemens-energy.com EMBA Firmware security analyzer @securefirmware https://github.com/e-m-b-a Michael Messner, Pascal Eckmann