Firmware Analysis Tools

Existing frameworks and tools

  • firmadyne
  • firmflaws
  • binbloom
  • Firmware Slap
  • cotopaxi
  • FACT_core

firmflaws

Analyzes a complete firmware image

  • Automated filesystem extraction
  • Simple rule-based extraction of
    • Strings
    • Configuration files
    • Certificates
    • Keys
    • Databases

https://github.com/Ganapati/firmflaws

Already implemented in FACT

Binbloom

Analyzes a single executable (raw firmware binary)

  • Loading (base) address
  • Endianness
  • UDS database


https://github.com/quarkslab/binbloom


Only performs a partial parse of the executable; example output:

Loaded firmware.bin, size:624128, bit:fff00000, 000fffff, nb_segments:4096, shift:20
End address:00098600
Determining the endianness
Computing heuristics in big endian order:
Base: 00000000: unique pointers:1839, number of array elements:217900
Base: 01000000: unique pointers:1343, number of array elements:13085
Base: 02000000: unique pointers:621, number of array elements:5735
Base: 03000000: unique pointers:566, number of array elements:3823
Base: 05000000: unique pointers:575, number of array elements:6139
Base: 80000000: unique pointers:642, number of array elements:528
247210
Computing score in little endian order:
Base: 00000000: unique pointers:8309, number of array elements:515404
515404
This firmware seems to be LITTLE ENDIAN
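The output above reflects a pointer-density heuristic: for each candidate base address and byte order, count how many aligned 32-bit words point back inside the image, and prefer the combination with the most distinct pointers. The following is an added illustration of that idea, not binbloom's own code: the constructed image, the candidate base list and the `guess_layout` function are this example's assumptions.

```python
import struct
from collections import Counter

WORD = 4  # 32-bit words, as in the binbloom log above


def pointer_score(blob: bytes, base: int, endian: str):
    """Read every aligned 32-bit word in the given byte order and count those
    that fall inside [base, base + len(blob)), i.e. plausible absolute pointers.
    Returns (unique_pointers, total_hits)."""
    fmt = ("<" if endian == "little" else ">") + "I"
    end = base + len(blob)
    hits = Counter()
    for off in range(0, len(blob) - WORD + 1, WORD):
        (word,) = struct.unpack_from(fmt, blob, off)
        if base <= word < end:
            hits[word] += 1
    return len(hits), sum(hits.values())


def guess_layout(blob: bytes, candidate_bases):
    """Score every (endianness, base) pair; the pair yielding the most distinct
    in-image pointers wins. Returns (endian, base, unique_pointers)."""
    best = ("big", candidate_bases[0], -1)
    for endian in ("big", "little"):
        for base in candidate_bases:
            unique, _ = pointer_score(blob, base, endian)
            if unique > best[2]:
                best = (endian, base, unique)
    return best


def build_sample(endian: str, base: int = 0x08000000, n_words: int = 256) -> bytes:
    """Constructed image (not a real firmware): data words in the 0x1000 range,
    plus a self-referencing absolute pointer in every 6th slot, packed in `endian`."""
    fmt = ("<" if endian == "little" else ">") + "I"
    out = bytearray()
    for i in range(n_words):
        if i % 6 == 0:
            out += struct.pack(fmt, base + i * WORD)  # pointer into the image
        else:
            out += struct.pack(fmt, 0x1000 + i)       # ordinary data word
    return bytes(out)


if __name__ == "__main__":
    bases = [0x00000000, 0x01000000, 0x08000000, 0x80000000]
    for e in ("little", "big"):
        print(e, "sample ->", guess_layout(build_sample(e), bases))
```

On a real image many small integers also look like pointers when the base is 0x00000000, which is why the log above shows its largest raw counts there; the tool combines this count with further heuristics rather than trusting it alone.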

Firmware Slap

Tool presented at Defcon 2019


  • Symbolic analysis with angr
  • Function prototype extraction with Ghidra
  • K-Means clustering to search at the function level


https://github.com/ChrisTheCoolHut/Firmware_Slap


firmadyne

NDSS(B) paper

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware


https://github.com/firmadyne/firmadyne

cotopaxi

Blackhat-US 20


Protocol fuzzing for networked IoT devices

Supported protocols: AMQP, CoAP, DTLS, HTCPCP, HTTP, HTTP/2, gRPC, KNX, mDNS, MQTT, MQTT-SN, QUIC, RTSP, SSDP.

https://github.com/Samsung/cotopaxi

FACT

  • General-purpose platform
  • Modular
  • Main purposes
    • Firmware content extraction
    • Preliminary analysis
    • Firmware comparison

Existing approaches

  • Automated extraction of basic information
  • QEMU emulation + fuzzing
  • Static analysis (at the function level)
  • Grey-box testing of network interfaces
  • Use of known exploits (EXP)

deck

By yoshino-s