固件分析工具
现有的框架及工具
- firmadyne
- firmflaws
- binbloom
- Firmware Slap
- cotopaxi
- FACT_core
firmflaws
分析完整固件
- 自动化提取文件系统
- 简易的规则提取
- 字符串
- 配置
- 证书
- 密钥
- 数据库
https://github.com/Ganapati/firmflaws
已在FACT中有实现
Binbloom
分析单个可执行文件
- loading address
- 大小端
- UDS数据库
https://github.com/quarkslab/binbloom
只做了可执行文件的部分解析
Loaded firmware.bin, size:624128, bit:fff00000, 000fffff, nb_segments:4096, shift:20
End address:00098600
Determining the endianness
Computing heuristics in big endian order:
Base: 00000000: unique pointers:1839, number of array elements:217900
Base: 01000000: unique pointers:1343, number of array elements:13085
Base: 02000000: unique pointers:621, number of array elements:5735
Base: 03000000: unique pointers:566, number of array elements:3823
Base: 05000000: unique pointers:575, number of array elements:6139
Base: 80000000: unique pointers:642, number of array elements:528
247210
Computing score in little endian order:
Base: 00000000: unique pointers:8309, number of array elements:515404
515404
This firmware seems to be LITTLE ENDIANFirmware Slap
2019 Defcon提出的工具
- angr做符号分析
- 配合Ghidra做函数原型提取
- 用K-Means聚类在函数层面做查找
https://github.com/ChrisTheCoolHut/Firmware_Slap
firmadyne
NDSS(B) paper
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware
https://github.com/firmadyne/firmadyne
cotopaxi
Blackhat-US 20
针对网络iot设备的
协议fuzz
AMQP, CoAP, DTLS,
HTCPCP, HTTP,
HTTP/2, gRPC,
KNX, mDNS, MQTT, MQTT-SN, QUIC, RTSP, SSDP.
https://github.com/Samsung/cotopaxi
FACT
- 通用平台
- 模块化
- 主要目的
- 固件内容提取
- 初步分析
- 固件对比
现有的思路
- 自动化提取基本信息
- QEMU模拟+fuzz
- 静态分析(函数)
- 对于网络接口的灰盒测试
- 已知EXP的利用