Firmware Reviewer

Firmware Reviewer provides in-depth firmware analysis (binaries, file systems, containers, virtual machines, IoT, UEFI, appliances, network devices, smart meters, surveillance devices, drones, etc.), letting you explore vulnerabilities while keeping the software securely in your own hands, on your own premises. It can be used on a wide range of binary file formats, with no need for the related physical device.

Firmware Reviewer is part of Security Reviewer Suite.

Firmware analysis is a tough challenge with a lot of tasks. Many of these tasks can be automated (either with new approaches or incorporation of existing tools) so that a security analyst can focus on his main task: Analyzing the firmware (and finding vulnerabilities).

It is available on premise (install kit or VMware image) or in the cloud. You can plan your own Tasks by choosing among the 100+ available.

For further explanation, please take a look at the FAQ section.

Main Topics

Architecture

Firmware Reviewer, in addition to its own engine, makes use of other well-known platforms, like FACT (Firmware Analysis Comparison Tool), Intel ME Analyzer, RedBoot, FirmWalker, Firmware Modification Kit, angr, Radare, Firmware Analysis Tool, Firmadyne, ByteSweep, Karonte, FWAnalyzer, Ghidra, FIT, IoTSecFuzz, EXPLioT, Capstone Framework and Binwalk engines, to analyze and compare different versions against vendors' databases, the Karonte Dataset and the Fraunhofer Institute database. Analyses are normalized and correlated and presented in a single dashboard. This is made possible by our Plugin Developer's Toolkit.

Firmware Reviewer shares the FACT (Firmware Analysis Comparison Tool) architecture, adding a lot of new features (Tasks Plan automation included). Compared to FACT, it is more flexible in hardware configuration, while improving performance 12x.

  • Front-end Browser web GUI so that you can start right away without any further knowledge about Firmware Reviewer or the firmware you want to look at. Web Server is based on clusterizable NGINX, with uWSGI and Flask.

  • Back-end Linux Engine. Includes an automated and scalable (and clusterizable) system for performing Emulation and Dynamic Analysis. Backend emulation machine can be detached.

  • Database based on scalable MongoDB

  • REST API interface. Integration is easy as well since we provide a REST API covering almost all features

  • Agent. Optionally used on encrypted firmware and to gain access credentials. Our Bootloader Agent gives the user the ability to make changes to a firmware image without recompiling the firmware sources. It works by extracting the firmware bootloader parts, then extracting the init file system image, and rebuilding the bootloader.

  • Plugin Developer's toolkit. It provides a framework for Plugin Development. New Unpackers are implemented as plug-ins, as well as Analysis features and Compare functionalities

  • Alert System. You can send alerts on: analysis process started, analysis process terminated, vulnerability threshold reached, user access. Alert platforms: Slack, WebHooks.

Compliance

Firmware Reviewer provides reports compliant with:

IoT

With widespread publicity of the Internet of Things (IoT), more and more devices are becoming network connected evidencing how essential it is to create secure coding guidelines for embedded software. Embedded Application Security is often not a high priority for embedded developers when they are producing devices such as routers, managed switches, medical devices, Industrial Control Systems (ICS), VoIP phones, IoT devices, and ATM Kiosks due to other challenges outside of development. Other challenges developers face may include, but are not limited to, the Original Design Manufacturer (ODM) supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint.

Firmware Reviewer can assist you to apply OWASP Embedded Best Practices, for:

  • E1 – Buffer and Stack Overflow Protection

  • E2 – Injection Prevention

  • E3 – Firmware Updates and Cryptographic Signatures

  • E4 – Securing Sensitive Information

  • E5 – Identity Management

  • E6 – Embedded Framework and C-Based Hardening

  • E7 – Usage of Debug Code and Interfaces

  • E8 – Transport Layer Security

  • E9 – Data collection Usage and Storage – Privacy

  • E10 – Third Party Code and Components

 

Firmware Reviewer results are enriched with threat intelligence from Shodan and the NIST NVD.

Supported Devices

Firmware Reviewer has been tested with the following devices types:

  • 3D-Printers

  • Appliances

  • Base Stations

  • Biometric

  • BIOS

  • Cameras

  • Drones

  • Industry 4.0 Devices

  • IoT Gateways

  • Mobile

  • Network (Consumer, Core, Radio)

  • Receivers

  • Satellite

  • SCADA-PLC-PAC

  • Smart Meters

  • Smart TV

  • Surveillance (Home, Industry, Government, Banking)

Supported Vendors

Firmware Reviewer supports both BIN and IMG files (compressed or uncompressed) from the following vendors: 

 

Further, eCos hardware is supported. Some of the file types might seem curious: PostScript, for example, while mainly used for text, is also seen as a container format for printer firmware updates.

Firmware Security Testing Methodology

The OWASP Firmware Security Testing Methodology is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists and information security professionals to conduct firmware security assessments. Firmware analysis is a tough challenge with a lot of tasks. Many of these tasks can be automated (either with new approaches or by incorporating existing tools) so that a security analyst can focus on their main task: analyzing the firmware (and finding vulnerabilities). Firmware Reviewer implements this automation, leading to a more complete analysis as well as a massive speedup in vulnerability hunting, and is able to assist you during all nine stages:

1. Information gathering and reconnaissance: Acquire all relative technical and documentation details pertaining to the target device's firmware

2. Obtaining firmware: Attain firmware using one or more of the proposed methods listed

3. Analyzing firmware: Examine the target firmware's characteristics

4. Extracting the filesystem: Carve filesystem contents from the target firmware

5. Analyzing filesystem contents: Statically analyze extracted filesystem configuration files and binaries for vulnerabilities

6. Emulating firmware: Emulate firmware files and components

7. Dynamic analysis: Perform dynamic security testing against firmware and application interfaces

8. Runtime analysis: Analyze compiled binaries during device runtime

9. Binary Exploitation: Exploit identified vulnerabilities discovered in previous stages to attain root and/or code execution


Firmware Detections

Device Firmware Vulnerabilities

  • Out-of-date core components

  • Unsupported core components

  • Expired and/or self-signed certificates

  • Same certificate used on multiple devices

  • Admin web interface concerns

  • Hardcoded or easy to guess credentials

  • Sensitive information disclosure

  • Sensitive URL disclosure

  • Encryption key and password hash exposure

  • Backdoor accounts

  • Vulnerable services (web, ssh, tftp, etc.)

  • Unauthenticated access

  • Weak authentication

  • Hidden back-doors

  • Unauthenticated CGI

  • Encryption keys stored in firmware

  • Buffer overflow vulnerabilities

  • Debug services in production systems

Manufacturer Recommendations

  • Ensure that supported and up-to-date software is used by developers

  • Ensure that robust update mechanisms are in place for devices

  • Ensure that certificates are not duplicated across devices and product lines

  • Develop a mechanism to ensure a new certificate is installed when old ones expire

  • Disable deprecated SSL versions

  • Ensure developers do not code in easy to guess or common admin passwords

  • Ensure services such as SSH have a secure password created

  • Develop a mechanism that requires the user to create a secure admin password during initial device setup

  • Ensure developers do not hard code passwords or hashes

  • Have source code reviewed by a third party before releasing the device to production

  • Ensure industry standard encryption or strong hashing is used

Device Firmware Guidance and Instruction

  • Firmware extraction and file analysis

  • Dynamic binary analysis

  • Static binary and code analysis

  • Firmware emulation

  • File system analysis

  • Software Composition Analysis (third-party libraries)

Firmware Reviewer provides a set of plugins (test cases) which are used to perform the assessment and can be extended easily with new ones.

There is obviously no silver bullet (read: tool) that can cover (test) the whole Firmware/IoT ecosystem attack surface. Our aim is to get as close as possible, i.e. to cover as many Firmware/IoT protocols, hardware platforms and products as possible. We explain the coverage of the framework in terms of protocols and technologies, including the what, why and how of each plugin.

Code Of Practice

In October 2018, the Government of the UK published a code of practice for IoT vendors to improve the security of consumer IoT products. The document lists 13 guidelines for consumer IoT devices that are connected to the Internet and/or a home network, such as smart cameras, TVs, home appliances and home automation systems. The GOV.UK guidelines can also be mapped to several industry standards and best practices on IoT security, including those of ENISA and the IoT Security Foundation. A detailed mapping between these guidelines has been published in a separate document. The following guidelines concern secure firmware development:

Firmware Reviewer automatically addresses those UK Government guidelines. However, different parties have published different IoT security guidelines as good practices or baselines, while there is no global standard for IoT device security, which has created confusion among both vendors and users. They not only do not know which guidelines they should follow or which practices they should apply, but also find a significant number of the practices impractical or irrelevant to their cases.

Unique Features

  • REST API with a full user- and client-management system and a lot of integration capabilities

  • Analyze files on multiple different environments in parallel

  • Use any prepared image to detect APTs and harden against evasive malware

  • Unique, Highly configurable Hybrid Analysis Technology that analyzes full process memory

  • Extensive third-party integrations (e.g. IP cross-reference checks, whitelisting)

  • Advanced anti-analysis detection (e.g. action scripts that simulate human behavior)

  • Threat Score (quickly understand the malicious impact of your artifact), further to Compliance Standards

  • Compare between different versions

  • Offered both in SaaS (Cloud) and on premises (Linux)

Supported CPU

Firmware Reviewer supports the following CPU Architectures:

  • ARM: ARM

  • AARCH64: aarch64

  • PPC: PowerPC, PPC

  • MIPS: MIPS

  • x86: x86, 80386, 80486, i386

  • SPARC: SPARC

  • RISC: RISC, RS6000, 80960, 80860

  • S/390: IBM S/390, s390

  • SuperH: Renesas SH, sh4, sh4eb

  • Alpha: Alpha

  • hppa: hppa, pa-risc

  • sb4: sb4

  • ia64: ia64, itanium, ia-64

  • cuda: cuda

  • avr: avr, atmel, Atmega32A

  • dlx: DLX

  • mico: mico32

  • mmix: MMIX

  • M68K: m68k, 68020
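As an added example (not Firmware Reviewer's or FACT's own code), the following Python matches the alias table above against the description string that `file` prints for an image, preferring the longest alias so that "ARM aarch64" resolves to AARCH64 and "PA-RISC" to hppa rather than RISC; the description strings it is tested on are constructed.

```python
import re

# Added example, not Firmware Reviewer or FACT code. The alias table is the one
# listed above; the `file`-style description strings used with it are constructed.
ARCH_ALIASES = {
    'ARM': ['ARM'], 'AARCH64': ['aarch64'], 'PPC': ['PowerPC', 'PPC'],
    'MIPS': ['MIPS'], 'x86': ['x86', '80386', '80486', 'i386'],
    'SPARC': ['SPARC'], 'RISC': ['RISC', 'RS6000', '80960', '80860'],
    'S/390': ['IBM S/390', 's390'], 'SuperH': ['Renesas SH', 'sh4', 'sh4eb'],
    'Alpha': ['Alpha'], 'hppa': ['hppa', 'pa-risc'], 'sb4': ['sb4'],
    'ia64': ['ia64', 'itanium', 'ia-64'], 'cuda': ['cuda'],
    'avr': ['avr', 'atmel', 'Atmega32A'], 'dlx': ['DLX'], 'mico': ['mico32'],
    'mmix': ['MMIX'], 'M68K': ['m68k', '68020'],
}


def detect_architecture(file_output):
    """Return (architecture, alias that matched) for a `file` description,
    or (None, None) when no alias is found.

    Aliases are matched case-insensitively as whole tokens (no letter or digit
    directly before or after), so the "arm" inside "firmware" does not trigger
    ARM. When several aliases match, the longest wins: "ARM aarch64" gives
    AARCH64, and "PA-RISC" gives hppa instead of RISC."""
    text = file_output.lower()
    best_arch, best_alias = None, None
    for arch, aliases in ARCH_ALIASES.items():
        for alias in aliases:
            pattern = r'(?<![a-z0-9])' + re.escape(alias.lower()) + r'(?![a-z0-9])'
            if re.search(pattern, text) and (best_alias is None or len(alias) > len(best_alias)):
                best_arch, best_alias = arch, alias
    return best_arch, best_alias


def detect_many(descriptions):
    """Map each description to its architecture; unrecognized ones map to None."""
    return {desc: detect_architecture(desc)[0] for desc in descriptions}
```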


Supported Platforms

Firmware Reviewer analyzes cyber threats on:

  • Embedded Linux

  • RTOS (QNX/MQX/FreeRTOS/eCos)

  • VxWorks

  • WindRiver Linux

  • LynxOS

  • OpenWrt

  • PTXdist

  • FireOS

  • Cisco IOS

  • ThreadX

  • MicroC_OS

  • Contiki

  • VMWare, QEMU, VirtualBox Virtual Machines

  • Proprietary Firmware (Routers, Network Core, Network Radio, Smart Meters, Surveillance, Mobile, IoT, Storage, etc.)

Binary Reviewer analyzes more 'traditional' binaries on the following platforms:

  • Windows (XP, Vista, W7, W7 x64, W8, W10)

  • Linux (RedHat, CentOS, Fedora, Ubuntu, Debian, FreeBSD, NetBSD, and OpenBSD)

  • Unix (A/UX, AIX, HP-UX, illumos, IRIX, OpenServer, Solaris, Tru64 UNIX)

  • Mac OSX

  • Android

  • iOS

Supported File Systems

Firmware Reviewer is able to analyze several file systems like:

  • ABISS

  • AuFS

  • vam-sqfs-fake

  • AXFS

  • btrfs

  • cramFS

  • dosmbr

  • ext2/3/4

  • FAT/VFat

  • F2FS

  • hfs

  • InitRAMFS

  • jffs2/jffs2big

  • jfs

  • LogFS

  • mini_fo

  • minix

  • NTFS

  • PramFS

  • reiserfs

  • RomFS

  • SquashFS

  • UBIFS filesystem images

  • udf

  • xfs

  • UnionFS

  • YAFFS

  • cpio archives

  • directory content using a set of configurable rules.

The main idea is to provide a tool for rapid analysis of filesystem images as part of a firmware security assessment. Firmware Reviewer takes a configuration file that defines rules for files and directories and runs the configured checks against a given filesystem image.

 

Supported Protocols

In addition to NRF24, Wi-Fi and IP networking, the following protocols are supported:

  • AMQP

  • BACNet

  • Bluetooth LE

  • CANBus

  • CoAP

  • DICOM

  • DNP3

  • DNS

  • HL7

  • I2C

  • LoRA

  • mDNS

  • Modbus

  • MQTT

  • NFC

  • ProfiBus

  • RFID

  • SPI

  • SSH

  • UART

  • UDP

  • UPnP

  • XMPP

  • WebSocket

  • Wireless HART

  • Zigbee

  • Zwave

Comparison between Versions

The File Compare check is a mechanism to compare a file from a previous run with the file from the current run. It provides more insight into file changes, since it allows comparing two versions of a file rather than only comparing a digest. Finally, the Tree Check produces an informational output listing new files, deleted files and modified files. Firmware Reviewer can compare several images or single files. Furthermore, unpacking, analysis and comparison are all based on plug-ins, guaranteeing maximal flexibility and expandability.

In many cases you might want to compare firmware samples. For instance, you might want to know if and where a manufacturer fixed an issue in a new firmware version. Or you might want to know whether the firmware on your device is the original firmware provided by the manufacturer. If they differ, you want to know which parts have changed, for further investigation. Again, Firmware Reviewer is able to automate many of these challenges, such as identifying changed / equal files and identifying changed software versions.
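The rule-based filesystem checks described under Supported File Systems and the File Compare / Tree Check described here, as one added Python example that is not Firmware Reviewer's own code. The rule format, the two firmware snapshots and their file contents are constructed assumptions, not a real image.

```python
import hashlib
import re
from fnmatch import fnmatch

# Constructed snapshots of two firmware versions (not real images):
# path -> (permission bits, file content).
FW_V1 = {
    "/etc/passwd": (0o644, b"root:x:0:0:root:/root:/bin/sh\nadmin:x:0:0::/:/bin/sh\n"),
    "/etc/shadow": (0o666, b"root:$1$abc$hash:0:0:99999:7:::\nadmin::0:0:99999:7:::\n"),
    "/etc/inittab": (0o644, b"::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/sh\n"),
    "/usr/sbin/telnetd": (0o755, b"ELF telnetd v1"),
    "/bin/busybox": (0o755, b"ELF busybox 1.20"),
}
FW_V2 = {
    "/etc/passwd": (0o644, b"root:x:0:0:root:/root:/bin/sh\nadmin:x:0:0::/:/bin/sh\n"),
    "/etc/shadow": (0o640, b"root:$1$abc$hash:0:0:99999:7:::\nadmin:$1$xyz$hash:0:0:99999:7:::\n"),
    "/etc/inittab": (0o644, b"::sysinit:/etc/init.d/rcS\n"),
    "/bin/busybox": (0o755, b"ELF busybox 1.31"),
    "/usr/sbin/dropbear": (0o755, b"ELF dropbear"),
}

# Assumed rule format (not the tool's own): a path glob plus one check.
RULES = [
    {"glob": "/etc/shadow", "max_mode": 0o640, "desc": "shadow readable by others"},
    {"glob": "/etc/shadow", "forbid_regex": rb"^[^:]+::", "desc": "account with empty password"},
    {"glob": "/etc/inittab", "forbid_regex": rb"telnetd", "desc": "telnet daemon started at boot"},
    {"glob": "/usr/sbin/telnetd", "must_not_exist": True, "desc": "telnetd shipped in image"},
    {"glob": "*", "max_mode": 0o755, "desc": "permission bits beyond rwxr-xr-x"},
]


def run_rules(snapshot, rules):
    """Apply every rule to the paths its glob matches; return (path, description) findings."""
    findings = []
    for rule in rules:
        matched = [p for p in snapshot if fnmatch(p, rule["glob"])]
        if rule.get("must_not_exist"):
            findings += [(p, rule["desc"]) for p in matched]
            continue
        for path in matched:
            mode, content = snapshot[path]
            if "max_mode" in rule and mode & ~rule["max_mode"]:
                findings.append((path, rule["desc"]))
            if "forbid_regex" in rule and re.search(rule["forbid_regex"], content, re.M):
                findings.append((path, rule["desc"]))
    return findings


def tree_check(prev, curr):
    """New, deleted and modified paths between two runs; modified means the
    content digest or the permission bits differ."""
    digest = lambda blob: hashlib.sha256(blob).hexdigest()
    both = set(prev) & set(curr)
    return {
        "new": sorted(set(curr) - set(prev)),
        "deleted": sorted(set(prev) - set(curr)),
        "modified": sorted(p for p in both
                           if digest(prev[p][1]) != digest(curr[p][1]) or prev[p][0] != curr[p][0]),
    }


def fixed_findings(prev, curr, rules):
    """Findings of the previous version that the current version no longer has."""
    return sorted(set(run_rules(prev, rules)) - set(run_rules(curr, rules)))
```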

Find other affected Firmware Images
If you find a new vulnerability or a new container format, you might want to know whether other firmware images share your finding. Therefore, Firmware Reviewer stores all firmware files and analysis results in a searchable database. You can search for byte patterns across all unpacked files as well as for any kind of analysis result.

Accuracy

To validate the accuracy of our results, we developed a fully automated framework and used it to test vulnerability discovery at large scale. Our system was able to statically find 38 new vulnerabilities for each of 16785 firmware packages. In addition, our system was able to dynamically discover 225 high-impact vulnerabilities (OWASP IoT Top Ten 2018) in at least 20% of emulated embedded web interfaces.

We also used the framework to test automated firmware and device classification. Our automated system was able to correctly classify firmware packages and identify live devices with an accuracy of 90% or more.

We explore several feature sets derived from the characteristics of firmware images, such as file size, file entropy and common strings. We then recommend the optimal feature set for this type of classification problem and show that our approach achieves high accuracy. Moreover, using sound statistical methods such as confidence intervals, we estimate the performance of our classifiers on large-scale real-world datasets. The following is an overview of the automated testing architecture:

The first component of our analysis platform is the Firmware Datastore, which stores the unmodified firmware files that have been retrieved either by the web crawler or submitted through the public web interface. We are currently crawling 43 vendors' sites. When a new file is received by the Firmware Datastore, it is automatically scheduled for processing by the analysis cloud.

The analysis cloud consists of a master node and a number of worker and hash cracking nodes. The master node distributes unpacking jobs to the worker nodes, which unpack and analyze firmware images. Hash cracking nodes process password hashes found during the analysis and try to recover the corresponding plaintext passwords. Apart from coordinating the worker nodes, the master node also runs the Correlation Engine and Data Enrichment modules, which improve the reports with results from cross-firmware analysis.

The analysis cloud is where the actual analysis of the firmware takes place. Each firmware image is first submitted to the master node. Worker nodes then unpack and analyze the firmware and return the results to the master node, which submits this information to the Reports Database. If there were any uncracked password hashes in the analyzed firmware, it additionally submits those hashes to one of the hash cracking nodes, which tries to recover the plaintext passwords.

Finally, we enhanced our system with additional intelligence by employing Machine Learning (ML) and classification techniques. To classify collected firmware files, we explored Random Forest (RF) and Decision Tree (DT) algorithms in combination with several feature sets. On our firmware dataset, we showed that the RF algorithm with the feature set [size, entropy, entropy extended, category strings, category unique strings] is the best choice among the four main feature sets we explored. For example, our system achieved more than 90% classification accuracy when the training sets were based on at least 40% of each known firmware category. To classify online embedded devices, we explored web-interface-level fingerprinting based on multi-metric score fusion techniques. Our system relies on fingerprints of the embedded web interfaces computed over six metrics. It then ranks the fingerprint metrics using three scoring systems and uses a score fusion technique in the final evaluation of the best fingerprint match. We also motivated our choices of metrics and scoring systems in the context of embedded web interfaces. For example, on average our system achieved 89.4% accuracy in device identification based on a database of 31 fingerprints of embedded web interfaces. Ultimately, we demonstrated that it is possible to classify firmware files and identify online embedded devices with high accuracy.

In our fingerprinting experiments we used 16875 firmware images originating from 43 vendors, split across 7 functional categories. Of these 16875 emulated firmware images, 30% were also part of the firmware Machine Learning classification experiments. Specifically, these 5062 firmware packages were classified by our ML firmware model with an accuracy of 100% using Random Forest (and around 99.5% using Decision Tree).

In our evaluation, we used the score fusion technique to improve the accuracy of identification. The Score Fusion technique is widely and actively used in various research fields, such as biometrics and sensors data. It is used to increase the confidence in the results and to counter the effect of imprecisely approximated data (e.g., fingerprints in biometrics) and unstable data readings (e.g., sensors data). We take as input the decreasingly ordered rankings from each of the scoring systems described above. Then, we apply majority voting to each ranking from these three scoring systems. This allows our system to decide which match is the most accurate based on its scores computed using the three different scoring systems.
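The majority vote over per-system rankings described above, as an added Python example rather than the paper's implementation. It assumes three scoring systems that each score every candidate fingerprint, and assumes a fallback to the lowest summed rank position when no candidate wins a strict majority of first places; the scores are constructed.

```python
from collections import Counter

# Constructed scores (higher is better) from three scoring systems for four
# candidate device fingerprints; not data from the paper.
SCORES_CLEAR = [
    {"cam-A": 0.90, "cam-B": 0.70, "router-C": 0.20, "dvr-D": 0.10},
    {"cam-A": 0.60, "cam-B": 0.80, "router-C": 0.30, "dvr-D": 0.10},
    {"cam-A": 0.85, "cam-B": 0.50, "router-C": 0.30, "dvr-D": 0.40},
]
# Each system puts a different candidate first: no majority exists.
SCORES_SPLIT = [
    {"cam-A": 0.90, "cam-B": 0.70, "router-C": 0.20, "dvr-D": 0.10},
    {"cam-A": 0.60, "cam-B": 0.80, "router-C": 0.30, "dvr-D": 0.10},
    {"cam-A": 0.35, "cam-B": 0.50, "router-C": 0.70, "dvr-D": 0.10},
]


def rank(scores):
    """Decreasingly ordered ranking of candidates; ties broken by name."""
    return [name for name, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


def fuse(rankings):
    """Majority vote on the first place of each ranking. Assumed fallback (not
    from the paper): when no candidate holds a strict majority of first places,
    the candidate with the lowest summed rank position across all systems wins."""
    first_places = Counter(r[0] for r in rankings)
    best, votes = first_places.most_common(1)[0]
    if votes * 2 > len(rankings):
        return best, "majority"
    summed = Counter()
    for r in rankings:
        for position, name in enumerate(r):
            summed[name] += position
    return min(summed, key=lambda n: (summed[n], n)), "rank-sum"


def identify(score_sets):
    """Full pipeline: per-system scores -> rankings -> fused best match."""
    return fuse([rank(s) for s in score_sets])
```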

DISCLAIMER: Firmware Reviewer never operates on physical devices.

COPYRIGHT (C) 2014-2021 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.