Firmware Reviewer

Firmware Reviewer Cloud Service provides in-depth firmware analysis (binaries, file systems, containers, virtual machines, IoT, UEFI, Appliances, Network Devices, Smart Meters, Surveillance devices, Drones, etc.), allowing to explore vulnerabilities at the same time to keeping the software securely in your own hands, for your eyes only. It can be used for a bunch of binary file formats, with No need of related physical device. Further, we offer a Firmware Image Check certification.

 

Quick Overview in PDF Format.

Firmware Reviewer is part of Security Reviewer Suite.

Main Topics

 

Task Automation

Firmware analysis is a tough challenge with a lot of tasks, completely automated by Firmware Reviewer, either with new approaches or incorporation of existing tools, so that a security analyst can focus on his main task: Analyzing the firmware (and finding vulnerabilities).

It is available in Cloud only. For further explanation, please take a look to FAQ section.

System Requirements

Firmware Reviewer is a Cloud service accessible via Internet through a Standard Browser. Latest versions of Edge Chromium, Google Chrome and Mozilla FireFox are supported.

Optionally, you can use our Client App for analyzing your Firmware Image locally.

  • Minimum RAM: 4GB (8GB is recommended)

  • CPU Cores: 2 (4 is recommended)

  • Free Disk Space: the minimum required by your browser. In case the Client App is used, you need triple the size of your Firmware Image available on your disk.

Cloud Service

Firmware Reviewer offers a Cloud platform for Analyzing and continuously Monitoring your Firmware images.

Accelerate digital transformation with comprehensive security across your IoT/OT infrastructure. 98

Firmware Reviewer shares FACT (Firmware Analysis Comparison Tool) architecture, adding a lot of new features. Respect than FACT, it is more flexible on hardware configuration, while enhancing performances 12x.

  • Front-end Browser web GUI so that you can start right away without any further knowledge about Firmware Reviewer or the firmware you want to look at. Web Server is based on clusterizable NGINX, with uWSGI and Flask.

  • Back-end Linux Engine. Includes an automated and scalable (and clusterizable) system for performing Emulation and Dynamic Analysis. Backend emulation machine can be detached.

  • Database based on scalable MongoDB

  • Alert System. You can send alert on: Analysis process started, Analysis process terminated, Vulnerability threshold, User’s access. Alert platforms: Slack, WebHooks.

Keep your Firmware Secured

For Linux Users, a Client App (Firmware Reviewer Local Analyzer) is optionally available, enabling teams to scan locally.

Registered Linux Customers simply use this App for retrieving image’s relevant information and send it encrypted to Firmware Reviewer engine.

Using this App:

  • Firmware images won’t be uploaded to the internet

  • Firmware images never leave your workstation.

  • Firmware Analysis' Results and Reports will be stored and downloaded using AES-256 encryption.

  • Nor the Cloud server administrator can access the results and reports.

  • The encryption key is known only by you.

 

 

Compliance

Firmware Reviewer provides Reports compliant to:

IoT

With widespread publicity of the Internet of Things (IoT), more and more devices are becoming network connected evidencing how essential it is to create secure coding guidelines for embedded software. Embedded Application Security is often not a high priority for embedded developers when they are producing devices such as routers, managed switches, medical devices, Industrial Control Systems (ICS), VoIP phones, IoT devices, and ATM Kiosks due to other challenges outside of development. Other challenges developers face may include, but are not limited to, the Original Design Manufacturer (ODM) supply chain, limited memory, a small stack, and the challenge of pushing firmware updates securely to an endpoint.

Firmware Reviewer can assist you to apply OWASP Embedded Best Practices, for:

  • E1 – Buffer and Stack Overflow Protection

  • E2 – Injection Prevention

  • E3 – Firmware Updates and Cryptographic Signatures

  • E4 – Securing Sensitive Information

  • E5 – Identity Management

  • E6 – Embedded Framework and C-Based Hardening

  • E7 – Usage of Debug Code and Interfaces

  • E8 – Transport Layer Security

  • E9 – Data collection Usage and Storage – Privacy

  • E10 – Third Party Code and Components

 

Firmware Reviewer results are enriched with threat intelligence from Shodan and the NIST NVD.

Supported Devices

Firmware Reviewer has been tested with the following devices types:

  • 3D-Printers

  • Appliances

  • Base Stations

  • Biometric

  • BIOS

  • Cameras

  • Drones

  • Industry 4.0 Devices

  • IoT Gateways

  • Mobile

  • Network (Consumer, Core, Radio)

  • Receivers

  • Satellite

  • SCADA-PLC-PAC

  • Smart Meters

  • Smart TV

  • Surveillance (Home, Industry, Government, Banking)

Supported Vendors

Firmware Reviewer supports several file types:

7z, ace, apk, ar, arj, bzip2, CAB, cpio, deb, dmg, gzip, hex, ice, ipa, ISO9660, lha, lz4, lzip, LZMA, lzo,, mpkg, pkg, SFX, SREC, SY_, rar, rpm, rzip, SIT, SQX, tar, TBZ, xar, xapk, xz, zip, zlib, zstd

from the following vendors: 

 

Further, eCos hardware is supported. Some of the types might seem curious. E.g. postscript while being used for text mainly is seen as container for update formats of printer firmware.

Firmware Security Testing Methodology

The OWASP Firmware Security Testing Methodology is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and Information Security professionals with conducting firmware security assessments. Firmware analysis is a tough challenge with a lot of tasks. Many of these tasks can be automated (either with new approaches or incorporation of existing tools) so that a security analyst can focus on its main task: Analyzing the firmware (and finding vulnerabilities). Firmware Reviewer implements this automation leading to more complete analysis as well as a massive speedup in vulnerability hunting and is able to assist you during all the nine stages:

Stage

Description

1. Information gathering and reconnaissance

Acquire all relative technical and documentation details pertaining to the target device's firmware

2. Obtaining firmware

Attain firmware using one or more of the proposed methods listed

3. Analyzing firmware

Examine the target firmware's characteristics

4. Extracting the filesystem

Carve filesystem contents from the target firmware

5. Analyzing filesystem contents

Statically analyze extracted filesystem configuration files and binaries for vulnerabilities

6. Emulating firmware

Emulate firmware files and components

7. Dynamic analysis

Perform dynamic security testing against firmware and application interfaces

8. Runtime analysis

Analyze compiled binaries during device runtime

9. Binary Exploitation

Exploit identified vulnerabilities discovered in previous stages to attain root and/or code execution


Firmware Detections

Section

Description

Device Firmware Vulnerabilities

·         Out-of-date core components

·         Unsupported core components

·         Expired and/or self-signed certificates

·         Same certificate used on multiple devices

·         Admin web interface concerns

·         Hardcoded or easy to guess credentials

·         Sensitive information disclosure

·         Sensitive URL disclosure

·         Encryption key and Password hashes exposure

·         Backdoor accounts

·         Vulnerable services (web, ssh, tftp, etc.)

·         Unauthenticated access

·         Weak authentication

·         Hidden back-doors

·         Unauthenticated CGI

·         Encryption keys stored in firmware

·         Buffer overflows vulnerabilities

·         Debug services in production systems

Manufacturer Recommendations

·         Ensure that supported and up-to-date software is used by developers

·         Ensure that robust update mechanisms are in place for devices

·         Ensure that certificates are not duplicated across devices and product lines.

·         Ensure supported and up-to-date software is used by developers

·         Develop a mechanism to ensure a new certificate is installed when old ones expire

·         Disable deprecated SSL versions

·         Ensure developers do not code in easy to guess or common admin passwords

·         Ensure services such as SSH have a secure password created

·         Develop a mechanism that requires the user to create a secure admin password during initial device setup

·         Ensure developers do not hard code passwords or hashes

·         Have source code reviewed by a third party before releasing device to production

·         Ensure industry standard encryption or strong hashing is used

Device Firmware Guidance and Instruction

·         Firmware extraction and file analysis

·         Dynamic binary analysis

·         Static binary and code analysis

·         Firmware emulation

·         File system analysis

·         Software Composition Analysis (Third-party libraries)

Firmware Reviewer provides a set of plugins (test cases) which are used to perform the assessment and can be extended easily with new ones.

There is obviously no silver bullet (read tool) that can cover (test) the whole Firmware/IoT eco-system attack surface. Our aim is to reach as close as possible i.e. to cover as many Firmware/IoT protocols, hardware platforms and products as possible. We will explain the coverage of the framework based on protocols and technologies including the what, why and how of each plugin.

Code Of Practice

In October 2018, Government of UK published code of practice for IoT vendors to improve the security of consumer IoT products, The document listed 13 guidelines for consumer IoT devices that are connected to the Internet and/or home network such as smart cameras, TVs, home appliances and home automation systems. The GOV.UK guidelines can also be mapped to several industry standards and best practices on IoT security that includes ENISA and IoT Security Foundation. A detailed mapping between these guidelines has been published in a separate document. The following guidelines were concerned with secure firmware development:

Firmware Reviewer automatically addresses those UK Government Guidelines. However, there have been different IoT Security guidelines published by different parties as good practices or baselines while there is no global standard for IoT Device Security, which as a result has created confusions in both vendors and users. They not only know which guidelines they should follow or which practices they should apply but also find a significant number of the practices impractical or irrelevant to their cases.

Unique Features

  • Analyze files on multiple different environments in parallel

  • Use any prepared image to detect APTs and harden against evasive malware

  • Unique, Highly configurable Hybrid Analysis Technology that analyzes full process memory

  • Extensive third-party integrations (e.g. IP cross-reference checks, whitelisting)

  • Advanced anti-analysis detection (e.g. action scripts that simulate human behavior)

  • Threat Score (quickly understand the malicious impact of your artifact), further to Compliance Standards

  • Compare between different versions

Supported CPUs

Firmware Reviewer supports the following CPU Architectures:

'ARM': ['ARM'], 'AARCH64': ['aarch64'], 'PPC': ['PowerPC', 'PPC'], 'MIPS': ['MIPS'], 'x86': ['x86', '80386', '80486', 'i386'], 'SPARC': ['SPARC'], 'RISC': ['RISC', 'RS6000', '80960', '80860'], 'S/390': ['IBM S/390', 's390'], 'SuperH': ['Renesas SH', 'sh4', 'sh4eb'], 'Alpha': ['Alpha'], 'hppa': ['hppa', 'pa-risc'], 'sb4': ['sb4'], 'ia64': ['ia64', 'itanium', 'ia-64'], 'cuda': ['cuda'], 'avr': ['avr', 'atmel', 'Atmega32A'], 'dlx': ['DLX'], 'mico': ['mico32'], 'mmix': ['MMIX'], 'M68K': ['m68k', '68020'] 


Supported Platforms

Firmware Reviewer analyzes cyber threats on:

  • Embedded Linux

  • RTOS (QNX/MQX/FreeRTOS/eCos)

  • VxWorks

  • WindRiver Linux

  • LynxOS

  • OpenWrt

  • PTXdist

  • FireOS

  • Cisco IOS

  • ThreadX

  • MicroC_OS

  • Contiki

  • VMWare, QEMU, VirtualBox Virtual Machines

  • Proprietary Firmware (Routers, Network Core, Network Radio, Smart Meters, Surveillance, Mobile, IoT, Storage, etc.)

Binary Reviewer analyzes more 'traditional' binaries in the following platforms:

  • Windows (XP, Vista, W7, W7 x64, W8, W10)

  • Linux (RedHat, CentOS, Fedora, Ubuntu, Debian, FreeBSD, NetBSD, and OpenBSD)

  • Unix (A/UX, AIX, HP-UX, illumos, IRIX, OpenServer, Solaris, Tru64 UNIX)

  • Mac OSX

  • Android

  • iOS

Supported File Systems

Firmware Reviewer is able to analyze several file systems like:

  • ABISS

  • AuFS

  • vam-sqfs-fake

  • AXFS

  • btrfs

  • cramFS

  • dosmbr

  • ext2/3/4

  • FAT/VFat

  • F2FS

  • hfs

  • InitRAMFS

  • jffs2/jffs2big

  • jfs

  • LogFS

  • mini_fo

  • minix

  • NTFS

  • PramFS

  • reiserfs

  • RomFS

  • SquashFS

  • UBIFS filesystem images

  • udf

  • xfs

  • UnionFS

  • YAFFS

  • cpio archives

  • directory content using a set of configurable rules.

The main idea is to provide a tool for rapid analysis of filesystem images as part of a firmware security. Firmware Reviewer takes a configuration file that defines various rules for files and directories and runs the configured checks against a given filesystem image. 

 

Supported Protocols

Further to NRF24, Wifi, and IP-networking, the following protocol are supported:

  • AMQP

  • BACNet

  • Bluetooth LE

  • CANBus

  • CoAP

  • DICOM

  • DNP3

  • DNS

  • HL7

  • I2C

  • LoRA

  • mDNS

  • Modbus

  • MQTT

  • NFC

  • ProfiBus

  • RFID

  • SPI

  • SSH

  • UART

  • UDP

  • UPnP

  • XMPP

  • WebSocket

  • Wireless HART

  • Zigbee

  • Zwave

Comparison between Versions

The File Compare check is a mechanism to compare a file from a previous run with the file from the current run. It provides more insights into file changes, since it allows comparing two versions of a file rather than comparing only a digest. Last, the Tree Check will produce an informational output listing new files, deleted files, and modified files. Firmware Reviewer can compare several images or single files. Furthermore, Unpacking, analysis and compares are based on plug-ins guaranteeing maximal flexibility and expandability.

In many cases you might want to compare Firmware samples. For instance, you might want to know if and where a manufacturer fixed an issue in a new firmware version. Or you might want to know if the firmware on your device the original firmware is of provided by the manufacturer. If they differ, you want to know which parts are changed for further investigation. Again, Firmware Reviewer is able to automate many of these challenges, like: Identify changed / equal files and Identify changed software versions.

Find other affected Firmware Images
If you find a new vulnerability or a new container format, you might want to know if other firmware images share your finding. Therefore, FIrmware Reviewer stores all firmware files and analysis results in a searchable database visible to authorized users only. You can search for byte patterns on all unpacked files as well as any kind of analysis result.

Accuracy

For validating our result’s accuracy, we have developed a fully automated framework and used it to test vulnerability discovery at large scale. Our system was able to find statically 38 new vulnerabilities for each of 16785 firmware packages. In addition to this, our system was able to discover dynamically 225 high-impact vulnerabilities (OWASP IoT Top Ten 2018) in at least 20% of emulated embedded web interfaces.

We also used the framework to test automated firmware and device classification. Our automated system was able to correctly classify firmware packages and identify live devices with an accuracy of 90% or more.

We explore several feature sets derived from the characteristics of firmware images, such as file size, file entropy and common strings. Then, we recommend the optimal feature set for this type of classification problems and show that our approach achieves high accuracy. Moreover, using sound statistical methods such as confidence intervals we estimate the performance of our classifiers for large scale real world datasets. The following is an overview of the automated testing architecture:

The first component of our analysis platform is the Firmware Datastore, which stores the unmodified firmware files that have been retrieved either by the web Crawler or that have been submitted through the public web interface. We are current crawling 43 Vendors' sites. When a new file is received by the Firmware Datastore, it is automatically scheduled to be processed by the analysis cloud. The analysis cloud consists of a Master node, and a number of worker and hash cracking nodes. The master node distributes unpacking jobs to the worker nodes, which unpack and analyze firmware images. Hash cracking nodes process password hashes that have been found during the analysis, and try to find the corresponding plaintext passwords. Apart from coordinating the Worker nodes, the master node also runs the Correlation Engine and the Data Enrichment system modules. These modules improve the reports with results from the cross-firmware analysis. The analysis cloud is where the actual analysis of the firmware takes place. Each firmware image is first submitted to the master node. Subsequently, worker nodes are responsible for unpacking and analyzing the firmware and for returning the results of the analysis back to the master node. At this point, the master node will submit this information to the Reports Database. If there were any uncracked password hashes in the analyzed firmware, it will additionally submit those hashes to one of the hash cracking nodes which will try to recover the plaintext passwords.

Finally, we enhanced our system with additional intelligence by employing Machine Learning (ML) and classification techniques. To classify collected firmware files, we explored Random Forests (RF) and Decision Trees (DT) algorithms in combination with several feature sets. On our firmware dataset, we showed that the RF algorithm with the feature set of [size, entropy, entropy extended, category strings, category unique strings] is the best choice among the four main feature sets we explored. For example, our system achieved more than 90% classification accuracy when the training sets were based on at least 40% of each known firmware category. To classify online embedded devices, we explored web interface level fingerprinting based on multi-metric score fusion techniques. Our system relies on fingerprints of the embedded web interfaces computed over six metrics. Then it ranks the fingerprint metrics using three scoring systems, and uses score fusion technique in the final evaluation of the best fingerprint match. We also reasonably motivated our choices for the metrics and the scoring systems in the context of embedded web interfaces. For example, on average our system achieved 89.4% accuracy in device identification based on a database of 31 fingerprints of embedded web interfaces. Ultimately, we demonstrated that it is possible to classify firmware files and identify online embedded devices with high accuracy.

In our fingerprinting experiments we used 16875 firmware images originating from 43 vendors that split across 7 functional categories. Out of these 16875 emulated firmware images, 30% of them where also part of the firmware Machine Learning classification experiments. Specifically, these 5062 firmware packages were classified by our ML firmware model with an accuracy of 100% using Random Forest (and around 99.5% using Decision Tree).

In our evaluation, we used the score fusion technique to improve the accuracy of identification. The Score Fusion technique is widely and actively used in various research fields, such as biometrics and sensors data. It is used to increase the confidence in the results and to counter the effect of imprecisely approximated data (e.g., fingerprints in biometrics) and unstable data readings (e.g., sensors data). We take as input the decreasingly ordered rankings from each of the scoring systems described above. Then, we apply majority voting to each ranking from these three scoring systems. This allows our system to decide which match is the most accurate based on its scores computed using the three different scoring systems.

Firmware Reviewer Security Policy

Firmware Reviewer Cloud Service provides in-depth firmware analysis via Web GUI. Does not require installation on client-side. It needs a Web Browser only.

Firmware Reviewer does not require the Firmware source code.

Users must download the Firmware image themselves. Firmware Reviewer never access to physical devices.

Our Cloud infrastructure guaranteed to stay always up to date on Firmware Vulnerabilities analysis, while maintaining your data secured.

Firmware Reviewer does not handle Sensitive or Personal Data. Usernames are represented by a sequence of alphanumeric characters from which is impossible to reveal information about the real Users. Once the Users got their Username and Password, they can login and Upload the Firmware Image they want to analyze.

The Firmware Image will be encrypted using AES-256, Uploaded using TLS 1.3 secure protocol and stored in a crypted DB Table.

Before Uploading, it is mandatory for the User to accept a Disclaimer to avoid improper use of Analysis’ Results and Reports, and to confirm the User is fully authorized by the Customer and by the Vendor (the Firmware owner).

The Analysis Results will be available between 48 hours from the Upload.

Temporary files and intermediate data, generated during the analysis, even intercepted, do not permit to reverse engineering neither the Firmware Image, nor the Analysis’ Results. They will be securely removed on each Analysis’ step.

The Analysis’ Results and Reports won’t be shared to anyone else, further than authorized internal Users. They won’t be visible neither fully nor partially on the Internet, neither on Social Media, nor in Electronic nor in Paper publications.

Analysis’ Results and Reports will be stored in crypted DB Tables, even intercepted, it will be impossible to relate them to the original Firmware Image.

Not the Firmware Reviewer Cloud Service administrator can download Firmware Images, Results and Reports, without express, written, authorization by Customer.

Users, once the Reports has been downloaded, can decide to erase them or not. The same for Analysis’ Results.

DISCLAIMER: Firmware Reviewer never operates on physical devices. Security Reviewer declines all responsabilities derived by inappropriate use of Firmware Reviewer software.

COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.