Leveraging Automated Firmware Analysis with the Open-Source Firmware Analyzer EMBA

EMBA Firmware Analyzer
Jul 17, 2024

The Internet of Things (IoT) ecosystem, as well as critical infrastructure, represents a rapidly growing technology field that connects billions of devices worldwide. The operating system of these devices is usually called firmware: the foundational software that controls their functionality. The firmware may be some kind of real-time operating system, it may be Linux based, or in very rare cases it may even be a Windows operating system. Ensuring the security and integrity of firmware is crucial to prevent malicious attacks and unauthorized access. Automated firmware analysis is a key technique for enhancing the security of these devices, with tools like EMBA (Embedded Analyzer) providing a flexible and powerful open-source solution for firmware security scanning.

Automated Firmware Analysis

The operating system (firmware) of critical products is a valuable target for attackers due to its low-level control over the main device functionality. Exploiting firmware vulnerabilities allows attackers to gain control over a device, enabling them to steal sensitive information, disrupt its operation or use the compromised device for further escalation via lateral movement.

Automated firmware analysis is a technique used to evaluate firmware for potential vulnerabilities and security threats. This process involves extracting and decompiling the firmware, analyzing its components, building the SBOM and identifying potential security risks via available exploits. Usually this process is completely automated, which makes it faster than manual analysis. Nevertheless, this automated process is only one piece of the puzzle on the way to a secure device. Besides addressing basic security hygiene with automated tools, manual penetration tests are essential to ensure that more complex vulnerabilities are also identified. Besides EMBA, other open-source projects and commercial products, such as Binwalk, the Firmware Analysis Toolkit (FAT) and the Centrifuge Platform, provide similar capabilities, each with its own strengths and weaknesses.

Leveraging EMBA in Firmware Analysis

EMBA’s comprehensive, automated, and flexible approach makes it a highly effective tool. By utilizing EMBA, organizations can significantly enhance their product security, protect sensitive assets, and ensure the reliable operation of their critical devices.

EMBA’s deep analysis feature allows the identification of a wide range of potential vulnerabilities. By analyzing binary and file components and refining the list of identified kernel vulnerabilities, EMBA can detect even subtle security risks. Besides the identification of already known vulnerabilities, EMBA includes an in-depth analysis engine for currently unknown vulnerabilities. This ensures that potential threats are identified and addressed before they can be exploited.

EMBA’s automation capabilities also make it a highly efficient framework for firmware analysis. By automating the testing process, EMBA can analyze large amounts of firmware data, greatly reducing the time and resources required for manual firmware analysis.

The modular design and open-source approach of EMBA enables users and security teams to tailor the analysis process to their specific needs. This flexibility allows organizations to focus their resources on the most relevant areas, increasing the effectiveness of their firmware analysis efforts.

As an open-source tool, EMBA can be adapted and customized to meet an organization’s unique requirements. This means that organizations are not limited by the tool’s initial capabilities and can modify it to suit their specific needs.

Core EMBA features in detail

The following paragraphs highlight several of the main EMBA features in more detail.

SBOM — Software Composition Analysis — Supply chain threats

SBOM has been one of the buzzwords in product security for the last couple of years. As regulations require vendors to maintain and provide SBOMs for their products, it will stay a top priority in the future. While most testing products on the market build such an SBOM from source code, EMBA is able to rebuild it from the final binary firmware. Besides rebuilding the plain SBOM including CVE details, EMBA can further match the identified vulnerabilities against multiple exploit databases. Ground-breaking features like this integration of exploit databases allow a better understanding of the real-world threats to the analyzed firmware.

[Screenshot: EMBA — Identified firmware components]

0day detection / unknown vulnerabilities

During the firmware development process, as well as in the field of penetration testing, the detection of currently unknown vulnerabilities is essential. The rule of thumb “the earlier in the development process a currently unknown threat is identified, the cheaper the fix will be” results in the need for automated security testing during the complete product life cycle. EMBA supports detailed 0day detection in multiple scripting languages like PHP, Python or Lua. Besides static analysis of such scripts, EMBA introduces a multistage analysis approach for compiled binaries. This process starts with simple tests for binary protection mechanisms or the usage of legacy C functions and moves on to further in-depth analysis mechanisms.

[Screenshot: EMBA — Binary protection mechanisms]
[Screenshot: EMBA — Deprecated binary functions]
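
As an added example (not EMBA's own code), the following Python script shows what the first stage of such a binary analysis checks in practice: it parses an ELF64 header and its program headers to report NX, PIE and RELRO, and looks for the stack-canary symbol and legacy libc functions in the binary's string tables. The sample ELF is a constructed skeleton, and the string search is a simplification of what readelf/objdump-based tooling does.

```python
import struct

# Checksec-style first pass over an ELF64 file (added example, not EMBA's code).
PT_GNU_STACK = 0x6474E551  # program header recording the stack permissions
PT_GNU_RELRO = 0x6474E552  # program header marking the read-only-after-relocation region
PF_X = 0x1                 # segment flag: executable
ET_DYN = 3                 # e_type of shared objects and PIE executables
# libc functions a first static pass typically flags as legacy / unsafe
LEGACY_FUNCS = (b"gets", b"strcpy", b"strcat", b"sprintf", b"scanf")


def inspect_elf64(data: bytes) -> dict:
    """Report NX, PIE, RELRO, stack canary and legacy libc imports of an ELF64 file."""
    if data[:4] != b"\x7fELF" or data[4] != 2:        # EI_CLASS 2 == 64-bit
        raise ValueError("not an ELF64 file")
    fmt = "<" if data[5] == 1 else ">"                  # EI_DATA 1 == little endian
    # Elf64_Ehdr fields after e_ident: e_type, e_machine, e_version, e_entry,
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        fmt + "HHIQQQIHHH", data, 16)
    nx, relro = False, False   # a missing PT_GNU_STACK header means an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(fmt + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # Symbol names live as null-terminated entries in the string tables, so a
    # complete "\0name\0" match avoids hits on e.g. "fgets" when looking for "gets".
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,
        "relro": relro,
        "canary": b"\x00__stack_chk_fail\x00" in data,
        "legacy_functions": sorted(f.decode() for f in LEGACY_FUNCS
                                   if b"\x00" + f + b"\x00" in data),
    }


def build_sample_elf(exec_stack: bool = False) -> bytes:
    """Constructed ELF64 skeleton (not a loadable binary): header, two phdrs, fake strtab."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)          # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHH", ET_DYN, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2)
    ehdr += struct.pack("<HHH", 64, 0, 0)                          # e_shentsize, e_shnum, e_shstrndx
    stack_flags = 0x6 | (PF_X if exec_stack else 0)                # RW stack, optionally +X
    phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1)
    strtab = b"\x00libc.so.6\x00strcpy\x00__stack_chk_fail\x00fgets\x00"
    return ehdr + phdrs + strtab
```

Running `inspect_elf64(build_sample_elf())` reports a PIE with NX, RELRO and a canary that still imports `strcpy`; on a real firmware binary, `open(path, "rb").read()` replaces the constructed sample.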

EMBA’s binary analysis engine fully automatically runs multiple reverse engineering frameworks like Radare2 and Ghidra, as well as the well-established SAST (Static Application Security Testing) framework Semgrep, on the most critical binary files.

[Screenshot: EMBA — Enhanced binary analysis]

The final report highlights suspicious areas including access to the decompiled source code for further manual analysis.

Integrated web reporting engine

Besides the text-based default logging, EMBA can automatically generate CSV logs and a final HTML report. This report allows easy navigation through the comprehensive results.

[Screenshot: EMBA — Web report]

EMBArk — The centrally managed multiuser collaboration environment

Besides the main firmware analyzer EMBA, there is another open-source project called EMBArk in the EMBA universe. With EMBArk it is possible to centralize the complete firmware analysis process: uploading firmware, testing multiple firmware images at the same time, and accessing the final results easily through the web browser. Especially for small to medium-sized teams, this system massively enhances the firmware testing process. The following screenshots give some insight into the firmware analysis dashboards:

[Screenshot: EMBArk dashboard]
[Screenshot: EMBArk — Report dashboard]

Conclusion

In the ever-evolving field of product security, maintaining the security of firmware is a critical task. Automated firmware analysis tools like EMBA provide an effective and efficient way to identify and address potential vulnerabilities, ensuring the security and reliability of critical devices. By leveraging EMBA’s open-source character, comprehensive analysis, automation and flexibility, organizations can significantly enhance their firmware security, protect sensitive information, and ensure the optimal operation of their critical infrastructure. As EMBA is optimized for running automatically in the background, it is ideal for introduction into the internal build/development environment. Additionally, EMBA is the must-have tool to establish as a quality gate, ensuring that the security of the third-party components in use is sufficient.

For further details, check the public EMBA GitHub project website.
