Christopher Krah & Johannes vom Dorp

Talk Title:

Firmware Security Village

Abstract:

The firmware security village is a more in-depth spin-off of the *Enter FACT* workshop held in 2019.

The village format allows more time to be spent on the offered challenges and more direct interaction with the speakers, giving a better understanding of both the capabilities of the tools used and the important analysis targets.

The village will offer multiple challenges, targeting different use cases of firmware analysis, including but not limited to:

  • Security auditing
  • Penetration testing
  • Security research

To allow both broad and deep insights into analyzing firmware, we have designed a number of CTF challenges that can be done on site using a local setup of the FACT firmware analysis tool and live devices that will be on site and accessible through network infrastructure provided at the village.

Using an analysis demonstration instead of a classic slide-based presentation offers extensive insight into the firmware analysis workflow so that newbies can get an introduction to the topic.

Thus, a participant can observe the application of FACT first hand. More experienced participants can jump directly into the challenges. Assistance is provided throughout the duration of the village.

Technical topics covered by the challenges include:

  • Identification of software components:
    One of the easiest ways of identifying security issues is to match the software components in use against vulnerability databases. Component identification also reveals hidden functionality in firmware and forgotten debug features.
  • Searching hard coded credentials:
    On embedded Linux firmware, credentials are typically searched for in /etc/shadow. While this alone can already succeed, a deeper look at the scripts and configuration files present can offer even easier paths to credentials, some of which may even be stored in clear text.
  • Identification of bug fixes:
    By comparing firmware versions, we can identify changes and map them against the official change logs provided by the vendor. While most bugs are indeed fixed as stated, some fixes are obscure and merely shift the issue elsewhere.
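The credential-search challenge above, as an added example in Python (not FACT's own code): it classifies /etc/shadow entries by lock state or hash type and scans shell scripts and configuration files for clear-text credential assignments, run over a constructed sample firmware tree. The file names, key-name patterns and hash values are assumptions made for this example.

```python
import re, tempfile
from pathlib import Path

# crypt(3) hash-id prefixes seen in /etc/shadow on embedded Linux.
SHADOW_ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
# KEY=value / KEY="value" lines in scripts or configs whose key name hints at a credential.
CLEARTEXT_RE = re.compile(r"^\s*(?:export\s+)?(\w*(?:pass|pwd|psk|secret|token)\w*)\s*=\s*['\"]?([^'\"\s#]+)",
                          re.IGNORECASE | re.MULTILINE)

def classify_shadow_line(line):
    """Return (user, verdict) for one /etc/shadow record, or None if malformed."""
    if ":" not in line:
        return None
    user, pw = line.split(":")[:2]
    if pw == "":
        return user, "empty password"          # login possible without any password
    if pw.startswith(("!", "*")):
        return user, "locked"                  # no usable hash: not a finding
    if pw.startswith("$"):
        algo = pw.split("$")[1]
        return user, "hashed (%s)" % SHADOW_ALGOS.get(algo, "id " + algo)
    return user, "hashed (legacy DES crypt)"   # 13-character traditional crypt

def audit_firmware_root(root):
    """Walk an extracted firmware root; return (path, name, verdict) findings."""
    root, findings = Path(root), []
    shadow = root / "etc" / "shadow"
    if shadow.is_file():
        for line in shadow.read_text().splitlines():
            res = classify_shadow_line(line)
            if res and res[1] != "locked":
                findings.append(("etc/shadow", res[0], res[1]))
    for path in root.rglob("*"):               # scripts and configs only; skip binaries
        if path.is_file() and path.suffix in {".sh", ".conf", ".cfg", ".ini"}:
            for m in CLEARTEXT_RE.finditer(path.read_text(errors="replace")):
                findings.append((path.relative_to(root).as_posix(), m.group(1), "clear-text value"))
    return findings

def build_sample_tree():
    """Constructed sample firmware root for this example (not taken from any real device)."""
    root = Path(tempfile.mkdtemp(prefix="fw_"))
    (root / "etc" / "init.d").mkdir(parents=True)
    (root / "etc" / "shadow").write_text(
        "root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:18000:0:99999:7:::\n"
        "daemon:*:18000:0:99999:7:::\nadmin::18000:0:99999:7:::\n"
        "support:$1$xyz$0123456789abcdefghij:18000:0:99999:7:::\n")
    (root / "etc" / "init.d" / "cloud.sh").write_text(
        '#!/bin/sh\n# constructed sample init script\nCLOUD_PASSWORD="s3cret"\nexec /usr/bin/agent\n')
    (root / "etc" / "wifi.conf").write_text('ssid=lab\nkey_mgmt=WPA-PSK\npsk="changeme"\n')
    return root
```

Calling `audit_firmware_root(build_sample_tree())` on the constructed tree reports the empty `admin` account, the hashed `root` and `support` entries, and the two clear-text values, while the locked `daemon` account and the harmless `key_mgmt` line are not flagged.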

Most of the analysis steps are automated by FACT, so the focus of the challenges is on learning how to find information rather than how to generate it. This gives a better understanding of how to reproduce a given analysis in another environment than, e.g., an isolated manual analysis would. That said, some steps, including pattern matching and cross-referencing, are done manually, to also give an understanding of which manual steps of a firmware analysis can be automated for quicker results.

Another focus of the village will be on different ways of finding and aggregating information. Building up a firmware database offers a number of possibilities for research, auditing and other firmware-related tasks. Besides aggregating data over simple keys like vendor or device class, we show how to cluster firmware based on analysis results such as included software or known vulnerabilities (e.g. Heartbleed). We also show how a newly discovered design flaw or vulnerability can quickly be rediscovered in other firmware by applying pattern matching to the database.

If participants are interested in customizing their analysis setup, it will also be possible to integrate simple analysis features into FACT on site and observe the resulting automation of the new analysis.

Bio:

Christopher Krah is a researcher at Fraunhofer FKIE and a member of its software and firmware security group. His research focus includes vulnerability hunting and firmware security.

He has contributed to FACT since being a student assistant in 2017.

Johannes vom Dorp is a researcher at Fraunhofer FKIE and currently head of its software and firmware security group. He works on security analysis, focusing on firmware and hardware security. He has been a core developer of FACT since its inception in 2015.