Firmware Security Village
The Firmware Security Village (originally a spin-off of the *Enter FACT* Workshop held at hardwear.io 2019) offers a CTF-style experience in a firmware-related setting based on real firmware samples.
The village will offer multiple challenges, targeting different use cases of firmware analysis, including but not limited to:
To allow both broad and deep insights into analyzing firmware, we have designed a number of CTF challenges that can be done on-site using a local setup of the FACT firmware analysis tool and live devices that will be on-site and accessible through network infrastructure provided at the village.
Instead of a classic slide-based presentation, the village uses a live analysis demonstration, which gives newcomers an introduction to the firmware analysis workflow and lets participants observe the application of FACT firsthand.
More experienced participants can jump directly into the challenges. Assistance is provided throughout the duration of the village. Some of the technical topics covered by the challenges are:
Identification of software components:
One of the quickest ways of identifying security issues is to determine which software components, in which versions, a firmware image contains and to match them against vulnerability databases. Such a component inventory also reveals hidden functionality and forgotten debug features in the firmware.
Searching hard-coded credentials:
On embedded Linux firmware, the first place to look for credentials is usually /etc/shadow (or /etc/passwd on older systems that do not use shadow passwords). Cracking the hashes found there can already lead to success, but a closer look at the shell scripts and configuration files in the image often offers even easier paths to credentials, some of which are stored in clear text.
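The credential search described above, as an added Python example (this is not FACT's code; the mini root filesystem, its users, hashes, hosts and secrets are constructed for illustration): it classifies the password fields of /etc/passwd and /etc/shadow, flags empty and locked-but-still-hashed accounts, and then scans the remaining text files for the clear-text patterns that scripts and configuration files typically leak.

```python
"""Hunt for credentials in an extracted embedded Linux root filesystem.

Added example (not FACT code). The sample root filesystem built below is
constructed for illustration; users, hashes, hosts and secrets are fictional.
"""
import re
import tempfile
from pathlib import Path

# crypt(3) prefixes as found in the password field of /etc/shadow or /etc/passwd.
HASH_SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
                "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

# Heuristic patterns for clear-text secrets in shell scripts and config files.
CLEARTEXT_PATTERNS = [
    # KEY=value style: PASSWORD=..., api_key: ..., secret = "..."
    re.compile(r"(?i)\b(pass(word)?|pwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?[^\s'\"#]+"),
    # curl/wget invocations that pass credentials on the command line
    re.compile(r"(?i)\b(curl|wget)\b.*?(--user|-u|--password|--http-password)[= ]\S+"),
    # user:password@host embedded in a URL
    re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
    # OpenWrt/UCI style: option key 'secret'
    re.compile(r"(?i)\boption\s+(key|password|passwd)\s+'[^']+'"),
]

def classify_password_field(field):
    """Classify the password field of a passwd/shadow line; None if the hash lives elsewhere."""
    if field == "":
        return "empty password"          # login without any password
    if field == "x":
        return None                      # real hash is in /etc/shadow
    locked = field.startswith(("!", "*"))
    hash_part = field.lstrip("!*")
    if not hash_part:
        return "locked"
    scheme = next((n for p, n in HASH_SCHEMES.items() if hash_part.startswith(p)), None)
    if scheme is None:
        scheme = "DES crypt" if len(hash_part) == 13 else "unknown scheme"
    # A '!'-locked account still leaks a crackable hash and may be re-enabled later.
    return f"locked (hash still present: {scheme})" if locked else f"hash: {scheme}"

def is_text_file(path, probe=1024):
    with path.open("rb") as fh:
        return b"\0" not in fh.read(probe)

def find_credentials(rootfs):
    """Return {'accounts': [(file, user, status)], 'cleartext': [(file, lineno, line)]}."""
    rootfs = Path(rootfs)
    accounts, cleartext = [], []
    for name in ("etc/passwd", "etc/shadow"):
        path = rootfs / name
        if not path.is_file():
            continue
        for line in path.read_text(errors="replace").splitlines():
            fields = line.split(":")
            if len(fields) < 2:
                continue
            status = classify_password_field(fields[1])
            if status is not None:
                accounts.append((name, fields[0], status))
    for path in rootfs.rglob("*"):
        rel = path.relative_to(rootfs).as_posix()
        if not path.is_file() or rel in ("etc/passwd", "etc/shadow") or not is_text_file(path):
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), start=1):
            if any(p.search(line) for p in CLEARTEXT_PATTERNS):
                cleartext.append((rel, lineno, line.strip()))
    return {"accounts": accounts, "cleartext": sorted(cleartext)}

def build_sample_rootfs():
    """Write a constructed mini root filesystem to a temp dir and return its path."""
    sample = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"
                      "admin:Ab1cdefghijkl:0:0::/:/bin/sh\n"        # 13-char DES hash
                      "guest::100:100::/tmp:/bin/sh\n",              # no password at all
        "etc/shadow": "root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:17000:0:99999:7:::\n"
                      "support:!$1$saltsalt$FAKEHASHFAKEHASH:17000:0:99999:7:::\n"
                      "nobody:*:17000:0:99999:7:::\n",
        "etc/init.d/S99cloud": "#!/bin/sh\n"
                               "# constructed sample: uploads diagnostics at boot\n"
                               "API_KEY=example-key-0000\n"
                               "curl -u device:s3cr3t -H \"X-Key: $API_KEY\" https://logs.example.net/upload\n"
                               "wget -q ftp://updater:Upd4te@fw.example.net/latest.bin -O /tmp/fw.bin\n",
        "etc/config/wireless": "config wifi-iface\n\toption ssid 'HomeNet'\n\toption key 'WiFiPassword1'\n",
        "usr/bin/httpd": b"\x7fELF\x01\x01\x01" + bytes(9) + b"password=in-binary-skipped\0",
    }
    root = Path(tempfile.mkdtemp(prefix="rootfs_"))
    for rel, content in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content if isinstance(content, bytes) else content.encode())
    return root

if __name__ == "__main__":
    result = find_credentials(build_sample_rootfs())
    for entry in result["accounts"] + result["cleartext"]:
        print(*entry, sep="  ")
```

Point find_credentials() at the root of any extracted image. The patterns are deliberately loose: their job is to produce a short list of lines worth reading, not a verdict, and the hash classification only tells you which cracker mode applies, not whether the password is weak. Binaries are skipped here; strings from them are the domain of the component identification challenge.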
Identification of bug fixes:
By comparing two firmware versions, we can identify what actually changed and map the changes against the official change log provided by the vendor. While most bugs are indeed fixed as stated, some fixes are obscure, incomplete, or merely shift the issue to another place, which only a comparison of the actual files reveals.
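How such a version comparison can be done outside FACT, as an added Python example (not FACT's code; both firmware trees, the change between them and the 'fix' are constructed for illustration and describe no real product or change log): files are classified as added, removed or changed by hash, each changed text file is shown as a unified diff for mapping against the change log, and a pattern search over the new image answers the question the diff raises, namely whether the construct the fix guarded in one file is still present untouched in another.

```python
"""Compare two extracted firmware versions file by file and inspect the changes.

Added example (not FACT code). Both sample trees, the 'fix' in them and the
differences between them are constructed for illustration and do not
correspond to a real product or change log.
"""
import difflib
import hashlib
import re
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map relative path -> SHA-256 of every regular file below root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(old_root, new_root):
    """Classify files as added, removed, changed or unchanged between two images."""
    old, new = file_hashes(old_root), file_hashes(new_root)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in common if old[p] != new[p]),
        "unchanged": sorted(p for p in common if old[p] == new[p]),
    }

def text_diff(old_root, new_root, relpath):
    """Unified diff of one changed text file, to map against the vendor's change log."""
    old = (Path(old_root) / relpath).read_text(errors="replace").splitlines(keepends=True)
    new = (Path(new_root) / relpath).read_text(errors="replace").splitlines(keepends=True)
    return "".join(difflib.unified_diff(old, new, fromfile=f"old/{relpath}", tofile=f"new/{relpath}"))

def find_pattern(root, regex):
    """Relative paths of text files below root whose content matches regex.

    Answers the follow-up question a diff raises: does the construct the fix
    guarded in one file still exist untouched somewhere else in the new image?
    """
    root, pattern = Path(root), re.compile(regex)
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            if b"\0" not in data and pattern.search(data.decode(errors="replace")):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def build_sample_versions():
    """Write two constructed firmware trees (1.0.3 and 1.0.4) and return their paths."""
    diag_v1 = '#!/bin/sh\nHOST="${QUERY_STRING#host=}"\neval "ping -c 3 $HOST"\n'
    diag_v2 = ('#!/bin/sh\nHOST="${QUERY_STRING#host=}"\n'
               "HOST=$(printf '%s' \"$HOST\" | tr -cd '0-9.')\n"    # the line the fix adds
               'eval "ping -c 3 $HOST"\n')
    trace = '#!/bin/sh\nHOST="${QUERY_STRING#host=}"\neval "traceroute $HOST"\n'  # same construct, untouched
    elf = b"\x7fELF" + bytes(28)
    v1 = {"etc/version": "1.0.3\n", "etc/init.d/S50telnet": "#!/bin/sh\ntelnetd &\n",
          "www/cgi-bin/diag.sh": diag_v1, "www/cgi-bin/trace.sh": trace, "lib/libc.so.0": elf}
    v2 = {"etc/version": "1.0.4\n", "www/cgi-bin/diag.sh": diag_v2, "www/cgi-bin/trace.sh": trace,
          "lib/libc.so.0": elf, "usr/lib/libcurl.so.4": elf + b"\x01"}
    roots = []
    for tree in (v1, v2):
        root = Path(tempfile.mkdtemp(prefix="fw_"))
        for rel, content in tree.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content if isinstance(content, bytes) else content.encode())
        roots.append(root)
    return tuple(roots)

if __name__ == "__main__":
    old, new = build_sample_versions()
    report = compare_trees(old, new)
    for kind in ("added", "removed", "changed"):
        print(kind, report[kind])
    for path in report["changed"]:
        print(text_diff(old, new, path))
    print('files still using eval "...":', find_pattern(new, r'\beval\s+"'))
```

Hashing whole files keeps the comparison cheap enough to run across every pair of consecutive releases; the unified diff is only produced for the handful of changed text files. For changed binaries the same workflow continues with a binary diffing tool, which is out of scope here.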
Most of the analysis steps are automated by FACT, so the challenges focus on learning how to find information in the results rather than on generating it. This also conveys how a given analysis can be reproduced in another environment, which an isolated manual analysis would not.
That said, some steps, including pattern matching and cross-referencing, are done manually so that participants also get an understanding of which manual steps of a firmware analysis can be automated to obtain results more quickly.
Another focus of the village is on different ways of finding and aggregating information. Accumulating a firmware database opens up a number of possibilities for research, auditing, and other firmware-related tasks.
Besides aggregating data over simple keys such as vendor or device class, we show how to cluster firmware based on analysis results such as included software or known vulnerabilities (e.g. Heartbleed).
We also show how a newly discovered design flaw or vulnerability can quickly be found again in other firmware images by applying pattern matching to the database. Participants interested in customizing their analysis setup can also integrate simple analysis features into FACT on-site and observe how the new analysis is then run automatically.
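Component identification (the first challenge topic above), clustering firmware by included software or known vulnerability, and rediscovering a finding across a firmware database, as one added Python example (not FACT's code). The version banners and firmware names in the sample database are constructed, though the banner formats are those the named projects embed in their binaries; the single vulnerability entry is real: CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f.

```python
"""Identify software components in firmware, match them against known
vulnerabilities, and query a whole firmware database for the same finding.

Added example (not FACT code). The 'database' below is a constructed set of
version banners, as the strings extracted from a few images might look; the
firmware names are fictional. The single vulnerability entry is real:
CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f inclusive.
"""
import re

# Version banners as the named projects embed them verbatim in their binaries.
SIGNATURES = {
    "OpenSSL": re.compile(r"\bOpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "BusyBox": re.compile(r"\bBusyBox v(\d+\.\d+\.\d+)"),
    "Dropbear": re.compile(r"\bdropbear_(\d{4}\.\d+)"),
    "Linux": re.compile(r"\bLinux version (\d+\.\d+\.\d+)"),
}

# (component, identifier, first affected version, last affected version), inclusive.
VULNERABILITIES = [
    ("OpenSSL", "CVE-2014-0160 (Heartbleed)", "1.0.1", "1.0.1f"),
]

def version_key(version):
    """Sortable key: '1.0.1e' -> (1, 0, 1, 0, 'e'), '1.20.2' -> (1, 20, 2, 0, '')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")] + [0] * 4
    return tuple(nums[:4]) + (m.group(2),)

def identify_components(strings):
    """{component: {versions}} from the strings extracted from one image."""
    found = {}
    for s in strings:
        for component, pattern in SIGNATURES.items():
            m = pattern.search(s)
            if m:
                found.setdefault(component, set()).add(m.group(1))
    return found

def match_vulnerabilities(components):
    """[(component, version, identifier)] for every version inside an affected range."""
    hits = []
    for component, ident, first, last in VULNERABILITIES:
        for version in components.get(component, ()):
            if version_key(first) <= version_key(version) <= version_key(last):
                hits.append((component, version, ident))
    return sorted(hits)

def analyse_database(database):
    """Run both analyses over {firmware_id: [strings]}."""
    results = {}
    for fw_id, strings in database.items():
        comps = identify_components(strings)
        results[fw_id] = {"components": comps, "vulnerabilities": match_vulnerabilities(comps)}
    return results

def cluster_by_component(results):
    """{'OpenSSL 1.0.1e': {firmware ids}, ...}: images that ship the same exact build."""
    clusters = {}
    for fw_id, r in results.items():
        for component, versions in r["components"].items():
            for v in versions:
                clusters.setdefault(f"{component} {v}", set()).add(fw_id)
    return clusters

def cluster_by_vulnerability(results):
    """{identifier: {firmware ids}}: every image affected by the same known issue."""
    clusters = {}
    for fw_id, r in results.items():
        for _, _, ident in r["vulnerabilities"]:
            clusters.setdefault(ident, set()).add(fw_id)
    return clusters

def search_database(database, regex):
    """Rediscover a new finding elsewhere: ids of all images whose strings match regex."""
    pattern = re.compile(regex)
    return sorted(fw for fw, strings in database.items() if any(pattern.search(s) for s in strings))

# Constructed sample database: a few version banners per fictional image.
FIRMWARE_DATABASE = {
    "vendorA_router_1.2": ["BusyBox v1.20.2 (2013-05-01 12:00:00 UTC) multi-call binary.",
                           "OpenSSL 1.0.1e 11 Feb 2013", "dropbear_2012.55", "Linux version 2.6.36"],
    "vendorA_router_1.3": ["BusyBox v1.20.2 (2014-06-01 12:00:00 UTC) multi-call binary.",
                           "OpenSSL 1.0.1g 7 Apr 2014", "dropbear_2012.55", "Linux version 2.6.36"],
    "vendorB_camera_4.0": ["BusyBox v1.22.1 (2014-03-01 12:00:00 UTC) multi-call binary.",
                           "OpenSSL 1.0.1f 6 Jan 2014", "dropbear_2014.63", "Linux version 3.4.35"],
    "vendorC_nas_2.1": ["BusyBox v1.19.4 (2012-04-01 12:00:00 UTC) multi-call binary.",
                        "OpenSSL 0.9.8y 5 Feb 2013", "Linux version 2.6.32"],
}

if __name__ == "__main__":
    results = analyse_database(FIRMWARE_DATABASE)
    for fw_id, r in results.items():
        print(fw_id, sorted(r["components"]), r["vulnerabilities"])
    print(cluster_by_vulnerability(results))
    print(search_database(FIRMWARE_DATABASE, r"dropbear_2012\.55"))
```

The version comparison deliberately treats the trailing letter separately from the dotted numbers, because OpenSSL's 1.0.1 < 1.0.1a < ... < 1.0.1f ordering is what decides whether an image is affected. Once the per-image results are stored, cluster_by_vulnerability() gives the list of images to re-test after a new advisory, and search_database() turns any new string-level indicator into a database-wide query without re-extracting anything.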
Jörg Stucke is a researcher at Fraunhofer FKIE and part of the Software and Firmware Security research group. He has been a core developer of FACT since its inception in 2015.
Johannes vom Dorp is a researcher at Fraunhofer FKIE and currently head of its Software and Firmware Security research group. He works on security analysis, focusing on firmware and hardware security, and has been a core developer of FACT since its inception in 2015.