Skip to content

AI supported firmware analysis

Michael Messner edited this page Jan 17, 2025 · 38 revisions

EMBA - The AI powered firmware security analyzer

Why not use AI for firmware analysis? This is the idea we had since the public release of OpenAI's GPT-3 and GPT-4 earlier this year.

We started testing OpenAI's ChatGPT for different possible usage scenarios like the integration of further CVE explanation:

image

Additionally, we thought about a quick lookup for potential exploit code or POC’s:

image

It can be seen that the available information is quite limited because of the limited dataset for these types of requests. As we have already integrated multiple exploit databases, we dropped this idea for now. Probably/Hopefully we will come back to this in the future.

After some poking with OpenAI’s ChatGPT via the Chat interface we decided to give it a try within EMBA. But, currently not for the explanation of CVE identifiers. During our testing we found out that GPT is quite good at highlighting possible weak spots in different scripting languages:

image

The main idea of the current GPT integration into EMBA is to use AI mechanisms to give the tester a better understanding of interesting areas inside the firmware. Where should he spend his time on manual investigation? To optimize the pentesters time, we already have a lot of different mechanisms integrated into EMBA. The AI integration is another valuable source of information for optimizing this task and pointing YOU to the next 0day vulnerability.

EMBA ChatGPT integration

The new Q02 quest-module provides a simple way of querying the OpenAI-API with custom questions and code snippeds. The following notes give you a short overview on how to start AI-assisted firmware analysis with EMBA

Configuration Step1 - Requires Payment Plan for OpenAI-API

Use the config/gpt_config.env.template file to generate the following config/gpt_config.env file:

  • OPENAI_API_KEY="sk-XXXXXXXXXXXXXXXXXXXX"
  • GPT_QUESTION="For the following code I need you to tell me how an attacker could exploit it and point out all vulnerabilities:"
  • MINIMUM_GPT_PRIO=3 -> The OPENAI_API_KEY variable has to be set to be able to make API calls, the other options are for tweaking results.

To generate an API key you need an OpenAI account and generate an API-key

Configuration Step2 (optional) - Requires Payment Plan for OpenAI-API (currently in alpha phase)

  1. export GPT_OPTION=2 will enable the Module to make unrestricted API-calls
  2. changing the template under config/gpt_template.json, for example doing:

"model": "gpt-4"

should enable gpt-4 functionality

Configuration Step3 - enabling the Q02-module

To enable the GPT integration in the next firmware analysis process you need to activate it via setting the GPT_OPTION variable export GPT_OPTION=<1/2>.

Note, that to do this you need to set it for the root user!

The preferred way for enabling GPT is to setup a GPT enabled scan-profile like the example profile scan-profiles/default-scan-gpt.emba. This profile is optimized for GPT enabled firmware analysis.

GPT during firmware analysis

During the next firmware scan the API key gets automatically tested and used from EMBA.

image

After the Q container is started it can be further monitored with docker ps and docker logs:

image

image

The monitoring should show the GPT requests and results during operation:

image

At the end of the firmware test, the finalyzer module F05 generates the relevant linking between the already available results and the GPT results:

image

The web report contains all the results that GPT provides to us:

image

FAQ

Q: Where do I get the needed API key?

Go to https://platform.openai.com/account/api-keys and generate one.


Q: Do I need to pay for the OpenAI account?

No, the default settings of EMBA are working quite good with the free account.

Update 2025: After our latest tests we realized that this feature is only working with throwing some money at OpenAI here


Q: Does the host system need Internet access to query OpenAI servers?

Yes, there is a second, purpose built docker container that needs Internet access.


Q: I'm always running into the "Rate limit handling". What can I do?

This issue is well known with the free OpenAI account. EMBA is trying to handle these issues as good as possible. The only real fix is a payed account.


Q: Is the complete firmware uploaded to OpenAI's ChatGPT?

No, only in case you enabled an AI-assisted scan of your firmware parts of your firmware (see also this question) are uploaded and analysed via OpenAI's GPT solution.


Q: What modules have currently AI-assisted support?

Currently the following modules have AI integration:

  • S20 - Shell analysis module
  • S21 - Python analysis module
  • S22 - PHP analysis module
  • S23 - Lua analysis module

In the future more modules will be enabled.


Q: I have further ideas for a better GPT integration. How can I contact you?

The easiest way is to open an issue here


Q: I found a bug. How can I contact you?

The easiest way is to open an issue here

Clone this wiki locally