Skip to content

System emulation

Michael Messner edited this page Jun 21, 2022 · 56 revisions

This page describes a future feature. You have found it, enjoy the preview of the system emulation feature of EMBA coming in July/August 2022.


With emulation it is possible to move the static only firmware analysis process to the next level. We call it hybrid firmware analysis.


EMBA is using emulation during firmware analysis now for a while. For example a technique called user-mode emulation is used to emulate applications from the tested firmware to gain new insights. This mechanism improves the version detection capabilities massively. This results in the best outcome in identification of known vulnerabilities, exploits and finally the real-world risk of a firmware. For further details take a look at the documentation here. But this technique has its limits and is currently only available for our so called 1-day vulnerability detection.

Beside user-mode emulation multiple projects (e.g., firmadyne and FirmAE) started using system emulation of firmware based on Qemu in an automated way and on a broad basis. Inspired by this paper, we started investigating into the new possibilities more in detail and finally decided to integrate basic system emulation mechanisms into EMBA. Starting with this pull request EMBA got an initial integration of the great firmadyne framework.
After a complete rework we published the new and improved system emulation modules in August 2022 with EMBA version 1.1.0 (Vegas Edt.). This release is based on the evolution of firmadyne called FirmAE. EMBAs system emulation is not a strict re-implementation of firmadyne or FirmAE, it is more the next generation of it. System emulation can now be used during firmware analysis with EMBA in a complete automated way.

Overview - some facts

  • System emulation is now used during automated firmware analysis
  • The system emulator is heavily based on firmadyne and FirmAE
  • As both projects are not actively maintained any more, we decided to completely reimplement them as EMBA modules
  • Automated testing of emulation and basic checks as additional testing modules are realized as L*-modules
  • Currently only MIPS and ARM architecture supported
  • Multiple improvements of emulation capabilities are already in place
  • There is a lot of room for future improvements (e.g., new kernels, more testing modules, ...)

Adopted EMBA architecture

The basic design principles of EMBA includes a highly modular and flexible architecture. Nevertheless, the new system emulation modules do not fit into the available module structure. With this in mind we created a new live tester module category (modules/L*).

image

This category includes all system emulation modules. These modules are executed after the usual EMBA standard checking modules (S*) and are able to use the results from the checking modules. Currently these modules are running in a non-threaded mode. Within this new category EMBA is doing the following tasks:

  • Architecture check to evaluate if an appropriate kernel is available
  • Iterate through the identified root filesystems
  • Create a filesystem for emulation (per root directory)
  • Decide which kernel should be used
  • Identify possible initial processes (init)
  • Identify and create service startup helpers
  • An emulation test run for identification of possible network settings
  • Setup networking
  • Run the firmware in an emulated environment
  • Do further analysis of the running system with tools like Nmap, Nikto, cutycapt, Arachni, testssl.sh

Benchmark

For our initial benchmark we used the dataset that was published by the authors of FirmAE (see here).

We tested this dataset with firmadyne (for verification), with FirmAE (for verification) and with the fresh implementation from EMBA. The firmadyne and FirmAE tests were confirmed. The EMBA tests were able to confirm a working re-implementation and additionally it was possible to confirm a significant improvement of the emulation results.

image

Improved areas

The following overview highlights areas where the reimplementation was optimized through EMBA:

  • EMBA module architecture: Not multiple scripts in different languages - see here
  • EMBA extractor: The EMBA extractor is more powerful compared to a binwalk-only approach

image

  • Multiple root directories: EMBA tests all identified root directories including all identified init scripts/binaries until an open TCP port is identified or EMBA is running out of possibilities

image

  • rdinit vs. init: If we identify a kernel panic we try the other mechanism

image

  • No preInit startup detection: If EMBA does not detect a preInit script startup it tries the other init mechanism
  • VLAN detection: Improved VLAN identification and configuration
  • New inferService script: Detects more services for startup support
  • Check online status: Improved running system and service detection

image

  • Default settings: Always test default settings if no running TCP port was identified (with the automatically identified settings)

image

  • Further analysis: Further analysis tasks are easy to implement with EMBA modules

image

  • Reporting: Final web reporter with improved log coloring

image

  • Qemu archive: EMBA creates a final archive with all needed components included (for later re-run of the emulation and further analysis)

image

Start a system emulation analysis

The following command shows a useful combination of EMBA parameters for initiating a system emulation analysis:

└─$ sudo ./emba.sh -f ~/firmware.bin -l ~/emba_logs -s -z -t -W -m S24 -m S25 -Q
  • -Q: Enable system emulation modules
  • -m S24 -m S25: Uses the kernel modules from the analyzers. The results are improving the system emulation
  • -W: Enable web report (not mandatory)
  • -s -z -t: Improve output of paths in log, colorize log, threading (all not mandatory, but recommended)

Additionally, there is a scan profile available for enabling system emulation on a default scan:

└─$ sudo ./emba.sh -f  ~/firmware.bin -l ~/emba_logs -p ./scan-profiles/default-scan-emulation.emba 

Further areas of upcoming improvements

  • Code and modules cleanup: The current code is fully working but needs further cleanup
  • Further Kernels: Porting the instrumented kernel and needed pre-compiled binaries and libraries to more architectures (x86, PPC, x64, ...)
  • More check modules: Implement more analysis modules
  • Arachni docker support: Get Arachni working in our read-only docker setup

Ack and contribution

Please check out the great work from the original authors of firmadyne here. Also check out the massive improvements of firmadyne by the FirmAE authors here.
We can't thank those people enough for their inspiring work and hope we can carry on the torch with EMBA and if you want to help us in improving this new feature, then think about what is still missing and implement it. We are waiting for your contributions or your inspiring ideas and valuable bug reports.