Embedded Linux Firmware Simulation and Security Analysis with Firmadyne

Firmadyne is an open-source framework for automated security analysis of embedded Linux systems, developed by Daming D. Chen at Carnegie Mellon University. It supports batch analysis and covers the whole pipeline: firmware crawling, root filesystem extraction, emulation under QEMU, and vulnerability discovery. The source can be downloaded from GitHub: https://github.com/firmadyne/firmadyne

The framework is shown in the figure below:

Firmadyne Simulation Execution Framework Diagram

I. Installation Process of the System:

The following steps were carried out in an Ubuntu 14.04 environment:

1. Install necessary third-party libraries:

sudo apt-get install busybox-static fakeroot git kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan

2. Download the entire system source code:

git clone --recursive https://github.com/firmadyne/firmadyne.git

3. Download and install binwalk, jefferson, and sasquatch. These tools are used to extract the filesystem from the firmware.

git clone https://github.com/devttys0/binwalk.git

sudo ./binwalk/deps.sh

sudo python ./binwalk/setup.py install

For Python 2.x, also install the lzma module: sudo apt-get install python-lzma

sudo -H pip install git+https://github.com/ahupp/python-magic

Install jefferson.

Optionally, the Firmadyne fork of sasquatch can be used instead of upstream sasquatch; it makes extraction errors fatal, which prevents false positives.

4. Install the database system, which is necessary for batch detection:

sudo apt-get install postgresql

sudo -u postgres createuser -P firmadyne (enter firmadyne when prompted for the password)

sudo -u postgres createdb -O firmadyne firmware

sudo -u postgres psql -d firmware < ./firmadyne/database/schema

5. Download the pre-compiled binaries: the cross-compilation toolchain, console, libnvram, etc. These can also be built from source yourself.

cd ./firmadyne; ./download.sh

6. Install QEMU; the distribution's packaged QEMU can be used directly:

sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils

II. Usage of the System:

1. Set FIRMWARE_DIR in firmadyne.config to the Firmadyne root directory;

2. Download the firmware (using the Netgear WNAP320 as an example):

wget http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip

3. Extract the firmware

./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images

4. Get the architecture

./scripts/getArch.sh ./images/1.tar.gz

5. Store in the database

./scripts/tar2db.py -i 1 -f ./images/1.tar.gz

6. Create the qemu image

sudo ./scripts/makeImage.sh 1

7. Infer the network configuration for the emulation. This step often fails to generate run.sh, largely because the expected configuration cannot be found in nvram; in that case run.sh can be written manually.

./scripts/inferNetwork.sh 1

8. Run the simulation

./scratch/1/run.sh

9. Vulnerability discovery and security analysis. At this point the emulated firmware behaves like a real device, so it can be tested black-box. The emulation's serial output is written to:

./scratch/1/qemu.final.serial.log

./analyses/snmpwalk.sh 192.168.0.100

./analyses/webAccess.py 1 192.168.0.100 log.txt

mkdir exploits; ./analyses/runExploits.py -t 192.168.0.100 -o exploits/exploit -e x (requires Metasploit Framework)

sudo nmap -O -sV 192.168.0.100

10. Access the firmware’s console:

./scripts/run-debug.sh 1

nc -U /tmp/qemu.1.S1
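As an added example (not code from this post or from the Firmadyne project), the following script chains steps 3 to 8 above for one firmware archive and checks each stage's artifact before moving on, so that the inferNetwork failure described in step 7 is reported with a pointer to the serial log instead of a missing run.sh. It assumes FIRMADYNE_ROOT (or the current directory) is the Firmadyne checkout, that the image ID assigned by the extractor is passed in, and that makeImage.sh writes scratch/<id>/image.raw and inferNetwork.sh writes scratch/<id>/qemu.initial.serial.log, as in the upstream scripts.

```shell
#!/bin/bash
# Added example, not from the post or the Firmadyne project: runs the
# section II pipeline for one firmware file, stopping at the first stage
# whose expected artifact is missing. Paths under scratch/ are assumed
# from the upstream scripts.
set -u

# Pure check with no side effects: does the artifact that STAGE should have
# produced for image IID exist under ROOT? 0 = yes, 1 = no, 2 = bad stage.
fd_stage_ok() {
  local root="$1" stage="$2" iid="$3"
  case "$stage" in
    extract) [ -f "$root/images/$iid.tar.gz" ] ;;      # step 3
    image)   [ -f "$root/scratch/$iid/image.raw" ] ;;  # step 6
    network) [ -x "$root/scratch/$iid/run.sh" ] ;;     # step 7
    *)       return 2 ;;
  esac
}

# Steps 3 to 8 for one archive.  usage: fd_emulate <firmware.zip> <id> <brand>
fd_emulate() {
  local fw="$1" iid="$2" brand="$3"
  (
    cd "${FIRMADYNE_ROOT:-.}" || exit 1
    ./sources/extractor/extractor.py -b "$brand" -sql 127.0.0.1 -np -nk "$fw" images
    fd_stage_ok . extract "$iid" ||
      { echo "no images/$iid.tar.gz: extractor found no root filesystem" >&2; exit 1; }
    ./scripts/getArch.sh "./images/$iid.tar.gz"
    ./scripts/tar2db.py -i "$iid" -f "./images/$iid.tar.gz"
    sudo ./scripts/makeImage.sh "$iid"
    fd_stage_ok . image "$iid" ||
      { echo "no scratch/$iid/image.raw: makeImage.sh failed" >&2; exit 1; }
    ./scripts/inferNetwork.sh "$iid"
    # The stage the post singles out: when the nvram configuration is not
    # found, no run.sh is written, so point at the log the inference used.
    fd_stage_ok . network "$iid" ||
      { echo "no scratch/$iid/run.sh: inspect scratch/$iid/qemu.initial.serial.log" >&2; exit 1; }
    "./scratch/$iid/run.sh"
  )
}

# Only start the pipeline when called with arguments, e.g.
#   ./fd_emulate.sh "WNAP320 Firmware Version 2.0.3.zip" 1 Netgear
if [ $# -ge 3 ]; then fd_emulate "$1" "$2" "$3"; fi
```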

III. Usage Insights

1. Currently, it supports emulation of a wide range of firmware, but a specific firmware image may need modifications, such as rebuilding the Linux kernel for a different version or modifying the nvram support.

2. Because the firmware runs under software emulation, parts of its filesystem can be modified, such as disabling modules that restrict brute-force login attempts.

3. Support is currently mainly for routers; support for cameras and other devices is still insufficient.

Kanxue Security · Kanxue Crowd Testing