AI supported firmware analysis
Why not use AI for firmware analysis? This is the idea we had since the public release of OpenAI's GPT-3 and GPT-4 earlier this year.
We started testing OpenAI's ChatGPT for different possible usage scenarios like the integration of further CVE explanation:
Additionally, we thought about a quick lookup for potential exploit code or POC’s:
It can be seen that the available information is quite limited because of the limited dataset for these types of requests. As we have already integrated multiple exploit databases, we dropped this idea for now. Probably/Hopefully we will come back to this in the future.
After some poking with OpenAI’s ChatGPT via the Chat interface we decided to give it a try within EMBA. But, currently not for the explanation of CVE identifiers. During our testing we found out that GPT is quite good at highlighting possible weak spots in different scripting languages:
The main idea of the current GPT integration into EMBA is to use AI mechanisms to give the tester a better understanding of interesting areas inside the firmware. Where should he spend his time on manual investigation? To optimize the pentesters time, we already have a lot of different mechanisms integrated into EMBA. The AI integration is another valuable source of information for optimizing this task and pointing YOU to the next 0day vulnerability.
The new Q02 quest-module provides a simple way of querying the OpenAI-API with custom questions and code snippeds. The following notes give you a short overview on how to start AI-assisted firmware analysis with EMBA
Use the config/gpt_config.env.template file to generate the following config/gpt_config.env file:
OPENAI_API_KEY="sk-XXXXXXXXXXXXXXXXXXXX"GPT_QUESTION="For the following code I need you to tell me how an attacker could exploit it and point out all vulnerabilities:"-
MINIMUM_GPT_PRIO=3-> TheOPENAI_API_KEYvariable has to be set to be able to make API calls, the other options are for tweaking results.
To generate an API key you need an OpenAI account and generate an API-key
-
export GPT_OPTION=2will enable the Module to make unrestricted API-calls - changing the template under
config/gpt_template.json, for example doing:
"model": "gpt-4"
should enable gpt-4 functionality (only available on payment plan)
To enable the GPT integration in the next firmware analysis process you need to activate it via setting the GPT_OPTION variable export GPT_OPTION=<1/2>.
Note, that to do this you need to set it for the root user!
The preferred way for enabling GPT is to setup a GPT enabled scan-profile like the example profile scan-profiles/default-scan-gpt.emba. This profile is optimized for GPT enabled firmware analysis.
During the next firmware scan the API key gets automatically tested and used from EMBA.
After the Q container is started it can be further monitored with docker ps and docker logs:
The monitoring should show the GPT requests and results during operation:
At the end of the firmware test, the finalyzer module F05 generates the relevant linking between the already available results and the GPT results:
The web report contains all the results that GPT provides to us:
Go to https://platform.openai.com/account/api-keys and generate one.
No, the default settings of EMBA are working quite good with the free account.
Yes, there is a second, purpose built docker container that needs Internet access.
This issue is well known with the free OpenAI account. EMBA is trying to handle these issues as good as possible. The only real fix is a payed account.
No, only in case you enabled an AI-assisted scan of your firmware parts of your firmware (see also this question) are uploaded and analysed via OpenAI's GPT solution.
Currently the following modules have AI integration:
- S20 - Shell analysis module
- S21 - Python analysis module
- S22 - PHP analysis module
- S23 - Lua analysis module
In the future more modules will be enabled.
The easiest way is to open an issue here
The easiest way is to open an issue here