AI supported firmware analysis
Why not use AI for firmware analysis? This is the question we have been asking ourselves since the public release of OpenAI's GPT-4 earlier this year.
We started testing OpenAI's ChatGPT for different usage scenarios, such as adding further explanation of CVE identifiers.
We also considered a quick lookup for potential exploit code or PoCs.
The available information turned out to be quite limited, because the training data for this kind of request is limited. As we have already integrated multiple exploit databases, we dropped this idea for now; we will probably come back to it later.
After some experimentation with OpenAI's ChatGPT via the chat interface, we decided to give it a try within EMBA, but currently not for explaining CVE identifiers. During our testing we found that GPT is quite good at highlighting possible weak spots in code written in different scripting languages.
The main idea of the current GPT integration in EMBA is to give the tester a better idea of the interesting areas of the firmware: where should manual investigation time be spent? EMBA already includes many mechanisms to optimise the pentester's time, and the AI integration is another valuable source for this task, pointing you to the next 0-day vulnerability.
The new Q02 quest module provides a simple way of querying the OpenAI API with custom questions and code snippets. The following notes give a short overview of how to start AI-powered firmware analysis with EMBA.
Use the `config/gpt_config.env.template` file to generate the following `config/gpt_config.env` file:

```
OPENAI_API_KEY="sk-XXXXXXXXXXXXXXXXXXXX"
GPT_QUESTION="For the following code I need you to tell me how an attacker could exploit it and point out all vulnerabilities:"
MINIMUM_GPT_PRIO=3
```
The `OPENAI_API_KEY` variable has to be set to be able to make API calls. To generate an API key you need an OpenAI account.
`export GPT_OPTION=2` enables the module to make unrestricted API calls. Changing the template under `config/gpt_template.json`, for example setting

```
"model": "gpt-4"
```

should enable gpt-4 functionality (only available on a payment plan).
To enable the GPT integration in the next firmware analysis you need to activate it by setting the `GPT_OPTION` variable: `export GPT_OPTION=<1/2>`.
The preferred way of enabling GPT is to set up a GPT-enabled scan profile like the example profile `scan-profiles/default-scan-gpt.emba`. This profile is optimised for GPT-enabled firmware analysis.
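The steps above amount to three settings: a filled-in `config/gpt_config.env`, an optional `"model"` change in `config/gpt_template.json`, and `GPT_OPTION` set to 1 or 2. The script below is an added pre-flight check for exactly these settings; it is not EMBA's own code. Only the file names, the variable names and the `"model"` field come from this page; the check logic, the helper names (`env_value`, `gpt_key_plausible`, `gpt_option_enabled`, `gpt_config_check`, `set_template_model`) and the sample files written by `demo` are this example's own assumptions and constructed stand-ins.

```bash
#!/usr/bin/env bash
# Added example, not part of EMBA: pre-flight checks for the GPT configuration
# described on this page. Only the file names (config/gpt_config.env,
# config/gpt_template.json), the variable names and the "model" field are taken
# from the page; the checks and helper names are this example's own.
set -u

# Read NAME=value or NAME="value" from an env file without sourcing it, so a
# malformed or tampered config file cannot execute anything in this shell.
env_value() {
  local file="$1" name="$2"
  sed -n "s/^${name}=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$file" | tail -n 1
}

# A key is plausible when it carries the sk- prefix, has some length, and is
# not the all-X placeholder left in place from gpt_config.env.template.
gpt_key_plausible() {
  local key="${1:-}" body
  case "$key" in sk-*) ;; *) return 1 ;; esac
  body="${key#sk-}"
  [ "${#body}" -ge 20 ] || return 1
  case "$body" in *[!X]*) return 0 ;; *) return 1 ;; esac
}

# GPT_OPTION=1 or 2 switches the module on (2 = unrestricted API calls);
# any other value leaves the GPT integration disabled.
gpt_option_enabled() {
  case "${1:-}" in 1|2) return 0 ;; *) return 1 ;; esac
}

# Validate config/gpt_config.env before a scan: key present and not the
# placeholder, question non-empty, priority a non-negative integer, and the
# file (it holds a secret) readable by its owner only.
gpt_config_check() {
  local file="$1" key question prio mode
  [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
  key=$(env_value "$file" OPENAI_API_KEY)
  question=$(env_value "$file" GPT_QUESTION)
  prio=$(env_value "$file" MINIMUM_GPT_PRIO)
  gpt_key_plausible "$key" || { echo "OPENAI_API_KEY unset or still the template placeholder" >&2; return 1; }
  [ -n "$question" ] || { echo "GPT_QUESTION is empty" >&2; return 1; }
  case "$prio" in ''|*[!0-9]*) echo "MINIMUM_GPT_PRIO must be a non-negative integer" >&2; return 1 ;; esac
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in 600|400) ;; *) echo "$file is mode $mode; run: chmod 600 $file" >&2; return 1 ;; esac
}

# Switch the "model" field of the request template in place, e.g. to gpt-4
# (paid plan only). The -i.bak form works with both GNU and BSD sed.
set_template_model() {
  local template="$1" model="$2"
  grep -q '"model"' "$template" || return 1
  sed -i.bak "s/\"model\": *\"[^\"]*\"/\"model\": \"${model}\"/" "$template" && rm -f "${template}.bak"
}

# Constructed stand-ins for demonstration only; the real files live under config/.
demo() {
  local dir cfg tpl
  dir=$(mktemp -d)
  cfg="$dir/gpt_config.env"; tpl="$dir/gpt_template.json"
  printf '%s\n' 'OPENAI_API_KEY="sk-XXXXXXXXXXXXXXXXXXXX"' \
    'GPT_QUESTION="For the following code I need you to tell me how an attacker could exploit it and point out all vulnerabilities:"' \
    'MINIMUM_GPT_PRIO=3' > "$cfg"
  chmod 600 "$cfg"
  printf '{\n  "model": "gpt-3.5-turbo",\n  "messages": []\n}\n' > "$tpl"   # constructed, not EMBA's template
  if gpt_config_check "$cfg"; then echo "config OK"; else echo "config rejected (expected here: placeholder key)"; fi
  set_template_model "$tpl" gpt-4 && grep '"model"' "$tpl"
  rm -rf "$dir"
}

demo
```

Run `gpt_config_check config/gpt_config.env` from the EMBA root after filling in the key; it rejects the untouched placeholder and a file that other local users can read. Keep `config/gpt_config.env` out of version control, since it holds the API key. Also keep in mind that once the module is enabled, the code snippets EMBA selects for the Q02 module leave your environment and are sent to OpenAI's API; do not enable it for firmware you are not allowed to share with a third party.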
During the next firmware scan, EMBA automatically tests and uses the API key.
After the Q container is started it can be monitored with `docker ps` and `docker logs`. The monitoring shows the GPT requests and results during operation.
At the end of the firmware test, the finalizer module F05 links the already available results with the GPT results.
The web report contains all the results that GPT provides.
To generate an API key, go to https://platform.openai.com/account/api-keys and create one.
A paid plan is not required: the default settings of EMBA work well with a free account.
The GPT integration runs in a second Docker container that needs Internet access.
For questions or problems, the easiest way is to open an issue in the EMBA GitHub repository.
EMBA - firmware security scanning at its best
Sponsor EMBA and EMBArk:
The EMBA environment is free and open source!
We put a lot of time and energy into these tools and the related research to make this happen. It is now possible for you to contribute as a sponsor!
If you like EMBA, you can support future development by becoming a sponsor.
Thank you ❤️ Get a Sponsor
You can also buy us some beer here ❤️ Buy me a coffee
To show your love for EMBA with nice shirts or other merch, check out our Spreadshop.