EMBA 2.0: Firmware analyzer achieves 95 percent emulation success

In version 2.0, the firmware analysis tool EMBA achieves an emulation success rate of 95 percent, leaving older tools far behind.


The developers of EMBA have released version 2.0 of their firmware analysis tool. According to the project, the release marks a milestone on the path to automatic detection and verification of vulnerabilities in firmware images. EMBA is a Bash-based open-source tool for automated firmware analysis. It extracts firmware images, performs static and dynamic analyses, generates Software Bills of Materials (SBOMs), and creates web reports. The new version stands out with a revised system emulation engine that automatically starts devices in an emulated environment, thus verifying detected vulnerabilities.

The developers have compared EMBA 2.0 with several firmware test sets. On the FirmAE corpus, a dataset compiled before 2020 with 1,074 firmware images, EMBA achieved a success rate of 95 percent, identifying over 6,000 network services. FirmAE itself was originally optimized for a success rate of 79 percent, while Firmadyne managed only 16 percent. Success here is defined as at least one network service being reachable in the emulated environment.

In a test set from 2020 with 126 firmware images, based on the Fraunhofer FKIE Home Router Security Report, EMBA achieved a success rate of 87 percent (over 600 network services), FirmAE reached 30 percent, and Firmadyne 5 percent. A more recent test set from 2022 with 121 images confirmed the trend: EMBA emulated 76 percent successfully (around 400 network services), FirmAE only 16 percent, and Firmadyne a mere 2 percent. The benchmarks show that the success rate decreases with more recent firmware, but EMBA maintains its lead over older projects.


In addition to improved emulation, version 2.0 offers further new features: the integration of Dependency-Track enables the automatic transfer of SBOMs to vulnerability and SBOM management tools. EMBA now supports VEX (Vulnerability Exploitability eXchange) and extended SBOM sources. The tool uses CycloneDX-JSON as its SBOM format and can pass the data directly to Dependency-Track.
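To make the SBOM handoff described above concrete, here is an added example (not EMBA's or Dependency-Track's own code): it validates a constructed CycloneDX JSON document of the kind EMBA emits, lists the components that carry a package URL (the ones a vulnerability backend can actually match), and builds the JSON body that Dependency-Track's BOM upload endpoint (`PUT /api/v1/bom`, authenticated with an `X-Api-Key` header) expects. The component names and versions are made up, and `upload_bom` is only shown, never called, so everything runs offline.

```python
import base64
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample: a minimal CycloneDX JSON SBOM in the shape a firmware
# scanner would produce for an extracted image. All values are made up.
SAMPLE_SBOM: Dict = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "device", "name": "example-router-fw"}},
    "components": [
        {"type": "library", "name": "busybox", "version": "1.31.1",
         "purl": "pkg:generic/busybox@1.31.1"},
        {"type": "library", "name": "openssl", "version": "1.0.2u",
         "purl": "pkg:generic/openssl@1.0.2u"},
        # A component without a purl: recorded, but no feed can match it.
        {"type": "file", "name": "unknown-blob.bin"},
    ],
}


def validate_sbom(sbom: Dict) -> List[str]:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be 'CycloneDX'")
    if not isinstance(sbom.get("specVersion"), str):
        problems.append("specVersion missing")
    if not isinstance(sbom.get("components"), list):
        problems.append("components must be a list")
    return problems


def components_with_purl(sbom: Dict) -> List[Tuple[str, str, str]]:
    """Components carrying a purl: only these can be matched against CVE feeds."""
    return [(c["name"], c.get("version", ""), c["purl"])
            for c in sbom.get("components", []) if c.get("purl")]


def build_dependency_track_payload(sbom: Dict, project_name: str,
                                   project_version: str) -> Dict:
    """Build the JSON body for Dependency-Track's PUT /api/v1/bom.

    The SBOM travels base64-encoded in the "bom" field; autoCreate lets the
    server create the project on first upload instead of failing.
    """
    problems = validate_sbom(sbom)
    if problems:
        raise ValueError("; ".join(problems))
    raw = json.dumps(sbom).encode("utf-8")
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(raw).decode("ascii"),
    }


def decode_bom(payload: Dict) -> Dict:
    """Reverse the encoding, e.g. to check what was actually sent."""
    return json.loads(base64.b64decode(payload["bom"]))


def upload_bom(base_url: str, api_key: str, payload: Dict) -> Dict:
    """Send the payload to a Dependency-Track instance (not invoked here).

    base_url and api_key are placeholders to be supplied by the caller; the
    server answers with a JSON object containing a processing token.
    """
    req = urllib.request.Request(
        f"{base_url}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for name, version, purl in components_with_purl(SAMPLE_SBOM):
        print(f"{name} {version} -> {purl}")
    body = build_dependency_track_payload(SAMPLE_SBOM, "example-router-fw", "1.0")
    print("payload keys:", sorted(body))
```

The purl check is the practical part: components EMBA can only identify as opaque files show up in the SBOM but never in Dependency-Track's findings, so the count returned by `components_with_purl` is a quick measure of how much of an image the vulnerability feeds can actually cover.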

AI-assisted firmware analysis complements the classic scan modules. New analysis components such as Capa with ATT&CK support, Semgrep, and Zarn for Perl analyses expand the detection capabilities. The S09 module for binary version detection has been improved in threading, increasing performance. The emulation is based on QEMU with a customized kernel build of version 4.14.336 LTS, which is intended to offer better compatibility with older and current router firmware.

All details about the update to version 2.0.0 can be found on the EMBA project page on GitHub.

While the benchmark results are impressive, some questions remain open. The exact firmware corpora are not fully documented, and the test sets are based on home router firmware from manufacturers such as AVM, Netgear, and Asus. The raw data of the firmware images are not directly available in the repository but are accessible via external sources like Zenodo. Independent verification of the benchmarks by third parties is pending, although the project refers to academic works such as those on FirmAE.

The emulation uses QEMU and customized kernel patches for bootloader compatibility. According to the issue tracker, these patches are partly project-specific, and an integration into upstream projects like Linux or QEMU is planned. EMBA encounters limitations with proprietary bootloaders and signed firmware images, where the tool resorts to user-mode emulation or static analysis.

When executing potentially malicious firmware in Docker or VM environments, the developers recommend additional security measures such as nested VMs, AppArmor, or SELinux. Network leaks and kernel exploits can pose risks, so production environments should be avoided. Legal aspects such as license compliance for extracted proprietary binaries or GDPR issues for stored credentials are the responsibility of the users.

For enterprise users, EMBA foresees scaling via Docker Swarm and Kubernetes. The web UI EMBArk enables cluster deployments, and performance tests show over 100 analyzed images per day on 64-core systems. Integration into CI/CD pipelines is possible via Docker images as GitHub Actions or Jenkins steps.

Mechanisms for responsible disclosure of automatically identified zero-days are not built in. The developers refer to manual CVD processes via First.org and the issue tracker. The vulnerability feeds are kept current via the update script, which refreshes CVE databases such as cve-bin-tool and cve-search daily.

EMBA positions itself as a free alternative to commercial firmware scanners. The higher emulation coverage compared to proprietary software speaks in favor of the tool, but it requires manual verification of the results.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.