
AI supported firmware analysis

Michael Messner edited this page Jul 19, 2023 · 38 revisions

Why not use AI for firmware analysis? This is the question we have also been asking ourselves since the public release of OpenAI's GPT-4 earlier this year.

We started testing OpenAI's ChatGPT for different possible usage scenarios, such as the integration of further CVE explanations:


Additionally, we thought about a quick lookup for potential exploit code or PoCs:


As you can see, the available information is quite limited because of the limited dataset for this type of request. We will probably come back to this idea later.

After some poking at OpenAI's ChatGPT via the chat interface, we decided to give it a try within EMBA, but currently not for the explanation of CVE identifiers. We also found that GPT is quite good at highlighting possible weak spots in different scripting languages:


The main idea of the current GPT integration into EMBA is to use AI mechanisms to give the tester a better idea of the interesting areas of the firmware: where should he spend his time on manual investigation? To optimize the pentester's time we already have a lot of different mechanisms included in EMBA. The AI integration is another valuable source for optimizing this task and pointing you to the next 0day vulnerability.

EMBA AI integration

The new Q02 quest-module provides a simple way of querying the OpenAI API with custom questions and code snippets. The following notes give you a short overview of how to start AI-powered firmware analysis with EMBA.

Configuration Step 1 - Free

Use the config/gpt_config.env.template file to generate the following config/gpt_config.env file:

  • OPENAI_API_KEY="sk-XXXXXXXXXXXXXXXXXXXX"
  • GPT_QUESTION="For the following code I need you to tell me how an attacker could exploit it and point out all vulnerabilities:"
  • MINIMUM_GPT_PRIO=3 -> The OPENAI_API_KEY variable has to be set to be able to make API calls

To generate an API key you need an OpenAI account.

Configuration Step 2 (optional) - Requires a payment plan for the OpenAI API

  1. export GPT_OPTION=2 will enable the module to make unrestricted API calls
  2. changing the template under config/gpt_template.json, for example:

"model": "gpt-4"

should enable GPT-4 functionality (only available on a payment plan)

Configuration Step 3 - Enabling the Q02 module

To enable the GPT integration in the next firmware analysis process you need to activate it by setting the GPT_OPTION variable: export GPT_OPTION=<1/2>.

The preferred way to enable GPT is to set up a GPT-enabled scan profile like the example profile scan-profiles/default-scan-gpt.emba. This profile is optimised for GPT-enabled firmware analysis.

During the next firmware scan the API key is automatically tested and used.
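Before kicking off a GPT-enabled scan it is useful to sanity-check config/gpt_config.env locally. The following shell function is an added example and not part of EMBA; it uses the variable names and file layout from the steps above, assumes GPT_OPTION is exported in the calling shell, and adds a file-permission check (the file holds an API secret) that the steps above do not mention.

```shell
#!/usr/bin/env bash
# Added example, not EMBA's own code: sanity-check a config/gpt_config.env
# before a GPT-enabled scan. The file is parsed, not sourced, so a tampered
# config cannot run commands inside the checking shell.
# Usage: check_gpt_config path/to/gpt_config.env  -> exit status 0 when OK

# get_var VAR FILE: print the value of VAR=..., stripping surrounding quotes
get_var() {
  sed -n "s/^$1=//p" "$2" | sed 's/^"\(.*\)"$/\1/' | tail -n 1
}

check_gpt_config() {
  local cfg="$1" rc=0 mode key prio
  [ -f "$cfg" ] || { echo "FAIL: $cfg not found" >&2; return 1; }

  # The file holds an API secret: group/other permission bits must be 0.
  mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  case "$mode" in
    *00) ;;
    *) echo "FAIL: $cfg is mode $mode; use chmod 600" >&2; rc=1 ;;
  esac

  # OPENAI_API_KEY must be present and must not be the template placeholder.
  key=$(get_var OPENAI_API_KEY "$cfg")
  case "$key" in
    '')       echo "FAIL: OPENAI_API_KEY is not set" >&2; rc=1 ;;
    sk-XXXX*) echo "FAIL: OPENAI_API_KEY still holds the template placeholder" >&2; rc=1 ;;
    *)        echo "ok: OPENAI_API_KEY set (ends in $(printf '%s' "$key" | tail -c 4))" ;;
  esac

  # MINIMUM_GPT_PRIO must be a non-negative integer (the template uses 3).
  prio=$(get_var MINIMUM_GPT_PRIO "$cfg")
  case "$prio" in
    ''|*[!0-9]*) echo "FAIL: MINIMUM_GPT_PRIO='$prio' is not an integer" >&2; rc=1 ;;
    *)           echo "ok: MINIMUM_GPT_PRIO=$prio" ;;
  esac

  # GPT_OPTION comes from the environment (export GPT_OPTION=<1/2>).
  case "${GPT_OPTION:-}" in
    1|2) echo "ok: GPT_OPTION=$GPT_OPTION" ;;
    '')  echo "note: GPT_OPTION not exported, the Q02 module will not be enabled" ;;
    *)   echo "FAIL: GPT_OPTION='$GPT_OPTION' must be 1 or 2" >&2; rc=1 ;;
  esac
  return "$rc"
}
```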

FAQ

Q: Where do I get this API key?

Go to https://platform.openai.com/account/api-keys and generate one.


Q: Do I need to pay for the OpenAI account?

No, the default settings of EMBA work quite well with the free account.