Interactive dependency map
The S130_binary_map_builder.sh module is a core static analysis component of the EMBA firmware security analyzer. Its primary purpose is to generate an Interactive Dependency Map, providing a visual representation of how different binary components within a firmware image interact with one another.
This module acts as a "cartographer" for the firmware's internal structure, mapping out the relationships between executables and libraries.
- Dependency Identification: It uses multiple concurrent mechanisms to discover how binaries are linked, including:
- Standard Linux Tools: Utilizing ldd and objdump to find shared library dependencies.
- Heuristic Matching: Searching for string patterns like paths (e.g., strings starting with /) and using fuzzy string matching to find potential links that aren't explicitly defined in the binary headers.
- Emulation-Based Detection: Leveraging results from both user-mode and system-mode emulation to see which files are actually accessed during runtime.
- Data Aggregation: The module collects these findings into a structured format that can be processed by EMBA's reporting engine.
- Visualization: It enables the creation of a graphical map in the final HTML report, allowing security researchers to see at a glance which libraries are most critical or which binaries share common dependencies.
The module is integrated into the default scanning workflow for modern versions of EMBA:
- Automatic Activation: It is enabled by default in the default-scan profile starting with version 2.0.1.
- Manual Control: Beside enabling or disabling this feature in your own custom scan profile using the parameter:
EMBA_MAP_GENERATOR=1(to enable) or 0 (to disable) it is also possible to tweak further options like the maximum runtime and the maximum files EMBA should process for the map.
# enable EMBA binary map dependency generator
EMBA_MAP_GENERATOR=1
MAX_MAP_FILES=1000
SVG_BUILD_TIMEOUT="12h"
- Reporting: The resulting interactive map is found within the generated web report (usually at ../log_dir/html_report/index.html) after the scan completes.
With a helper function it is also possible to run it standalone after the firmware analysis with EMBA is finished:
└─$ ./helpers/firmware_map_builder.sh -e <EMBA log directory>
Additionally, it is also possible to run it without an EMBA scan on an extracted firmware image directory:
└─$ ./helpers/firmware_map_builder.sh -f <firmware directory> -l <log directory>
Note: Keep in mind that as a standalone tool you need to install all dependencies manually on your host.
This module is essential for understanding the "attack surface" of a device by identifying central libraries that, if vulnerable, could compromise multiple system components.
Below is a detailed AI generated breakdown of the external tools and utilities used by this module:
-
strings:- Description: Extracts strings from binary files.
-
Usage:
strings -n 4 "${lFILE_TO_CHECK}" - Purpose: Identifies string dependencies within the binary files.
-
file:- Description: Determines the file type and architecture.
-
Usage:
file -b "${lELF_FILE}" - Purpose: Determines if a file is statically linked, NX (No-Execute) protected, PIE (Position Independent Executable), and other binary security attributes.
-
readelf:- Description: Displays information from ELF files.
-
Usage:
readelf -lW "${lELF_FILE}"readelf -h "${lELF_FILE}"readelf -s "${lELF_FILE}"
- Purpose: Extracts information about the file's sections, headers, and symbols, which is used to determine binary capabilities and security features.
-
objdump:- Description: Dumps various parts of object files.
-
Usage:
objdump -d "${lFILE_TO_CHECK}"objdump -p "${lFILE_TO_CHECK}"
- Purpose: Extracts disassembled code and program headers to identify syscall dependencies and capabilities.
-
ldd:- Description: Lists shared libraries required by a program.
-
Usage:
ldd "${lFILE_TO_CHECK}" - Purpose: Identifies dynamic dependencies of the binary files.
-
timeout:- Description: Runs a command with a time limit.
-
Usage:
timeout 360 ./run.sh - Purpose: Ensures that the system emulation process does not run indefinitely.
-
grep:- Description: Searches text using patterns.
-
Usage:
grep -a 'open\|stat\|bind\|chmod\|link\|write' "${lQEMU_STRACER_FILE}"grep -a "ICMP ok\|TCP ok" "${LOG_DIR}"/emulator_online_results.log
- Purpose: Extracts relevant log entries for dependency analysis.
-
awk:- Description: Processes text using pattern scanning and processing.
-
Usage:
awk '{print $2,$3}' | sort -uawk '{print $3}' | sort -u
- Purpose: Extracts specific fields from log entries and sorts them.
-
sed:
- Description: Streams editor for filtering and transforming text.
-
Usage:
sed -i '/img class.*EMBA-dependency-map.svg.*/i <a href=./s130_binary_map_builder/res/EMBA-dependency-map.html>' "${HTML_PATH}/s130_binary_map_builder.html"sed -i 's|<svg [^>]*>|<svg id="map-svg" style="width:100%;height:100%;">|' "${SVG_FILE}"
- Purpose: Modifies HTML and SVG files to include links and adjust the SVG header for the pan-zoom library.
-
timeout:- Description: Runs a command with a time limit.
-
Usage:
timeout --preserve-status --signal SIGINT "${SVG_BUILD_TIMEOUT}" neato -Goverlap=false -Gsep=+20 -Tsvg "${DOT_FILE}" -o "${SVG_FILE}" - Purpose: Ensures that the SVG generation process does not run indefinitely.
-
neato:- Description: A layout program from the Graphviz graph visualization software suite.
-
Usage:
neato -Goverlap=false -Gsep=+20 -Tsvg "${DOT_FILE}" -o "${SVG_FILE}" - Purpose: Generates a SVG image of the binary dependency graph.
-
dot:- Description: Another layout program from the Graphviz graph visualization software suite.
-
Usage:
dot -Goverlap=false -Gsep=+20 -Tsvg "${DOT_FILE}" -o "${SVG_FILE//\.svg/_dot.svg}" -
Purpose: Generates an alternative SVG image of the binary dependency graph in case
neatofails.