Firmware Sample Analysis - Distinguish between Compressed, Encrypted and Plain Binary Files

Abstract

A device that we use on a daily basis may have flaws that put its users' privacy and security at risk. It is therefore important to analyze the firmware in order to find vulnerabilities that would otherwise go undetected and unpatched. An analyst may use a variety of tools to support this work. The difficulty is that vendors may encrypt or compress their firmware to hide information or other private material such as certificates. If a forensic analyst comes across encrypted firmware, it may well be that the encryption or compression algorithm is a standard one, so that other tools can be used to decrypt or decompress the file at hand. Once this is done, the file can be analyzed and the vulnerabilities fixed, or at least explained to the public and to the vendor. As many more vendors and new firmware files keep emerging, such analysis has to be automated, because going over every firmware file manually is not feasible. To perform the decryption automatically, however, it is first necessary to detect which firmware files are encrypted or compressed before a decryption or decompression algorithm can be applied to them. This work offers a solution to this problem. Several different approaches are discussed, based on entropy analysis and on byte analysis such as the signature bytes of files. As the methods are selected and evaluated, the problem is discussed that encrypted and compressed files sometimes show very similar characteristics, which makes them very hard to distinguish. A new method was found to distinguish compressed from encrypted files, and with these algorithms a software tool was developed that can be used standalone or as a plugin for the Firmware Analysis and Comparison Tool (FACT) to automate the whole process.
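
As an added illustration of the two approaches the abstract names, entropy analysis and signature bytes, the following Python sketch classifies a byte blob as plain, compressed or ambiguous; it is not the thesis's tool or FACT plugin code, the signature table and the three sample blobs are constructed here, and a headerless high-entropy blob is deliberately reported as "compressed-or-encrypted", which is exactly the case the abstract describes as hard to separate.

```python
import gzip
import hashlib
import math
from collections import Counter

# Signature bytes of common compression containers. Constructed lookup for this
# example; a production tool carries a far larger table.
SIGNATURES = {
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bzip2",
    b"PK\x03\x04": "zip",
    b"\x04\x22\x4d\x18": "lz4",
    b"hsqs": "squashfs",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_signature(data: bytes, window: int = 64):
    """First known magic in the leading `window` bytes as (name, offset);
    the window matters because firmware images often carry a vendor header."""
    head = data[:window]
    for magic, name in SIGNATURES.items():
        offset = head.find(magic)
        if offset != -1:
            return name, offset
    return None

def classify(data: bytes, threshold: float = 7.0) -> str:
    """A known signature wins even at low entropy (tiny compressed blobs never
    reach 8 bits/byte); headerless high entropy stays ambiguous: the hard case."""
    sig = find_signature(data)
    if sig:
        return f"compressed:{sig[0]}@{sig[1]}"
    if shannon_entropy(data) < threshold:
        return "plain"
    return "compressed-or-encrypted"

# Constructed samples: boot-loader text, the same text gzipped behind a fake
# vendor header, and a SHA-256 chain standing in for headerless ciphertext.
PLAIN = b"uboot> bootm 0x80000\n" * 200
COMPRESSED = b"VENDOR_HDR\x00\x01" + gzip.compress(PLAIN)
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
```

Running `classify` over the three samples gives "plain", "compressed:gzip@12" and "compressed-or-encrypted"; the last label is where the entropy threshold alone stops helping and a finer test is needed.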

Publication
TU Wien