Interactive dependency map
The S130_binary_map_builder.sh module is a core static analysis component of the EMBA firmware security analyzer. Its primary purpose is to generate an Interactive Dependency Map, providing a visual representation of how different binary components within a firmware image interact with one another.
This module acts as a "cartographer" for the firmware's internal structure, mapping out the relationships between executables and libraries.
- Dependency Identification: It uses multiple concurrent mechanisms to discover how binaries are linked, including:
- Standard Linux Tools: Utilizing ldd and objdump to find shared library dependencies.
- Heuristic Matching: Searching for string patterns like paths (e.g., strings starting with /) and using fuzzy string matching to find potential links that aren't explicitly defined in the binary headers.
- Emulation-Based Detection: Leveraging results from both user-mode and system-mode emulation to see which files are actually accessed during runtime.
- Data Aggregation: The module collects these findings into a structured format that can be processed by EMBA's reporting engine.
- Visualization: It enables the creation of a graphical map in the final HTML report, allowing security researchers to see at a glance which libraries are most critical or which binaries share common dependencies.
The module is integrated into the default scanning workflow for modern versions of EMBA:
- Automatic Activation: It is enabled by default in the default-scan profile starting with version 2.0.1.
- Manual Control: Beside enabling or disabling this feature in your own custom scan profile using the parameter:
EMBA_MAP_GENERATOR=1(to enable) or 0 (to disable) it is also possible to tweak further options like the maximum runtime and the maximum files EMBA should process for the map.
# enable EMBA binary map dependency generator
EMBA_MAP_GENERATOR=1
MAX_MAP_FILES=1000
SVG_BUILD_TIMEOUT="12h"
- Reporting: The resulting interactive map is found within the generated web report (usually at ../log_dir/html_report/index.html) after the scan completes.
With a helper function it is also possible to run it standalone after the firmware analysis with EMBA is finished:
└─$ ./helpers/firmware_map_builder.sh -e <EMBA log directory>
Additionally, it is also possible to run it without an EMBA scan on an extracted firmware image directory:
└─$ ./helpers/firmware_map_builder.sh -f <firmware directory> -l <log directory>
Note: Keep in mind that as a standalone tool you need to install all dependencies manually on your host.
This module is essential for understanding the "attack surface" of a device by identifying central libraries that, if vulnerable, could compromise multiple system components.