Skip to content
The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and Information Security professionals with conducting firmware security assessments.
Branch: master
Clone or download
Latest commit 7b00358 Nov 1, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
License.md License.md Nov 1, 2019
README.md Release Nov 1, 2019

README.md

OWASP Firmware Security Testing Methodology

The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and Information Security professionals with conducting firmware security assessments.

Stage Description
1. Information gathering and reconnaissance Acquire all relative technical and documentation details pertaining to the target device's firmware
2. Obtaining firmware Attain firmware using one or more of the proposed methods listed
3. Analyzing firmware Examine the target firmware's characteristics
4. Extracting the filesystem Carve filesystem contents from the target firmware
5. Analyzing filesystem contents Statically analyze extracted filesystem configuration files and binaries for vulnerabilities
6. Emulating firmware Emulate firmware files and components
7. Dynamic analysis Perform dynamic security testing against firmware and application interfaces
8. Runtime analysis Analyze compiled binaries during device runtime
9. Binary Exploitation Exploit identified vulnerabilities discovered in previous stages to attain root and/or code execution

The full methodology is available for download in the release section of this repository. Consider visiting the OWASP Internet of Things Project wiki page for the latest methodology updates and forthcoming project releases.

A preconfigured Ubuntu virtual machine (EmbedOS) with firmware testing tools used throughout the methodology can be downloaded via the following [link]. Details regarding EmbedOS' tools can be found on GitHub https://github.com/scriptingxss/EmbedOS.

You can’t perform that action at this time.