Convert Figma logo to code with AI

fkie-cad logoFACT_core

Firmware Analysis and Comparison Tool

1,311
230
1,311
115
View on GitHub

Top Related Projects

mandiant's avatar

capa

5,005

The FLARE team's open-source tool to identify capabilities in executable files.

mandiant's avatar

flare-floss

3,381

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Quick Overview

FACT_core is a framework for the automated analysis of firmware images. It provides a modular and extensible platform for extracting, unpacking, and analyzing firmware files from various sources. The project aims to assist security researchers and analysts in understanding the composition and potential vulnerabilities of firmware components.

Pros

  • Modular and Extensible Architecture: FACT_core is designed with a modular structure, allowing for easy integration of new analysis plugins and functionality.
  • Comprehensive Firmware Analysis: The framework supports a wide range of firmware file formats and provides various analysis capabilities, including extraction, unpacking, and vulnerability detection.
  • Automated Workflow: FACT_core automates the firmware analysis process, reducing the time and effort required for researchers and analysts.
  • Community-Driven Development: The project is actively maintained and developed by a community of contributors, ensuring ongoing improvements and bug fixes.

Cons

  • Steep Learning Curve: The framework's extensive functionality and configuration options may present a challenge for new users, requiring a significant learning curve.
  • Limited Documentation: While the project has some documentation, it could be more comprehensive and user-friendly, especially for newcomers.
  • Dependency Management: The project relies on a complex set of dependencies, which can make installation and setup more challenging, especially on different platforms.
  • Performance Limitations: Depending on the size and complexity of the firmware being analyzed, the framework's performance may be a concern, especially for large-scale analyses.

Code Examples

N/A (This is not a code library)

Getting Started

N/A (This is not a code library)

Competitor Comparisons

mandiant logo

capa

5,005

The FLARE team's open-source tool to identify capabilities in executable files.

Pros of capa

  • Focused specifically on detecting capabilities in executable files
  • Lightweight and can be easily integrated into other tools or workflows
  • Extensive rule set for identifying a wide range of malware behaviors

Cons of capa

  • Limited to analyzing executable files, while FACT_core supports multiple file types
  • Lacks the comprehensive firmware analysis features of FACT_core
  • Does not provide a web-based interface for collaborative analysis

Code Comparison

FACT_core (Python):

def get_binary_and_filename(file_object):
    binary = file_object.binary
    file_name = file_object.file_name
    return binary, file_name

capa (Python):

def is_runtime_linked(binary):
    return lief.parse(binary).header.has_flag(lief.PE.HEADER_CHARACTERISTICS.DLL)

Both projects use Python, but FACT_core focuses on handling file objects and their properties, while capa deals with specific binary analysis tasks like checking runtime linking.

FACT_core provides a more comprehensive firmware analysis platform with a web interface, supporting various file types and collaborative features. capa, on the other hand, excels in detecting capabilities in executable files with its extensive rule set and lightweight design, making it easier to integrate into existing workflows.

mandiant logo

flare-floss

3,381

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Pros of FLARE-FLOSS

  • Lightweight and focused tool specifically for string extraction and deobfuscation
  • Easy to use as a standalone command-line utility
  • Actively maintained by Mandiant, a well-known cybersecurity company

Cons of FLARE-FLOSS

  • Limited in scope compared to FACT_core's comprehensive firmware analysis capabilities
  • Lacks a web interface for easy visualization and collaboration
  • Does not provide extensive plugin support or customization options

Code Comparison

FLARE-FLOSS (Python):

def extract_strings(vw, function_address):
    strings = []
    for block in vw.getCodeBlocks(function_address):
        s = vw.readMemory(block[0], block[1] - block[0])
        strings.extend(re.findall(b"[\x20-\x7f]{4,}", s))
    return strings

FACT_core (Python):

def get_binary_and_filename(file_object):
    binary = file_object.binary
    file_name = file_object.file_name
    return binary, file_name

def get_strings_and_content(file_object):
    strings = file_object.processed_analysis['string_analyzer']['string_list']
    content = file_object.binary
    return strings, content

Both repositories focus on different aspects of binary analysis. FLARE-FLOSS is specialized in string extraction and deobfuscation, while FACT_core offers a more comprehensive firmware analysis platform with a wider range of features and extensibility.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

FACT logo with magnifying glass as the C
The Firmware Analysis and Comparison Tool (FACT)

codecov Codacy Badge Gitter chat CI Build Ruff License: GPL v3

Contents

Why FACT?

Firmware analysis can be used to achieve several interesting goals. Chief among those are identifying functionality, components and potential security weaknesses in black box firmware.

The Firmware Analysis and Comparison Tool (FACT) is intended to automate as much as possible of the manual firmware analysis work. FACT combines a growing set of powerful analyses to create a unified interface that brings the user from an arbitrary firmware sample to a finished analysis. Some of the key features of the FACT analysis, is that results are

  • browsable
  • searchable
  • and comparable.

Furthermore, FACT offers multiple ways of navigating and visualizing analysis results and firmware contents for easy accessibility. The main FACT interface is a html/js/css-based web Interface that can be hosted locally or shared through the network. In addition, FACT offers a REST-like HTTP API that can be explored with an integrated SwaggerUI. Some key features of the web interface are:

  • Easy visualization of firmware by a file tree rendering of all firmware components.
  • Quick navigation of analysis results by observing summaries of results over all firmware components.
  • Highlighting of relevant analysis results as tags on top of each page.
  • Various download options for firmware and components to jump into advanced analysis.

While FACT is maintained as a research prototype, the project is well tested, includes a baseline of documentation and offers a multitude of production level features. We're always looking for feedback and feature requests.

More details and some screenshots can be found on our project page.

Setup

Requirements

FACT is designed as a multiprocess application, the more Cores and RAM, the better.

MinimalRecommended
4 Cores16 Cores
8 GB RAM64 GB RAM
10 GB disk space10* GB disk space

[!NOTE] About 10 GB required to set up FACT code, container, and binaries. Additional space is necessary for storage of unpacked files and analysis results. This can be on a separate partition or drive.

Local Installation

It's principally possible to install FACT on any Linux distribution, but the installer is limited to

  • Debian 11/12 (stable)
  • Ubuntu 20.04/22.04/24.04 (stable)
  • Linux Mint 20/21/22 (stable)
  • Kali (experimental)

FACT requires Python 3.9–3.12 (should be the default in all distributions except Ubuntu 20.04 where you can install a newer version using apt)

The setup process is mostly automated and wrapped in a single script. Some features can be selected specifically though. For a detailed guide on how to install FACT see INSTALL.md.

[!IMPORTANT] Note that while making extensive use of containers, FACT still contains many dependencies (and there is no uninstall provided). If you want to keep your system clean, you can try one of the setup options provided in the following.

Vagrant

We provide monthly and ready-to-use vagrant boxes of our master branch. Vagrant is an easy and convenient way to get started with FACT without having to install it on your machine. Just setup vagrant and import our provided box into VirtualBox. Our boxes can be found here!

Check out on how to get started with FACT and vagrant in our tutorial.

Docker

There is also a dockerized version, but it is currently unmaintained. (see the FACT_docker repo for more information).

Usage

You can start FACT by executing the start_fact.py script. The script detects all installed components automatically.

src/start_fact.py

Afterward, FACT can be accessed on http://localhost:5000 (default) or https://localhost (if FACT is installed with nginx).

You can shut down the system by pressing Ctrl + c or by sending a SIGTERM to the start_fact.py script.

[!CAUTION] FACT is not intended to be used as a public internet service. The web interface is not a hardened application. We try to keep security issues limited by applying SecDevOps but FACT may still offer vulnerabilities. Make sure to reset all passwords in the fact configuration if planning to host FACT on not-fully trusted networks.

Documentation

[!TIP] More documentation on how to use FACT can be found on our wiki pages.

Our Sphinx documentation can be found here.

Information on what FACT is and how it works can also be found in the slides in the docs folder.

REST API

FACT provides a REST API. More information can be found here.

User Management

FACT provides an optional basic authentication, role, and user management. More information can be found here.

Contributing

The easiest way to contribute is writing your own plugin. Our Developer Manual can be found here.

Additional plugins

Currently available additional plugins:

  • Codescanner (:warning: different license)
    • Classification of segments (e.g. ascii / code / high entropy) in arbitrary binaries
    • Classification of cpu architecture in code segments

Analysis Import / Export

The script src/firmware_import_export.py can be used to export unpacked files and analysis results and import them into another FACT instance. The data is stored as a ZIP archive, and this is also the format the script expects during import. To export files and analysis data of analyzed firmware images, run

python3 firmware_import_export.py export FW_UID [FW_UID_2 ...] [-o OUTPUT_DIR]

[!NOTE] The exported archives can take up significant disk space. There is no fixed relation, but it can surpass the size of the original firmware by a factor of 2 - 10.

After this, you can import the exported files with

python3 firmware_import_export.py import FW.zip [FW_2.zip ...]

Presentations

BlackHat Arsenal

We've been happy to show FACT in a number of BlackHat Arsenal sessions.

  • Black Hat Arsenal
  • Black Hat Arsenal
  • Black Hat Arsenal
  • Black Hat Arsenal
  • Black Hat Arsenal

Other

Social

Acknowledgments

Thanks to @botlabsDev, who initially provided a Vagrantfile that is now, however, deprecated.

This project is partly financed by German Federal Office for Information Security (BSI) and others.

License

Firmware Analysis and Comparison Tool (FACT)

Copyright (C) 2015-2024 Fraunhofer FKIE

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.
If not, see http://www.gnu.org/licenses/.

Some plugins may have different licenses. If so, a license file is provided in the plugin's folder.