feat(S26): add degraded verification mode for kernel vulnerability checking#1927
nikepakou wants to merge 5 commits into e-m-b-a:master from
Conversation
Thank you for contributing a pull request!
Welcome to the EMBA firmware analysis community!
We are glad you are here and appreciate your contribution. Please keep in mind our contributing guidelines here and here.
Also, please check existing open issues and consider opening a discussion in the dedicated discussion area.
Additionally, we have collected a lot of details around EMBA, the installation and the usage of EMBA in our Wiki.
If you like EMBA you have the chance to support us by becoming a Sponsor or buying some beer here.
To show your love for EMBA with nice shirts or other merch you can check our Spreadshop.
This is an automatic message. Allow time for the EMBA community to read the pull request and comment on it.
Thank you @nikepakou for the bug report and the fix here. Before going into detailed review, please ensure that your PR is based on the latest master, as we introduced shfmt a few days ago for enforcing a nicer formatting style.
shfmt is currently not passing. Please check.
33e3f2a to 3d83b34
…ecking
- Add KERNEL_SOURCE_AVAILABLE flag to detect kernel source availability
- Implement vuln_checker_threader_degraded() for symbol-based CVE filtering
- When kernel source download fails, extract function names from CVE descriptions and match against firmware symbol table
- Only report CVEs with matching function names in degraded mode
- Update final_log_kernel_vulns() to handle degraded mode statistics
- Add English-only comments for international collaboration

This addresses the issue of reducing false positives when kernel source download fails during firmware analysis.

Closes: e-m-b-a#1925
Pull request overview
This PR adds a “degraded verification mode” to S26_kernel_vuln_verifier so that when kernel source download is unavailable, the module filters version-derived kernel CVEs by matching function names extracted from NVD descriptions against symbols found in the firmware’s kernel/module ELF data (aiming to reduce false positives, per #1925).
Changes:
- Introduces KERNEL_SOURCE_AVAILABLE gating and a degraded verification path (vuln_checker_threader_degraded) that performs symbol-name-based CVE filtering when sources can't be obtained.
- Refactors S26 flow to always extract kernel/module symbols and then choose between normal (source-based) vs degraded (symbol-only) verification.
- Reworks final reporting (final_log_kernel_vulns) and summary update logic to incorporate degraded-mode behavior/statistics.
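The symbol-name filtering described in the overview above, as an added stand-alone example (not EMBA's own code, and not the PR's vuln_checker_threader_degraded implementation). It assumes a symbol table with one name per line, as you would get from e.g. `readelf -sW vmlinux | awk 'NF>=8 {print $8}'`, and a "CVE-ID;description" CSV; the symbol table, the CVE descriptions and the CVE IDs below are all constructed placeholders, and the function names (write_sample_data, extract_function_names, cve_matches_symbols, filter_cves_degraded) are hypothetical.

```shell
#!/bin/sh
# Added example, not EMBA code: the symbol-based filtering behind S26's
# "degraded" verification mode (kernel sources unavailable) as a stand-alone
# POSIX shell script. Assumptions (hypothetical): the symbol table is one
# name per line, e.g. from `readelf -sW vmlinux | awk 'NF>=8 {print $8}'`;
# CVE input is a "CVE-ID;description" CSV. All data below is constructed.

# Write a constructed symbol table and constructed CVE descriptions (the CVE
# IDs are placeholders, not real entries) into directory $1.
write_sample_data() {
  cat >"$1/symbols.txt" <<'EOF'
nf_tables_newrule
nft_chain_validate
tcp_v4_rcv
ksmbd_conn_handler_loop
schedule
EOF
  cat >"$1/cves.csv" <<'EOF'
CVE-0000-0001;A use-after-free in nf_tables_newrule() in net/netfilter/nf_tables_api.c allows local privilege escalation.
CVE-0000-0002;Out-of-bounds write in bpf_prog_load() when verifying eBPF programs.
CVE-0000-0003;Improper locking in ksmbd_conn_handler_loop allows remote denial of service.
CVE-0000-0004;An unspecified vulnerability in the Linux kernel allows a denial of service.
EOF
}

# Candidate kernel function names in a CVE description: C identifiers written
# with "()" plus bare snake_case identifiers (at least one underscore), as a
# heuristic for names mentioned without parentheses. Output is sorted, unique.
extract_function_names() {
  printf '%s\n' "$1" \
    | grep -oE '[A-Za-z_][A-Za-z0-9_]*\(\)|\b[a-z][a-z0-9]*(_[a-z0-9]+)+\b' \
    | sed 's/()$//' \
    | sort -u
}

# Print the extracted names that exist in the symbol table ($2); exit 0 if at
# least one matched, 1 otherwise (the CVE is then dropped in degraded mode).
cve_matches_symbols() {
  lHIT=1
  for lFUNC in $(extract_function_names "$1"); do
    if grep -qxF -- "${lFUNC}" "$2"; then
      printf '%s\n' "${lFUNC}"
      lHIT=0
    fi
  done
  return "${lHIT}"
}

# Degraded-mode filter: for each "CVE-ID;description" line in $1 print
# "CVE-ID;matched symbols" when a named function is present in the firmware
# symbol table $2, drop the CVE otherwise, and report kept/total on stderr.
filter_cves_degraded() {
  lTOTAL=0
  lKEPT=0
  while IFS=';' read -r lCVE_ID lCVE_DESC; do
    [ -n "${lCVE_ID}" ] || continue
    lTOTAL=$((lTOTAL + 1))
    if lMATCHED="$(cve_matches_symbols "${lCVE_DESC}" "$2")"; then
      lKEPT=$((lKEPT + 1))
      printf '%s;%s\n' "${lCVE_ID}" "$(printf '%s' "${lMATCHED}" | tr '\n' ' ')"
    fi
  done <"$1"
  printf '[*] degraded mode: kept %d of %d version-matched CVEs\n' "${lKEPT}" "${lTOTAL}" >&2
}

# Stand-alone run on the constructed data: only the two CVEs whose named
# function is present in the symbol table survive.
lWORK="$(mktemp -d)"
write_sample_data "${lWORK}"
filter_cves_degraded "${lWORK}/cves.csv" "${lWORK}/symbols.txt"
rm -rf "${lWORK}"
```

Note the two failure modes the filter has by design: a description that names no function at all (the fourth constructed CVE) is dropped, so a real but vaguely described CVE is lost in degraded mode, and a file name such as nf_tables_api.c is also extracted as a candidate and only filtered out because it is absent from the symbol table. Stripped symbol tables make the second check useless, so a production version should record how many symbols were actually available.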
m-1-k-3 left a comment
Quite a huge PR with a lot of changes. I am about 50% done with it. Multiple comments to check and adjust. Please also share your testing firmware and your testing procedure (EMBA start command).
| # - Final vulnerability report | ||
| # ========================================================================================== | ||
| # Set thread priority to 1 (low priority) |
Set to 1 means that this module is a priority module.
| module_wait "S24_kernel_bin_identifier" | ||
| # now we should have a csv log with a kernel version: | ||
| # Check if S24 CSV log exists |
Please adjust the comment: this file should be available if S24 gave us results.
| print_output "[+] Identified kernel version: ${ORANGE}${lK_VERSION}${NC}" | ||
| # Find kernel ELF entries matching current version from S24 CSV | ||
| # Sort by column 4 (version) in descending order, prioritize higher versions |
| print_output "[+] Found kernel configuration file: ${ORANGE}${KERNEL_CONFIG_PATH}${NC}" | ||
| # we use the first entry with a kernel config detected | ||
| # Use the first entry with kernel config detected | ||
| # Column 1 is the matching kernel elf file - sometimes only config without elf file |
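Review bot: the comment on the sort step says the CSV is sorted by column 4 in descending order so that higher versions win; if that is a plain `sort -r` on the version string, 4.9.x sorts above 4.19.x and 5.4 above 5.10, so the wrong entry is picked. Use a version-aware sort on that field, e.g. `sort -t ';' -k4,4Vr`. Separately, rewriting `# we use the first entry with a kernel config detected` to `# Use the first entry with kernel config detected` changes only capitalization and wording; dropping such cosmetic comment churn would make the real changes easier to review.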
This is a kernel file, but it does not automatically mean this is an ELF file.
| # Column 1 is the matching kernel elf file - sometimes only config without elf file | ||
| if [[ "$(echo "${lKERNEL_DATA}" | cut -d\; -f1)" == "/"* ]]; then | ||
| # field 1 is the matching kernel elf file - sometimes we have a config but no elf file | ||
| # field 1 is the matching kernel elf file |
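Review bot: three comment variants now describe field 1 (`# Column 1 is the matching kernel elf file - sometimes only config without elf file`, `# field 1 is the matching kernel elf file - sometimes we have a config but no elf file`, `# field 1 is the matching kernel elf file`); keep a single one, and since the file is a kernel binary that is not necessarily an ELF, as noted above, say "kernel file". The check `if [[ "$(echo "${lKERNEL_DATA}" | cut -d\; -f1)" == "/"* ]]; then` can drop the subshell and pipe with the parameter expansion `[[ "${lKERNEL_DATA%%;*}" == "/"* ]]`.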
| lKARCH="${lKARCH,,}" | ||
| export COMPILE_SOURCE_FILES=0 | ||
| export COMPILE_SOURCE_FILES_VERIFIED=0 | ||
| local lARCH="${3:-}" |
The K was for kernel. Please recover the original name.
| # -d: debug mode, output detailed info | ||
| # -i: ignore errors | ||
| # Based on paper: https://arxiv.org/pdf/2209.05217.pdf | ||
| make -C "${lKERNEL_DIR}" ARCH="${lARCH}" -Bndi 2>/dev/null | grep -E "\.c|\.h|\.S" >"${LOG_PATH_MODULE}"/kernel-compile-files.log || true |
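Review bot: the filter `grep -E "\.c|\.h|\.S"` is unanchored, so it also keeps dry-run lines that mention `.config`, `.cmd`, `.cc` or `.hex`, which then land in kernel-compile-files.log as supposed source files. Anchor the extension, e.g. `grep -E '\.(c|h|S)\b'`. Also, the pipeline's exit status is grep's and `2>/dev/null` drops make's diagnostics, so a broken `make -Bndi` run is indistinguishable from a dry run that simply listed no sources; redirecting make's stderr into `${LOG_PATH_MODULE}` keeps that distinguishable.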
Please do not remove the LANG, as this will result in issues on other-language systems.
| cp "${lCONFIG}" "${lKERNEL_DIR}/.config" || true | ||
| print_output "[*] Update kernel configuration" | ||
| make -C "${lKERNEL_DIR}" ARCH="${lARCH}" olddefconfig 2>/dev/null || true |
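Review bot: `cp "${lCONFIG}" "${lKERNEL_DIR}/.config" || true` followed by `make -C "${lKERNEL_DIR}" ARCH="${lARCH}" olddefconfig 2>/dev/null || true` swallows a failed copy, after which `olddefconfig` runs against whatever `.config` is already in the tree (or none) and produces a default configuration that no longer reflects the firmware; the `2>/dev/null` also hides why it failed. Check the copy result before running `olddefconfig` (log and return on failure), and send make's stderr to a log file in `${LOG_PATH_MODULE}` rather than /dev/null.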
Please leave the reference to Stack Overflow.
| cp "${lCONFIG}" "${lKERNEL_DIR}/.config" || true | ||
| print_output "[*] Update kernel configuration" | ||
| make -C "${lKERNEL_DIR}" ARCH="${lARCH}" olddefconfig 2>/dev/null || true |
Please leave the original logging and the link to the log for later verification.
| print_output "[*] Generating final vulnerability report for kernel ${ORANGE}${lK_VERSION}${NC}" | ||
| # Create CSV report file (header) -保持向后兼容格式 |
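Review bot: the new comment `# Create CSV report file (header) -保持向后兼容格式` still carries a Chinese fragment (it means "keep the format backward compatible"), although the commit message states that comments were made English-only; rewrite it as `# Create CSV report file (header) - keep the format backward compatible`.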


Summary
This PR implements a degraded verification mode for the S26 kernel vulnerability verifier module to address issue #1925.
Changes
Problem Solved
The current S26 module generates many false positives when kernel source download fails:
Solution
When kernel source is unavailable:
This significantly reduces false positives while maintaining accurate vulnerability detection.
Closes #1925