Code published for FwAnalyzer, a firmware security analyzer

Cruise, a company specializing in autonomous driving technology, has opened the source code of the FwAnalyzer project, which provides tools for analyzing Linux-based firmware images and identifying potential vulnerabilities and data leaks in them. The code is written in Go and distributed under the Apache 2.0 license.

It supports analysis of images that use the ext2/3/4, FAT/VFat, SquashFS and UBIFS file systems. Standard utilities such as e2tools, mtools, squashfs-tools and ubi_reader are used to unpack the image. FwAnalyzer extracts the directory tree from the image and evaluates the contents against a set of rules. Rules can be bound to file system metadata, file type, and content. The output is a report in JSON format that summarizes the information extracted from the firmware and lists warnings and the files that do not comply with the processed rules.

It supports checking access rights on files and directories (for example, it detects write access for everyone and incorrectly set UID/GID), determines the presence of executable files with the suid flag and the use of SELinux labels, and detects forgotten encryption keys and potentially dangerous files. In file contents it highlights engineering passwords and debugging data that were left behind, extracts version information, identifies/verifies contents using SHA-256 hashes, and searches using static masks and regular expressions. External analysis scripts can be attached to certain file types. For Android-based firmware, build parameters are determined (for example, use of the ro.secure=1 mode, the state of ro.build.type, and whether SELinux is enabled).
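Three of the checks listed above (world-writable entries, suid executables, leftover private keys) applied to an unpacked tree, as an added Go example that is not FwAnalyzer's own code or rule syntax. The rule names and the in-memory sample tree are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"testing/fstest"
)

// Scan walks an unpacked firmware tree and returns rule name -> offending paths.
func Scan(image fs.FS) (map[string][]string, error) {
	hits := map[string][]string{}
	err := fs.WalkDir(image, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		mode := info.Mode()
		if mode&fs.ModeSymlink == 0 && mode.Perm()&0o002 != 0 { // symlinks are always 0777
			hits["world-writable"] = append(hits["world-writable"], p)
		}
		if !mode.IsRegular() {
			return nil
		}
		if mode&fs.ModeSetuid != 0 {
			hits["suid"] = append(hits["suid"], p)
		}
		data, err := fs.ReadFile(image, p)
		if bytes.Contains(data, []byte("PRIVATE KEY-----")) { // PEM header of any key type
			hits["private-key"] = append(hits["private-key"], p)
		}
		return err
	})
	return hits, err
}

// sampleImage is a constructed tree; pass os.DirFS(dir) for a real extraction.
var sampleImage = fstest.MapFS{
	"bin/su":            {Data: []byte("\x7fELF"), Mode: 0o755 | fs.ModeSetuid},
	"etc/hostname":      {Data: []byte("unit\n"), Mode: 0o644},
	"etc/init.sh":       {Data: []byte("#!/bin/sh\n"), Mode: 0o777},
	"etc/ssh/debug_key": {Data: []byte("-----BEGIN PRIVATE KEY-----\n"), Mode: 0o600},
}

func main() {
	fmt.Println(Scan(sampleImage))
}
```

Run against a real extraction, the suid list is best compared with an explicit allowlist, since a few suid binaries are usually expected.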

FwAnalyzer can be used to simplify the analysis of security issues in third-party firmware, but its main purpose is quality control of firmware that is one's own or supplied by third-party contract vendors. FwAnalyzer rules let you build a precise specification of the firmware's state and detect unacceptable deviations, such as assigning the wrong access rights or leaving private keys and debugging code in place (for example, the check helps avoid situations such as leaving behind an ssh server used during testing, a predefined engineering password, an /etc/config/shadow that is accessible for reading, or forgotten digital signature generation keys).


source: budenet.ru
