The release of RBS’s firmware reverse engineering tool is consistent with government and industry calls for higher security standards.
For over a decade, Red Balloon Security has used FRAK (the Firmware Reverse Analysis Konsole) in deployments with the US government, in commercial engagements with original equipment manufacturers (OEMs), and in independent research on device firmware. It has proven to be a multi-faceted tool that RBS engineers rely on to make sense of, harden, and repack firmware binaries that are essential to the operation of all types of embedded devices, including satellite control terminals, PLCs, automotive ECUs, building control and safety equipment, and ordinary commercial products, such as drones or monitors.
But from its inception, FRAK was meant to be a tool for the security community at large.
RBS CEO and founder, Dr. Ang Cui, originally created FRAK in 2012. “At the time, I thought, here’s a framework that would help researchers move embedded security forward,” Dr. Ang Cui explained recently. “I thought the security community and engineers with all the leading device manufacturers should have it at their disposal.”
In August 2022, after many refinements, many of which we honed through engagements with DARPA, DHA, and DoD, Red Balloon made FRAK (OFRAK, in its current iteration) available to the greater security community.
Red Balloon is dedicated to making firmware easier to understand, easier to improve and easier to secure. We encourage engineers and other technical people to visit https://ofrak.com for a deeper understanding of OFRAK’s functionality and licensing options.
Here are seven answers to more general questions about what OFRAK is, what it does, and why Red Balloon is so excited about this release.
OFRAK is a binary analysis and modification platform that combines the ability to:
OFRAK supports a range of embedded firmware file formats beyond user-space executables, including:
Red Balloon frequently uses OFRAK for firmware unpacking, analysis, modification, and repacking, and maintains it with those purposes in mind.
Both engineers working for device manufacturers and security researchers tasked with discovering or remediating device vulnerabilities can use OFRAK to analyze how a device’s firmware operates and to modify it.
“[OFRAK] is a valuable tool that significantly facilitated security researchers’ work in the field of applied embedded security. I am very happy to see more of this project being made available to such a wide audience through open source.”
Mudge (Peiter Zatko): Security Researcher, Former Head of DARPA (Defense Advanced Research Projects Agency)
Essentially, OFRAK allows software engineers to do their work with greater speed and efficiency, freeing them up to tackle harder engineering problems.
For less-experienced users, OFRAK is an excellent platform for learning about binaries and embedded firmware in general.
RBS uses OFRAK to unpack firmware and inject its firmware hardening and runtime protection solutions, such as Symbiote.
No. Many firmware unpacking and analysis tools already exist. One of the most popular publicly-available tools, Ghidra, was developed and released by the NSA in 2019.
Most binary analysis tools work best when analyzing common executable file formats or binary blobs, but struggle with common firmware formats or navigating nested firmware files. OFRAK’s first-class support for embedded firmware allows a user to unpack and analyze an ELF buried within an XZ-compressed CPIO file system inside of an ISO, modify the ELF, and then repack the entire tree.
Furthermore, OFRAK provides a unified interface for interacting with other powerful tools. For example, OFRAK provides a common disassembler interface that allows engineers to switch between supported disassemblers (angr, Binary Ninja, Capstone, Ghidra, IDA Pro). Similarly, the OFRAK PatchMaker provides a common interface for interacting with various assemblers, compilers and toolchains. These common interfaces enable engineers to easily switch between disassemblers, assemblers, and toolchains without having to rewrite their business logic. This flexibility helps save money when the constraints of a project require using a particular tool.
“Oftentimes, it’s cost prohibitive for organizations to hire reverse engineers with specialized skills to patch embedded devices. Automating the application of a fix turns out to be a hard computer science problem with fundamental research challenges. These challenges must be supported with new classes of modular, community-building, research-enabling tools such as OFRAK.”
Sergey Bratus, Program Manager, DARPA
Not if it’s being used responsibly. This is where OFRAK’s modular component design, which breaks unpacking, modification, and packing into discrete steps, is important. OFRAK’s component architecture allows engineers to chain together tested and verified unpackers, modifiers, and packers in a safe way. This reduces the likelihood of introducing unintended changes into a firmware binary.
OFRAK is for any serious student or practitioner of reverse engineering. Every reverse engineer begins as a student or as a curious self-starter. RBS is committed to a process that will train the next generation of engineers. This is why OFRAK is free to individuals who are learning in an academic program or on their own.
Technically, no. OFRAK is source-available, but not open source. The code in OFRAK’s GitHub repository comes with the OFRAK Community License, which is intended for educational use, personal development, or just having fun. Users interested in using OFRAK for commercial purposes can learn more at ofrak.com/license. Free 6-month trials of the OFRAK Pro License are available for a limited time.
To learn more about Red Balloon Security’s offers, visit our Products page or contact us: [email protected]
© 2024 Red Balloon Security.
All Rights Reserved.
Sal Stolfo was an original founding member of Red Balloon Security, Inc.
Contact us now to discover more about Red Balloon Security’s range of solutions and services or to arrange a demonstration.
Reach out to learn more about our embedded security offering and to schedule a demo.