ISCAP Proceedings - 2025

Louisville, KY - November 2025



ISCAP Proceedings: Abstract Presentation


Patch Hunter - A Docker Toolkit for Firmware Differential Analysis


Michael Ham
Dakota State University

Kyle Cronin
Dakota State University

Abstract
The National Security Agency administers the National Centers of Academic Excellence in Cybersecurity (NCAE-C) program. This program designates universities that offer strong cybersecurity curriculum, programs, and support as Centers of Academic Excellence. The goal is to support quality academic programs that contribute to the nation’s cyber workforce in the most critically needed areas. Among the designations offered through the NCAE-C program, the Cyber Operations (CO) program is the most prestigious and technically rigorous; only 22 schools in the nation have achieved it. Graduates of CO programs possess technical skillsets related to specialized cyber operations such as exploitation, reverse engineering, and computer science. Degree programs are evaluated against prescribed Knowledge Units (KUs) that drive curricular development and learning outcomes. These KUs give a keyhole glimpse into intelligence community priorities. Software Reverse Engineering is a mandatory KU, and Hardware Reverse Engineering and Microcontrollers are listed as optional KUs, highlighting the significance of these areas in the context of embedded systems. This research introduces a portable and reproducible framework to aid reverse engineers and vulnerability researchers in understanding firmware changes in embedded devices. Often, when the manufacturer updates a target device’s firmware, it will contain feature enhancements, bug fixes, or even regressions. These modifications are instrumental in assisting analysts seeking to pinpoint remediated or newly introduced bugs and vulnerabilities within a system. The toolkit, under ongoing development and study, automates the comparison of firmware versions by leveraging Binwalk, among other analysis tools, within a Docker container. 
Analysts provide a baseline and a modified firmware image from an embedded device, at which point the container executes a workflow to extract the embedded file systems, binaries, and scripts from each image using Binwalk. A differential analysis (diff) is then performed to identify any altered components. The results are captured and presented in a portable JSON format for analysts to review and feed into other processes. The toolkit provides several technical advantages. Docker enables it to run in a variety of environments and eliminates cross-platform dependency issues. By automating standard analysis tasks, it frees reverse engineers to spend their time on the areas of interest in the targets. Furthermore, structured JSON output allows the results to be passed to scripts, other tools, and dashboards. As a research artifact, Patch Hunter has strong potential in academic contexts because it is repeatable in experiential lab exercises. The containerized design ensures instructors can distribute the software with minimal setup for on-campus and remote modalities. It supports cybersecurity's dual mission: advancing offensive capabilities (e.g., exploit creation) and defensive improvement of critical devices (e.g., patch validation). Software reverse engineering is a crucial competency for the NCAE-C Cyber Operations designation. Patch Hunter addresses a pressing need by providing a portable, automated, and reproducible toolkit for firmware differential analysis. Combining Binwalk's extraction capabilities with a Docker-based workflow, Patch Hunter enables students and analysts to efficiently identify firmware changes, validate patches, and investigate vulnerabilities. This enhances cybersecurity education and equips practitioners with a practical, scalable solution for real-world firmware analysis.
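The following is an added example of the extract-then-diff workflow the abstract describes; it is not Patch Hunter's own code. It assumes binwalk is installed on PATH and accepts the `-e -C <dir>` extraction options (used only by `extract_with_binwalk`, which the test does not call), and that each image carves out to an ordinary directory tree. The diff stage hashes every regular file in the two trees, classifies it as an ELF binary, an interpreter script, or other from its leading bytes, and emits added/removed/modified records as JSON. The sample trees built by `demo()` are constructed for illustration.

```python
"""Firmware tree differ: added example, not Patch Hunter's own code.

Assumptions: binwalk is on PATH and supports `-e -C <dir>` (only needed by
extract_with_binwalk); extracted images are plain directory trees. The diff
itself works on any two directories.
"""
import hashlib
import json
import subprocess
import tempfile
from pathlib import Path


def extract_with_binwalk(image: str, outdir: str) -> str:
    """Carve one image into outdir with binwalk (requires binwalk; not run by the test)."""
    Path(outdir).mkdir(parents=True, exist_ok=True)
    subprocess.run(["binwalk", "-e", "-C", outdir, image], check=True)
    return outdir


def classify(path: Path) -> str:
    """Coarse type from magic bytes: ELF binary, shebang script, or other."""
    with path.open("rb") as fh:
        head = fh.read(4)
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def fingerprint_tree(root: str) -> dict:
    """Map each regular file (relative POSIX path) to its sha256, size and type."""
    root_path = Path(root)
    entries = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # skip links and directories; only file content is compared
        entries[p.relative_to(root_path).as_posix()] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "size": p.stat().st_size,
            "type": classify(p),
        }
    return entries


def diff_trees(baseline_root: str, modified_root: str) -> dict:
    """Compare two extracted trees and return a JSON-serialisable report."""
    base = fingerprint_tree(baseline_root)
    mod = fingerprint_tree(modified_root)
    changes = []
    for rel in sorted(set(base) | set(mod)):
        if rel not in base:
            changes.append({"path": rel, "status": "added",
                            "type": mod[rel]["type"], "size": mod[rel]["size"]})
        elif rel not in mod:
            changes.append({"path": rel, "status": "removed",
                            "type": base[rel]["type"], "size": base[rel]["size"]})
        elif base[rel]["sha256"] != mod[rel]["sha256"]:
            changes.append({"path": rel, "status": "modified", "type": mod[rel]["type"],
                            "size_delta": mod[rel]["size"] - base[rel]["size"],
                            "baseline_sha256": base[rel]["sha256"],
                            "modified_sha256": mod[rel]["sha256"]})
    summary = {s: sum(1 for c in changes if c["status"] == s)
               for s in ("added", "removed", "modified")}
    summary["unchanged"] = len(set(base) & set(mod)) - summary["modified"]
    return {"baseline": baseline_root, "modified": modified_root,
            "summary": summary, "changes": changes}


def demo() -> dict:
    """Build two constructed sample trees (stand-ins for binwalk output) and diff them."""
    tmp = Path(tempfile.mkdtemp(prefix="patchdiff-"))
    base, mod = tmp / "base", tmp / "mod"
    for d in (base / "bin", mod / "bin", mod / "etc"):
        d.mkdir(parents=True)
    # Constructed sample: httpd rebuilt, old.sh dropped, init.sh added, version unchanged.
    (base / "bin" / "httpd").write_bytes(b"\x7fELF" + b"\x00" * 16)
    (mod / "bin" / "httpd").write_bytes(b"\x7fELF" + b"\x01" * 20)
    (base / "bin" / "old.sh").write_bytes(b"#!/bin/sh\necho old\n")
    (mod / "etc" / "init.sh").write_bytes(b"#!/bin/sh\necho new\n")
    (base / "version").write_bytes(b"1.0\n")
    (mod / "version").write_bytes(b"1.0\n")
    return diff_trees(str(base), str(mod))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names which files changed, not how; a modified ELF is the cue to load both copies into a disassembler or a binary diffing tool, while a modified or added script can usually be read directly. Hashing by relative path also means a renamed file shows up as one removal and one addition, which is worth keeping in mind when the summary counts look larger than expected.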