FACT_core icon indicating copy to clipboard operation
FACT_core copied to clipboard

Published 20 hours ago verified publisher icon fkie-cad

Webhook for finished firmware analysis

Open nstarke opened this issue 4 years ago • 7 comments

This is an idea that I think would be useful.

It would be great if there was a "webhook" that would make an HTTP request to a specified server when a firmware image analysis is complete. The server address could either be specified during the upload process, or configured as part of main.cfg. This would greatly help automated importing. Right now my automation scripts dump everything into FACT and quickly overload the server. A webhook would allow for measured uploading.

Just an idea, you can feel free to close this ticket if you disagree. If you like the idea, I'm happy to work on the implementation.

nstarke avatar Jun 30 '20 13:06 nstarke

Hi, I think this is a great idea. I already thought about whether e-mail notification would be a useful addition but this would probably be even better. Your contribution will be very much appreciated!

jstucke avatar Jun 30 '20 15:06 jstucke

Since FACT is designed to be a multi-user system, making the feature configurable during upload would make the most sense in my opinion.

jstucke avatar Jun 30 '20 15:06 jstucke

I've been looking at the FACT code to try to discern the best place to insert code for this feature, and I'm a bit at a loss. Where would be the preferred location for this code? I'm looking specifically for when a workload is complete. Thanks for your help!

nstarke avatar Jul 19 '20 18:07 nstarke

The function result_collector() in src/scheduler/Analysis.py is used for collecting the results of the analysis plugins. In _remove_from_current_analyses() in line 473 the check, whether the firmware analysis is complete takes place. This is probably the place where the hook should be triggered.

jstucke avatar Jul 20 '20 06:07 jstucke

I tried placing the code at line 483 in that file but the fw_object object was always of type FileObject at the end of the analysis and thus I couldn't access the webhook_url property I added to the Firmware object. I agree with you that that looks like the proper location, but I would need some help figuring out how to get the webhook_url into that function at that time.

nstarke avatar Jul 20 '20 13:07 nstarke

The Firmware object and any unpacked FileObject undergo the analysis process individually. This made the check, if the analysis is complete a bit complicated. But you could simply add the webhook url to the data in _init_current_analysis() when the Firmware object is analyzed and retrieve it in _remove_from_current_analyses() when you know the analysis is finished (when the analysis of the last recursively unpacked FileObject is done).

jstucke avatar Jul 21 '20 06:07 jstucke

I was thinking about this feature and I noticed another problem: the analysis scheduler (where the completed analysis is noticed) and the frontend (from where the signal is sent) may be running on different systems if FACT was set up as a distributed system. Therefore, the information needs to run through the "intercom" (which sits in between). This would require some new logic there is well.

jstucke avatar Jul 23 '20 12:07 jstucke