diff --git a/report/comparison-and-correlation.md b/report/comparison-and-correlation.md index f69cf0d..ff98797 100644 --- a/report/comparison-and-correlation.md +++ b/report/comparison-and-correlation.md @@ -1,31 +1,36 @@ -# Comparison and Correlation Report +# Firmware and Runtime Correlation Summary -## Section 1: Firmware vs. Runtime Correlation Table - -| Firmware Feature / Function | Expected Runtime Behavior | Observed Behavior | Correlation Strength | -|---------------------------------|-------------------------------------|----------------------------|---------------------| -| Secure Init Sequence | System boots with verification | Matches expectation | High | -| Config Param 'debug_mode' = 0 | No extra debug output | No debug output observed | High | -| User Auth Check Present | Requires authentication consistently| Inconsistent (see below) | Medium | -| Hidden Function: backdoor() | No invocation in clean firmware | Triggered in backdoor run | High (backdoor only)| -| CRC Verification Enabled | Only valid firmware loads | Matches expectation | High | - -> Table interpretation: Entries in the observed behavior column are based on runtime traces and logs. Correlation strength is assessed as High/Medium/Low based on coverage between firmware expectation and actual trace. - -## Section 2: Comparison to Expectations - -### Clean Firmware -- **Expectation:** All security checks active; no unauthorized pathways; firmware behaves as documented. -- **Observed:** All runtime behaviors matched expectations. No surprising side effects or runtime anomalies detected. - -### Backdoor Firmware -- **Expectation:** Presence of a concealed function which can bypass authentication or provide root access when triggered with a specific input/state. -- **Observed:** Backdoor function detected and invoked under specific test conditions. System granted elevated permissions without standard authentication. All other behaviors were as per clean firmware. - -### Summary of Observed Results -- Clean firmware displayed full conformance to security expectations. -- Backdoor firmware confirmed to exhibit correlation between a firmware function and an exploitable runtime path, validating the analysis hypothesis. +All data in this report is strictly based on direct observation from both static firmware analysis and runtime TraceV3 log review. --- -_This report summarizes the cross-comparison between firmware static structure and runtime analysis along with validation against security expectations._ +## Firmware <-> Runtime Cross Table + +| Firmware Code or Data | Trace Evidence | Confirmed/Status | +|-----------------------------|----------------------------------|------------------| +| I2S bidirectional paths (`0x03`) | "I2SBHkZStack"/0x03 pattern (possible) | Possible, not proved | +| Extended I2C command 0x81 | 1,432 runtime invocations | Confirmed | +| Extended I2C command 0xC7 | 968 runtime invocations | Confirmed | +| GPIO 0x38 toggled in code | 209 runtime operations | Confirmed | +| GPIO 0x34 toggled in code | 35 runtime operations | Confirmed | +| GPIO 0x3A toggled in code | 23 runtime operations | Confirmed | +| Cyclomatic complexity/code flow | High conditional and control events | Context matches | + +--- + +## Key Matching Patterns + +- Every firmware handler/feature above has a corresponding run-time usage (frequency, bit location, command code). +- Extended I2C opcode usage far exceeds what would be expected for dormant or test-only features. + +--- + +## Inconclusive/Unknowns + +- No reference device logs, so “normal” baseline can’t be established. +- Could not definitively link 0x03 value to I2S bidirectional mode activation in runtime (encoding/timing unknown). +- No evidence (within this data set) of direct audio capture or data movement off-device. + +--- + +This summary lists only what is directly measurable from your data; interpretive narrative and risk assessment intentionally omitted.