Fingerprint creation methodology¶
Create deterministic detection logic for specific vulnerable firmware versions using only static artefacts from the Obsidian Desk.
Input: Obsidian Desk’s Vulnerability Report and Artefact List for a specific firmware version (e.g., VendorX-DeviceY-Firmware-v2.1.4-sha256:abc123).
Output: A fingerprint.yaml specification that can be implemented in a scanner.
Overview¶
Fingerprint creation is a design and logic task. You are an engineer drafting a precise blueprint from static evidence. Coding comes next, guided entirely by these blueprints. This separation keeps the process clean, testable, and tool-agnostic.
Process flow¶
+------------------------+
| Obsidian desk analysis |
+------------------------+
|
v
+-------------------+
| Artefact extraction|
+-------------------+
|
v
+-------------------+
| Probe design |
+-------------------+
|
v
+-----------------------+
| Match logic definition|
+-----------------------+
|
v
+-------------------+
| Static validation |
+-------------------+
|
v
+----------+
| Specific?|
+----------+
|
+-----+-----+
| |
No<--+ +-->Yes
| |
v v
+-------------+ +---------------------+
| Refine & | | YAML Specification |
| Loop Back | | (fingerprint.yaml) |
+-------------+ +---------------------+
|
v
+-------------------------+
| Scanner Implementation |
+-------------------------+
Phase 1: Translating artefacts into probes¶
The raw material is the Artefact List. Ignore anything that requires state, authentication, or behavioural interaction (logins, configuration changes). Focus only on publicly observable items.
For each artefact, write a Probe Definition in plain language. Each probe defines a single, self-contained check.
Examples¶
Desk Artefact |
Probe Definition |
|---|---|
|
“Open TCP connection to port 80. Send |
|
“Perform TLS handshake on port 443. Extract certificate serial number. Compare against exact value |
|
“Connect to port 22. Read initial banner. Match regex |
|
“HTTP GET on port 80, path |
Key Insight: Not every artefact is unique. Some may be shared across versions. Focus on static, version-specific strings.
Phase 2: Defining match logic¶
A Fingerprint is one or more Probe Definitions combined with match logic. Decide what constitutes a positive match for the exact firmware version.
Logic table example¶
Target Firmware Version |
Probe 1: HTTP Banner |
Probe 2: TLS Cert Serial |
Match Logic |
|---|---|---|---|
VendorX Switch v2.1.4 |
|
|
Match if: (Probe 1 is TRUE) |
VendorX Switch v2.1.5 |
|
|
Match if: (Probe 1 is TRUE) |
VendorX Router v2.1.4 |
|
|
Match if: (Probe 1 is TRUE) AND (Probe 2 is TRUE) |
Decision rules¶
Single Unique Probe: If one probe uniquely identifies the firmware, use it alone
Combination Required: If multiple probes needed for uniqueness, combine with AND logic
Insufficient Data: If no combination is unique, fingerprint cannot be created (need more artefacts)
Avoid OR Logic: Reduces specificity; use only when absolutely necessary
Phase 3: Static validation¶
Validation occurs before any code is written. This is logic checking, not live scanning.
Positive check¶
Confirm every artefact in the Probe Definitions exists in the Desk’s analysis/ files (e.g., rootfs dump, strings
output). This proves the probe is valid.
Negative check (False positives)¶
Use analysis of other firmware versions (v2.1.5, v2.0.0). Run thw match logic against artefacts from these versions. A v2.1.4 fingerprint must not match any other version.
All validation uses static files only. No emulators. No live scanning.
Phase 4: The Fingerprint Specification¶
The deliverable is a specification document, not code. It is a blueprint for the scanner.
Example fingerprint.yaml¶
fingerprint_id: "FP-2026-001"
target: "VendorX DeviceY Firmware v2.1.4"
source_hash: "sha256:abc123..."
probes:
- protocol: "tcp/http"
port: 80
send: "GET / HTTP/1.0\r\nHost: {{target}}\r\n\r\n"
receive_match: "Server: DeviceOS/2\\.1\\.4 \\(VendorX\\)"
match_logic: "probes[0].receive_match == true"
author: "@forge"
date_validated: "2026-01-14"
validation_note: "Logic passes positive check against rootfs dump. Does not match string data from v2.1.5 or v2.0.0."
confidence: "high"
Field definitions¶
Field |
Purpose |
Example |
|---|---|---|
|
Unique identifier |
|
|
Human-readable description |
|
|
Reference to source analysis |
|
|
List of probe definitions |
(see above) |
|
Boolean expression for match |
|
|
Likelihood of accurate detection |
|
This methodology produces blueprints. Implementation comes next, guided by these precise specifications.