“Why share such a valuable tool with the public?”
The National Security Agency (NSA) has released the agency’s in-house reverse engineering tool Ghidra to a public audience under an Apache 2.0 open source licence. Unveiled at the RSA conference, Ghidra is now free to download here.
GHIDRA, like commercial alternative IDA Pro and its open source rival FRIDA, allows developers and researchers to “hook” into black box proprietary software and conduct code analysis, debugging, neutralising of malware, or simply add functionalities.
(Tthe NSA has yet to put the code on GitHub, with a placeholder on the site saying “Be assured efforts are under way to make the software available here.)
NSA Ghidra Release: X86, Arm Support + More
It also supports an impressively extensive range of architectures, as senior NSA advisor Rob Joyce, who presented the tool at RSA in San Francisco noted.
Ghidra processor modules: X86 16/32/64, ARM/AARCH64, PowerPC 32/64, VLE, MIPS 16/32/64,micro, 68xxx, Java / DEX bytecode, PA-RISC, PIC 12/16/17/18/24, Sparc 32/64, CR16C, Z80, 6502, 8051, MSP430, AVR8, AVR32, Others+ variants as well. Power users can expand by defining new ones
— Rob Joyce (@RGB_Lights) March 5, 2019
Responding to the most common question about the release (apart from “is it backdoored?”, which the NSA insists it isn’t*) the NSA said: “Why share such a valuable tool with the public instead of keeping it for classified work? We’re doing this because we firmly believe Ghidra is a great addition to a net defender’s toolbox.”
“It will make the software reverse engineering process more efficient. It will help to level the playing field for cybersecurity professionals, especially those that are just starting out. We expect the tool will enhance cybersecurity education from capture-the-flag competitions, to school curriculums and cybersecurity training.”
“Releasing Ghidra also benefits NSA because we will be able to hire folks who know the tool. When they’re coming through our doors, they’ll be able to be impactful faster.”
Just tried out #Ghidra, first impressions:
– Look & feel kinda oldschool (reminiscent of Eclipse 2.x)
– Slow (took about 2m to import/disassemble/decompile notepad.exe)
– Complex UI, graph view in separate Window
– Unnecessary gimmicks: rendering of embedded resource icons
— Christian Blichmann (@AdmVonSchneider) March 6, 2019
One of Ghidra’s most noteworthy features is a processor modeling language called Sleigh that specifies how machine language instructions are dissembled and transformed into the tool’s intermediate representation called P-code. Other significant functions are an undo/redo feature, multi-user collaboration repository, and scripting.
Patrick Miller, a security researcher at Raytheon Intelligence, Information and Services, told Computer Business Review in an emailed statement: “Sleigh allows all of Ghidra’s features to be applied to any architecture or processor that has a sleigh module. Existing modules can be modified, and new ones can be written by the user to support any architecture they need. Ghidra supports scripting via Java or Python. More complex features can be developed using the systems API.”
As with any such closely watched open source tool – particularly one from an agency that, post-Snowden revelations, has a distinctly mixed relationship with the information security community, attempts to find bugs in it came fast.
One of the first to find an issue was Matthew Hickey, who uses online alias “HackerFantastic.” Hickey spotted that it opens JDWP debug port 18001 for all interfaces when a user launches GHIDRA in the debug mode, allowing anyone within the network to remotely execute arbitrary code on the analysts’ system; essentially to allow team collaboration. The port is not opened by default and the issue can be fixed by just changing a line of code in the software, he noted.
Not everyone was a fan of the talk that triggered…
So today you get an cross platform,interactive, multiarch,disassembler,decompiler with collaboration support,version control,undo and much more all for free and even opensource but you only care about that open debug port? Some people cannot be helped ¯_(ツ)_/¯ #Ghidra
— Byte Swap (@byte_swap) March 6, 2019
A Ghidra cheat sheet is here.
* “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart” Joyce said.