NSA releases reverse engineering tool Ghidra

The National Security Agency has released a reverse engineering tool, Ghidra, under an Apache 2.0 open source license.
8 March 2019

NSA director Paul Nakasone. Source: AFP

For most of us, the first question that will come to mind is why the National Security Agency (NSA) would share such a valuable tool, one it has kept under wraps for around a decade, with the public.

Well, the NSA claims Ghidra is a great addition to the net defender’s toolbox, and as cybersecurity threats are higher than they’ve ever been, developers need all the help they can get.

Ghidra is the agency’s in-house reverse engineering tool and is now available for free to developers and malware analysts under an Apache 2.0 open source license.

Reverse engineering allows analysts to reconstruct compiled software into a human-readable structure. It is a crucial component of malware analysis and threat intelligence, helping analysts find out how malicious software works, who wrote it and where it came from.

“It will make the software reverse engineering process more efficient. It will help to level the playing field for cybersecurity professionals, especially those that are just starting out,” the agency said.

The NSA expects the tool to enhance cybersecurity education, from capture-the-flag competitions to school curriculums and cybersecurity training, and it offers a free alternative to IDA Pro, a similar tool available only under a very expensive commercial license.

Releasing the tool also helps the agency with its own recruitment: “Releasing Ghidra also benefits NSA because we will be able to hire folks who know the tool. When they’re coming through our doors, they’ll be able to be impactful faster,” it added.

One of Ghidra’s most noteworthy features is a processor modeling language called ‘Sleigh’ that specifies how machine language instructions are disassembled and transformed into the tool’s intermediate representation called P-code.

Patrick Miller, a security researcher at Raytheon Intelligence, told CBR that Sleigh allows Ghidra’s features to be applied to any processor architecture that has a Sleigh module. Existing modules can be modified, and new ones can be written by the user to support any architecture they need.

As the program supports scripting via Java or Python, more complex features can be developed using the system’s API.
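To make the Sleigh/P-code pipeline and the scripting API concrete, here is an added example of a Ghidra script (written for this article, not code from the NSA or the Ghidra project). It runs inside Ghidra as a Java script, asks the decompiler for the P-code of every function in the currently open program, and tallies a few op types that an analyst typically wants to see at a glance: indirect calls (often a sign of dynamically resolved imports or obfuscated control flow), and memory loads and stores. The class name, the 30-second decompile timeout and the chosen op types are my own choices; the API calls (`DecompInterface`, `decompileFunction`, `HighFunction.getPcodeOps`, the `PcodeOp` opcode constants) are part of Ghidra’s public API.

```java
// Added example: summarise decompiler P-code per function.
// Run from Ghidra's Script Manager with a program open.
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.pcode.HighFunction;
import ghidra.program.model.pcode.PcodeOp;
import ghidra.program.model.pcode.PcodeOpAST;

import java.util.Iterator;

public class PcodeOpSummary extends GhidraScript {

    @Override
    public void run() throws Exception {
        // The decompiler works on P-code produced by the Sleigh module for
        // the program's processor, so this script is architecture-independent.
        DecompInterface decomp = new DecompInterface();
        if (!decomp.openProgram(currentProgram)) {
            printerr("Could not open the program in the decompiler");
            return;
        }
        try {
            // getFunctions(true) iterates in ascending address order.
            for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
                if (monitor.isCancelled()) {
                    break;
                }
                // Hypothetical choice: 30-second timeout per function.
                DecompileResults res = decomp.decompileFunction(f, 30, monitor);
                HighFunction hf = res.getHighFunction();
                if (hf == null) {
                    println(f.getName() + ": decompilation failed");
                    continue;
                }

                int total = 0, indirectCalls = 0, loads = 0, stores = 0;
                Iterator<PcodeOpAST> ops = hf.getPcodeOps();
                while (ops.hasNext()) {
                    PcodeOpAST op = ops.next();
                    total++;
                    switch (op.getOpcode()) {
                        case PcodeOp.CALLIND:
                            indirectCalls++;   // call through a register or memory slot
                            break;
                        case PcodeOp.LOAD:
                            loads++;
                            break;
                        case PcodeOp.STORE:
                            stores++;
                            break;
                        default:
                            break;
                    }
                }
                println(String.format("%-32s ops=%5d callind=%3d load=%4d store=%4d",
                        f.getName(), total, indirectCalls, loads, stores));
            }
        } finally {
            // Releases the decompiler process for this script run.
            decomp.dispose();
        }
    }
}
```

Because the script consumes P-code rather than native instructions, the same logic applies to any binary for which a Sleigh module exists; the same counting could also be written in Ghidra’s Python (Jython) scripting with the identical API calls.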

Some quarters have questioned the motives of the NSA in releasing such a tool to the public, speculating whether the agency would use it as a ‘backdoor’ and noting that it also presents foreign agents with the same capabilities, but the overall response from cybersecurity experts has been positive.

Speaking to TechHQ, Adam Brown, manager of security solutions at Synopsys said, “Ghidra should be used and trusted where appropriate, as it’s simply a tool to help decode compiled software.”

He believes an open source tool such as Ghidra makes reversing more accessible and in the long term improves security by garnering talent in those interested in experimenting.

“The more software security people we have the more security reviews can be performed, the better risk is understood, and the faster software can be fixed,” he added.

Chris Doman, a security researcher at AT&T Cybersecurity, agreed, adding, “Ghidra’s open-sourcing is big news as there has historically been no solid competition to the existing main player IDA Pro which can be cost prohibitive.”

He feels that this may level the reverse engineering playing field, enabling students and newer security researchers to use a high-grade reverse engineering tool: “That’s good news when one of the largest issues facing cyber-security is the lack of qualified people,” he notes.

Finally, Suzanne Spaulding, Nozomi Networks Advisor and former Department of Homeland Security Under Secretary, says that the move to make Ghidra an open-source tool will have great benefits for all.

“Helping the private sector better, and more quickly, understand malware makes us all safer…it can deter bad actors if they know their impact will be limited by defenders who have capacity to more quickly understand how an attack was built.”