The National Security Agency (NSA) has released Ghidra, a free and cross-platform software reverse engineering tool suite used internally by the intelligence agency.
They are also planning on releasing the tool’s source code on GitHub soon.
Ghidra was created and is maintained by the NSA Research Directorate. It’s coded in Java and users need to have OpenJDK 11 installed on the machine for it to work. It can run in GUI mode but is also capable of running in headless batch mode using the command line.
“In support of NSA’s Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE [software reverse engineering] efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems,” the agency explained.
“[Ghidra] includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, Mac OS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.”
Users can develop their own plugins, scripts and analyzers and the NSA hopes that, once its source code is released, the wider community of software engineers and malware analysts will contribute to its development by reporting bugs, submitting patches, reviewing the code and proposing new features.
For the time being, Ghidra doesn’t have a debugger component that would allow it to compete with the popular (and pricy) software disassembler IDA Pro. But an integrated debugger is apparently already in the works, and so are an emulator and additional analysis tools.
A quick overview of its capabilities can be found in these slides.
Reception and discovered bugs
The tool has already been downloaded and is being tested by many in the infosec community and, generally, they seem to be satisfied with it.
Whether they trust the NSA not to sneak backdoors into it is another matter – I expect many have installed it on a spare computer for the time being.
Rob Joyce, the NSA cyber security adviser who unveiled Ghidra at RSA Conference 2019, reassured cybersecurity professionals that it is not backdoored.
“This is the last community you want to release something out to with a backdoor installed,” he noted.
That might be true, but it didn’t take long for Hacker House director Matthew Hickey to unearth and report a bug that could allow unauthenticated attackers to execute code remotely on machines running the software.
Ghidra opens up JDWP in debug mode listening on port 18001, you can use it to execute code remotely 🤦♂️.. to fix change line 150 of support/launch.sh from * to 127.0.0.1 https://t.co/J3E8q5edC7
— Hacker Fantastic (@hackerfantastic) March 6, 2019
The port is open only in debug mode, which is not activated by default, and according to the NSA it is open to allow teams to collaborate over the network – though Hickey told The Register that the feature is provided by another port.
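The exposure Hickey describes comes down to where the JDWP listener binds. The following audit script is an added example, not Ghidra's own code: it pulls the JDWP options out of a JVM command line or launch-script flag set and reports whether the debug listener would accept connections from other hosts. The sample flag strings are constructed to mirror the reported `*` bind and the suggested `127.0.0.1` fix (the page does not show the exact text of launch.sh line 150), and the `jdk_major` parameter is this example's own, added because a bare port number binds to all interfaces on JDK 8 but only to loopback from JDK 9 on.

```python
import re
from typing import Optional

# Matches both spellings of the JDWP agent flag a launcher may emit.
JDWP_RE = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)([^\s\"']+)")


def parse_jdwp_options(jvm_args: str) -> Optional[dict]:
    """Return the key=value options of the first JDWP flag, or None if absent."""
    m = JDWP_RE.search(jvm_args)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def jdwp_bind_host(address: str, jdk_major: int) -> str:
    """Classify the bind target of a dt_socket 'address' value.

    '*:18001' binds every interface; '127.0.0.1:18001' binds loopback only;
    a bare '18001' binds every interface on JDK 8 but loopback on JDK 9+.
    """
    host, sep, _port = address.rpartition(":")
    if not sep:  # bare port, behaviour depends on the JDK release
        return "loopback" if jdk_major >= 9 else "any"
    if host in ("*", "0.0.0.0", "::", "[::]"):
        return "any"
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return "loopback"
    return "specific"


def audit(jvm_args: str, jdk_major: int = 11) -> str:
    """'no-jdwp', 'not-listening', 'exposed' or 'local' for one flag set."""
    opts = parse_jdwp_options(jvm_args)
    if opts is None or opts.get("transport", "dt_socket") != "dt_socket":
        return "no-jdwp"
    if opts.get("server", "n") != "y":
        return "not-listening"  # client-mode JDWP dials out; nothing listens
    bind = jdwp_bind_host(opts.get("address", ""), jdk_major)
    return "exposed" if bind == "any" else "local"


# Constructed samples: the '*' form mirrors the reported bug, the 127.0.0.1
# form mirrors the fix, the last is a launch without debug mode at all.
JDWP = "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address="
VULNERABLE = f"java {JDWP}*:18001 ghidra.GhidraRun"
FIXED = f"java {JDWP}127.0.0.1:18001 ghidra.GhidraRun"
NORMAL = "java -Xmx1G ghidra.GhidraRun"

if __name__ == "__main__":
    for label, args in (("wildcard", VULNERABLE), ("loopback", FIXED), ("default", NORMAL)):
        print(f"{label}: {audit(args)}")
```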