The National Security Agency has a history of releasing its tools to open source and the latest in that lineup, a powerful reverse-engineering tool called Ghidra, has been embraced by infosec professionals after some initial hesitation.
Ghidra, the 35th piece of open source software made public by the NSA, is a modular, cross-platform, Java-based tool that can reverse-engineer software for Windows, Mac, Linux, iOS or Android. The capabilities of Ghidra can be extended with custom plugins and this modular architecture can also help the NSA hold back more proprietary functionality.
Rob Joyce, senior advisor for the NSA, announced the release of the Ghidra tool — although the source code had not yet been posted to GitHub at the time of writing — at the RSA Conference in San Francisco last week, and he took on the concerns of the infosec community right away.
“There is no backdoor in Ghidra,” he told the RSAC crowd. “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”
Despite Joyce’s attempt to calm fears, some experts like Amit Serper, head of security research for the Nocturnus group at Cybereason, still had reservations.
“I haven’t installed Ghidra yet. I am going to wait until all of the source code is pushed to GitHub. I’m not keen on the idea of running JARs by the NSA on my machine without being able to check the code out and run it from the source,” Serper said. “With that being said, personally, I think that having something like Ghidra out is very beneficial for everyone, especially with how expensive IDA Pro is.”
Jake Williams, founder and CEO of Rendition Infosec in Augusta, Ga., noted that although something being open source doesn’t mean it can’t have a backdoor, he thinks the NSA implanting a backdoor in Ghidra “just isn’t a credible threat”.
“It’s written in Java, so it’s trivial to get the source code back out. People are already decompiling the Java and patching it,” Williams said via Twitter direct message. “Backdoors are hard to hide in non-obfuscated Java code (which is what Ghidra is built on). I’ll bet good money that someone will try to backdoor it and distribute a copy just to create some media buzz.”
Matt Suiche, founder of threat detection vendor Comae Technologies, said a possible backdoor isn’t what should worry users.
“I understand the paranoia; we have seen security products with security bugs many times,” Suiche said. “Whatever is software will have security bugs, that’s the AppSec Murphy’s Law. So backdoor or not, I’m sure we will see presentations where people find security bugs.”
Matthew Hickey, co-founder and director of cybersecurity services company Hacker House, made good on that prediction the same day the NSA released Ghidra.
Ghidra opens up JDWP in debug mode listening on port 18001, you can use it to execute code remotely.. to fix change line 150 of support/launch.sh from * to 127.0.0.1 https://t.co/J3E8q5edC7
— Hacker Fantastic (@hackerfantastic), March 6, 2019
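As an added illustration (not code from the article, from Ghidra, or from the tweet above), the following Python audits the JDWP agent option in a JVM launch line the way a defender would check the issue Hickey reported: a debug listener bound to * or to a bare port accepts connections on every interface, and the fix is to pin it to 127.0.0.1. The launch-script lines are constructed samples written in the general -agentlib:jdwp=... syntax and are not Ghidra's actual support/launch.sh.

```python
import re

# JDWP agent option as passed to the JVM, e.g. -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:18001
JDWP_RE = re.compile(r"-agentlib:jdwp=(?P<opts>[^\s\"']+)")
# Bind hosts that expose the listener on every interface; a bare
# "address=18001" (no host) behaves like "*:18001".
WILDCARD_HOSTS = {"", "*", "0.0.0.0", "::", "[::]"}

def parse_jdwp_options(opts: str) -> dict:
    """Split 'k=v,k=v' JDWP options into a dict (insertion order kept)."""
    out = {}
    for item in opts.split(","):
        key, _, value = item.partition("=")
        out[key.strip()] = value.strip()
    return out

def listen_address(opts: dict):
    """(host, port) the JVM listens on, or None when server=n (then the
    JVM dials out to a debugger instead of accepting connections)."""
    if opts.get("server", "n") != "y":
        return None
    addr = opts.get("address", "")
    host, sep, port = addr.rpartition(":")
    return (host, port) if sep else ("", addr)

def audit_launch_line(line: str):
    """Return (verdict, hardened_line) for one launch-script line.
    verdict: 'no-jdwp', 'not-listening', 'restricted' (one host) or
    'exposed' (wildcard bind); only exposed lines are rewritten, pinning
    the listener to 127.0.0.1 on the same port."""
    m = JDWP_RE.search(line)
    if not m:
        return "no-jdwp", line
    opts = parse_jdwp_options(m.group("opts"))
    bound = listen_address(opts)
    if bound is None:
        return "not-listening", line
    host, port = bound
    if host not in WILDCARD_HOSTS:
        return "restricted", line
    fixed = dict(opts, address=f"127.0.0.1:{port}")
    rebuilt = ",".join(f"{k}={v}" for k, v in fixed.items())
    return "exposed", line.replace(m.group("opts"), rebuilt)

# Constructed sample lines in the style of a JVM launch script (not Ghidra's file).
SAMPLE_LINES = [
    'VMARGS="${VMARGS} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:18001"',
    'VMARGS="${VMARGS} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18001"',
    'VMARGS="${VMARGS} -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.5:5005"',
    'VMARGS="${VMARGS} -Xmx2G"',
]
```

Running audit_launch_line over each of SAMPLE_LINES flags only the first line as exposed and returns it rewritten with address=127.0.0.1:18001; a listener that must stay reachable from another host should instead be placed behind an authenticated tunnel, since JDWP itself has no authentication.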
The value of Ghidra
Despite any concerns, the NSA described the tool as being very powerful, featuring capabilities including “disassembly, assembly, decompilation, graphing and scripting, and hundreds of other features.” Experts have been impressed with the functionality, especially since competing software — IDA Pro or Binary Ninja — could cost thousands of dollars, while Ghidra is free.
Williams said there were pros and cons in choosing between IDA Pro and Ghidra, but the biggest benefit is that Ghidra is free.
“IDA has a debugger, while Ghidra does not. On the other hand, Ghidra has a built-in decompiler but IDA charges separately for its decompiler. The workflow between the two tools (and even some of the hotkeys) is very similar. If you need an integrated debugger, you should consider IDA instead,” Williams said. “Another drawback [of Ghidra] is that it’s written in Java, which tends to be a memory hog. This won’t usually matter, but may on very large files.”
Suiche said it is difficult to compare Ghidra to IDA because “IDA has been very instrumental in creating an entire market and enabling security researchers for 15 years.”
“It is great to see that NSA is now contributing to the security community; Rob Joyce handled the release really well,” Suiche said. “I am slightly disappointed it didn’t happen 10 years earlier though, but I understand that the NSA is a big ship and it must have taken a lot of effort and convincing internally just to get this release.”
Marcus Hutchins, aka MalwareTech, an independent security researcher, said Ghidra should be seen as “an investment in the future generation.”
“By providing the tools and knowledge required to further people’s interest, you improve overall talent,” Hutchins wrote on his blog. “More talent will lead to higher quality job applicants, potentially reducing the NSA’s skill shortage down the line; GCHQ [Government Communications Headquarters, a British intelligence agency] has been using similar techniques for a while now.”