Kara Nance has always been eager to understand how things worked, even before being introduced to software reverse-engineering through her work with The Honeynet Project, a nonprofit security research organization.
Nance, private security consultant and former board member of The Honeynet Project, is co-author of The Ghidra Book: The Definitive Guide.
Ghidra is a software reverse-engineering tool originally developed for internal use by the National Security Agency before being released as open source in early 2019. Since its release, Ghidra has been embraced as a free alternative to expensive reverse-engineering suites, like IDA Pro.
Nance discussed how the release of Ghidra impacted the reverse-engineering of software and how the tool has evolved since its release. The Ghidra Book: The Definitive Guide is meant to “meet students where they are,” regardless of reverse-engineering experience, and guide them as they progress in the field, according to Nance.
Editor’s note: This interview has been edited for length and clarity.
Why was the release of Ghidra exciting for reverse-engineering?
Kara Nance: Ghidra opened a lot of doors for reverse-engineers at all levels. It is free, which is really exciting because it creates opportunity and levels the playing field for both new and experienced reverse-engineers. Inquisitive, tech-savvy individuals who want to investigate the world of reverse-engineering can easily try Ghidra out and begin to explore the world of RE without a significant investment of time or money.
The Ghidra installation includes a starter tutorial to introduce new users to the basic functionality. The integrated decompiler simplifies the introduction by providing a C-like version of the source code to accompany the disassembly provided in the Listing window. This pairing lowers the barrier of entry for new explorers.
How did the reverse-engineering community react to the release of Ghidra?
Nance: Experienced reverse-engineers are adding Ghidra to their toolkits. The no-cost solution is particularly appealing as the expense associated with similar tools can be prohibitive. Using Ghidra provides some leverage for organizations that have not been able to make a significant cash investment in RE tools.
Academic institutions can now organize their reverse-engineering courses around Ghidra and provide their students with a cutting-edge tool suite for reverse-engineering at no cost. In addition, these students gain experience in a tool they are likely to meet again as they begin their professional careers.
I think the comments I hear most frequently from users in professional settings concern the advantage and ease of integrating Ghidra into their RE workflows. Workflows can be adjusted to take advantage of Ghidra’s strengths, and Ghidra scripts can be created or customized to automate repetitive workflow tasks. This allows reverse-engineers to focus on the challenging questions and let Ghidra automatically do the busy work. In addition, users can build and add their own extensions to Ghidra, such as new processors.
What are the exciting community aspects of Ghidra?
Nance: Another favorite is the Ghidra Project environment, which allows you to group, organize and share files in a cohesive format that makes sense to you. For many reversing professionals, this is particularly helpful when using Ghidra’s version tracking and binary differencing capabilities to investigate how binaries evolve over time and how they are patched.
Ghidra Server — which is a standard component of the distribution — provides a particularly timely capability for reverse-engineers to conduct collaborative analysis. The ability to use Ghidra as a collaborative tool addresses issues for some tech shops, especially in the current chaotic world, where so many of us are working remotely and can’t call a colleague over to ask, ‘What the heck is going on in this part of the code?’
Ghidra Server allows teams to analyze files together, ask questions of each other and work toward a common goal, even when they are not in the same room or country. The advantage is that different people can perform different analysis tasks on the same project at the same time.
How has the tool evolved since its release?
Nance: While many will use the tool suite as provided, customizing and improving Ghidra is surprisingly easy. Part of the beauty of open source projects like this is that users who encounter problems can easily report them, and those with the time and ability can provide fixes and enhancements, which many users are already doing.
Not all Ghidra customizations, extensions and scripts make it back to the repository, but a growing number do. There were seven releases of Ghidra within the first year, each of which addressed multiple issues, including security, bugs [and] improvements, as well as introduced new features.
What’s the most surprising change since its release?
Nance: For me, the most surprising contribution made by individuals is the number of people who have jumped into the deep end to add new processors or extend processor capabilities for Ghidra. Processor extensions are one of the most specialized topics within Ghidra, requiring mastery of a new language that can be challenging to understand. I am amazed and impressed by the many individuals who selected a processor as the first nut to crack.
An obvious use case would be reverse-engineering a binary for which no processor module exists — for example, an executable image pulled from the plethora of IoT devices that are flooding the internet.
Who is this book for?
Nance: I will be thrilled if the book finds its way into the hands of a young girl somewhere in the world and ignites her passion for reverse-engineering. I hope it guides her as she explores and persists, and I look forward to hearing about her journey.