
By Shannon Morse 

Last week at RSA, several amazing talks were presented, but one stood out by the National Security Agency on Tuesday. Rob Joyce, the NSA’s senior cybersecurity adviser, announced the release of Ghidra, which can be used to decompile, reverse engineer, and analyze malware. And infosec twitter had a BALL last week getting their hands on it. Ghidra was a previously classified software reverse engineering app and suite of tools that was developed by the NSA’s Research Directorate, and NSA releasing it to the world for free is kinda a big deal. 

The tool was first revealed to exist by Wikileaks back in 2017 when the site slowly published multiple CIA documents. A few weeks ago the NSA stated that Ghidra would be released. While other tools are available to malware analysis experts, they generally cost quite a bit of money. One is free, but others range between $149 all the way up to $3500. IDA Pro is probably its biggest competitor, but since that tool is expensive, requires commercial licenses, and sometimes demands personal information from infosec professionals requesting a license, it’s no surprise that Ghidra has been a tool many in the industry have been waiting for with bated breath. 

Ghidra is free AND open source, written in Java, and is now available to anyone who wants to try it out at the NSA’s Ghidra website, ghidra-sre.org, or the NSA’s GitHub page… yes, the NSA has a GitHub page. Ghidra works on Windows, Mac, and Linux. And the tool itself is fine tuned for analysts. It has many useful features, such as a customizable user interface, template options (even a dark mode), plugins, and project collaboration for teams. It works with multiple binaries and, according to Joyce, its processor modules include x86 architectures, ARM, Z80, and a lot more. It is missing a debugger, which IDA Pro does have, but a community effort may add this feature as well.

All you have to do is unzip the archive and make sure you have Java Development Kit 11 or higher installed. Since it runs with such minimal requirements, you don’t need admin privileges to use it, nor does it change anything in the registry; to “uninstall” it, simply delete the Ghidra installation directory.
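Because the only real prerequisite is a JDK of version 11 or newer, the one thing worth checking before the first launch is that the Java on your PATH actually meets that bar and is a full JDK rather than a bare JRE. The script below is an added example and not part of the original post or of the Ghidra project; it assumes the archive was unzipped into the directory named by GHIDRA_DIR (defaulting to ~/ghidra) and uses the Linux/macOS launcher script that Ghidra ships as ghidraRun. It parses the version string `java -version` prints (which goes to stderr), handles both the old "1.8.0_x" and the new "11.0.x" numbering schemes, and refuses to start if the requirement is not met.

```shell
#!/bin/sh
# Added example (not from the original post or the Ghidra project): a pre-flight
# check that Ghidra's one requirement, JDK 11 or newer, is satisfied before the
# launcher is run. No root, no installer, no registry changes are involved.
# Assumptions: GHIDRA_DIR is the unzipped directory, and the launcher inside it
# is the ghidraRun script shipped for Linux/macOS.

# java_major_version VERSION_STRING -> prints the major version number.
# Old scheme "1.8.0_202" -> 8; new scheme "11.0.2" or "17" -> 11 / 17.
java_major_version() {
    v="$1"
    case "$v" in
        1.*) echo "$v" | cut -d. -f2 ;;
        *)   echo "$v" | cut -d. -f1 ;;
    esac
}

# jdk_is_supported VERSION_STRING -> exit status 0 if major >= 11, else 1.
jdk_is_supported() {
    major=$(java_major_version "$1")
    # Reject empty or non-numeric majors instead of letting `test` error out.
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$major" -ge 11 ]
}

# detected_java_version -> extracts the quoted version from `java -version`,
# e.g. 'openjdk version "11.0.2" 2019-01-15' -> 11.0.2 (empty if no java).
detected_java_version() {
    java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# javac_present -> a JRE alone is not enough; Ghidra needs the JDK compiler.
javac_present() {
    command -v javac >/dev/null 2>&1
}

# launch_ghidra -> runs the checks, then hands over to the launcher script.
launch_ghidra() {
    dir="${GHIDRA_DIR:-$HOME/ghidra}"   # assumption: where the zip was extracted
    ver=$(detected_java_version)
    if [ -z "$ver" ]; then
        echo "java not found on PATH; install JDK 11 or newer first" >&2
        return 1
    fi
    if ! jdk_is_supported "$ver"; then
        echo "found Java $ver, but Ghidra needs JDK 11 or newer" >&2
        return 1
    fi
    if ! javac_present; then
        echo "javac missing: a JRE is not enough, install a full JDK" >&2
        return 1
    fi
    exec "$dir/ghidraRun"
}

# usage: GHIDRA_DIR=~/ghidra sh ghidra-preflight.sh   (then call launch_ghidra)
```

Keeping the version parsing in its own function is deliberate: the "1.x" versus "11.x" split is the usual place such checks go wrong, and it can be exercised on canned strings without a JDK present.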

Obviously, the NSA has a motive for releasing it. They hope that security researchers will use it and then apply for jobs at the NSA - they even had a “we’re hiring” booth at the trade show, and the tool includes an installation guide, classes and exercises for all levels.

For folks who are looking to get into the industry of malware analysis, this is quite the game changer. It will allow for education and more knowledge on the subject, and will hopefully spur more interested parties to consider it as a career and make it a more inclusive career choice for up-and-comers.

Of course, there are a few negatives. Releasing the tool means anyone can use it, not just folks that want to work at the NSA. And it’s also an NSA tool, though according to Joyce, there is no backdoor. “Scouts Honor.”
