Application Security , Governance & Risk Management , IT Risk Management

NSA Pitches Free Reverse-Engineering Tool Called Ghidra

'For the Record, There's No Backdoor,' NSA's Rob Joyce Tells RSA Conference
NSA Pitches Free Reverse-Engineering Tool Called Ghidra
Rob Joyce of the National Security Agency unveils Ghidra at RSA Conference 2019 in San Francisco. (Photo: Mathew Schwartz)

Here's free software for reverse-engineering applications - all you have to do is install it on your system.

See Also: Why the Future of Security Is Identity

So went the pitch from the National Security Agency's Rob Joyce (@RGB_Lights) in an RSA Conference 2019 presentation titled "Get Your Free NSA Reverse Engineering Tool."

Joyce is an NSA veteran who served as head of the agency's hacking team, then as White House cyber coordinator before returning to the NSA, where he's now a senior adviser on cybersecurity strategy, and in his spare time pursues a penchant for computerized lighting and swapping cybersecurity stickers.

On March 5, after a requisite amount of buildup via social media, Joyce announced the free, public release of Ghidra, a software reverse-engineering tool built by the NSA, for the NSA.

Running to more than 1.2 million lines of code, Joyce said Ghidra is how the agency takes software apart to see how it works. And now it's free for anyone to use.

If you want an easy laugh, bring a senior intelligence official to a cybersecurity conference and have him tell the audience: "Trust us."

But Joyce came out of the gate promising no tricks. "For the record, there's no backdoor in Ghidra," he said. "This is the last community [to which] you'd want to release something with a backdoor."

"For the record, there's no backdoor in Ghidra," Rob Joyce told attendees. (Photo: Mathew Schwartz)

The Reverse-Engineering Imperative

Intelligence agencies have an obvious need to reverse-engineer many different types of applications.

"We use it across the two main missions of the NSA: cybersecurity and foreign intelligence," Joyce said. The software helps with security validation - ensuring that a box or device does what it says it does, and nothing more - as well as malware analysis, discovering vulnerabilities and simply taking a deep dive into any type of software.

"Doing software reverse-engineering is like working a puzzle - you're given a binary and you're trying to get back to an understanding of what it is and what it does," Joyce said.

Software developers create applications using notes and other signposts for others to follow. But when they run their code through a compiler so that others can take the code and execute it, all of those notes get lost, including the names assigned to different variables.

"When you do that it goes through a compiler process that breaks it down to the zeros and ones that run on that microprocessor," Joyce said.

Ghidra is designed to help reverse engineers literally reverse that process by feeding in an executable and attempting to work backward to the precompiled code base.

"Overall, what we're trying to do is figure out what's in that binary," he said. "Hopefully at the other end of this activity the software reverse-engineering tool gets back" to the point where the code can be recompiled.

Battling Information Overload

It's tedious work, and Joyce said Ghidra is designed to automate and streamline as much of it as possible.

For example, he said one of the best features built into Ghidra is an "undo/redo" feature. "Unless you've really done this yourself, you don't know how much this helps with the engineering pain," he said.

Ghidra: Key features. (Photo: Mathew Schwartz)

Some former NSA employees waxed nostalgic about Ghidra. Charlie "Jeep hacker" Miller, for one, said he was surprised it was still around.

Almost everyone loves a free tool, but Ghidra competes with a number of other tools, including industry heavyweight IDA Pro. Some early reviewers of Ghidra have noted that IDA Pro appears to be quicker at handling certain tasks as well as to sport a more modern interface.

"There are excellent tools in the community," but Ghidra has been built to help "address some things that were important in our workflow," Joyce said.

"We undertook Ghidra really to deal with information overload in the software reverse-engineering field," he said. "The other aspect we focused on was working effectively and efficiently at scale. Another process was for us to work intelligently on new versions of the same code," such as malware, which attackers may rapidly iterate in very small ways.

Reverse-Engineering for the Future

Joyce and the NSA are pitching Ghidra as a free tool - developed with U.S. taxpayer dollars - that it hopes the open source and reverse-engineering community will take and run with. And rapid signs of acceptance have been good.

Joyce also wants students to have access to a tool they can use to learn reverse-engineering, including for capture the flag challenges.

"Doing software reverse-engineering is like working a puzzle."
—Rob Joyce, NSA

"I've watched a lot of capture-the-flag teams out there and they fall into one of three buckets," he said. Namely, either the team has access to the tools it needs legitimately, it has a pirated copy of the tools it needs or it just doesn't have any access.

Joyce said he hopes that the use of Ghidra becomes common at universities, and at the National Centers of Academic Excellence in Cyber Defense sponsored by the NSA. And he hopes it gives the agency more opportunities to bring these students in as interns and later hire them.

"If I go to a school and I see Ghidra, that [will be] a huge measure of success," Joyce said. "I'll be really transparent: That education also helps us."

Reviewers Weigh In

Early reports from the information security community - and reverse engineers in particular - have been positive.

Vicky Ray, a principal threat researcher for the Unit 42 team at Palo Alto Networks, lauded the NSA for releasing a well-documented tool that includes exercises for learning to use it.

As with any application, the NSA-developed code isn't perfect. Within hours of Ghidra's release, Matthew Hickey (@HackerFantastic) spotted a flaw that could be used to remotely execute code on the system of anyone using the software. He also documented an easy way to fix the problem.

Despite finding the flaw, Hickey says he's a fan of the software and plans to use the application to reverse-engineer all types of binary files. "Ghidra is a really nice tool addition for reverse engineering, don't let my observation of an insecure configuration option dissuade you from trying it out," Hickey tweeted.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.