- On Tuesday, the National Security Agency made its Ghidra — its tool for reverse-engineering software — available as open source, which means anyone can use or modify it for free.
- Anybody can use it as a free cybersecurity tool for disassembling suspicious files, analyzing malware, and testing for vulnerabilities.
- Since the Ghidra tool is free, this increases access for people to use it in both professional and educational settings — potentially making for a safer internet, even as it could introduce new people into the profession of cybersecurity, experts say.
- The NSA promises that there are no backdoors or other methods of spying built in to Ghidra, but hackers have gone over the code with a fine-tooth comb to double-check that claim.
It’s been almost a week since the National Security Agency released a free software tool for picking apart suspicious files, and security enthusiasts are already poring over the code to hunt for bugs and backdoors. And once the project’s completely online for people to modify, developers will scramble to make this tool even more powerful, experts say.
On Tuesday, the NSA released an open source project called Ghidra, a software reverse engineering framework developed by NSA’s Research Directorate for NSA’s cybersecurity mission. The secretive spy agency originally developed Ghidra to analyze attacks and cybersecurity risks on government agencies and other organizations. Like individuals and companies, government agencies are also prone to cybersecurity attacks, including ones from other countries.
Right now, the code is only available to download, but the NSA is in the process of putting the project onto code hosting site GitHub. And once that happens, experts expect to see enhancements from amateur and professional security developers roll out soon — making the tool even more robust, and a major reason why the NSA likely chose to release a formerly closed project, experts say. As an open source project, Ghidra can be used or modified by anyone for free.
In the meantime, the release of Ghidra has provoked a frenzy of activity as malware researchers, hobbyists and even the conspiracy-minded dissect the software and put it through its paces, assessing its capabilities and seeking to allay the inevitable suspicions about the spy agency’s gift.
“If you have security concerns about Ghidra, do what I do and install all your research tools inside a Virtual Machine,” suggested MalWare Tech, a verified Twitter user with 141,000 followers.
Making Ghidra open source benefits NSA, experts say. It can be costly to work on improving Ghidra, but as an open source tool where anyone can modify it, an online community of developers can work to improve it much faster. It can also encourage recruitment and community interaction with th NSA, Graham says.
“The significance is that the product can be improved by the community instead of being solely funded by the NSA. Development of such a product is costly, and even the NSA doesn’t have unlimited funds. It’ll be great demonstration of the value of open-sourcing internally developed projects,” Rob Graham, consultant and owner at Errata Security. told Business Insider in a Twitter DM.
What is reverse engineering?
Reverse engineering helps users recover information needed to understand cybersecurity risks. For example, when there’s a suspicious file, it can be hard to find the specific issues with that file. But with reverse engineering, a person can disassemble the file to figure out how it works and what risks it might have — essentially, working backwards.
This is similar to figuring out how a dish is prepared at a restaurant so you can make it at home. With Ghidra, people can inspect suspicious code, analyze malware and test for vulnerabilities.
Ghidra’s technology isn’t anything new as there are currently commercial reverse engineering tools available, but as an open source tool, it increases access for people to work with reverse engineering, says Jon Amato, research director for Gartner’s technical professionals security and risk management strategies team.
“It lowers the bar for entry for people who can do reverse engineering in the industry and are frustrated and priced out for commercial tools,” Amato told Business Insider.
Ghidra is not as sophisticated as some commercially available tools, Amato says, but it’s still a “good first start” for people who want to get their hands dirty with reverse engineering. Plus, right now, commercial tools can cost thousands of dollars a year. Although the NSA has released a set of other open source projects, this is the first open source tool specifically for analyzing malicious code and malware-like viruses.
“This functionality has been in freeware and commercial based tools for years,” Amato said. “The problem was commercial tools were crazy expensive. [Ghidra] competes with more commercial tools in that in can do a bunch of different stuff but it can do it for free.
Amato says that this tool isn’t a general purpose security tool, but rather, a niche tool that would only be used in specialized security jobs. That being said, now that the tool is free, he believes that Ghidra will likely be used as a teaching tool in colleges and universities — giving students access to learning about this specialized type of cybersecurity technology.
“We’ll start to see this used in academic classroom environments because some of the commercial tools can be a little difficult to gain licenses for even for academic environments,” Amato said. “The learning ecosystem is going to be the first and most immediate change we’ll see.”
Still, some users were skeptical about the announcement. Ghidra has already been around for years, and it’s likely that the NSA has replaced its internal tools for reverse engineering, says Jerry Gamblin, principal security engineer at Kenna Security.
“It was known to exist, and because it had lost internal value and it wasn’t a tool that was going to drastically make the Internet safe, it allows them to give something back to the security community,” Gamblin told Business Insider. “It’s good timing for the NSA.”
The fact that it’s from the NSA may also deter some users from using this tool, but otherwise, since Ghidra’s release, the security community has already started sifting through the code to try out the code and to look for bugs.
“There is no backdoor in Ghidra,” Robert Joyce, NSA senior advisor, said at RSA on Tuesday. “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”
Here’s what people are saying about Ghidra.
1/ So what is a “reverse engineering” tool like Ghidra? Well, I’m going to describe it in a few tweets, with screen shots.
— Robᵉʳᵗ Graham (@ErrataRob) March 6, 2019
I do think ghidra will be nice once the code is finally on github. Someone will upgrade the outdated UI. Will it really be better than IDA? probably not quite, but it’s free and better than most free tools
— Malware Unicorn (@malwareunicorn) March 6, 2019
NSA: let’s release Ghidra to the wider community and everyone benefits.
— packetswitchr (@packetswitchr) March 6, 2019
If you have security concerns about Ghidra, do what I do and install all your research tools inside a Virtual Machine.https://t.co/RByRFkmMrY
— MalwareTech (@MalwareTechBlog) March 6, 2019