This article is more than 1 year old
Did you know?! Ghidra, the NSA's open-sourced decompiler toolkit, is ancient Norse for 'No backdoors, we swear!'
Reverse-engineering suite now available to download... and maybe run in a VM, eh?
RSA The NSA has released its home-grown open-source reverse-engineering suite Ghidra that folks can use to poke around inside applications to hunt down security holes and other bugs.
Spoiler alert: it's Apache 2.0-licensed, available for download here, and requires a Java runtime – and the agency swears it hasn't backdoored the suite.
Speaking at this year's RSA Conference in San Francisco on Tuesday, Rob Joyce, famed Christmas light hacker and cyber security adviser to the NSA director, unveiled the code-analysis software to a packed house. The agency hopes its open-source code will spark a renaissance in secure software research, he said, and reassured attendees that no dirty tricks are involved.
“There is no backdoor in Ghidra,” he announced. “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”
Although there's little to no chance the NSA would try to sneak a deliberate remotely-accessible vulnerability into a software suite aimed at people who find vulnerabilities over breakfast, suspicions are running high.
Matthew "HackerFantastic" Hickey, cofounder of British security shop Hacker House, told The Register he found something a little odd within the program. When you run it in debug mode, it opens port 18001 to your local network and accepts and executes remote commands from any machine that can connect in. Debug mode is not activated by default, though it is an offered feature.
Don't freak out, though. This issue is more of a bugdoor than a backdoor, and can be neutered by changing the launcher shell script so that the software listens only to debug connections from the host box, rather than any machine via the network. It's just something to be aware of if you intend to improve or bugfix the thing, and start it up with debugging enabled.
Ghidra opens up JDWP in debug mode listening on port 18001, you can use it to execute code remotely 🤦♂️.. to fix change line 150 of support/launch.sh from * to 127.0.0.1 https://t.co/J3E8q5edC7— Hacker Fantastic (@hackerfantastic) March 6, 2019
An NSA spokesperson on the agency's stand on the RSA event floor told us the open port was to allow teams to collaborate and share information and notes with each other at the same time over the network. Hickey, however, said that feature is provided by another network port.
“The shared project uses a different port, 13100, so, no, it's not the same function. They made an error and put * instead of localhost when enabling debug mode for Ghidra,” Hickey told The Reg.
The nitty gritty
In his talk, Joyce said that Ghidra was developed internally by the NSA for tearing down software, including malware, and finding out what exactly was lurking within executable binaries. It's the sort of tool the spies use to find security weaknesses in products and projects to exploit to pwn intelligence targets.
The program’s 1.2 million lines of code are designed to reverse the compiler process, decompiling executable code into assembly listings and finally into approximate C code. It also helps out graph out control flows through functions, inspect symbols and references, identify variables, data, and such information, and more. It'll all be very familiar to you if you're used to similar reverse engineering tools, such as IDA, Hopper, Binary Ninja, Radare, Capstone, Snowman, and so on.
The platform is processor independent, capable of analyzing code targeting x86, Arm, PowerPC, MIPS, Sparc 32/64 and a host of other processors, and can run on Windows, macOS and Linux. While built using Java, the code can also handle Python-based plugins as well as Java-written ones, because, Joyce said, an NSA analyst doesn't like Java so added Python support.
NSA installed '50,000 malware sleeper cells' in world computer networksREAD MORE
You can use it with or without a graphical user interface, and is scriptable. As mentioned above, not only can you annotate code with your own comments, you can bring in notes from other team players via network-based collaborative functions.
For new users, extensive help files are provided, and Joyce said he hoped the community can add more functions and scripts and share them, because the NSA wants to make this a decent widely used tool.
“Ghidra is out but this is not the end,” he promised. “This is a healthy ongoing development in the NSA, it’s our intent to have a GitHub repository out there. The buildable environment will come and we’ll accept contributions.”
Further down the line, Joyce promised, the NSA will release an integrated debugger, a powerful emulator, and improved analysis tools. It’s US taxpayers' dollars at work, he said, and it may help recruit citizens to the NSA once they've got up to speed with these internal tools.
One question is on our mind: why on Earth give this away for free to everyone on the planet? Perhaps the NSA's enemies are assumed to have better or similar tools, and perhaps the agency internally has moved onto more sophisticated suites, leaving Ghidra ripe for public release. ®