The hacker news just published an article covering a new reverse engineering tool from NSA.
The United States’ National Security Agency (NSA) today finally released GHIDRA version 9.0 for free, the agency’s home-grown classified software reverse engineering tool that agency experts have been using internally for over a decade to hunt down security bugs in software and applications.
GHIDRA is a Java-based reverse engineering framework that features a graphical user interface (GUI) and has been designed to run on a variety of platforms including Windows, macOS, and Linux.
Reverse engineering a program or software involves disassembling, i.e. converting binary instructions into assembly code when its source code is unavailable, helping software engineers, especially malware analysts, understand the functionality of the code and actual design and implementation information.
The existence of GHIDRA was first publicly revealed by WikiLeaks in CIA Vault 7 leaks,
but the NSA today publicly released the tool for free at the RSA
conference, making it a great alternative to expensive commercial
reverse engineering tools like IDA-Pro.
“It [GHIDRA] helps analyze malicious code and malware like viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems,” NSA official website says while describing GHIDRA.
Download GHIDRA — Software Reverse Engineering Tool
- Github — source code (will be available soon)
- Download GHIDRA 9.0 — software package, slides, and exercises
- Installation Guide — basic usage documentation
- Cheat Sheet — keyboard shortcuts
- Issue Tracker — report bugs
Speaking at RSA Conference, Senior NSA Adviser Robert Joyce assures GHIDRA contains no backdoor, saying “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”
oyce also said GHIDRA includes all the features expected in high-end
commercial tools, with new and expanded functionality NSA uniquely
developed, and supports a variety of processor instruction sets,
executable format and can be run in both user-interactive and automated
“GHIDRA processor modules: X86 16/32/64, ARM/AARCH64, PowerPC 32/64, VLE, MIPS 16/32/64, micro, 68xxx, Java / DEX bytecode, PA-RISC, PIC 12/16/17/18/24, Sparc 32/64, CR16C, Z80, 6502, 8051, MSP430, AVR8, AVR32, other variants as well,” Joyce tweeted.
First Bug Reported in GHIDRA Reverse Engineering Tool
GHIDRA has received a warm welcome by the infosec community,
Matthew Hickey, who uses online alias “HackerFantastic,” being the first to report a security issue in GHIDRA.
Hickey noticed that the reverse engineering suit opens JDWP debug port 18001 for all interfaces when a user launches GHIDRA in the debug mode, allowing anyone within the network to remotely execute arbitrary code and applications analysts’ system.
Although the debug mode is not activated by default and supposed to work like intended, the software should listen only to debug connections from the localhost, rather than any machine in the network.
The issue can be fixed by just changing a line of code in the software, according to Hickey.