The National Security Agency (NSA) recently released the source code for its reverse-engineering tool, Ghidra, which lets cybersecurity specialists disassemble and inspect applications from their binaries alone, without access to source code.
Ghidra runs on OpenJDK 11 and supports analysis of machine-level binaries for a range of architectures, from servers to embedded systems. Security engineers often perform reverse-engineering to understand the behavior of malware or to develop exploits against applications. These skills are part of NSA's cybersecurity excellence curriculum taught at many accredited colleges across the United States, such as Dakota State University. This knowledge also commands a market premium: the job tracking site Indeed lists the average Software Engineer salary at $108,145 and the average Application Security Engineer salary at $140,090. Developers interested in the software security industry can evaluate "Careers In Cybersecurity" by SecureNinja.
The first release of Ghidra ships all of its code within a set of zip files in the application download, rather than on the agency's GitHub profile. Because the tool was released to security researchers at the RSA security conference, attackers quickly located a Remote Code Execution vulnerability in Ghidra itself: the launch script starts Ghidra with Java remote debugging enabled, which lets anyone on the same network attach a debugger and execute commands within the JVM. This same functionality appears to be what enables remote headless execution of Ghidra on other environments.
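As an added example (not Ghidra's own code), the following Python check classifies whether the debug agent on a JVM command line would accept attachments from the network, which is the exposure described above. It assumes the JDK 9+ behaviour that a bare `address=port` binds to loopback only while `*:port` binds to all interfaces, and that older JDKs bind a bare port to all interfaces; the command lines are constructed samples with a placeholder port.

```python
import re
from ipaddress import ip_address

# Constructed sample JVM command lines (placeholder port 5005), not Ghidra's launch script.
SAMPLE_CMDLINES = {
    "exposed":  "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar",
    "loopback": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "bareport": "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -jar app.jar",
    "nodebug":  "java -Xmx2g -jar app.jar",
}


def parse_jdwp_options(cmdline):
    """Return the JDWP agent options as a dict, or None when no debug agent is configured.

    Handles both the modern -agentlib:jdwp=... and the legacy -Xrunjdwp:... forms.
    """
    m = re.search(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)", cmdline)
    if not m:
        return None
    opts = {}
    for kv in m.group(1).split(","):
        key, _, value = kv.partition("=")
        opts[key] = value
    return opts


def jdwp_exposure(cmdline, jdk_major=11):
    """Classify a command line as 'none', 'client', 'local' or 'network'."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return "none"
    if opts.get("server", "n") != "y":
        return "client"            # JVM dials out to a debugger; it does not listen
    if opts.get("transport") != "dt_socket":
        return "local"             # shared-memory transport is same-host only
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:                    # bare port: loopback on JDK 9+, all interfaces before
        return "local" if jdk_major >= 9 else "network"
    if host in ("*", "", "0.0.0.0", "::"):
        return "network"
    if host == "localhost":
        return "local"
    try:
        return "local" if ip_address(host.strip("[]")).is_loopback else "network"
    except ValueError:
        return "network"           # any other hostname: treat as reachable from outside


def exposed_samples():
    """Names of the constructed samples whose debugger is reachable over the network."""
    return [name for name, cmd in SAMPLE_CMDLINES.items() if jdwp_exposure(cmd) == "network"]
```

On a live host the same function can be applied to the output of `ps -o args` for each Java process, flagging any JVM that a debugger on the network could attach to.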
Ghidra features automated decompilation and control flow analysis, enabling researchers to examine and annotate program execution. The visualization is built on Java Swing and the JUNG graph layout library. Researchers can then analyze memory to determine what happens within the program. Another key feature is version tracking with annotated differences between binaries. Researchers can use this feature to determine the ways in which a program has changed, such as analyzing whether a software patch does or does not remediate a working exploit. Alternatively, when a vulnerability is unknown, researchers may disassemble patches to learn what was patched and develop working exploits against the older, unpatched software. Major software vendors like Microsoft have likely been on the receiving end of this analysis, as the day after "Patch Tuesday" is referred to as "Exploit Wednesday." Ghidra also features a tightly integrated scripting engine, so that reverse-engineers can extend any capabilities required to understand specific binaries or attack techniques.
"Reverse engineering helps uncover how programs work, extracting secrets like strings, stored values, and algorithms," explains Erik Cabetas of Include Security, a firm that specializes in application security and reverse-engineering. "NSA likely used Ghidra to gain a deep understanding of programs to identify security weaknesses, then developing 0-day exploit capabilities for their Tailored Access Operations team." One example of such an exploit could be DOUBLEPULSAR, which was disclosed in 2017.
The future of Ghidra is aimed at building a better career pipeline for NSA, so that incoming analysts are already familiar with its toolset. Cabetas adds, on that future and its possible improvements: "NSA should pose feature creation and bug fix bounties for Ghidra to jump start its maintenance and development. Other government projects missed this step and didn't get the open source world excited about contributing. With Ghidra being one of the highest profile open source tools releases ever seen in the US federal sector, I'm hoping the project stays active and alive." This idea of funding open-source maintenance matches the goal of Tidelift, which has helped fund over $1 million of open source project maintenance.
Similar toolsets to Ghidra are available, the closest matches being the commercial IDA Pro and the open source Radare2. The benefit of Ghidra is that, unlike IDA Pro, it is available without cost, and, unlike Radare2, it has a featureful GUI.
The types of binaries supported by Ghidra include x86_64, ARM/AARCH64, PA-RISC, Java bytecode, DEX for Android, and many others. Java bytecode represents the intermediate form of compilation rather than the nondeterministic post-JIT machine code, which requires use of the HotSpot Disassembler and its -XX:+PrintAssembly flag. The recent improvements in Java's JEP-295 for ahead-of-time compilation (AOT) produce native binaries that can be analyzed directly.
A demonstration for how to use Ghidra is available on YouTube, by Michael Jenkin. A short version is also available from Ghidra Ninja.