NSA Releases GHIDRA Source Code — Free Reverse Engineering Tool


Update (4/4/2019) — Great news.

NSA today finally released the complete source code for GHIDRA version 9.0.2, which is now available on its Github repository [1].

GHIDRA is the agency's home-grown classified software reverse engineering tool, which agency experts have been using internally for over a decade to hunt down security bugs in software and applications.

GHIDRA is a Java-based reverse engineering framework that
features a graphical user interface (GUI) and has been designed to
run on a variety of platforms including Windows, macOS, and
Linux.

Reverse engineering a program means disassembling it, i.e. converting its binary instructions back into assembly code when the source code is unavailable. This helps software engineers, and malware analysts in particular, understand what the code does and how it was actually designed and implemented.

The existence of GHIDRA was first publicly revealed by WikiLeaks [2] in the CIA Vault 7 leaks [3], but the NSA today publicly released the tool for free at the RSA Conference, making it a great alternative to expensive commercial reverse engineering tools like IDA Pro.

“It [GHIDRA] helps analyze malicious code and malware like viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems,” the NSA's official website says [4] in describing GHIDRA.

Download GHIDRA — Software Reverse Engineering Tool

Speaking at the RSA Conference, Senior NSA Adviser Robert Joyce assured the audience that GHIDRA contains no backdoor, saying: “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”

Joyce also said GHIDRA includes all the features expected in high-end commercial tools, plus new and expanded functionality the NSA developed uniquely. It supports a variety of processor instruction sets and executable formats, and can be run in both user-interactive and automated modes.

“GHIDRA processor modules: X86 16/32/64, ARM/AARCH64, PowerPC
32/64, VLE, MIPS 16/32/64, micro, 68xxx, Java / DEX bytecode,
PA-RISC, PIC 12/16/17/18/24, Sparc 32/64, CR16C, Z80, 6502, 8051,
MSP430, AVR8, AVR32, other variants as well,” Joyce tweeted[5].

First Bug Reported in GHIDRA Reverse Engineering Tool

GHIDRA has received a warm welcome from the infosec community, and researchers and developers have already started contributing to the project by reporting bugs and security holes on its Github issue tracker [6]. Matthew Hickey, who uses the online alias “HackerFantastic,” was the first to report a security issue in GHIDRA [7]. The bug has since been patched in the latest version of the software.

Hickey noticed that the reverse engineering suite opens JDWP debug port 18001 on all network interfaces when a user launches GHIDRA in debug mode, allowing anyone on the same network to remotely execute arbitrary code on the analyst's system.

Although debug mode is not enabled by default and the debug listener itself works as intended, the software should accept debug connections only from localhost, rather than from any machine on the network.
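The exposure Hickey described is easy to check for on an analyst's own machine: a JDWP listener bound to a wildcard address is reachable from the network, while one bound to loopback is not. The script below is an added example, not code from the article or from the Ghidra project; it parses the `ss -ltn` output format on Linux over a constructed sample and flags debug-port listeners that are not loopback-only. Port 18001 comes from the article; including 5005 (the conventional JDWP port of many Java tools) is an assumption made for broader coverage.

```python
"""Audit listening TCP sockets for debugger ports reachable beyond localhost."""
import re

# 18001 is the port named in the article; 5005 is an assumed extra JDWP port.
DEBUG_PORTS = {18001, 5005}
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample of `ss -ltn` output; the *:18001 line models the
# exposed listener, [::1]:5005 models a correctly loopback-bound one.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       50      *:18001              *:*
LISTEN  0       128     [::1]:5005           [::]:*
LISTEN  0       4096    0.0.0.0:22           0.0.0.0:*
"""

# Split "addr:port" at the last colon so bracketed IPv6 addresses survive.
_ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Yield (local_addr, port) for each LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated row
        m = _ADDR_RE.match(fields[3])  # "Local Address:Port" column
        if m:
            yield m.group("addr"), int(m.group("port"))


def classify(addr):
    """Map a local address to the scope of hosts that can reach it."""
    if addr in WILDCARDS:
        return "all-interfaces"
    if addr in LOOPBACK:
        return "loopback"
    return "specific"  # bound to one routable interface address


def find_exposed_debug_ports(ss_output, debug_ports=DEBUG_PORTS):
    """Return [(addr, port, scope)] for debug ports not limited to loopback."""
    return [(addr, port, classify(addr))
            for addr, port in parse_listeners(ss_output)
            if port in debug_ports and classify(addr) != "loopback"]


if __name__ == "__main__":
    for addr, port, scope in find_exposed_debug_ports(SAMPLE_SS_OUTPUT):
        print(f"debug port {port} reachable beyond localhost: {addr} ({scope})")
```

On a live system, feed it the real output of `ss -ltn` instead of the constructed sample; an empty result means every listed debug port is loopback-only.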


References

  1. Github repository (github.com)
  2. WikiLeaks (wikileaks.org)
  3. CIA Vault 7 leaks (thehackernews.com)
  4. NSA official website (www.nsa.gov)
  5. Robert Joyce tweet (twitter.com)
  6. GHIDRA issue tracker (github.com)
  7. Security issue in GHIDRA (static.hacker.house)
