The NSA presents Ghidra, a powerful tool for reverse engineering

(To Enrico Secci)
13/03/19

If one day we found ourselves analyzing an alien technological artifact in order to understand its operating principle, replicate its technology and acquire that new knowledge, we would have to carry out a process of reverse engineering: starting from a finished product, "taking it apart" to understand what it is, what it does and how it does it.

During the RSA Conference in San Francisco (held on March 5, 2019), an international conference on cyber security, the National Security Agency, the United States government body responsible for defending the country from attacks of any kind, presented Ghidra, an open-source IT security tool developed by the Agency.

The tool, written in Java, is not used to break into systems but for reverse engineering. It allows you to decompile a program to reveal its code, so that you can trace or infer what the analyzed software is really capable of doing.

Software Reverse Engineering (SRE) tools perform an essential task for malware analysts because, thanks to them, it is possible to "edit" the code lines of programs and thus obtain valuable and vital information: the code's authors, where the attack could come from, and its real or potential functions. This allows the necessary actions (countermeasures) to be implemented in order to neutralize it or reduce its impact.

Ghidra is one of many open-source tools released by the NSA. Rob Joyce, head of NSA cyber operations, stressed that the agency has been working on Ghidra for several years (to be honest, it has been in use for about a dozen, as appears in WikiLeaks' Vault 7, CIA Hacking Tools) and that it is a very powerful and particularly versatile tool. The program has an interactive graphical user interface (GUI), is compatible with Windows, macOS and Linux, and also has an undo/redo mechanism that lets users test theories about how the analyzed code might work.

Joyce defined Ghidra as a "contribution to the nation's cyber security community", but the open-source nature of the powerful NSA software in fact makes it an attractive tool for all other nations as well.

This news had a great impact and left the community excited and worried at the same time. Some thought about the presence of a backdoor in the software itself (and some users say they found one a few hours after release: a suspected connection on port 18001 when the software is started in debug mode); others suspected that this release to the whole world is actually a consequence of a shift, by the Agency, towards a much more sophisticated SRE suite.

The release would therefore aim to give the world's cyber community the illusion that "the state of the art" for this type of cyber security software is what Ghidra achieves, so that if a program with a new structure, not covered by the outdated tool, were analyzed, it would be seen only as an E.T.: strange, not entirely understood, simply a funny and harmless "alien".
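The port 18001 listener mentioned above is the Java Debug Wire Protocol (JDWP) agent that Ghidra's debug launcher enables: a JDWP server that is reachable from the network lets another host attach a debugger to the running JVM, so the defender's question is not whether a port opens but which interface it is bound to. The script below is an added example, not the article's or the Ghidra project's code; it parses the standard JDWP agent options (transport, server, suspend, address) from a Java command line and classifies the listener. The sample command lines are constructed for the example and are not the real Ghidra launch scripts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample launch lines (not the real Ghidra launch scripts). Each
# mimics a Java launcher that enables the JDWP debug agent:
#   1. bound to every interface       -> any host on the network can attach
#   2. bound to the loopback address  -> only local processes can attach
#   3. bare port, no host             -> binding depends on the JDK version
#   4. no debug agent at all
SAMPLE_LAUNCH_LINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:18001 ghidra.GhidraRun",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18001 ghidra.GhidraRun",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=18001 ghidra.GhidraRun",
    "java -Xmx2G ghidra.GhidraRun",
]

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
WILDCARD_HOSTS = {"*", "0.0.0.0", "::"}

JDWP_OPTION_RE = re.compile(r"-agentlib:jdwp=(\S+)")


@dataclass
class JdwpListener:
    host: Optional[str]  # None when the option gives only a port
    port: int


def parse_jdwp_listener(cmdline: str) -> Optional[JdwpListener]:
    """Return the JDWP listener configured on a Java command line, or None.

    Only server mode (server=y) opens a socket; in client mode the JVM
    connects out to a debugger and nothing listens.
    """
    match = JDWP_OPTION_RE.search(cmdline)
    if match is None:
        return None
    options = {}
    for item in match.group(1).split(","):
        key, sep, value = item.partition("=")
        if sep:
            options[key] = value
    if options.get("server", "n") != "y":
        return None
    address = options.get("address", "")
    if not address:
        return None
    host, sep, port = address.rpartition(":")
    if not sep:
        return JdwpListener(host=None, port=int(address))
    # Strip brackets from an IPv6 literal such as [::1]:18001
    return JdwpListener(host=host.strip("[]"), port=int(port))


def classify_listener(listener: Optional[JdwpListener]) -> str:
    """Classify a listener as 'no-jdwp', 'loopback', 'exposed' or 'unpinned'."""
    if listener is None:
        return "no-jdwp"
    if listener.host is None:
        # JDK 8 binds a bare port to all interfaces, JDK 9+ to localhost only;
        # flag it so the reviewer pins the host explicitly.
        return "unpinned"
    if listener.host in LOOPBACK_HOSTS:
        return "loopback"
    # Wildcards and any specific non-loopback address are reachable remotely.
    return "exposed"


def audit_launch_lines(lines):
    """Return one verdict per launch line, in order."""
    return [classify_listener(parse_jdwp_listener(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LAUNCH_LINES, audit_launch_lines(SAMPLE_LAUNCH_LINES)):
        print(f"{verdict:9s} {line}")
```

The same check applies to any Java tool, not only Ghidra: a debug agent that is wanted only while developing should be pinned to a loopback address, and a launch script that leaves the host unspecified deserves a second look because the default changed between JDK releases.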

- https://www.wired.com/story/nsa-ghidra-open-source-tool/
- https://www.wired.it/internet/web/2019/03/07/nsa-ghidra-malware/
- https://itsfoss.com/nsa-ghidra-open-source/
- https://systemscue.it/ghidra-la-svolta-opensource-della-nsa/14730/
- https://www.securityinfo.it/2019/03/06/ghidra-il-tool-di-reverse-enginee...
- https://www.nsa.gov/resources/everyone/ghidra/