Image: NSA

At the RSA security conference today, the National Security Agency, released Ghidra, a free software reverse engineering tool that the agency had been using internally for well over a decade.

The tool is ideal for software engineers, but will be especially useful for malware analysts first and foremost.

The NSA's general plan was to release Ghidra so security researchers can get used to working with it before applying for positions at the NSA or other government intelligence agencies with which the NSA has previously shared Ghidra in private.

Ghidra is currently available for download only through its official website, but the NSA also plans to release its source code under an open source license on GitHub in the coming future.

News that the NSA was going to release Ghidra first broke at the start of the year, and the tool has been on everybody's mind for the past two months.

The reason is that Ghidra is a free alternative to IDA Pro, a similar reverse engineering tool that's only available under a very expensive commercial license, priced in the range of thousands of US dollars per year.

Being offered for free, most experts expect Ghidra to snap up a big portion of the reverse engineering tools market share within weeks, especially since early user reviews are almost all entirely positive.

Image: ZDNet

Image: ZDNet

As for its technical features, Ghidra is coded in Java, has a graphical user interface (GUI), and works on Windows, Mac, and Linux.

According to Rob Joyce, Senior Advisor at the National Security Agency and the NSA official who announced the tool's release today at the RSA conference, Ghidra can analyze binaries written for a wide variety of architectures, and can be easily extended with more, if ever needed.

Ghidra processor modules: X86 16/32/64, ARM/AARCH64, PowerPC 32/64, VLE, MIPS 16/32/64,micro, 68xxx, Java / DEX bytecode, PA-RISC, PIC 12/16/17/18/24, Sparc 32/64, CR16C, Z80, 6502, 8051, MSP430, AVR8, AVR32, Others+ variants as well. Power users can expand by defining new ones — Rob Joyce (@RGB_Lights) March 5, 2019

Installing Ghidra is as simple as unpacking a ZIP archive. The only requirement is a version of the Java Development Kit 11 or later that's needed to run the app's GUI. More on the tool's installation routine from the tool's official docs:

Ghidra does not use a traditional installer program. Instead, the Ghidra distribution file is simply extracted in-place on the filesystem. This approach has advantages and disadvantages. On the up side, administrative privilege is not required to install Ghidra for personal use. Also, because installing Ghidra does not update any OS configurations such as the registry on Windows, removing Ghidra is as simple as deleting the Ghidra installation directory.

Besides an installation guide, Ghidra's docs also come with classes and exercises for beginners, intermediates, and advanced levels that will help users get used to the tool's GUI, which is very different from any similar tools.

You're a IDA Pro power user? No problem, there's a guide for that too.

lol - Ghidra has tools to help convert users from IDA: pic.twitter.com/A649uIHmtj — Silas Cutler (@silascutler) March 6, 2019

Need a keyboard shortcut cheatsheet? No problem, there's one hosted online, here.

Don't like the bright GUI? No problem, there's a dark mode included in Ghidra's settings section.

Image: ZDNet

At the time of this article --an hour after the tool's release-- the reaction from the infosec (information security) community has been almost entirely positive, with glowing reviews from some of the biggest names in the cyber-security industry.

Ghidra's out and we've got those ARM proc modules, the UNDO button, and the ability to collaborate on analysis...for FREE! https://t.co/CAkwg9WWcK pic.twitter.com/Lq6I9fXAYx — Maddie Stone (@maddiestone) March 6, 2019

The good things:



- The decompiler is fucking awesome.

- The decompiler supports anything that you can disassemble.

- Everything is fully integrated.

- Multi-binaries projects with version control.

- Undo! — Joxean Koret (@matalaz) March 6, 2019

Yes, I'm going to start using it for all new projects. So far, it looks like it can replace enough of my workflow in IDA that I can switch, phew! — Tavis Ormandy (@taviso) March 6, 2019

Ghidra may not be the IDA Pro killer most experts expected, since IDA Pro still offers a debugger component not present in Ghidra, but things are looking up.

Because Ghidra's code will be open-sourced, this also means it will be open to community contributions, and many expect it to receive a debugger in the coming future and allow malware analysts to jump ship and stop paying a fortune for IDA licenses.

And the infosec community has already started contributing back to Ghidra, even if the tool's source code hasn't been published on GitHub just yet.

Just minutes after the tool's release, Matthew Hickey, co-founder and director of UK-based cyber-security firm Hacker House, reported the first security issue in the NSA's tool, which apprently runs a server component that listens to commands it receives from the internet. Fixing it should be a one-line change, though, according to Hickey, and the issue only affects users when they run Ghidra in its "debug mode," rather than its normal mode.

Ghidra opens up JDWP in debug mode listening on port 18001, you can use it to execute code remotely 🤦‍♂️.. to fix change line 150 of support/launch.sh from * to 127.0.0.1 https://t.co/J3E8q5edC7 — Hacker Fantastic (@hackerfantastic) March 6, 2019

"By open-sourcing GHIDRA, the NSA will benefit from a diverse user base whose feedback will make the tool even more effective," Patrick Miller, security researcher at Raytheon Intelligence, Information and Services told ZDNet via email.

"For underprivileged cyber teams grappling with a lack of personnel or resources, the free tool is a game changer to easing the barrier of entry into the cyber workforce and raising the proficiency of these teams. As a user of this tool for years, I cannot wait to see how it improves in the hands of my peers," Miller said.

ZDNet readers looking for additional information on the tool, please refer to its official website, GitHub repo, or the included documentation.

The news of the NSA open-sourcing one of its internal tools should not be a surprise anymore. The NSA has open-sourced all sorts of tools over the past few years, with the most successful of them being Apache NiFi, a project for automating large data transfers between web apps, and which has become a favorite on the cloud computing scene.

In total, the NSA has open-sourced 32 projects as part of its Technology Transfer Program (TTP) so far and has most recently even opened an official GitHub account.

Below is a video of security researcher Marcus "MalwareTech" Hutchins taking a first look at Ghidra and its features. Also, within an hour of it's release, Ghidra has already been made available as a package for Arch Linux, an operating system preferred by most white, gray, and black-hat hackers.

Related cyber-security coverage: