Sergey Nivens - Fotolia
The National Security Agency will be releasing an open source version of its GHIDRA reverse engineering software during the RSA Conference, and one insider said the toolkit could be a game-changer.
GHIDRA will be demoed by Rob Joyce, senior advisor at the NSA, at RSAC on March 5 and released as open source soon after.
GHIDRA is a modular reverse engineering toolkit that can run on Windows, Mac or Linux and be used for disassembling executables into code so security researchers can study programs such as malware. According to the RSA Conference session description, "the GHIDRA platform includes all the features expected in high-end commercial tools, with new and expanded functionality NSA uniquely developed."
Although official descriptions of GHIDRA end there, more is known because the existence of the toolkit was detailed as part of the Vault 7 leaks in March 2017. According to the Vault 7 files, the CIA had access to the toolkit, as did other U.S. government agencies.
GHIDRA was developed in the early 2000s and written in Java. It can be used to reverse engineer software for Windows, Mac, Linux, iOS or Android. According to a source intimately familiar with the toolkit, in most cases GHIDRA "exceeds the capabilities of IDA Pro," the current market leader for reverse engineering.
The source said the NSA releasing GHIDRA "will change the game overnight."
"The reason releasing it is so important is that until there's a version of it available outside the Agency, nobody comes in knowing it. Everyone who does any reversing has some experience with IDA Pro," the source said. "The cost savings for replacing IDA government-wide with GHIDRA is incalculable."
Impact on IDA
However, other experts were less bullish about the impact GHIDRA will have on the reverse engineering community as a whole. Bas Alberts, CTO of threat management and analytics at Cyxtera, said one issue is that "often these tools fit a specific cultural workflow."
"It won't impact the community or other reverse engineering tools much. In 2019 reverse engineering toolchains are a dime a dozen and once someone is accustomed to a certain toolchain they very rarely jump to a different platform," Alberts said. "The fact that this one is sourced by the NSA might make it an attractive option for U.S.-based researchers that don't want to use a foreign-based offering such as IDA Pro, but for that audience you also have Binary Ninja, which is developed by former Raytheon employees."
The insider said a shift in the U.S. government from IDA Pro to GHIDRA would "immediately impact the sales of IDA Pro" and suggested it could lead to a shift in the licensing strategy for IDA Pro.
"I think GHIDRA's release might change how IDA is licensed and force them back to the older licensing model," the source said. "Lots of people are already pissed with how the Named License option is working starting with version 7 and makes licensing much more restrictive. This could be the issue that forces a shift back."
Support of GHIDRA
Independent security researcher and reverse engineer Joxean Koret was also skeptical of the impact GHIDRA would have on IDA usage.
Yes, Ghidra looks awesome. But I don't think IDA will be heavily affected for one very important reason: support. Also, the support they give is awesome.— Joxean Koret (@matalaz) January 4, 2019
According to the insider source, it's in the NSA's best interest to actively support GHIDRA once it has been made open source because it wouldn't want to lose control of the toolkit.
"The problem with open sourcing the whole project is that it invites forks. If a fork becomes more popular than NSA's branch, NSA no longer controls the development," the source said. "As interfaces to the modules change, they lose capabilities (or are no longer feature parity with the main branch). It's a tough balance to achieve."
It is unclear why the NSA has decided to release GHIDRA now, but the source said discussions about making the toolkit open source began close to 10 years ago.
"When the code base was built, most code wasn't portion marked and was told it would take a 'monumental effort' to figure out what was and wasn't classified. Obviously GHIDRA is far more than what is being released at RSA," the source said."GHIDRA is 100% modular. There's no question the classified modules will be held back."