
NSA to Release Their Reverse Engineering Framework GHIDRA to Public at RSA - rishabhd
https://www.rsaconference.com/events/us19/agenda/sessions/16608-Come-Get-Your-Free-NSA-Reverse-Engineering-Tool
======
web007
Useful commentary from /u/hash_define on /r/ReverseEngineering:

[https://www.reddit.com/r/ReverseEngineering/comments/ace2m3/...](https://www.reddit.com/r/ReverseEngineering/comments/ace2m3/come_get_your_free_nsa_reverse_engineering_tool/ed7vbld/)

~~~
uasm
> "Useful commentary from /u/hash_define on /r/ReverseEngineering:"

I would say that a lot of the GH/IDA differences probably come down to UI and
usability. Most of the tooling in the RE world today is lacking in those
spaces. The software simply isn't "comfortable" or intuitive enough to work
with. Be it IDA/olly/windbg/radare, they're all desperately lacking a proper,
solid UI. The good news is, most of them support a plugin/extension
architecture - so in theory, most of the features GH provides could've ended
up as an IDA plugin - so that the researchers receive the best of both worlds.

~~~
chaosite
Um, I'd expect IDA to have a better UI, being a paid commercial tool as
opposed to an internal tool for the intelligence community.

Not that I know anything about Ghidra yet.

------
rdtsc
If the CIA bothered to get it from NSA, it must be good for something, or have
extra features not available in IDA Pro.

Maybe they simply don't want to pay IDA Pro licenses $3k a pop. Getting an
enterprise organization or the government to pay for stuff like that is not
trivial sometimes.

CIA also made this a standard part of a developer's setup:

[https://wikileaks.org/ciav7p1/cms/page_34308123.html](https://wikileaks.org/ciav7p1/cms/page_34308123.html)

Install XCode, setup SSH, IRC, and install Ghidra ...

~~~
JumpCrisscross
> _Maybe they simply don't want to pay IDA Pro licenses $3k a pop_

What prevents three-letter agencies from using software without paying for it?
Tendering a bid usually requires surrendering source code. One's odds of
finding out about unauthorized use is slim. And even if you do, legal
discovery can be blocked on national security grounds.

~~~
da_chicken
> What prevents three-letter agencies from using software without paying for
> it?

The law, same as anyone else.

Having worked in the public sector, there's a _lot_ more law than there is in
the private sector. That's because anything that the legislature does or
doesn't want your organization to do has to be coded in law. That's the
legislature's only means of direction. Further, executive directives related to
your organization also carry the force of law. What that means is you can't not
follow it. You can't choose to ignore the law or executive directives. You don't
get to ask for clarifications or exceptions. The former come from a judge and
the latter do not exist until the legislature creates them. It doesn't matter
that there's no direct penalty for it; you're not allowed to choose to not
follow it. This is one of the worst parts about the public sector: there is
often much less wiggle room, especially for broad issues.

I'm sure that the TLAs negotiate with IDA for site licenses, or bind them to
confidentiality contracts, but I have no doubt at all that they legitimately
pay for the COTS products they use.

~~~
A2017U1
Spare us the lecture please, the rampant systemic law breaking over the last
50 years by government agencies is a known fact. Keyword: Systemic

Who has been punished for the numerous constitutional breaches by the TLA's?
At last glance absolutely no one and that's not going to change.

Meanwhile the whistleblower who spoke up about illegal government activities
is in exile and can likely never travel anywhere on Earth for the rest of his
life.

~~~
madez
The breaches of law you mentioned are of a specific kind, and I wager that the
agencies did not agree in every case that they breached the law.

On the other hand, blatantly stealing their tools instead of buying them is
not the same kind of breaching the law, and it is obvious to everybody that it
is illegal.

Also, even more so than persons, institutions can behave contradictorily when
viewed from the outside. From within it may seem consistent and sound to
surveil everybody and legally buy the tools they use for it. The evil is
banal.

~~~
burfog
They surely don't believe they have breached the law. For example:

The fact that the phone spying case was even accepted by the Supreme Court
should be enough to confirm that the law wasn't clear. Had the law been clear,
the NSA would have lost in a lower court and the Supreme Court would have
refused to consider the case.

~~~
sfifs
> The fact that the phone spying case was even accepted by the Supreme Court
> should be enough to confirm that the law wasn't clear.

That's not actually the way legality works. If the law is unclear, the justice
department will provide their interpretation (which will typically give more
power to the government). If you disagree with the interpretation and are
affected by it, you are free to challenge it in a court of law which will
clarify. Or you can lobby lawmakers to change the law.

This is different from how for instance organizational guidelines work in
private industry - in case of ambiguity, you will ask for a clarification from
the author. That option is basically not available because laws are made by
the legislature which is a body distinct from the executive.

------
Varcht
Some good resources to brush up on before it is released.

[https://www.eff.org/issues/coders/reverse-engineering-faq](https://www.eff.org/issues/coders/reverse-engineering-faq)

[https://en.wikibooks.org/wiki/Reverse_Engineering/Legal_Aspe...](https://en.wikibooks.org/wiki/Reverse_Engineering/Legal_Aspects)

------
MrXOR
It was in CIA Vault 7 documents[1]: It's purty cool ---> Q: Is it a serious
competitor for IDA Pro?

[1]
[https://wikileaks.org/ciav7p1/cms/page_51183656.html](https://wikileaks.org/ciav7p1/cms/page_51183656.html)

~~~
Thaxll
Most likely not. Since everyone uses IDA I don't think there is anything
better. (Also, NSA probably uses IDA too.)

~~~
burfog
GHIDRA is good. In some ways it beats IDA Pro.

People didn't choose IDA Pro just for quality. GHIDRA was highly restricted.
Even the people with access to GHIDRA were hesitant, because they didn't want
to learn a tool that they couldn't take to another employer.

The other players in this market, binja (Binary Ninja) and Hopper
Disassembler, are much newer. Inertia keeps them back. Imagine introducing a
new editor, like vi or emacs, but with everything just a bit different. It
could even be a slightly better editor. Uptake will be slow. People don't want
to relearn or repurchase.

Until recently, normal people could only choose IDA Pro. You paid, or you had
to suffer with awful substitutes like Radare2 and objdump.

------
JoshTriplett
Here's hoping it's actually Open Source, and not just a no-cost download of a
binary-only tool.

~~~
burfog
Open Source has been the plan for many years. It has been a long process,
starting with determining which parts can be declassified. The current deal is
some sort of FOUO, with government contractors able to run copies on
non-networked computers but without all the extra high-security stuff.

This will be some interesting competition for IDA Pro, Binary Ninja (binja),
and Hopper Disassembler. People with access to GHIDRA have been avoiding it
because they prefer to develop skills with software that can be used at all
employers, but soon that thinking will favor GHIDRA. IDA Pro is a few thousand
dollars, and the other choices are a few hundred dollars.

~~~
domenukk
Throwing r2 Cutter in the mix..

~~~
guipsp
Radare as a project has some issues that may prevent it from having a large
contributor base.

~~~
ChickeNES
Oh, what issues?

~~~
guipsp
The existence of this repository, for example
[https://github.com/radare/r2hate](https://github.com/radare/r2hate)

------
MrXOR
Charlie Miller (Apple Mac hacker and former NSA employee): This tool was
already there when I left 13 years ago!

~~~
appleflaxen
the nsa would never release cutting edge tools that had functionality
unavailable in other forms.

~~~
MrXOR
Certainly. Maybe the CIA Vault7 reveal is the reason!

------
xvilka
I don't get the excitement. There are already IDA Pro and Binary Ninja,
developing at a big pace and with actual support. Moreover, there are FOSS
radare2[1] and Cutter[2], which are also being developed at crazy speed. We
even have a work-in-progress decompiler, radeco[3][4], though there is still a
lot to be done. If people would contribute - there is a lot of time until March
(time of GHIDRA release).

[1] [https://github.com/radare/radare2](https://github.com/radare/radare2)

[2] [https://github.com/radareorg/cutter](https://github.com/radareorg/cutter)

[3] [https://github.com/radareorg/radeco](https://github.com/radareorg/radeco)

[4] [https://github.com/radareorg/radeco-lib](https://github.com/radareorg/radeco-lib)

~~~
fortenforge
Surely you can see how something that combines the best of both worlds (FOSS
like r2 and feature-rich / has a working decompiler like IDA / binja) would be
of interest to people right?

~~~
xvilka
RSA talk description never said anything about open sourcing it. Only about
"free". And from WikiLeaks Vault7 documents it appears to be buggy.

------
faitswulff
Someone please tell me this is a Godzilla reference:
[https://en.wikipedia.org/wiki/King_Ghidorah](https://en.wikipedia.org/wiki/King_Ghidorah)

~~~
Godel_unicode
Close, final fantasy:

[http://finalfantasy.wikia.com/wiki/Ghidra](http://finalfantasy.wikia.com/wiki/Ghidra)

~~~
abledon
I think final fantasy ripped it from Godzilla (see the etymology section):

""" Ghidra, also known as "King Ghidorah," is an enemy monster in the Godzilla
series. Typically, Ghidra is Godzilla's fiercest opponent, and it usually
fights against humanity. """"

------
MrXOR
Robert Joyce (NSA): The GHIDRA platform includes all the features expected in
high-end commercial tools, with new and expanded functionality NSA uniquely
developed

------
jancsika
Would this be useful for reverse engineering proprietary graphics driver and
wifi driver blobs?

~~~
burfog
Yes, it would be an excellent tool for that.

------
based2
Will it benefit Radare2 and Frida?

[https://github.com/dukebarman/awesome-radare2](https://github.com/dukebarman/awesome-radare2)

[https://github.com/dweinstein/awesome-frida](https://github.com/dweinstein/awesome-frida)

~~~
burfog
No. It will make Radare2 completely obsolete.

------
johnhenry
Please forgive my ignorance -- is this some sort of decompiler? Something
more?

~~~
gen3
That's pretty much what it is. It's an interactive disassembler. Its goal is
to help you reverse engineer a compiled binary. From what I read, it's similar
to the commercial IDA Pro ([https://www.hex-rays.com/products/ida/index.shtml](https://www.hex-rays.com/products/ida/index.shtml)).
There are a few photos on the site to give you an idea of how everything is
laid out.

------
sgc
What is their motivation to release this? It's not like SELinux where
improving general security can be seen as a national security objective.

~~~
FakeComments
Having a more robust reverse engineering community seems like it would be a
national security objective, in a broad sense.

This tool lowers the bar for security researchers to analyze malware, and
seems to be part of a broader effort by the NSA to share their tools and
foster public-private partnerships.

------
djmips
What is their motivation for releasing this now?

~~~
linkregister
It's been in the works for at least 5 years.

------
m00dy
Fingers crossed

