NSA to Release Their Reverse Engineering Framework GHIDRA to Public at RSA (rsaconference.com)
371 points by rishabhd on Jan 4, 2019 | 90 comments

Useful commentary from /u/hash_define on /r/ReverseEngineering:


> "Useful commentary from /u/hash_define on /r/ReverseEngineering:"

I would say that a lot of the GH/IDA differences probably come down to UI and usability. Most of the tooling in the RE world today is lacking in those spaces. The software simply isn't "comfortable" or intuitive enough to work with. Be it IDA/olly/windbg/radare, they're all desperately lacking a proper, solid UI. The good news is, most of them support a plugin/extension architecture - so in theory, most of the features GH provides could've ended up as an IDA plugin - so that the researchers receive the best of both worlds.

Um, I'd expect IDA to have a better UI, being a paid commercial tool as opposed to an internal tool for the intelligence community.

Not that I know anything about Ghidra yet.

Wow, having better typing support is a really big deal. A lot of data layout is just put ad hoc into IDA comments because their struct labeling is trash.

Note, this comment could really use the context option: https://www.reddit.com/r/ReverseEngineering/comments/ace2m3/...

If CIA bothered to get it from NSA, it must be good for something, or has extra features not available in IDA Pro.

Maybe they simply don't want to pay IDA Pro licenses $3k a pop. Getting an enterprise organization or the government to pay for stuff like that is not trivial sometimes.

CIA also made this a standard part of a developer's setup:


Install XCode, setup SSH, IRC, and install Ghidra ...

> Maybe they simply don't want to pay IDA Pro licenses $3k a pop

What prevents three-letter agencies from using software without paying for it? Tendering a bid usually requires surrendering source code. One's odds of finding out about unauthorized use is slim. And even if you do, legal discovery can be blocked on national security grounds.

> What prevents three-letter agencies from using software without paying for it?

The law, same as anyone else.

Having worked in the public sector, there's a lot more law than there is compared to the private sector. That's because anything that the legislature does or doesn't want your organization to do has to be coded in law. That's the legislature's only means of direction. Further, executive directives related to your organization also carry the force of law. What that means is you can't not follow it. You can't choose to ignore the law or executive directives. You don't get to ask for clarifications or exceptions. The former come from a judge and the latter do not exist until the legislature creates them. It doesn't matter that there's no direct penalty for it; you're not allowed to choose to not follow it. This is one of the worst parts about the public sector: there is often much less wiggle room, especially for broad issues.

I'm sure that the TLAs negotiate with IDA for site licenses, or bind them to confidentiality contracts, but I have no doubt at all that they legitimately pay for the COTS products they use.

Spare us the lecture please, the rampant systemic law breaking over the last 50 years by government agencies is a known fact. Keyword: Systemic

Who has been punished for the numerous constitutional breaches by the TLAs? At last glance absolutely no one, and that's not going to change.

Meanwhile the whistleblower who spoke up about illegal government activities is in exile and can likely never travel anywhere on Earth for the rest of his life.

The breaches of law you mentioned are of a specific kind, and I wager that the agencies did not agree in every case that they breached the law.

On the other hand, blatantly stealing their tools instead of buying them is not the same kind of breaching the law, and it is obvious to everybody that it is illegal.

Also, even more so than persons, institutions can behave contradictorily when viewed from the outside. From within it may seem consistent and sound to surveil everybody and legally buy the tools they use for it. The evil is banal.

They surely don't believe they have breached the law. For example:

The fact that the phone spying case was even accepted by the Supreme Court should be enough to confirm that the law wasn't clear. Had the law been clear, the NSA would have lost in a lower court and the Supreme Court would have refused to consider the case.

>> The fact that the phone spying case was even accepted by the Supreme Court should be enough to confirm that the law wasn't clear.

That's not actually the way legality works. If the law is unclear, the justice department will provide their interpretation (which will typically give more power to the government). If you disagree with the interpretation and are affected by it, you are free to challenge it in a court of law which will clarify. Or you can lobby lawmakers to change the law.

This is different from how for instance organizational guidelines work in private industry - in case of ambiguity, you will ask for a clarification from the author. That option is basically not available because laws are made by the legislature which is a body distinct from the executive.


You truly say that with a straight face? Tempted to name 50 blatant programs off the top of my head but I'll start with one because the pathetic excuses that usually follow sum it up succinctly.


Tell me what you think of that government taxpayer funded program. I'm all ears.

They're very specific, you seem to be rather disingenuous in this line of argument. It's very easy: human-rights violations with thin legal justification, sure - routine low-level stuff like petty theft and copyright infringement, probably not. The decision makers there are biased towards exactly the kind of person that would murder for a perceived greater good but wouldn't park out of bounds.

1. Edward Snowden may return to the United States whenever he wants. He will face great legal risk. That is not the same as exile, no more than Roman Polanski is exiled.

2. Congresspeople, who answer primarily to their campaign donors (and secondarily to vocal radicals), do not abide the U.S. government breaching contracts with companies. Any government agency seeking to exploit IP from a U.S. company won't last long.

3. The NSA doesn't need to pinch pennies when it comes to IDA Pro site licenses. It declares those expenses in its budget. Government employees don't break the law to save money. They break it to accomplish their mission, handed to them by decision makers in the Executive Branch and Congress. Moreover, government lawyers interpret the law in a manner that the individual employee isn't technically breaking the law (though many actions are immoral!).

Your overall sentiment is correct, that the U.S. government perpetrates wrongdoing. Your mental model needs to incorporate a legalistic framework around that, however.

The U.S. government is full of Lawful Good, Lawful Neutral, and Lawful Evil components. The Chaotic Good and Chaotic Evil actors are the ones getting indictments.

> Edward Snowden may return to the United States whenever he wants. He will face great legal risk. That is not the same as exile,

Ah yes, the “I’m swinging my arms and if you get too close and I punch you it’s your own fault” big brother defense.

I do not think he was lecturing anybody. He just voiced his opinion.

The more law, rules and regulations, the less likely it is that individuals will ever bother looking them up. :)

> What prevents three-letter agencies from using software without paying for it?

Nothing, but they'd have to rationalize it. As an organization they need to tell themselves why they are doing it, if it is going to happen officially. So someone has to write "disable licensing..." in the setup instructions. And while killing and other things can be rationalized ("War on Terror, etc...") some petty stuff in comparison like breaking IDA Pro's licensing paradoxically might be harder.

Another thing is that on the surface at least, people who are hired have to pass polygraph tests and have to reveal if they committed crimes or stole things etc. It used to be that NSA would reject people who admitted to pirating software or music in the past. So they'd have to solve that "inconsistency".

Another reason is, well, that they could get sued. The military and other government offices have been sued by software makers in the past, so it's not as outrageous as it seems:


Despite what some folks claim, the three letter agencies don't break the law. They have lawyers and general counsel, and bend over backwards not to do anything illegal. This is not to say that the law is always sensible, moral, or interpreted the way an average individual might interpret the law.

I'd like to see the US law that states that it's legal for US citizens to kidnap people abroad and torture them for months in secret prisons.

Broadly, the law doesn't work by allowing things.

Imagine if the police could walk up to you in any situation and demand that you prove the legality of any part of whatever it is that you are (or are not) doing.

The government insists on paying full price for everything they use. They would of course make an exception for national security if needed, but "don't want to pay $3k a pop" isn't going to qualify.

My experience has been they insist on paying their GSA schedule price, which generally is below list.

It’s below list, but every procurer on earth knows that, so it’s above the price private companies pay.

When I was in product management, GSA price lists were my trick to learn what competitors charged.

Isn't it an easy way to get blacklisted if you sell to private companies below the GSA price? At least that seems to be the predominant assumption most scientific equipment companies operate under.

I don't know, maybe that is a thing, and maybe things have changed, but when I was doing product pricing, our assumption was that the GSA price was going to be somewhat higher than the "discounted" price most customers would pay.

The common trick is to change the product such that it is different in some non-fundamental way. Then it isn't the "same" product.

The law and personal morality, the same thing that stops almost all immoral actions in society.

The revealed track record of the various three-letter-agencies in the past decade does not vote in their favor in this case.

I don’t think their track record shows them caring enough about money that they’d break the law to do it. Sure they’ll happily break civil liberties laws or laws regarding assassinating foreign politicians and the like, but that is because those can’t be solved by simply spending more.

Track record of software piracy?

I don't think it's quite "the law and personal morality" as much as it is "not my money to pay for the licenses, whereas I might get fired, pay a fine, or go to jail if I give the direction to steal the software."

In the same way, it's not my personal morality or the law that prevents me from stealing the supplies my company needs in order to help my employer cut costs or burning down the buildings of our rivals. Those things wouldn't help me personally but they expose me to lots of risk. That the law and morality agree with self interest is a happy coincidence.

That's not how it works. Big people get away with breaking big rules, but little people do not get away with breaking little rules.

If you're willing to go this far with your reasoning: Intellectual property and copyright only exist because governments choose to recognize them.

Licenses are only as good as the frameworks in which they're constructed. :-)

IDA isn't written by a company in US jurisdiction, for starters -- using it would be an exploitable liability.

What would the motivation be to not pay for it? Nobody gets rewarded in government for not spending money.

> What prevents three-letter agencies from using software without paying for it?

I would argue because the three-letter agencies want the software to continue to be maintained. And perhaps anything illegal that an agency does yields bad PR if it comes out. So they try to do only illegal things that they believe are worth the PR risk. Illegal copies of software probably are not.

It's likely the same reason that most businesses are willing to pay for software: service and support, as well as many vendors likely being willing to implement custom features.

On top of that, none of those agencies are likely to be willing to download some pirated crack for whatever piece of software they need, so that means if they want it for free they have to crack it themselves. Which requires them to divert people who could otherwise be doing things that are actually relevant to their missions. There is plenty of funding in these agencies to buy software and there's little to be gained from stealing it.

Most US government agencies audit software installed to verify that they have the appropriate licenses. I don’t know about intel agencies but I have to assume it’s the same. Also installing software illegally or that hasn’t been approved is a pretty serious security violation in government and in any enterprise that takes security seriously.

Absolutely nothing, and in many cases they prefer it.

State sponsored malware will often do an inventory of the system they are running on, and send details back to help identify the machines that are being used to analyze the samples. NSA steals things like IDA when they come across them (in the same way they target companies to steal things like code signing certificates) so the analysis environment is completely non-attributable.

It could also be a trust issue. Ilfak Guilfanov and Hex-Rays are known to be picky about their clients. They also aren't under US jurisdiction.

> Ilfak Guilfanov and Hex-Rays are known to be picky about their clients.

This was mostly to combat piracy, as far as I was aware. I doubt that there are any nationalistic or moral reasons behind it. So I don't see this being a major issue in this case.

Sure thing, but who can guarantee they won't come with their own reason not to sell it next time, other than a background check? The mere fact they differentiate between clients and are non-domestic could probably be enough for a national intelligence service to view them as unreliable, and to develop their own alternative to a vital tool.

Did that ever work? Even after finally buying a license I would pirate it when I couldn't find my license info and I don't think I've ever had trouble finding the latest version.

No idea; it's possible that Ilfak has kept you on a list internally and is waiting for you to annoy him sufficiently for him to activate a remote kill-switch ;)

Honestly, I'm semi-confident that he does this just because he can…

Unlikely. More like the truly paranoid security types probably don't trust IDA Pro not to have a back door.

A home grown NSA tool is unlikely to have an intentional backdoor in the version they give to the CIA.

SSH and IRC are the core at which hackerdom is achieved.

It was in CIA Vault 7 documents[1]: Its purty cool ---> Q: Is it a serious competitor for IDA Pro?

[1] https://wikileaks.org/ciav7p1/cms/page_51183656.html

Most likely not. Since everyone uses IDA I don't think there is anything better. (Also, NSA probably uses IDA too.)

GHIDRA is good. In some ways it beats IDA Pro.

People didn't choose IDA Pro just for quality. GHIDRA was highly restricted. Even the people with access to GHIDRA were hesitant, because they didn't want to learn a tool that they couldn't take to another employer.

The other players in this market, binja (Binary Ninja) and Hopper Disassembler, are much newer. Inertia keeps them back. Imagine introducing a new editor, like vi or emacs, but with everything just a bit different. It could even be a slightly better editor. Uptake will be slow. People don't want to relearn or repurchase.

Until recently, normal people could only choose IDA Pro. You paid, or you had to suffer with awful substitutes like Radare2 and objdump.

That's one of the more blatant ad populum fallacies I've seen in a long time.

Yes, right now I see that even CIA loves IDA[1]. IDA is unique.

[1] https://wikileaks.org/ciav7p1/cms/page_3375335.html

> IDA Pro

I think you meant hex-rays decompiler (which is a separate product).

The Hex-Rays decompiler is an extension for the IDA disassembler.

Here's hoping it's actually Open Source, and not just a no-cost download of a binary-only tool.

Open Source has been the plan for many years. It has been a long process, starting with determining which parts can be declassified. The current deal is some sort of FOUO, with government contractors able to run copies on non-networked computers but without all the extra high-security stuff.

This will be some interesting competition for IDA Pro, Binary Ninja (binja), and Hopper Disassembler. People with access to GHIDRA have been avoiding it because they prefer to develop skills with software that can be used at all employers, but soon that thinking will favor GHIDRA. IDA Pro is a few thousand dollars, and the other choices are a few hundred dollars.

Throwing r2 Cutter in the mix..

Radare as a project has some issues that may prevent it from having a large contributor base.

Oh, what issues?

The existence of this repository, for example https://github.com/radare/r2hate

In general, in the USA, anything that the US federal government makes is public domain copyright wise. For the NSA, there are obvious laws on secrecy for most of what it's doing, but they are different to copyright. Also, sometimes the US government is letting contractors write the software and if they license it, it obviously won't be public domain but the specific contractor will hold copyright.

This question has been explained a bit in a blog post by the pentagon [1]:

> While all of the work done by Federal employees remains in the public domain with no restrictions, public contributors enjoy the protections of widely adopted free and open source licenses. As projects mature, the aggregate work — with all the patches, bug fixes, and additional features — will fall under the license associated with the project.

[1]: https://medium.com/@DefenseDigitalService/code-mil-an-open-s...

Which I'd immediately use to reverse-engineer itself to see if there were any back doors. Of course they'd be expecting that, so I wouldn't find any.

My first 2 thoughts as well :) I suppose you'd need to RE it using a tool you trust. Might need to do that one, too. It's like a compiler trusting-trust problem, but in reverse :)

It is a Java-based framework and most probably OSS. Coming soon on https://code.nsa.gov and github

Oh, if for nothing other than the irony of having to reverse engineer a tool for reverse engineering provided only in binary.

Charlie Miller (Apple Mac hacker and former NSA employee): This tool was already there when I left 13 years ago!

the nsa would never release cutting edge tools that had functionality unavailable in other forms.

Certainly. Maybe the CIA Vault7 revelation is the reason!

I don't get the excitement. There are already IDA Pro and Binary Ninja, developing at a fast pace and with actual support. Moreover, there are FOSS radare2[1] and Cutter[2], which are also being developed at crazy speed. We even have a work-in-progress decompiler, radeco[3][4], though there is still a lot to be done. If people would contribute - there is a lot of time until March (time of GHIDRA release).

[1] https://github.com/radare/radare2

[2] https://github.com/radareorg/cutter

[3] https://github.com/radareorg/radeco

[4] https://github.com/radareorg/radeco-lib

Surely you can see how something that combines the best of both worlds (FOSS like r2 and feature-rich / has a working decompiler like IDA / binja) would be of interest to people right?

RSA talk description never said anything about open sourcing it. Only about "free". And from WikiLeaks Vault7 documents it appears to be buggy.

I've used r2 extensively. It's an extremely valuable tool set. Thank you and everyone else for the amazing work! I am very excited for its future.

Someone please tell me this is a Godzilla reference: https://en.wikipedia.org/wiki/King_Ghidorah

I think final fantasy ripped it from Godzilla (see the etymology section):

""" Ghidra, also known as "King Ghidorah," is an enemy monster in the Godzilla series. Typically, Ghidra is Godzilla's fiercest opponent, and it usually fights against humanity. """"

Robert Joyce (NSA): The GHIDRA platform includes all the features expected in high-end commercial tools, with new and expanded functionality NSA uniquely developed

Would this be useful for reverse engineering proprietary graphics driver and wifi driver blobs?

Yes, it would be an excellent tool for that.

I can imagine this being released is a way of covering up the spyware in those blobs.

(Note to the insufficiently paranoid: "I can imagine" does the work you need it to.)

No. It will make Radare2 completely obsolete.

Please forgive my ignorance -- is this some sort of decompiler? Something more?

That's pretty much what it is. It's an interactive disassembler. Its goal is to help you reverse engineer a compiled binary. From what I read, it's similar to the commercial IDA Pro (https://www.hex-rays.com/products/ida/index.shtml). There are a few photos on the site, to give you an idea of how everything is laid out.

What is their motivation to release this? It's not like SELinux where improving general security can be seen as a national security objective.

Having a more robust reverse engineering community seems like it would be a national security objective, in a broad sense.

This tool lowers the bar for security researchers to analyze malware, and seems to be part of a broader effort by the NSA to share their tools and foster public-private partnerships.

What is their motivation for releasing this now?

It's been in the works for at least 5 years.

Fingers crossed
