[dupe] Ghidra (nsa.gov)
103 points by jakobdabo 30 days ago | 59 comments

There was a thread on HN when they first announced a public release at RSA[0]. A lot of reverse engineers I know are excited for it.

0: https://news.ycombinator.com/item?id=18828083

Since that was less than two months ago, the current submission counts as a dupe. When it's open-sourced, that will be significant new information, which makes for a new story. It will certainly be discussed by HN then.


My brother is into reverse engineering; he is literally counting the days to the open source release of this.

He said there isn't anything quite like it as it can actually stand toe-to-toe with IDA Pro, the commercial software that apparently nothing yet can really beat.

Yup. IDA Pro is the gold standard, and was basically the only choice for a long time. It's also stupidly expensive and priced for defense contractor funny money, with an individual license nearly $3000 [0]. Most freelancers just use a cracked copy or the freeware version.

Recently Hopper and BinaryNinja have been rising in use, with much more affordable pricing plans, but they're still second-rate as far as I know.

(There's also radare2, which, for all that it's mentioned occasionally, I don't actually know anyone who uses.)

0: https://www.hex-rays.com/cgi-bin/quote.cgi

I've always wondered this - there's a real "pay for your useful tools" philosophy on here at least, for things like Sublime Text. Often quoted is the cost per hour of use, etc., which justifies the price (which is admittedly low compared to Ida).

Does the same not apply to Ida, where you would make the money back fast enough to justify the price tag? Or is it that there are more hobbyists and fewer people making actual money from using Ida?

Lots of people make serious money with Ida, it's a license to print money similar to knowing Cisco was a few years ago (although even more so I'm hoping).

The problem is barrier to entry. Many RE blogs and free resources start with "open up Ida", which means that in order to learn how to use the tool to make that money, you first have to buy the tool. Yes, there's the community edition, but it always seems to be missing that one feature you really need...

I'm really curious what the prevalence of tools like this is going to do to the salaries for reverse engineers.

This is basically how a monopoly works. And the defense industry behaves like a monopoly even if it's made up of a bunch of different companies.

I disagree, I think there's an important difference between a monopoly and a company that happens to have no competition at the moment. I think that active anti-competitive actions are one of the defining characteristics of a monopoly, and so far we haven't seen that behavior from hex-rays.

They had a significant barrier to entry protecting them, in that making a decompiler (the hex rays decompiler is the expensive part of "Ida") is hard, and the market is (was?) small.

Consider the difference between Standard Oil and Adobe. Photoshop was the only game in town not because Adobe lost money on it to drive out rivals but because it's hard to make software that does what Photoshop does.

> I think there's an important difference between a monopoly and a company that happens to have no competition at the moment. I think that active anti-competitive actions are one of the defining characteristics of a monopoly

You are of course free to think so, but be aware that does not align with the common use of the term monopoly.

Both Photoshop and IDA Pro treat their customers pretty poorly, but they work well so everyone uses it. Hence why people are excited to see competitors in the space.

I don't understand why you think $3000 per seat is asking too much. If there's a market for cheaper products, just build it. After putting in the work, you might actually think $3000 is cheap.

I have never used IDA Pro but maybe the licensing comes with some sort of support agreement?

Yes, the support is excellent. Sometimes they will even email you a new version with your requested bug fix.

Note that $3000 lacks the decompilers, of which there are 5 available. The total price with all of those is about $15,000.

I see. Thank you. I am sure for some that $15K is an investment.

Yeah, IDA is simultaneously the worst piece of software I have used from a usability standpoint but also the best reverse engineering tool out there. The author basically does whatever he likes because most reverse engineers use it :(

As someone who learned to program by reverse engineering, I also cannot wait to see this being released.

Nothing really beats the combination of SoftICE and IDA Pro; although some of the newer entrants like radare2 and good ol' OllyDBG are pretty good, nothing beats IDA Pro.

I hope the scripting language is a real programming language like Lua or Python and not some custom DSL.

Is IDA so superior to OllyDBG? What are the differences? I was into reversing in 2009/2010; I was just a hobbyist trying to crack some programs and make bots for some games.

They aren't really comparable. While IDA has some debugging features, it's all about static analysis. It has features for browsing and annotating code - you can view the code as a control flow graph, add your own names and comments to functions and variables once you've made sense of them, define structures and their members so you don't have to memorize what each offset to a common type means, jump around in the call graph, find other usages of global variables...

OllyDbg never really stepped out of the 32-bit world; the author's progress reports of the x64 version end in 2014: http://www.ollydbg.de/odbg64.html

I'd like to know if someone is using x64dbg, however, which looks similar in appearance: https://x64dbg.com/

Uhh, what's this about? https://i.imgur.com/e3kNYTH.png

I haven't worked for the US government, so I am not 100% sure of the details, but this is my understanding:

HTTPS (TLS, really) allows clients to present a certificate, just like the server does. This is commonly used, e.g., for microservices authenticating to each other in a backend.

It is less commonly used for people to authenticate to servers.

In particular, the "Common Access Card" is the ID badge used by the DoD, various parts of the armed forces, and in particular the NSA (whose website this is). Those access cards have a key and certificate usable for this.

So your keyboard (or laptop) has a smartcard reader in it, and you can insert your ID badge (maybe with a PIN? not sure if the US gov't does that) to log into any website.

Browser UX for this isn't great. Unlike the newer WebAuthn specs, where JavaScript (and thus site-specific instructions) can ask you to log in, the browser has to prompt you in a very generic way to present your certificate.
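The client-certificate handshake described above, as an added example that is not part of the thread: a Go program that builds a throwaway CA, a server certificate and a CAC-style client certificate, then runs the TLS handshake over an in-memory pipe twice, once with the client presenting its certificate and once without. The "Example CA" and "DOE.JANE.0000000000" names and the 5-second safety timer are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert issues a certificate for cn signed by parent; parent == nil yields a self-signed CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: []string{"localhost"},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MutualTLS runs one handshake over an in-memory pipe: the server demands a client certificate chained to the constructed CA, the client offers one only if present is true, and the result is the CN the server authenticated or the handshake error.
func MutualTLS(present bool) (cn string, err error) {
	ca, caKey := newCert("Example CA", true, nil, nil)
	srv, srvKey := newCert("localhost", false, ca, caKey)
	cli, cliKey := newCert("DOE.JANE.0000000000", false, ca, caKey) // CAC-style CN, made up for the example
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if present { // this is the badge's certificate and private key being offered to the server
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	}
	c1, c2 := net.Pipe()
	defer time.AfterFunc(5*time.Second, func() { c1.Close(); c2.Close() }).Stop() // safety net: never hang
	sconn, cconn := tls.Server(c1, srvCfg), tls.Client(c2, cliCfg)
	go func() { cconn.Handshake(); cconn.Read(make([]byte, 1)) }() // client side; the Read consumes the server's alert or close_notify
	if err = sconn.Handshake(); err == nil {
		cn = sconn.ConnectionState().PeerCertificates[0].Subject.CommonName
	}
	sconn.Close()
	return cn, err
}
```

Calling `MutualTLS(true)` yields the client CN, while `MutualTLS(false)` returns the server's "client didn't provide a certificate" error, which is the check a badge-gated site relies on.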

I actually prefer the browser UX for client cert authentication; since it's presented by the browser it's harder to do nefarious things with JavaScript to confuse the user as to what site is requesting authentication.

Edit: for what it's worth, the executive agencies are all required to use PIV (essentially civilian CAC) to authenticate, and those PIVs are required to have significant physical controls including requiring a PIN for access. It's a pretty robust way of enforcing 2fa.

Client certificate PKI is common in this space. Even if it's just a local cert on the user's profile, it works really well as SSO.

Thanks for the info, I had no idea this was possible. I'm tempted to give it a go on my site.

Link, in case someone wants to dig further. https://nsa.dod.afpims.mil/

403'd for me...was forced from https to http for some reason (on mobile with JS disabled - maybe a factor?).

I get:

> You cannot visit nsa.dod.afpims.mil at the moment because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

On a sidenote, looking at their Github, they publish a lot of names / emails in the git logs (~100). Some are encoded / anonymous, but most are real looking names and plausible email addresses.

An open source competitor to IDA Pro is very welcome; I never thought it would come from the NSA. Have they said anything about their motivation to open-source it?

Probably to crowd-source maintenance, like nearly every other closed-to-open transition. And Ghidra has been leaked a few times (they give it out like candy to contractors), so they're not really losing much.

Any reports on whether it's better than IDA?

I've heard that it's about equal in power, but different. Ghidra has a bigger emphasis on working with the decompiled output; you spend nearly all your time in the decompiler, whereas in IDA you flip back and forth between the decompiler (if you have it) and the disassembler.

NSA releasing an open-source tool? My first thought is, better subject it to serious, in-depth security review before installing it locally. Even then, build it from source.

It would also make me want to consider Ken Thompson's compiler trojan, and whether there is any similar vulnerability that could be inserted into an RE tool.


Do RE tools commonly output binaries?

Note that unless your compiler is already bugged (or you’re using a bugged binary), community review of the source should turn out any possible issues... unless there’s a significant competence gap between the NSA and the security community — which may be possible, but I don’t think security professionals are worried about it.

Sure, many can patch binaries.

Apache NiFi was also released by the NSA & has seen commercial success in the enterprise.

Not to mention SELinux, which was partly developed by the NSA. Red Hat is much more involved in that, though.

Right, but it’s probably been reviewed and we’re not using NSA binaries.

Wasn't Tor initially developed by the NSA/CIA as well?

> "The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997."


And Accumulo.

Can't wait to try it and read articles comparing its features with IDA, Binary Ninja, radare2 or Hopper. Sounds really interesting!

Good to see the NSA has got on board with the idea that removing the attack surface of US software is a top priority.

I wonder what the NSA does with the analytics on a page like this.

I'm still trying to figure out, in this day and age, especially after the Snowden disclosures, why anyone would trust software released by this organization.

You do realize their primary goal is intelligence gathering?

It's a reverse engineering tool. The community is going to have plenty of ability to do network analysis on it. Also, it's trivial to sandbox it, even if it weren't going to be open-sourced.

Sandboxing things is rarely trivial ;)

Air gapped RE machines (recall you're probably looking at malware anyway). One way transfer of samples. Print reports and OCR. Done.

Is printing and OCRing actually a thing? I'd think you would at least just point the camera (aka scanner) at a screen...

It depends how paranoid the security person you're trying to appease is, honestly. There are definitely better options, but that one will always "sound secure".

In particular, tools that are designed to reverse engineer things :)

I am familiar with the concept. However, I would recommend hesitating to anyone who thinks any software from the organization, open source or no, is entirely harmless to the user...

It's going to be an open source release so depending on your paranoia levels you could just build it yourself.

You'd have to audit the source code first, though, which is not a trivial thing to do.

But you can bet there will be plenty of people looking at it, and that group of people will also likely include security professionals looking to use it. I'm not sure I can honestly think of a stupider move in this area than to include nefarious code in an open source security auditing tool aimed at the highest and most complex levels of security auditing and used by professionals whose job it is to find and announce these things.

That doesn't mean assume nothing's wrong, but I'm pretty sure this thing will have some pretty talented people looking at it fairly early just for kicks, so of things to worry about, this isn't high on my list.

Given the audience I feel like the source code will be audited by the community in record time.

I don't get the criticism here, you're right on the money. What's the one group of people absolutely guaranteed to

a) audit a tool like this and

b) have the chops to perform that audit

Reverse engineers. If you're nervous, just wait 2 months and follow Twitter.

Exactly my point. When they released SELinux this was the argument, and how many lines of code does an OS have?

Lines of code is not a great metric to equate to the effort of auditing the code.

Harder to meter: how understandable is the code? More verbose, but more easily understandable code will be far easier to audit.

Personally, I'd rather have a million lines of code that are clear and obvious than 500k that are obtuse, terse and/or obfuscated.
