NSA cyber tool comes out of the shadows

The U.S. government releases a free tool to help analyze malware

The National Security Agency is one of the nation's most secretive intelligence agencies.

But there's at least one secret it wanted everyone to know about. During the March 2019 RSA Security Conference in San Francisco, the NSA released a declassified, free version of its reverse-engineering tool Ghidra, which is used to analyze computer viruses and malware.

“Ghidra is made up of more than 1.2 million lines of code… we use it to solve hard mission problems,” said Rob Joyce, NSA’s senior cybersecurity adviser, during a briefing at the RSA conference.

The tool is a familiar piece of software to Raytheon Technologies cyber experts.

“We have worked with the (NSA) team that developed Ghidra and have been using the tool for years,” said Patrick Miller, a security researcher for Raytheon Intelligence & Space, a Raytheon Technologies business.

In technical terms, Ghidra is a disassembler: software that breaks down executable files into assembly code that can then be analyzed. It helps deconstruct malicious code and malware such as viruses, and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.

“It converts 1s and 0s into human-readable language,” Miller said.

During the briefing, Joyce laid out some key features of the tool:

  • Ghidra is coded in Java
  • It supports scripting via Java or Python
  • It works on Windows, Mac, and Linux
  • Ghidra can analyze binaries for all major operating systems, such as Windows, Mac, Linux, Android, and iOS
  • It has a graphical user interface, better known as a GUI

Ghidra “is built and intended to bring independent and collaborative work together,” said Joyce, stressing the tool’s automation and collaborative features.

“It has a lot of emphasis on working the way people want to work,” he said.

One particular feature that received high praise from Joyce was the ability to “undo/redo.”

“If you’ve done software reverse engineering, what you’ve found out is, it’s both art and science. There’s not a hard path from the beginning to the end,” Joyce said.

Reverse engineering is an essential step in understanding a system or program, or how a piece of code works, what it does, and if it has any hidden functionality, according to Miller.

“Basically it helps us figure out how something was built without having the instruction manual, source code, design documents, or original developers to reference,” he said.

Malware represents one of the greatest threats organizations face today – the 2019 Crowdstrike Global Threat Report found that 60 percent of all cyberattacks involved a form of malware.

When malware is discovered within a network, the first step security teams take is to mitigate the risk. Once the threat has been contained, they look into how the intrusion occurred, what data may have been compromised and whether the threat has infiltrated into any other parts of the organization.

“Answers to these questions can be tough to find, but reverse engineering helps to uncover the missing pieces,” said Miller. “It helps us paint the picture, to figure out what we are up against and how we can defend against it.”

The NSA released the tool as a contribution to the cybersecurity community, according to Joyce. “We hope that the community will start sharing scripts and plug-ins to enhance this,” he said.

Asked what a successful release would look like, Joyce pointed to the effect it will have on nurturing cyber talent. Students trained on Ghidra will be able to raise their proficiency.

“Getting people trained to use Ghidra will not only help cyber companies who need more experienced workers, but will help the NSA in its hiring efforts as well,” Miller said.

As for future releases, Joyce said the NSA plans to release an integrated debugger, improved analysis and an emulator.

“They just aren’t as solid as we would want for a public release,” he said. “We are polishing those up and will be coming soon.”

Ghidra is currently available for download through its official website, but the NSA has plans to release its source code under an open source license on GitHub in the future.