THE NATIONAL SECURITY Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn’t leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a “contribution to the nation’s cybersecurity community” in announcing it at RSA, it will no doubt be used far beyond the United States.
You can’t use Ghidra to hack devices; it’s instead a reverse-engineering platform used to take “compiled,” deployed software and “decompile” it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does. Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wild—like malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from. Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.”
If you’ve done software reverse engineering, what you’ve found out is it’s both art and science; there’s not a hard path from the beginning to the end,” Joyce said. “Ghidra is a software reverse-engineering tool built for our internal use at NSA. We’re not claiming that this is the one that’s going to be replacing everything out there—it’s not. But it helped us address some things in our workflow.”