NSA confirms plans to unveil malware analysis tool at RSA Conference

Mixed reaction to release of early 2000s vintage utility, outed by WikiLeaks in 2017

The US National Security Agency (NSA) has confirmed plans to make a US government developed reverse engineering tool, GHIDRA, freely available in March.

The official release of GHIDRA will coincide with a presentation by senior NSA adviser Robert Joyce at the RSA security conference in San Francisco on March 5, featuring the first public demonstration of the tool.

GHIDRA is a disassembler that presents executable files as instructions in assembly code, so that the functions of suspicious software samples can be analysed by security researchers or corporate blue teams.

The framework was initially developed at the beginning of the century by the NSA before, more recently, the intel agency began sharing the tool with other US government agencies.

The existence of the tool was publicly exposed two years ago, in March 2017, when WikiLeaks released Vault7, a collection of internal CIA files.

The leaked documents showed that the CIA was among the agencies that had access to the reverse engineering framework. WikiLeaks summarised the capabilities of the tool without actually releasing the GHIDRA software itself.

GHIDRA reportedly comes as a Java-based framework, front-ended by a graphical user interface (GUI) and designed to run on a variety of operating system platforms, with support for a variety of processor instruction sets.

It can be used to analyze executable files designed to run on Windows, macOS, Android, and iOS.

Commercial reverse engineering tools already exist in the shape of IDA-Pro and OllyDbg, among others.

Useful tool, or vintage utility?

Reaction to the upcoming release of GHIDRA has been mixed, with some experts dismissing it as well past its sell by date, while others are far more enthusiastic.

Former NSA analyst Charlie Miller was underwhelmed: “GHIDRA still exists at NSA? That tool was already there when I left 13 years ago!”

One Mexico-based techie was similarly dismissive: “Ghidra is basically IDA with a loader and plugins. Don’t get excited!”

Security developer Charles Smith added: “GHIDRA was stolen & released… they just made it official.”

Basque hacker Joxean Koret was far more upbeat. “Ghidra looks awesome. But I don’t think IDA [Pro] will be heavily affected for one very important reason: support. Also, the support they give is awesome,” she said in an update on Twitter.

It’s as yet unclear whether or not the NSA will open-source GHIDRA. The NSA’s code repository on GitHub already features 31 projects, so there’s precedent for the agency to release the blueprints for tools to the open source community.

Whether or not this will happen in the case of GHIDRA seems likely, but it remains unconfirmed.

“The GHIDRA announcement is interesting,” said infosec luminary Halvar Flake. “Rumors about open-sourcing it have been swirling for years; shows how difficult such a release process is.”