‘For the Record, There’s No Backdoor,’ NSA’s Rob Joyce Tells RSA Conference
Here’s free software for reverse-engineering applications – all you have to do is install it on your system.
Joyce is an NSA veteran who served as head of the agency’s hacking team, then as White House cyber coordinator before returning to the NSA, where he’s now a senior adviser on cybersecurity strategy, and in his spare time pursues a penchant for computerized lighting and swapping cybersecurity stickers.
Who’s ready for RSA? This guy! pic.twitter.com/g7QzjxDAQQ
— Rob Joyce (@RGB_Lights) March 2, 2019
On March 5, after a requisite amount of buildup via social media, Joyce announced the free, public release of Ghidra, a software reverse-engineering tool built by the NSA, for the NSA.
Running to more than 1.2 million lines of code, Joyce said Ghidra is how the agency takes software apart to see how it works. And now it’s free for anyone to use.
— NSA/CSS (@NSAGov) March 6, 2019
If you want an easy laugh, bring a senior intelligence official to a cybersecurity conference and have him tell the audience: “Trust us.”
But Joyce came out of the gate promising no tricks. “For the record, there’s no backdoor in Ghidra,” he said. “This is the last community [to which] you’d want to release something with a backdoor.”
The Reverse-Engineering Imperative
Intelligence agencies have an obvious need to reverse-engineer many different types of applications.
“We use it across the two main missions of the NSA: cybersecurity and foreign intelligence,” Joyce said. The software helps with security validation – ensuring that a box or device does what it says it does, and nothing more – as well as malware analysis, discovering vulnerabilities and simply taking a deep dive into any type of software.
“Doing software reverse-engineering is like working a puzzle – you’re given a binary and you’re trying to get back to an understanding of what it is and what it does,” Joyce said.
Software developers create applications using notes and other signposts for others to follow. But when they run their code through a compiler so that others can take the code and execute it, all of those notes get lost, including the names assigned to different variables.
“When you do that it goes through a compiler process that breaks it down to the zeros and ones that run on that microprocessor,” Joyce said.
Ghidra is designed to help reverse engineers literally reverse that process by feeding in an executable and attempting to work backward to the precompiled code base.
“Overall, what we’re trying to do is figure out what’s in that binary,” he said. “Hopefully at the other end of this activity the software reverse-engineering tool gets back” to the point where the code can be recompiled.
Battling Information Overload
It’s tedious work, and Joyce said Ghidra is designed to automate and streamline as much of it as possible.
For example, he said one of the best features built into Ghidra is an “undo/redo” feature. “Unless you’ve really done this yourself, you don’t know how much this helps with the engineering pain,” he said.
Some former NSA employees waxed nostalgic about Ghidra. Charlie “Jeep hacker” Miller, for one, said he was surprised it was in use.
Damn GHIDRA still exists at NSA? That tool was already there when I left 13 years ago! https://t.co/6z2eLRW6pZ
— Charlie Miller (@0xcharlie) January 3, 2019
Almost everyone loves a free tool, but Ghidra competes with a number of other tools, including industry heavyweight IDA Pro. Some early reviewers of Ghidra have noted that IDA Pro appears to be quicker at handling certain tasks as well as to sport a more modern interface.
“There are excellent tools in the community,” but Ghidra has been built to help “address some things that were important in our workflow,” Joyce said.
“We undertook Ghidra really to deal with information overload in the software reverse-engineering field,” he said. “The other aspect we focused on was working effectively and efficiently at scale. Another process was for us to work intelligently on new versions of the same code,” such as malware, which attackers may rapidly iterate in very small ways.
Reverse-Engineering for the Future
Joyce and the NSA are pitching Ghidra as a free tool – developed with U.S. taxpayer dollars – that it hopes the open source and reverse-engineering community will take and run with.
NSA: let’s release Ghidra to the wider community and everyone benefits.
— packetswitchr (@packetswitchr) March 6, 2019
Joyce also wants students to have access to a tool they can use to learn reverse-engineering, including for capture the flag challenges.
“Doing software reverse-engineering is like working a puzzle.”
—Rob Joyce, NSA
“I’ve watched a lot of capture-the-flag teams out there and they fall into one of three buckets,” he said. Namely, either the team has access to the tools it needs legitimately, it has a pirated copy of the tools it needs or it just doesn’t have any access.
Joyce said he hopes that the use of Ghidra becomes common at universities, and at the National Centers of Academic Excellence in Cyber Defense sponsored by the NSA. And he hopes it gives the agency more opportunities to bring these students in as interns and later hire them.
“If I go to a school and I see Ghidra, that [will be] a huge measure of success,” Joyce said. “I’ll be really transparent: That education also helps us.”
Reviewers Weigh In
Early reports from the information security community – and reverse engineers in particular – have been good.
Vicky Ray, a principal threat researcher for the Unit 42 team at Palo Alto Networks, lauded the NSA for releasing a well-documented tool that includes exercises for learning to use it.
#Ghidra comes with some great documentation, slides & exercises as well for beginner, intermediate and advanced users. Thanks @RGB_Lights and the entire team behind Ghidra @NSAGov. Really nice work!
ghidra_9.0 > docs > GhidraClass pic.twitter.com/1vYNHEZ4QA
— Vicky Ray (@0xVK) March 6, 2019
As with any application, the NSA-developed code isn’t perfect. Within hours of Ghidra’s release, Matthew Hickey (@HackerFantastic) spotted a flaw that could be used to remotely execute code on the system of anyone using the software. He also documented an easy way to fix the problem.
Why is #Ghidra important? IDA’s license fees are high, unless your business is full-time reverse engineering it’s a difficult license cost to swallow. I’ve personally “made do” with r2 (brilliant but buggy) and Hopper (limited). Ghidra opens up more possibilities to explore bins.
— Hacker Fantastic (@hackerfantastic) March 8, 2019
Despite finding the flaw, Hickey says he’s a fan of the software and plans to use the application to reverse-engineer all types of binary files. “Ghidra is a really nice tool addition for reverse engineering, don’t let my observation of an insecure configuration option dissuade you from trying it out,” Hickey tweeted.