NSA releases Ghidra open source reverse-engineering tool

The National Security Agency launched its highly anticipated reverse-engineering tool, Ghidra. The free software offers features found in high-end commercial products.

SAN FRANCISCO -- The National Security Agency released an open source version of its reverse-engineering toolkit for malware, providing security professionals with free software that offers features only found in high-end, expensive commercial products.

The U.S. intelligence agency launched the Ghidra modular toolkit at the RSA Conference here on Tuesday. The highly anticipated release demonstrated a continued willingness on the part of the NSA to build better relations with the IT security community.

For David Mattson, a self-described "open source junkie," Ghidra would bring a dramatic improvement to the noncommercial tools he has employed.

"It's leaps and bounds ahead of what I'm using," said Mattson, a security professional with health insurance company Centene Corp., based in St. Louis. "It's like bringing a tank to a musket fight."

Robert Joyce, a senior adviser for the NSA, explained to a packed house the standout features in Ghidra, which the NSA uses to disassemble executables into code. The process of reverse-engineering is useful in learning more about the capabilities of malware and its creator.

Ghidra for enterprise security

Ghidra, which the NSA developed in the early 2000s, can reverse-engineer software for Windows, Mac, Linux, iOS or Android. Users can run the Java-based toolkit on Windows, Mac or Linux.

The software is modular, which means security pros can remove or add modules depending on their preference. The modularity of Ghidra lets the NSA share the software, while holding onto modules the agency wants to keep in-house.

"This is still a healthy, ongoing development within NSA," Joyce said.

Users can employ JavaScript or Python to extend a module's capabilities. They can also take advantage of a shared repository and version control when collaborating with colleagues, as well as a file system for viewing, extracting and importing nested malware functions.

Ghidra has an undo-redo feature that is useful when applying different analytics while disassembling an executable, a process Joyce described as "both art and science."

Joyce acknowledged releasing Ghidra to the open source community would lead to improvements in the toolkit that would benefit the NSA. Also, universities could use the software as a teaching tool, which would help prepare students interested in working for the agency.

In 2013, the NSA was thrust into the public spotlight after intelligence contractor Edward Snowden disclosed the agency had been collecting and analyzing logs of Americans' domestic calls and texts. Former President George W. Bush started the program to hunt for conspirators following the Sept. 11, 2001, terrorist attacks.

The New York Times reported this week the NSA had quietly shut down the program and hadn't used it in months.

In light of the previous revelations, Joyce assured RSA attendees Ghidra was safe to use.

"For the record, there's no backdoor in Ghidra," he said. "Scout's honor."
