Slashdot Mirror


NSA To Release a Free Reverse Engineering Tool (zdnet.com)

The US National Security Agency will release a free reverse engineering tool at the upcoming RSA security conference that will be held at the start of March, in San Francisco. From a report: The software's name is GHIDRA and, in technical terms, it is a disassembler: a piece of software that breaks down executable files into assembly code that can then be analyzed by humans. The NSA developed GHIDRA at the start of the 2000s, and for the past few years, it's been sharing it with other US government agencies that have cyber teams who need to look at the inner workings of malware strains or suspicious software. GHIDRA's existence was never a state secret, but the rest of the world learned about it in March 2017 when WikiLeaks published Vault7, a collection of internal documentation files that were allegedly stolen from the CIA's internal network. Those documents showed that the CIA was one of the agencies that had access to the tool.

61 comments

  1. IDA has a sister by Anonymous Coward · · Score: 0

    Who knew?

    1. Re:IDA has a sister by Anonymous Coward · · Score: 0

      Everyone involved knew. Fuck off.

  2. Nice try, NSA... by Anonymous Coward · · Score: 0

    ...so you want to monitor who will download it, don't you?!?

    1. Re:Nice try, NSA... by Anonymous Coward · · Score: 0

      Stop being stupid, they already monitor everything regardless.

    2. Re:Nice try, NSA... by AHuxley · · Score: 1

      It's nice to read the CIA Marble Framework results when the code shows what foreign-language text the CIA wanted to be found.

      --
      Domestic spying is now "Benign Information Gathering"

    3. Re:Nice try, NSA... by Anonymous Coward · · Score: 0

      No need for you to be a fool, but you sure sound like one, talking that way.

    4. Re:Nice try, NSA... by AlwinBarni · · Score: 1

      ...so you want to monitor who will download it, don't you?!?

      Sorry, no mod points - well deserved here :-)
      I would guess that it's not only download monitoring - how many people will use this tool to analyze the very tool itself?

  3. Nice but not unique by Alain+Williams · · Score: 2

    E.g. Ndisasm

    1. Re:Nice but not unique by mike.mondy · · Score: 4, Informative

      E.g. Ndisasm

      There are also a few tools that try to convert to high level languages:

      Snowman
      REC Decompiler

    2. Re:Nice but not unique by Anonymous Coward · · Score: 0

      Nice but not unique

      I wouldn't take that bet.
      My money would be on the NASM decompiler not being backdoored and trojaned to hell to deliver and report back to the NSA what it is you are peeking into.

    3. Re: Nice but not unique by Anonymous Coward · · Score: 0

      That would be trivial to find out.

    4. Re: Nice but not unique by Anonymous Coward · · Score: 0

      My tool of choice, but I spend a lot of time disassembling, examining, and disassembling again from different offsets. I also use WinDbg quite a bit.

    5. Re: Nice but not unique by lsllll · · Score: 1

      That would be trivial to find out.

      Stuxnet much?

      --
      Is that a roll of dimes in your pocket or are you happy to see me?

    6. Re: Nice but not unique by Anonymous Coward · · Score: 0

      Run it off an air-gapped machine. Done.

  4. Who hasn't used one? by Anonymous Coward · · Score: 1

    Taking assembly at university in the early '90s, I used a decompiler in the process.

    How is this "a disaster"? What is unique about this one other than the maker?

  5. what do I know? by AndyKron · · Score: 2

    I thought it was illegal to reverse engineer software?

    1. Re:what do I know? by ShanghaiBill · · Score: 5, Informative

      I thought it was illegal to reverse engineer software?

      No. Disassembling software is not, and has never been, illegal in America.

      It may be illegal to use the result of the disassembly, especially to bypass security, but also by incorporating copyrighted or patented code into your own products, or accessing functionality that you are not licensed to use. But the disassembly itself is not illegal.

      Some products have terms in their license that forbid disassembly, but those are untested by the courts, are only binding if you are a party to the contract, and violation is a civil tort, not a crime.

    2. Re:what do I know? by Gabest · · Score: 2

      It's just a hex viewer, you can already see the instructions if you know their code number.

    3. Re:what do I know? by eneville · · Score: 0

      Does that go for JavaScript? What about bytecode? Doesn't a computer reverse engineer every time it executes? Would reading punch cards count as reverse engineering too? Genuinely curious.

    4. Re:what do I know? by lsllll · · Score: 1

      It's just a hex viewer, you can already see the instructions if you know their code number.

      Reminds me of the The Story of Mel

      --
      Is that a roll of dimes in your pocket or are you happy to see me?

    5. Re:what do I know? by Anonymous Coward · · Score: 0

      lol.... nothing is illegal for the NSA

    6. Re: what do I know? by Anonymous Coward · · Score: 0

      Their "code number?" Do you need a decoder wheel as well? Or maybe just The ISA docs and a very basic understanding of machine language / byte code.

    7. Re: what do I know? by Anonymous Coward · · Score: 1

      A computer does not reverse engineer the code when it executes. A computer executes compiled binary code. Compiled binaries are at one end, JavaScript is at the other end.

      This is a decompiler, it takes a binary executable and turns it into something more readable. Not quite as readable as non-obfuscated JavaScript though, but something like an old version of JavaScript.

    8. Re: what do I know? by Anonymous Coward · · Score: 0

      Would reading punch cards be reverse engineering? That sounds like a fair assessment to me. Particularly if those were punch cards for a modern program.

      Imagine writing a complex JavaScript program, and then having it be compiled into "punch cards" to feed into the computer. Then you hand those punch cards to somebody else to figure out what you originally wrote in JavaScript.

    9. Re:what do I know? by Anonymous Coward · · Score: 0

      I don't know why people get so confused by ToS and usage agreements. If they actually read them they would realize how fucking absurd nearly all of them are and how they are already in violation of them and still haven't had the cops kick in their door.

      All that you have stated is pretty much true....And to add to that, we also paid for GHIDRA so why not let us enjoy all those toys our government buys with our dollars.

    10. Re:what do I know? by Anonymous Coward · · Score: 0

      I thought it was illegal to reverse engineer software?

      Against the license agreement, probably yes. Against the law in general, no.

      (depending on your jurisdiction, of course)

    11. Re:what do I know? by zwarte+piet · · Score: 1

      Alto violin, actually.

  6. Holy Shit no by Anonymous Coward · · Score: 4, Insightful

    Have you seen what the Obfuscated C project can do? I wouldn't trust NSA source code beyond 'print "Hello World";' and even that is iffy. God help anyone who touches it if this release is binary only.

    1. Re:Holy Shit no by Anonymous Coward · · Score: 0

      By that logic all open source software is potentially back-doored. Oh wait, it probably is...

    2. Re:Holy Shit no by Anonymous Coward · · Score: 0

      Assuming it's released as FOSS, the only "safe" and honest approach would be to do a full audit, and then make a new tool, copying the useful parts, little by little, rechecking everything, always disclosing that it came from them.

    3. Re: Holy Shit no by Anonymous Coward · · Score: 0

      I'm sure you would have no problem if China released it.

    4. Re: Holy Shit no by Anonymous Coward · · Score: 0

      found the spook

    5. Re:Holy Shit no by SCVonSteroids · · Score: 1

      It's not an unreasonable assumption to have.
      There are some things, if I can't compile it myself, I'd rather just not have.

      --
    I tend to rant.

  7. NSA? More like NIH (Not Invented Here) by Anonymous Coward · · Score: 0

    How is this different from any other disassembler?

  8. GHIDRA? Monster Zero... apk by Anonymous Coward · · Score: 0

    GHIDRA? Monster Zero - somebody @ the NSA's watched a LOT of old "Godzilla" flicks...

    APK

    P.S. => Three-headed monster from Mars, IIRC, that tosses lightning bolts out of its mouth no less ... apk

  9. Why GHIDRA? by Anonymous Coward · · Score: 0

    GHIDRA does not appear on the website https://code.nsa.gov/.

    What is the difference between the two below?

    https://github.com/nsacyber
    https://github.com/nationalsec...

    Which of the two above is the official page for releasing GHIDRA?

    Can GHIDRA support RISC-V? And Intel/AMD/ARM?

    1. Re:Why GHIDRA? by Martin+Blank · · Score: 1

      GHIDRA is supposed to be released at RSA. They have a talk scheduled about it. I've seen some people eager (setting aside backdoor risks) for a strong competitor to IDA Pro and its ridiculously high prices.

      --
      You can never go home again... but I guess you can shop there.

    2. Re: Why GHIDRA? by Anonymous Coward · · Score: 0

      Radare2 is very good and free.

  10. lol by lsllll · · Score: 3, Insightful

    Does it come with a free thumbdrive? If not, I won't be interested.

    --
    Is that a roll of dimes in your pocket or are you happy to see me?

  11. Binary into assembly? by OneHundredAndTen · · Score: 1

    That's kind of trivial. Tedious and laborious, but trivial - you do not need the NSA to tell you how to do that. If the tool were able to spit out code in some high-level language (even something as low-level as C) that is not unintelligible spaghetti code, that would be something.

    1. Re: Binary into assembly? by Anonymous Coward · · Score: 0

      Converting to C is also trivial, but you'd need to emulate a target loader to unwind relocs and make sense of linked shared objects.

    2. Re:Binary into assembly? by Anonymous Coward · · Score: 0

      https://retdec.com/ ?

  12. Just download and install on your computer by Anonymous Coward · · Score: 0

    Trust us....

  13. "allegedly"????? by Anonymous Coward · · Score: 0

    When WikiLeaks says so, it is. Spooks might not like them, but nothing they have published so far was wrong.
    Also, their reaction to the leaks' publication was pretty clear.
    Why are people using this kind of language to talk about their leaks? What is the agenda here?

  14. Am I missing something? by Anonymous Coward · · Score: 0

    Other than the word violation, there appears to be NOTHING in the original message remotely like "viola" or "voilà".

  15. Most Excellent timing by hAckz0r · · Score: 3, Interesting

    I have been a long time supporter of IDA Pro, for better than 15 years. Every year I would dig down deep into my pockets and hand over about $600 for my maintenance contract renewal, for my own personal use. My "named" license allowed me to install the product on any machine where I need to analyze something down to the assembly level, and chase the rabbit down the hole. I could code in IDAPython, to script up some magic to analyze things in ways you just could not do with any other tool. Except of course the infamous GHIDRA, which, although people I knew at work all used it, I had no direct access to. They said it was better than IDA Pro. Still, there were reasons for them to keep IDA Pro on their tool shelf because no one tool fits every problem.

    Well, in 2018 HexRays changed the licensing, and removed the "named" licenses from their offerings. For twice the price I could own a single license for one single machine, which was of course not going to be the one I needed to analyze. My desktop machine is essentially a Xen virtualizing service with lots of smaller task-oriented virtual machines. Which single virtual machine do I now choose to run IDA Pro in? Whichever one I choose, there will be some other place I need to debug something. The new IDA Pro licensing sucks, and I cannot justify that kind of money for software that I cannot even run where I need it.

    Now I can not wait to get my hands on GHIDRA.

    1. Re:Most Excellent timing by Bite+The+Pillow · · Score: 2

      I'm skeptical that a tool can be as good as ida. I use the free noncommercial version, so it's not even the latest and greatest.

      Ida and SoftIce/WinIce are hard to beat. I hope to contribute some fixes because ida has become less keyboard friendly. That shit needs to stop.

    2. Re: Most Excellent timing by Anonymous Coward · · Score: 0

      Anonymous and cowardly props to Compuware for giving me a free copy of SoftICE after it went EOL. Miss the days of reasonable access to a company's back catalog. Everyone is now obsessed with hoarding IP and never sharing it just to prevent someone from doing something useful with it.

    3. Re:Most Excellent timing by DigitAl56K · · Score: 1

      IDA's pricing scheme is ridiculous.

      I would like to educate myself with IDA for non-commercial use, but Starter is nearly $1000 and doesn't even handle 64-bit binaries. That is ridiculous.

      Hex-Rays deprived themselves of corporate licensing last year when, having been unable to familiarize myself with anything but the old free 5.0 edition due to the cost, I could not confidently tell the person who approves the PO that yes, I am fairly confident I can use this tool to solve our problem.

      I am very glad to see this competitor come along even if only for the fact it might make someone at Hex Rays re-evaluate their model.

    4. Re:Most Excellent timing by hAckz0r · · Score: 1

      The free version has been updated as of version 7.0, so I would first try that. It's still x86 only, while the paid version does something like 96 different CPU architectures, and even Java/Android support. I believe the new freebie should do 64-bit, which the older 5.0 version definitely cannot.

      I have not used the free version since I still have my old license for 7.1 that will never expire. I'll stick with that until I find something better.

  16. Malware anyone? by Anonymous Coward · · Score: 0

    Yeah. Just what I always wanted. Software from the NSA. No need for security updates.

    1. Re: Malware anyone? by Anonymous Coward · · Score: 0

      If you are running SELinux, that's a product of the NSA.

      They've contributed to the crypto you use all day.

    2. Re: Malware anyone? by Anonymous Coward · · Score: 0

      SELinux is not crypto...

    3. Re: Malware anyone? by Anonymous Coward · · Score: 0

      Contributed weaknesses, bad suggestions, and steered people away from stronger implementations. Likely withheld any true criticism of value.

      No thank you.

  17. King? Ghidra? by Anonymous Coward · · Score: 0

    Let the Godzilla jokes begin!

  18. Nothing here by Anonymous Coward · · Score: 0

    This is not much of a tool. All it has to do is convert the hex instructions into the instruction code representations. If it singles out groups of code, such as I/O routines, then it would be useful, but I doubt it does that.
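    Several comments in this thread describe a disassembler as "just a hex viewer" that maps opcode bytes to mnemonics, and one mentions having to disassemble again from different offsets. The added example below (teaching code written for this page, not part of Ghidra, the thread or any toolchain) does exactly that for a small, hand-picked subset of x86-64 opcodes with a linear sweep, and shows why instruction length matters: the same bytes decode to different instructions when the sweep starts one byte late. The opcode table and the sample byte strings are constructed for the example.

```python
"""Minimal linear-sweep disassembler for a few x86-64 opcodes (teaching code)."""
import struct

# Opcode table: fixed leading bytes -> (total instruction length, text).
# Encodings follow the Intel SDM; {imm8}/{imm32}/{rel8}/{rel32} get filled in.
OPCODES = {
    b"\x90": (1, "nop"),
    b"\xc3": (1, "ret"),
    b"\x55": (1, "push rbp"),
    b"\x5d": (1, "pop rbp"),
    b"\xc9": (1, "leave"),
    b"\x31\xc0": (2, "xor eax, eax"),
    b"\x48\x31\xc0": (3, "xor rax, rax"),     # same opcode with a REX.W prefix
    b"\x48\x89\xe5": (3, "mov rbp, rsp"),
    b"\x48\x83\xec": (4, "sub rsp, {imm8}"),
    b"\xb8": (5, "mov eax, {imm32}"),
    b"\xeb": (2, "jmp {rel8}"),
    b"\xe8": (5, "call {rel32}"),
}


def decode_one(code, off):
    """Decode the instruction starting at `off`; return (length, text)."""
    for prefix, (length, text) in OPCODES.items():
        if code.startswith(prefix, off):
            if off + length > len(code):
                break                      # operand bytes cut off: treat as data
            operand = code[off + len(prefix):off + length]
            if "{imm8}" in text:
                text = text.format(imm8=hex(operand[0]))
            elif "{imm32}" in text:
                text = text.format(imm32=hex(struct.unpack("<I", operand)[0]))
            elif "{rel8}" in text:         # branch targets are relative to the next insn
                text = text.format(rel8=hex(off + length + struct.unpack("<b", operand)[0]))
            elif "{rel32}" in text:
                text = text.format(rel32=hex(off + length + struct.unpack("<i", operand)[0]))
            return length, text
    return 1, f"db {hex(code[off])}"       # unknown opcode: emit the raw byte


def disassemble(code, start=0):
    """Linear sweep from `start`; returns a list of (offset, hex bytes, text)."""
    out, off = [], start
    while off < len(code):
        length, text = decode_one(code, off)
        out.append((off, code[off:off + length].hex(), text))
        off += length
    return out


# Constructed sample: the prologue/epilogue a compiler emits for `return 42;`.
SAMPLE = bytes.fromhex("554889e54883ec10b82a000000c9c3")

if __name__ == "__main__":
    for off, raw, text in disassemble(SAMPLE):
        print(f"{off:04x}  {raw:<14} {text}")
```

    Running `disassemble(bytes.fromhex("4831c0c3"), 1)` yields `xor eax, eax` where a sweep from offset 0 yields `xor rax, rax`, because the one-byte shift drops the REX.W prefix; that resynchronisation problem is the reason analysts re-sweep from other offsets.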

  19. The main point is being missed by Anonymous Coward · · Score: 0

    You can't disassemble what you can't see.
    EEPROMs and CPUs now have locked areas, and you can't even get a checksum and inventory to know if something changed. So there will be no effective national security until visibility is improved. I suspect the 5G wrangle is because the Chinese write their own specs and may not have law enforcement flaws built in.

  20. Found the dumbass!! by Anonymous Coward · · Score: 0

    Found the dumbass who can't read the source and point out the flaws.

  21. Learning is better than ignorance. by jbn-o · · Score: 1

    Have you seen what the Obfuscated C project can do?

    Yes, obfuscated programming contests can serve as important learning tools for those who want to liberate themselves from continued ignorance driven by fear of the unknown.

    I wouldn't trust NSA source code beyond 'print "Hello World";' and even that is iffy.

    I think it's safe to say you won't be doing anything with the program (as far as you know) but programmers simply can't afford the luxury of being ignorant and non-programmers are not well served by inculcating fear. The result of your suggestion is to maintain a small group of elites who ought to be blindly trusted rather than kept in check through software freedom.

    God help anyone who touches it if this release is binary only.

    I'm not sure what constitutes 'touching' in this context but disassembling the binary and examining how that works (even running the code once understood on a spare computer or VM, perhaps one that isn't networked) should be encouraged particularly for the purposes of providing a free software replacement. Running the program temporarily might be necessary to provide a free software replacement. One hopes that any release comes with complete corresponding source code and build instructions. But really, there's no more reason to trust the proprietary software people run every day than there is to trust any code from the NSA. Proprietary software is often malware. We have no good reason to trust the NSA nor software proprietors; in fact, the proprietors sometimes work with the NSA (like when Microsoft specifically changed Skype to make it easier to spy upon).

  22. disassemblers are provided by any sane toolchain by obsrwr · · Score: 1

    objdump -D ....