A SOPHISTICATED TOOL WITH FAR-REACHING IMPLICATIONS
By Dr. Wesley McGrew, Director of Cyber Operations, HORNE Cyber
On March 5, the National Security Agency (NSA) officially released Ghidra, a software suite that the NSA hopes will help cybersecurity professionals “make the cybersecurity of our great nation BETTER.” While the release of this software is both significant and high-profile, the use of it is specialized, so there are far more people asking questions about it than those who have answers.
Let’s start with the simplest question: What is Ghidra? Ghidra (GHEE-druh) is a framework for software reverse engineering. Consider a (very) simplified development process:
Requirements > Design > Implementation > Distribution
With software, the “implementation” step involves developers writing code made up of instructions that accomplish the goals of the program. Whether it’s a word processor formatting text or a web browser retrieving it from a site, every action a software program takes requires hundreds of programmed instructions that (hopefully) reflect the design and requirements. The code that developers write contains names, structure and free-form comments that help those developers express the ways they are implementing the design.
Before software makes its way to end-users, a distributable version of the program must be built. The build process involves translating the code the developers wrote into a form that can be interpreted and executed by a computer. This final form is more difficult for human developers to read. The development process results in a program that (again, hopefully) meets its requirements, implements a design and is distributed in such a way that the end-user does not have an easy way to inspect or understand that design, even though they can run the program.
The software reverse engineering process involves examining a distributed program and trying to answer questions about its implementation and design. Ghidra takes computer-readable code and helps an analyst translate it back into something human-readable. Without the original developer’s notes, comments, design documents or even the names of functions, it is a puzzle to figure out the purpose of certain blocks of code and areas of memory. Ghidra acts as a user interface for an analyst to read, manipulate and add in comments and names as the analyst figures them out.
When a malicious program is discovered in a breach, the first step is to determine what it does. Unlike a word processor, computer viruses and ransomware aren’t installed knowingly and willingly. The software reverse engineering process must be applied to determine the malware’s full set of capabilities. Once a breach is discovered, an analyst will seek to answer questions such as how does this malware encrypt my data and how can I reliably detect the presence of this malware on other systems? Software reverse engineering is also used by vulnerability analysts to read the code, identify flaws in the design and implementation of software and determine the security implications of these flaws.
There is no major feature of Ghidra that does not already exist in current software reverse engineering tools. The biggest difference is that Ghidra, and its source code, is free for everyone to use, extend and modify. The nearest competitor to Ghidra costs thousands of dollars in licensing fees. While there have been other low-cost and free options, Ghidra has the most complete set of features and best user interface in the market. Ghidra also has the potential to be used by a wider audience as a starting point for more automation in code analysis, due to its permissive licensing.
But that doesn’t mean everyone should jump in with two feet. Software reverse engineering is a specialized skill. If you think there is a skill shortage in deep-technical cybersecurity, then reverse engineering is an even more specialized form of expertise that requires a sophisticated understanding of programming and computer architecture.
Many security professionals will be able to make use of Ghidra in a wide range of services. At HORNE Cyber, for example, our analysts identify vulnerabilities in software products, use software reverse engineering to develop new tools to assess network security and monitor the presence of malicious code on client networks and provide recommendations on proactive measures.
For most companies, it is impractical and even cost-prohibitive to keep a full-time professional with reverse engineering skills on staff. It is far more likely that the application of Ghidra will trickle down in security service engagements with some providers having that capability at the “edge” and most analysts being able to perform basic reverse engineering of code. While it is not necessarily important to determine what framework—Ghidra or otherwise—a security service provider is using, you may want to ask your provider about their capability, capacity, and structure in reverse engineering and how it might apply to the services you are acquiring.
Ghidra is a specialized tool for a specialized area of practice, but its release is very impactful. It has the potential to increase not only the size but the depth of the talent pool in technical security, which can result in better services and improved cybersecurity.
About the Author
Dr. Wesley McGrew serves as director of cyber operations for HORNE Cyber. Known for his work in offense-oriented network security, Wesley specializes in penetration testing, vulnerability analysis, reverse engineering of malicious software and network traffic analysis. Wesley is the author of penetration testing and forensic tools used by many practitioners. He is a frequent presenter at DEF CON and Black Hat USA. At the National Forensics Training Center, he provided digital forensics training to law enforcement and wounded veterans. As an adjunct professor he designed a course he teaches on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. This effort was undertaken as part of earning National Security Agency CAE Cyber Ops certification for the university. He has presented his work on critical infrastructure security to the DHS joint working group on industrial control systems. Wesley earned his Ph.D. in computer science at Mississippi State University for his research in vulnerability analysis of SCADA HMI systems used in national critical infrastructure. Wesley can be found at @McGrewSecurity and at our company website https://hornecyber.com/.