NSA’s reverse-engineering malware tool, Ghidra, to get new features to save time, boost accuracy

The spy agency says it has listened to feedback from users and is integrating some of those ideas into the software.

Just five months ago at the RSA conference, the NSA released Ghidra, a piece of open source software for reverse-engineering malware. It was an unusual move for the spy agency, and it’s sticking to its plan for regular updates — including some based on requests from the public.

In the coming months, Ghidra will get support for Android binaries, according to Brian Knighton, a senior researcher for the NSA, and Chris Delikat, a cyber team lead in its Research Directorate, who previewed details of the upcoming release with CyberScoop. Knighton and Delikat are discussing their plans at a session of the Black Hat security conference in Las Vegas Thursday.

Before the Android support arrives, version 9.1 will include new features intended to save time for users and boost accuracy in reverse-engineering malware. Those enhancements will come from features such as processor modules, new support for system calls and the ability to conduct additional editing, known as Sleigh editing, in the Eclipse development environment.

In the months since releasing Ghidra to the public, the NSA has received 150 proposals on its GitHub page to tweak the code. Knighton and Delikat told CyberScoop they have rejected some of the suggestions, known as pull requests, after assessing that they would have slowed Ghidra down or otherwise affected it negatively. In all, they have added about 110 suggestions from the open source community into the Ghidra code itself.


Overall, the total download tally for Ghidra is just over 500,000. The instructional video on how to use the framework has been viewed more than 760,000 times, the NSA told CyberScoop.

Knighton said he initially had underestimated how much interest there would be.

“Chris and I and a few others were at the RSA conference on the floor during the release, [asking] ‘how many downloads do you think we’ll get in the first week?’ My guess was way off,” Knighton said.

Knighton said he had guessed about 5,000.

“I’m blown away by the magnitude of the numbers,” he said.


Android gets an update

In a separate rollout from version 9.1, Ghidra will be able to work with the newer versions of Android, Knighton and Delikat said. Ghidra can currently examine executable files or malware from previous versions of Android, which use the Dalvik executable (DEX) format. But the format of executable files has shifted in newer versions. After the Android 5.0 operating system, devices use ELF, a natively compiled Linux binary format, which is more difficult to analyze in the current version of Ghidra.

“We now have support to be able to analyze those binaries and digest those binaries — executables — into Ghidra,” Knighton said.

A debugger is also coming soon for Ghidra, which will allow users to expand the kind of information they can learn about the malware they’re reverse-engineering. Specifically, it will allow them to dynamically analyze malware, meaning they will be able to run the malicious code in an environment to see its real-time effects. Most of what people can use Ghidra for now is limited to static analysis, meaning the code is not necessarily tested in a live environment.

“The debugger is going to enable somebody to dynamically analyze the binary,” Delikat said. “The bulk Ghidra does is considered static: where you take a binary and you’re just looking at the bits and bytes. But the debugger is going to allow someone to attach … Ghidra, look at it while it runs, and essentially look at the bits and the bytes, and watch the change while the program runs.”


Putting out the debugger is intended to elicit feedback from the community to continue the cycle of improving Ghidra.

“The whole reason of putting out the alpha [debugger] is so that the community can look at it, and give us feedback,” Delikat said.

The entire open source process has taken the team some getting used to, Knighton and Delikat said.

“For us that was a new way to work,” Delikat said. “Where do we put the code … what’s the process for accepting code, just kind of figuring out the left and right bounds of that was sort of…out of our normal work flow.”

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
