After years lurking in the shadows, the National Security Agency’s tool for reverse-engineering malware is now out in the open. The software framework has moved from classified status into use by military analysts and contractors in sensitive-but-unclassified settings, and now it’s available to anyone with an internet connection.
In a bid to help private and public-sector analysts track how malicious code evolves and morphs, the agency announced the release of the tool at the RSA Conference in San Francisco on Tuesday.
“As we open-source it, I think the creative folks on the outside are going to build modules and capabilities and they’re going to be able to collaborate with us on improving it even further,” Rob Joyce, senior cybersecurity adviser at NSA, said at an interview.
The gist of the software framework, called Ghidra, is that it allows analysts to compare different versions of malicious code to understand what each is doing differently, including how it might be trying to hide on networks, Joyce told CyberScoop. Ghidra can be applied to common platforms like Linux, Mac OS and Windows.
With more than 1.2 million lines of code in its database, Ghidra will give analysts a rich set to work with, according to Joyce. The agency is releasing a lot of source code for Ghidra on Tuesday, along with its executable file and, in the coming weeks, more information about the design and configuration of the software. There will also be an open-source repository for Ghidra’s code on GitHub.
NSA officials hope Ghidra will highlight the agency’s defensive cybersecurity mission, which is perhaps less known to the public than its foreign intelligence collection. The agency, of course, does plenty of its own hacking of foreign networks, but also helps other U.S. agencies secure their own.
“We absolutely want people to understand the defensive mission, that we’re making a contribution, that we have some pretty cool technology,” Joyce told CyberScoop.
An ‘arrow in the quiver’
Joyce gave a speech last week to industry executives outlining how the U.S. government would do more to disrupt and deter foreign hacking. Asked if Ghidra was part of that approach of publicizing foreign malicious activity, he called it “one of the arrows in the quiver.”
“It is a piece of technology that supports that broad effort we have to do to understand the threats, figure out where the threats are coming from, how they’re evolving,” said Joyce, who has spent more than two decades of his career at the NSA.
“Is it a game-changer in that?” Joyce said. “No. Like I said, there are other reversing tools…But this one lets us do our mission in a very effective way.”
One measure of Ghidra’s adoption outside of the agency’s base at Fort Meade will be with young people. Joyce said he has seen college students competing in “capture the flag” hacking contests using pirated software because authentic reverse-engineering tools can be expensive.
“If I go to the next capture-the-flag contest and I see some college students using Ghidra, I will be really excited,” he said.