What made it so popular was who was giving it away – the National Security Agency's Senior Advisor for Cybersecurity Strategy Rob Joyce, who also held the position of Cybersecurity Coordinator in the Trump White House, as well as that of Chief of the NSA’s offensive division, the Tailored Access Operations Unit.
Joyce began by setting Ghidra in the context of other open-source software projects that have been developed and released by NSA over the years, including security enhancements for Linux and Android.
He drew laughs when he jokingly pointed out that many Android phone users are carrying around a “little bit of NSA” in their pockets, before adopting a more serious tone to aver that no such backdoors were baked into that, or any of NSA’s other free software, Ghidra included.
Moving on to address the next elephant in the room, Joyce declared that Ghidra was not meant to compete with, or supplant, what is widely regarded as the most popular reverse engineering tool on the market, Hex-Rays' IDA.
Nevertheless, it was hard not to notice that Ghidra was designed to address some common shortcomings in IDA, including the lack of an "Undo/Redo" feature and the lack of a way for several analysts to work collaboratively on the same binary.
Ghidra also supports annotated difference comparisons and version tracking – both features which were highly desirable in NSA’s environment, but which also promise to make joint analysis by researchers in the private sector much easier.
Speaking of private sector researchers, for this edition of Around the Watercooler, we reached out to a number of our own reverse engineers for some initial impressions on the tool’s release.
The responses we received ran the gamut from highly detailed comparisons of Ghidra and IDA to concerns about application security, and even included comments on Ghidra’s look and feel.
One pair of researchers had this to say about Ghidra’s positives:
“Some features I find interesting and helpful in Ghidra:
And they had this to say about Ghidra’s shortcomings:
“Some things to consider:
Another researcher expressed concerns about potential security vulnerabilities in the application itself, saying:
“In debugging mode, it opens a port on 0.0.0.0, which allows for remote code execution! Scary stuff. I hear they plan to patch it in the next release.”
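The practical check behind that concern is whether a debug listener is bound to every interface or only to loopback. The script below is an added example, not code from the article or from the Ghidra project: it parses `ss -ltnp`-style output (a constructed sample is embedded so it runs offline), flags any listener whose local address is a wildcard, and builds the JDWP agent option that pins the listener to localhost. The port number 18001 and the process names in the sample are assumptions for the example.

```python
"""Audit local TCP listeners for debug ports bound to every interface.

Added example, not Ghidra's own code.  Parses `ss -ltnp`-style output and
flags wildcard-bound listeners, which is what makes a JDWP debug port
reachable from the network instead of from the local machine only.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Local addresses that mean "listen on every interface".
WILDCARD_HOSTS = {"0.0.0.0", "*", "::", "[::]"}

# Assumption for this example: the JDWP port a debug launcher opens.
DEBUG_PORT = 18001

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50           0.0.0.0:18001     0.0.0.0:*     users:(("java",pid=4242,fd=12))
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=901,fd=7))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=850,fd=4))
"""


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    process: str


def parse_listeners(text: str) -> list[Listener]:
    """Turn `ss -ltnp` output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 forms such as "[::]:22" intact.
        host, _, port = parts[3].rpartition(":")
        process = parts[5] if len(parts) > 5 else ""
        listeners.append(Listener(host, int(port), process))
    return listeners


def exposed_listeners(listeners: list[Listener], ports: set[int] | None = None) -> list[Listener]:
    """Listeners bound to a wildcard address, optionally restricted to `ports`."""
    return [l for l in listeners
            if l.host in WILDCARD_HOSTS and (ports is None or l.port in ports)]


def jdwp_agent_option(port: int = DEBUG_PORT, host: str = "127.0.0.1") -> str:
    """Build a JDWP agent option pinned to one host.

    Naming the host explicitly matters: on JDK 8 and earlier `address=18001`
    binds to all interfaces, and on JDK 9+ `address=*:18001` does the same.
    """
    return (f"-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,"
            f"address={host}:{port}")


def audit(text: str | None = None) -> list[Listener]:
    """Audit the given listing, or the live `ss -ltnp` output when none is given."""
    if text is None:
        text = subprocess.run(["ss", "-ltnp"], capture_output=True,
                              text=True, check=True).stdout
    return exposed_listeners(parse_listeners(text), {DEBUG_PORT})


if __name__ == "__main__":
    for l in audit(SAMPLE_SS_OUTPUT):
        print(f"port {l.port} is bound to {l.host} ({l.process}); "
              f"relaunch with {jdwp_agent_option(l.port)}")
```

Run it with no argument to `audit()` on a workstation where the tool is running in debug mode; a hit on the debug port means the JVM should be relaunched with the host-qualified `address=` form shown, or with the debug mode turned off altogether.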
On the whole, our reverse engineers felt as though IDA and Ghidra could best be used in tandem, and they did not expect one to replace the other:
“I think Ghidra will appeal currently to two specific use cases: 1) strong Java programmers who can easily extend it using the extensive SDK and documentation, and 2) non-standard architectures where it has a built-in decompiler. For mainstream Intel and ARM architectures, IDA and Hex-Rays remain a superior option, but for all other architectures Ghidra will either be the better option or at least a compelling alternative.”
All in all, it looks like Ghidra will find a soft landing among the reverse engineers at BlackBerry Cylance, particularly once the open-source community has a chance to thoroughly review, comment on, and improve it.
In the meantime we can, at the very least, share an appreciation for one aspect of Ghidra that the NSA developers seem to have nailed right from the start – one which immediately caught the eye of our former Director of Threat Intelligence, Jon Gross, whose sole reaction to news of the Ghidra release was: