On March 5, 2019 the long-awaited Reverse Engineering Tool of the US Secret Service NSA was presented at the RSA Conference. Our Head of Product Management Dr. Yvonne Bernard was there live at the event and shares her impressions in the following.
Ghidra! – Even our Security Lab is curious to see what the tool, which the NSA will publish as “Open Source Software”, has to offer. Reverse engineering tools are rare and expensive – but essential for security researchers and malware analysts to get to the bottom of suspicious files. The rush to the lecture by Rob Joyce, Senior Advisor for Cybersecurity (NSA), was therefore enormous, so that the lecture room had to be enlarged. Rob Joyce started his lecture with a touch of humor, because he realized that half of the audience was only present because “NSA” appeared in the title. Straightaway, he clarified that the tool has no backdoor; if there is a community where you can’t permit it, it’s this community. If applicable, different from open operating systems – “Each of your Android phones has a little bit of NSA in it”. However, some rumors in the web disprove the statement about missing backdoors at Ghidra – the Java debug port is currently under discussion.
Ghidra offers a wide range of useful features for security researchers and has been designed for collaborative use: Analysts can collaborate on a project basis and share information easily and globally. This is one of the purposes which the secret service set itself with the release. Due to the simple extensibility, researchers can add their own tools and integrate their own small applications, e.g. in Java or Python. A generic processor model (Sleigh) in the background makes it possible to observe the effects of changes of single parts in the binary in all levels directly and thus to understand foreign software better. In addition to the interactive user interface, Batch processing is also possible to perform large quantities of analyses simultaneously.
Another important feature is the Undo/Redo function, which can be applied to undo certain actions without understanding the complete analysis results. It can also be used to transfer actions to other samples. The first impression of the tool is very promising, but Hornetsecurity only tests the software in isolated secure environments for data examples that are suitable for this purpose – because some skepticism remains.

Some impressions of the Ghidra-Presentation