A Ghidra Explainer

Apr 4, 2019 10:00:00 AM

Wesley McGrew


On March 5th, the National Security Agency officially released Ghidra, a software suite that the NSA hopes will help cybersecurity professionals “make the cybersecurity of our great nation BETTER”. With the attention this drew at the RSA Conference, it caught the attention of technology news outlets and a broad range of individuals and organizations interested in security. While the release of this software is high-profile, the use of it is specialized, so there are far more people asking questions about it right now than there are people with answers. The purpose of this post is to provide IT security stakeholders with an “explainer” on Ghidra and the implications of this release.

How do I pronounce it?

There’s a surprising number of wrong ways to pronounce “Ghidra”, and I’m sure you’re thinking of one right now. Ghidra is pronounced with two syllables, like “ghee druh”: with a hard “g”, a long “e” sound, and emphasis on the first syllable. Congratulations, now you at least sound like an ex-intelligence community analyst, and not like the rest of your colleagues that just heard about Ghidra in the news last week.

Now that the important part is out of the way…

What does it do?

Ghidra is a framework for software reverse engineering. Think about a (very) simplified development process:

Requirements > Design > Implementation > Distribution

With software, the “Implementation” step involves developers writing code in programming languages. The code is made up of instructions that accomplish the goals of the program. Whether it’s my word processor formatting the text I’m writing, or your web browser retrieving it from the HORNE Cyber site, every action a software program takes requires hundreds of programmed instructions that (hopefully) reflect the design and requirements that were put together for the software. The code that developers write contains names, structure, and free-form comments that help those developers follow their own code and express the ways they are implementing the design.

When software is distributed to end-users, the arrow in our diagram above between “Implementation” and “Distribution” involves building a distributable version of the program. The “build” process involves translating the code the developers wrote into a form that can be interpreted and executed by a computer. This final form is more difficult for human developers to read, but is an efficient way for a computer to run code.

The development process results in a program that (again, hopefully) meets its requirements, implements a design, but is distributed in such a way that the end user does not have an easy way to inspect or understand that design, even though they can run it! As I type this article into Microsoft Word, it’s very easy for me to use the Home bar to change my font, but it’s very difficult for me to simply read the installed “WINWORD.EXE” program to figure out how a font change is implemented by Word’s programmers. This loss of information in each stage is a performance optimization, with the added benefit of providing some protection of the design and implementation details.

The software reverse engineering process involves examining a distributed program and trying to answer questions about its implementation and design. Given the computer-readable distributed code, what can we determine about the code written to implement it? What is its design? What can we speculate about its requirements?

Ghidra takes computer-readable code and helps an analyst translate it back into something human-readable. Without the original developers notes, comments, design documents, or even the names of functions, it’s a puzzle to figure out the purpose of certain blocks of code and areas of memory. Ghidra acts as a user interface for an analyst to read, manipulate, and add in comments and names for things as the analyst figures them out.

Why is this useful for cybersecurity?

When a malicious program is discovered in a breach, the first question is “what does this thing do?”. Unlike a web browser or word processor, computer viruses and ransomware aren’t installed knowingly and willingly. They don’t come with even the smallest description of what they’re designed to do. The software reverse engineering process must be applied to determine the malware’s full set of capabilities. For example:

  • Does this software exfiltrate data to the attacker?
  • How does this malware encrypt my data?
  • What did it do with the key?
  • How can I reliably detect the presence of this malware on other systems?
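As an added illustration (not code from the original post or from the Ghidra project), the script below, written in Ghidra's own Java scripting interface, automates a small piece of the workflow described above: it finds functions that call a watchlist of network and cryptographic APIs, leaves a plate comment on each so the analyst can start from the questions in the list, and gives Ghidra's auto-generated placeholder names a more descriptive one. The watchlist, the script name and the naming scheme are my assumptions, not Ghidra conventions.

```java
// FlagSuspiciousApiCallers.java - run from Ghidra's Script Manager on an analyzed program.
// Added illustration; not part of the original post and not Ghidra's own code.
// @category Examples
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.CodeUnit;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.SourceType;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class FlagSuspiciousApiCallers extends GhidraScript {

    // Constructed watchlist (assumption): Windows API names an analyst might start from
    // when asking "does it talk to the network?" and "does it encrypt my data?".
    private static final Set<String> WATCHLIST = new HashSet<>(Arrays.asList(
        "send", "InternetOpenUrlA", "HttpSendRequestA",       // network
        "CryptAcquireContextA", "CryptGenKey", "CryptEncrypt"  // crypto
    ));

    @Override
    public void run() throws Exception {
        int flagged = 0;
        for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
            Set<String> hits = new HashSet<>();
            for (Function callee : f.getCalledFunctions(monitor)) {
                if (WATCHLIST.contains(callee.getName())) {
                    hits.add(callee.getName());
                }
            }
            if (hits.isEmpty()) {
                continue;
            }
            // Record the finding where the analyst will see it: a plate comment at the entry point.
            String note = "Calls watched APIs: " + String.join(", ", hits);
            currentProgram.getListing().setComment(f.getEntryPoint(), CodeUnit.PLATE_COMMENT, note);
            // Only replace Ghidra's auto-generated placeholder names (FUN_...), never a name
            // the analyst has already chosen.
            if (f.getName().startsWith("FUN_")) {
                String newName = "uses_" + hits.iterator().next() + "_" + f.getEntryPoint();
                f.setName(newName, SourceType.USER_DEFINED);
            }
            println(f.getName() + " @ " + f.getEntryPoint() + ": " + note);
            flagged++;
        }
        println("Flagged " + flagged + " function(s)");
    }
}
```

Run it after Ghidra's auto-analysis has finished so that imports and call references are already resolved; the comments and names it adds are ordinary listing annotations the analyst can revise by hand.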

Software reverse engineering is also used by vulnerability analysts to read code, identify flaws in the design and implementation of software, and determine the security implications of those flaws. In some cases, these “flaws” can be intentional: “backdoors” in otherwise mundane software. These backdoors, inserted at some point in the development process or “supply chain” of software, are not documented, for obvious reasons. Software reverse engineering gives analysts a way to identify backdoors in software.

Does Ghidra represent new capability?

There is no major feature or functionality of Ghidra that does not already exist in current software reverse engineering tools. The biggest difference is that Ghidra, and its source code, is being released for free for everyone to use, extend, and modify. The nearest competitor to Ghidra in functionality costs thousands of dollars per seat in license fees. There have been other low-cost and free options prior to the release of Ghidra, but without as complete a feature set or as polished a user interface. Ghidra also has the potential to be used by more people as a starting point for more automation in code analysis, due to its permissive licensing.

Who would use Ghidra?

Software reverse engineering is a specialized skill. If you think there’s a skill shortage in deep-technical cybersecurity, then reverse engineering is an even more specialized form of that. It requires a thorough understanding of programming and computer architecture. I teach a course in software reverse engineering to 4th-year and graduate computer science students at Mississippi State University. By that point in their computer science education, they’ve had courses in software development, microprocessors, and the design of operating systems. I developed the course as part of the process of Mississippi State gaining the Center of Academic Excellence in Cyber Operations designation from the NSA, and now that Ghidra has been released, I have a much better framework to teach it with than the other free options.

Many security professionals will be able to make use of Ghidra in a wide range of services. In our application security assessment services, our analysts identify vulnerabilities in software products. In the scope of network penetration testing, our operators make use of software reverse engineering to develop the tools and implants we use, especially when it comes to evading detection by host-based security products. Our cybersecurity operations center analysts identify the presence of malicious code on client networks and provide intelligence on how it got there, and what it can do.

Conclusions

For most of the IT stakeholders reading this, it is impractical to expect to keep a full-time professional with reverse engineering skills on staff. It’s far more likely that the application of Ghidra will “trickle down” to you in the course of security service engagements that you procure. While it’s not necessarily important to determine what framework, Ghidra or otherwise, they are using, you may want to ask your provider about their capability, capacity, and structure in reverse engineering, and how it might apply to the services you are acquiring.

Some providers may have that capability at the “edge”, with most operators and analysts able to perform basic reverse engineering of code and escalate to more experienced analysts when needed (this should become more common, given the ease of use of Ghidra and its lack of license fees). Others may centralize this capability in a small core staff of experienced software reverse engineers. Having this conversation with your security service provider can help give you a feel for the provider’s experience, maturity, and quality of service, even on engagements that don’t require a lot of reverse engineering in practice.

Ghidra is a specialized tool for a specialized area of practice, but within software reverse engineering its release is very impactful. It has the potential to increase not only the size, but the depth of the talent pool in technical areas of cybersecurity, which can result in better services provided to you as a stakeholder.


THIS POST WAS WRITTEN BY Wesley McGrew

Wesley serves as the director of cyber operations for HORNE Cyber. Known for his work in offensive information security and cyber operations, Wesley specializes in penetration testing, network vulnerability analysis, exploit development, reverse engineering of malicious software and network traffic analysis.
