NSA releases its Ghidra reverse-engineering tool open source

Ghidra is a 'great addition' to a 'net defender's toolbox', claims NSA

The US National Security Agency (NSA) has released to open source Ghidra, one of the tools it uses for reverse engineering potential malware.

Ghidra - "the software reverse engineering tool you've been waiting for", according to the NSA - is designed to help analysts take compiled, deployed binaries apart: it disassembles the machine code and decompiles it into higher-level logic that security professionals can read, so they can work out what the code does and identify threats.

In addition to providing security pros with a new tool, free of charge, the NSA hopes it will also help with recruitment - with potential hires more likely to be familiar with Ghidra before they come through the door.

The tool was formally released at the RSA Conference in San Francisco, California this week.

Ghidra provides a straightforward user interface and a feature set that has so far been well received by the security community. And with the open source community behind it, Ghidra can be extended and integrated into other security software that builds on its capabilities.

"One of Ghidra's most noteworthy features is a processor modelling language called Sleigh that specifies how machine language instructions are disassembled and transformed into the tool's intermediate representation called P-code. Other significant functions are an undo/redo feature, multi-user collaboration repository, and scripting," claimed the NSA.

It continued: "We're doing this because we firmly believe Ghidra is a great addition to a net defender's toolbox. It will make the software reverse engineering process more efficient. It will help to level the playing field for cybersecurity professionals, especially those that are just starting out.

"We expect the tool will enhance cybersecurity education from capture-the-flag competitions, to school curriculums and cybersecurity training. Releasing Ghidra also benefits NSA because we will be able to hire folks who know the tool. When they're coming through our doors, they'll be able to be impactful faster."
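The Sleigh and P-code design the NSA describes above is what makes Ghidra scripts portable across processors: an analysis written over P-code runs unchanged on x86, ARM, MIPS or any other architecture for which a Sleigh specification exists. The script below is an added example written for this article, not code from the NSA or the Ghidra project. It walks every function in the currently open program, counts the P-code operations that Sleigh emitted for each native instruction, and flags functions containing indirect calls (the CALLIND opcode), which is where packers, API-hash resolvers and vtable dispatch hide their real targets. The class name, category and the report format are this example's own choices; the Ghidra API calls are standard.

```java
// PcodeCallSurvey.java
// Added example for this article (not NSA's or the Ghidra project's own code).
// A Ghidra script that surveys every function in the open program via its
// P-code rather than its native mnemonics, so it is processor-independent.
//@category Examples

import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.listing.InstructionIterator;
import ghidra.program.model.pcode.PcodeOp;

public class PcodeCallSurvey extends GhidraScript {

    @Override
    public void run() throws Exception {
        if (currentProgram == null) {
            printerr("No program is open.");
            return;
        }
        // The processor comes from the Sleigh spec the program was loaded with.
        println("Processor: " + currentProgram.getLanguage().getProcessor());

        for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
            if (monitor.isCancelled()) {
                break;
            }
            int instructions = 0;
            int pcodeOps = 0;
            int directCalls = 0;
            int indirectCalls = 0;

            // Iterate the native instructions inside this function's body.
            InstructionIterator it = currentProgram.getListing().getInstructions(f.getBody(), true);
            while (it.hasNext()) {
                Instruction insn = it.next();
                instructions++;
                // getPcode() returns the P-code ops that the Sleigh specification
                // produces for this single native instruction (often several).
                for (PcodeOp op : insn.getPcode()) {
                    pcodeOps++;
                    switch (op.getOpcode()) {
                        case PcodeOp.CALL:
                            directCalls++;
                            break;
                        case PcodeOp.CALLIND:
                            // Call through a register or memory location: the
                            // target is not visible statically.
                            indirectCalls++;
                            break;
                        default:
                            break;
                    }
                }
            }

            String line = String.format(
                "%s @ %s: %d instructions, %d p-code ops, %d direct calls, %d indirect calls",
                f.getName(), f.getEntryPoint(), instructions, pcodeOps, directCalls, indirectCalls);
            if (indirectCalls > 0) {
                println("[indirect] " + line);
            } else {
                println(line);
            }
        }
    }
}
```

Drop the file into a script directory registered in the Script Manager and run it from the GUI, or run it without the GUI with `analyzeHeadless <project_dir> <project_name> -import <binary> -postScript PcodeCallSurvey.java`. Because the survey is written against PcodeOp opcodes and not against mnemonics such as `call eax` or `blx r3`, the same script gives comparable results for a Windows x86 sample and an ARM firmware image, which is the practical payoff of having Sleigh lift every instruction set to one intermediate representation.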

Ghidra's existence was first publicly revealed in documents published by WikiLeaks in its Vault 7 series of leaks of CIA hacking tools, although the tool itself was not released then. The name "Ghidra", meanwhile, comes from a recurring enemy in the Final Fantasy series of computer games.