US National Security Agency opens access to CIA Cybersecurity tool
By Lily Hay Newman
THE NATIONAL SECURITY Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn’t leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a “contribution to the nation’s cybersecurity community” in announcing it at RSA, it will no doubt be used far beyond the United States.
You can’t use Ghidra to hack devices; it’s instead a reverse-engineering platform used to take “compiled,” deployed software and “decompile” it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does. Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wild—like malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from. Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.
“If you’ve done software reverse engineering, what you’ve found out is it’s both art and science; there’s not a hard path from the beginning to the end,” Joyce said. “Ghidra is a software reverse-engineering tool built for our internal use at NSA. We’re not claiming that this is the one that’s going to be replacing everything out there—it’s not. But it helped us address some things in our workflow.”
Similar reverse-engineering products exist on the market, including a popular disassembler and debugger called IDA. But Joyce emphasized that the NSA has been developing Ghidra for years, with its own real-world priorities and needs in mind, which makes it a powerful and particularly usable tool. Products like IDA also cost money, whereas making Ghidra open source marks the first time that a tool of its caliber will be available for free—a major contribution in training the next generation of cybersecurity defenders. (Like other open source code, though, expect it to have some bugs.) Joyce also noted that the NSA views the release of Ghidra as a sort of recruiting strategy, making it easier for new hires to enter the NSA at a higher level or for cleared contractors to lend their expertise without needing to first come up to speed on the tool.
The NSA announced Joyce’s RSA talk, and Ghidra’s imminent release, in early January. But knowledge of the tool was already public thanks to WikiLeaks’ March 2017 “Vault 7” disclosure, which discussed a number of hacking tools used by the CIA and repeatedly referenced Ghidra as a reverse-engineering tool created by the NSA. The actual code hadn’t seen the light of day, though, until Tuesday—all 1.2 million lines of it. Ghidra runs on Windows, MacOS, and Linux and has all the components security researchers would expect. But Joyce emphasized the tool’s customizability. It is also designed to facilitate collaborative work among multiple people on the same reversing project—a concept that isn’t as much of a priority in other platforms.
Ghidra also has user-interface touches and features meant to make reversing as easy as possible, given how tedious and generally challenging it can be. Joyce’s personal favorite? An undo/redo mechanism that allows users to try out theories about how the code they are analyzing may work, with an easy way to go back a few steps if the idea doesn’t pan out.
The NSA has made other code open source over the years, like its Security-Enhanced Linux and Security-Enhanced Android initiatives. But Ghidra seems to speak more directly to the discourse and tension at the heart of cybersecurity right now. By being free and readily available, it will likely proliferate and could inform both defense and offense in unforeseen ways. It might seem that releasing the tool could give malicious hackers an advantage in figuring out how to evade the NSA, but Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera, said that isn’t a concern.
“Malware authors already know how to make it annoying to reverse their code,” Aitel said. “There’s really no downside” to releasing Ghidra.
No matter what comes next for the NSA’s powerful reversing tool, Joyce emphasized on Tuesday that it is an earnest contribution to the community of cybersecurity defenders—and that conspiracy theorists can rest easy. “There’s no backdoor in Ghidra,” he said. “Come on, no backdoor. On the record. Scout’s honor.”
Understanding the RSA conference
Wikipedia, the free encyclopedia, provides some interesting history about the origins of the RSA conference. According to Wikipedia, the name RSA refers to the public-key encryption technology developed by RSA Data Security, Inc., which was founded in 1982. The abbreviation stands for Rivest, Shamir, and Adleman, the inventors of the technique. The idea for the first RSA conference was conceived in 1991 in a phone call between then RSA Security CEO Jim Bidzos and the Executive Director of the Electronic Privacy Information Center. The first conference had just one panel, called “DES and DSS: Standards of Choice.” It focused on why attendees should not adopt DSS, a standard that was expected to challenge RSA Security’s status as the de facto standard for digital signatures.
The event steadily grew and in 1993 it attracted more than 200 attendees. Known for many years as the RSA Data Security Conference, it eventually became just the RSA Conference. Over time the conference grew more business-oriented with an older demographic and more vendors, which led to competitive issues for a time in the 1990s; European competitors to RSA Security sometimes could not get a booth, so they hired people to pass out flyers at the RSA conference encouraging attendees to visit them at hotels nearby. In 1995 the conference criticized the Clipper Chip. If implemented, the chip would have given the U.S. government direct access to evidence on telecommunications devices with the chip installed. The conference put up posters with “Sink Clipper” in big letters. By 1997 the conference had grown to 2,500 attendees. The first European RSA Conference took place in 2000 and started with just 5 tracks.
According to Network World the conference’s focus expanded from cryptography into a broader IT security conference with larger attendance in 2005, when Microsoft CEO Bill Gates did the keynote presentation. According to Bidzos, the purpose of the conference became “for all kinds of things: drive standards, organize some opposition to government policies, promote the RSA name, [and] give all of our customers an opportunity”. By 2008 the conference had 17,000 attendees and 375 participating IT security vendors. It had 18 tracks and 230 sessions.
At the 2010 RSA conference, the Obama administration publicly revealed the Comprehensive National Cybersecurity Initiative (CNCI), which was created in 2008 and had formerly been kept secret. In 2011, a California-based IT security company, HBGary, withdrew from speaking and exhibiting at the RSA conference, citing safety concerns. The company had announced plans to reveal the identities of some members of the hacktivist group Anonymous and received retaliatory threats and hacks. In 2014, 8 speakers boycotted the RSA conference after its sponsor, RSA Security, was accused of adding a backdoor to its products so that the National Security Agency could monitor users of RSA Security technology. The boycott began with then F-Secure Chief Technology Officer Mikko Hyppönen. He wanted RSA Security to apologize, whereas the company’s statement was that the allegations were not true. Some noted that the RSA conference and the RSA Security company are only loosely connected. Discussion at that year’s conference was focused heavily on the leaks by Edward Snowden and NSA involvement with American technology companies.