Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/3/2019
09:00 AM
Alex Wawro, Special to Dark Reading
Alex Wawro, Special to Dark Reading
News
50%
50%

Black Hat Q&A: Understanding NSAs Quest to Open Source Ghidra

National Security Agency researcher Brian Knighton offers a preview of his August Black Hat USA talk on the evolution of Ghidra.

The National Security Agency (NSA) made a splash in the cybersecurity industry this year when it released its Ghidra software reverse-engineering framework as open source for the community to use. Now that the tool is in the public’s hands, NSA senior researcher Brian Knighton and his colleague Chris Delikat, will be presenting a talk at Black Hat USA about how Ghidra was designed, and the process of rendering it open source.

We recently sat down with Brian to learn more about Ghidra and his Black Hat Briefing.

Alex Wawro: Can you tell us a bit about who you are and your recent work?

Brian Knighton: I’ve worked at NSA for about 20 years. The past 18 years I’ve been a member of the GHIDRA team, developing various aspects of the framework and features. My focus these days is applied research, utilizing Ghidra for cybersecurity and vulnerability research of Internet of Things (IoT) devices from smartphones to autonomous and connected vehicles.

My educational background includes a BS in Computer Science from University of Maryland and an MS in Computer Science from Johns Hopkins University.

Alex: What are you planning to speak about at Black Hat, and why now?

Brian: I’m going to use this opportunity to discuss some implementation details, design decisions, and the evolution of Ghidra from version 1.0 to version 9.0, and of course open source.

Alex: Why do you feel this is important? What are you hoping Black Hat attendees will learn from your presentation?

Brian: It’s important to describe how Ghidra came about, why certain things are implemented the way they are, why we selected Java, and why it’s called a framework. In the end, I hope it will allow the community to better utilize Ghidra for cyber-related research.

Alex: What's been the most interesting side effect, so far, of taking Ghidra from internal tool to open-source offering?

Brian: The entire team is amazed and humbled by the overwhelming interest and acceptance of Ghidra. I knew it would be well received, but I’m surprised by how much. I feel honored to have been a part of it. For me personally, two specific things jump out.

The first was being on the floor at RSA and experiencing the energy, the excitement, and the positive interactions with so many folks during the three-day conference. The second was delivering a Ghidra lecture at a local university. One of the many reasons for releasing Ghidra was to get it into the hands of students and ultimately help advance cyber proficiency, and now I was actually doing it first-hand.

For more information about this Briefing check out the Black Hat USA Briefings page, which is regularly updated with new content as we get closer to the event! Black Hat USA returns to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/5/2019 | 9:20:01 PM
It sounds like the walls are finally dropping and we are working together.
Initially, when NSA finds an exploit on the Internet or from their research, they keep that exploit to themselves and did not report it because they found something that could used as a cyber-weapon (reverse-engineering).

This is good that they are finally opening up their lines of communication to help address this cyber-security delimna (we are all on the same team). I will keep my fingers crossed and hope they do the right thing, but they have a track record of violating the public's trust - ThinThread, Trailblazer, Prism, Immersion, XKeyScore, Boundless Informant, Fascia, Dishfire, etc.
Initially referred to as EternalBluescreen because of the tendency to crash computers, EternalBlue was once a powerful weapon for counterterrorism and gathering intelligence for the NSA. Anonymous reports from former NSA operators suggest that analysts spent nearly a year working to find flaws in Microsoft's software and write code to target it, but never really considered warning Microsoft about it. However, the leak of EternalBlue to cybercriminals forced the NSA to admit it had known about the vulnerabilities. - Reference NSA involved in CyberAttacks

This was written in March 2019, another reason why the groups should be skeptical of NSA's history, as stated before, remain cautiously optimistic

Todd
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13096
PUBLISHED: 2019-07-22
TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/<wallet-name>.xml to gain unauthorized access.
CVE-2019-13097
PUBLISHED: 2019-07-22
The application API of Cat Runner Decorate Home version 2.8.0 for Android does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. Attackers can manipulate users' score parameters exchanged between client and server.
CVE-2019-10102
PUBLISHED: 2019-07-22
OFFIS.de DCMTK 3.6.3 and below is affected by: Buffer Overflow. The impact is: Possible code execution and confirmed Denial of Service. The component is: DcmRLEDecoder::decompress() (file dcrledec.h, line 122). The attack vector is: Many scenarios of DICOM file processing (e.g. DICOM to image conver...
CVE-2019-12326
PUBLISHED: 2019-07-22
Missing file and path validation in the ringtone upload function of the Akuvox R50P VoIP phone 50.0.6.156 allows an attacker to upload a manipulated ringtone file, with an executable payload (shell commands within the file) and trigger code execution.
CVE-2019-13100
PUBLISHED: 2019-07-22
The Send Anywhere application 9.4.18 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user via /data/data/com.estmob.android.sendanywhere/shared_prefs/sendanywhere_device.xml.