
Would it be sensible/prudent to run Ghidra on itself? Cos, you know....
The NSA has released its home-grown open-source reverse-engineering suite Ghidra that folks can use to poke around inside applications to hunt down security holes and other bugs. Spoiler alert: it's Apache 2.0-licensed, available for download here, and requires a Java runtime – and the agency swears it hasn't backdoored the …
Nobody missed the open source part, it is just extremely interesting to compare that open source with the results of the decompilation. For real fun, also use another decompiler that isn't built to hide some of the more questionable routines.
Since we are talking about NSA, there is no such thing as excessive paranoia.
... wouldn't prove anything. Read Ken Thompson's ACM Turing Award lecture "Reflections on Trusting Trust". It's a good read for anybody interested in this kind of thing.
One of the worst parts of working for the oxymoronically named "Intelligence Community" is that if you succeed in doing something cool, it has to be kept utterly secret - if the "bad guys" know (how) they've been pwned, they fix it. It's why sources and methods are the real secrets, though most things that are classified are simply done to hide some misfeasance.
On the other hand, if you screw up and it gets out, it's on the front page of every paper on earth.
This makes job satisfaction - and talent retention, as well as acquisition, much more difficult.
All smart nerds like props when they do something cool. No matter their politics.
So you're partly right.
Two things....
-- The toolset is probably last year's model, so it's safe to release from a national security perspective.
-- The NSA is a publicly funded entity, and so all of its work belongs to the public.
This latter provision has proved very useful in the past, more so than many people realize. It could be said that it's where the notion of open source came from.
"It could be said that it's where the notion of open source came from."
I would say the inverse could be true...
"The private entity is a privately funded entity and so all of its work belongs to the private entity."
... now disagree with that by inversion. Of course today, companies are trying to invert the inversion by making open source private.
Strangely enough, we used to get the source code to virtually every bit of code that we ran on corporate computers. It wasn't until Redmond and Cupertino started jealously guarding their source code that it became de rigueur in corporations worldwide.
> [ ... ] we used to get the source code to virtually every bit of code that we ran on corporate computers.
No, you didn't.
Microsoft's shit has never, ever, been open source. Neither has Oracle, or Sybase, or Informix, or any of the so-called proprietary UNIX-es. Neither was Apple.
Apple put out a fake open source project by the name of Darwin in the early 2000s. Nothing ever came of it, because it was designed to fail from the outset.
AT&T spent a lot of money in the '90s trying to destroy the BSDs, by suing them, simply because they were open source.
So no, the idea that corporate computing has always been open source is pure bullshit.
I wasn't talking about those latter-day corporations. Re-read mine. The time-frame I was referring to was pre-mid-1970s, or thereabouts. Look up Bill Gates's "Open Letter to Hobbyists"; it should give you a rough idea of when the notion that all source should be proprietary started. Apple resisted this at first, but was soon sucked in ...
Before Microsoft and their ilk, IBM source code was held by nearly everyone, and control blocks of course. IBM partly relied on others to fix their code, and often sent the smart ones free gifts or bottles.
Pretty sure ICL, Fujitsu, and DEC/PDP gave out source code. Too young to remember CRAY and CDC. Bottom line was that there were no 'memory leaks', orphaned junk, or one-off errors when real SEs could hunt them down.
Then IBM started covering up control blocks and VSAM, and the source code made available to SEs was locked up - just in case the OS went into a deadly embrace/loop that could be fixed on the spot - rather than 2-3 days of no ATMs.
Rolling on - the Atari, TRS80, and Apple II had very tight and efficient code, with chess programs under 1K! Now Microsoft is bloatware riddled with poor coding, unchecked parameters, unchecked recursion, and unreviewed code. If it is done in-house, you have to wonder, from the company that retitled machine attendants to 'systems engineers'.
Yes. I remember working on a minicomputer back in the 80s. For business continuity reasons, the company that developed the software was contractually obliged to give us the source code, so they did.
But not the compiler. The source would only compile with their specially tweaked compiler.
Once you have pwned the compilers and other elements of the toolchains that build the toolchains that build the toolchains that ....
To get a clean start you would have to wire up the processor from transistors, design and build your chip fabricators, code your compilers and bootstrap yourself into the modern age.
Not many people or organisations have the patience, ability or resources to go through such a process.
One iteration of Linux from Scratch was enough for me.
There is no way to fully trust that any technology today has not been pwned to some degree or another.
The only defense is to get as many different individuals and groups investigating and testing in as many different ways as possible.
It is probable that the NSA's largess is not something that is a significant threat to the NSA itself.
It will, though, be something that can increase the exposure of their counterparts' efforts along with those of non-state threat sources.
"To get a clean start you would have to wire up the processor from transistors, design and build your chip fabricators, code your compilers and bootstrap yourself into the modern age."
Not true, if you use multiple sources for the entities at each level and compare their results.
At least, assuming that the same enemy hasn't nobbled *every* supplier at a given level. Choose your suppliers carefully, though, and the probability of that must surely sink to a level that anyone can live with.
"Choose your suppliers carefully..."
I agree, but when a government chooses your suppliers? I think the notion of being too small for radar does exist like you think, but once you're on the radar? We already know the government has hush orders, but even without that, the government still has its "standards" to be met. Even if the FCC or whichever entity is _not_ involved, you still have government approved suppliers. This isn't coming out right like it is in my head, but maybe you can see it, you definitely see it with your foil hat on.
Of course it could all be worse than that, maybe as implied above, all popular architectures are exploited. And as also mentioned above, good luck financing your own. Even if we're not to that point yet, how long?
See Intel's pre-execution pipeline hack (not a bug, because they knew and picked good-enough).
Made its way into Intel chips, AMD, ARM and IBM chips. Just two makers of modem chips, both with onboard processors. Rather than correct the hardware, secret inefficient software semi-fixes are being chunked out. Only Linux people have fessed up to saying software remediation is slower than microcode hobbling. Rather than a fix, Intel is directing resources to encrypted code execution extensions that will make viruses undetectable.
I think that, in most cases, the problem getting old code to run on something newer is all the old libraries it thinks it should be using that don't work the same, or exist, as they did so long ago. This wouldn't be able to help with that. It might be able to do some things, like taking a binary and making it run on a different architecture, but it's probably a lot more limited than we'd like.
The GitHub repository is a placeholder and I can't find much in the way of documentation --- anyone see a definitive list of which architectures it supports? I recently spent a tonne of time reverse engineering a piece of gnarly Z80 code, and would love some tool assistance for the next time this happens.
<pre>
foo@t410:/tmp$ jar tf ghidra_9.0_PUBLIC_20190228.zip | grep -P '/Processors/[^/]+/$'
ghidra_9.0/Ghidra/Processors/Toy/
ghidra_9.0/Ghidra/Processors/TI_MSP430/
ghidra_9.0/Ghidra/Processors/PA-RISC/
ghidra_9.0/Ghidra/Processors/6502/
ghidra_9.0/Ghidra/Processors/PowerPC/
ghidra_9.0/Ghidra/Processors/Z80/
ghidra_9.0/Ghidra/Processors/8085/
ghidra_9.0/Ghidra/Processors/CR16/
ghidra_9.0/Ghidra/Processors/JVM/
ghidra_9.0/Ghidra/Processors/6805/
ghidra_9.0/Ghidra/Processors/MIPS/
ghidra_9.0/Ghidra/Processors/PIC/
ghidra_9.0/Ghidra/Processors/x86/
ghidra_9.0/Ghidra/Processors/8051/
ghidra_9.0/Ghidra/Processors/68000/
ghidra_9.0/Ghidra/Processors/ARM/
ghidra_9.0/Ghidra/Processors/DATA/
ghidra_9.0/Ghidra/Processors/AARCH64/
ghidra_9.0/Ghidra/Processors/Sparc/
ghidra_9.0/Ghidra/Processors/Atmel/
</pre>
I can imagine it will be attacked. For example, commercial software houses wanting to find out if you've decompiled their software in contravention of a license. Replace a copyright text in the executable with a routine that sends them chapter and verse of your transgression. I guess this suggestion is so naive as to be laughable, but <replace with something that might work in 2019>. Might have something to do with repeated forking. Must be lunch time. Mine's the one with the dictaphone in the borscht and the runcible spoon.
Not needed.
What is missing is a hardware grab tool, where all memory can be discovered and dumped, and bootloaders detected and some automation to unpack compressed or obscured blobs.
That is a big hurdle.
So everyone can unlock bootloaders and replace compromised certificates when the vendors abandon a product. The choices seem heavy for CPUs, and light for microprocessors such as those in graphics cards and disk drives.
With other options out there, this is harmless, and not increasing ease of discovery.
Because, as Clifford Stoll pointed out in "The Cuckoo's Egg", there are two parts to the NSA: the one that is paid to try and keep the world secure and unhackable, and the other bit that tries to intercept everyone's communications. And yes, there's a little bit of doublethink going on there, I'm sure.
But I suspect the main reason is that this is useful enough in general, and not just for spying, that they think it should be widely available and further developed. To which I say, more power to Ghidra then...
UK Plod to cite finding Ghidra on someone's computer as evidence they are some cyber criminal kingpin, who likely had xxxxx (CSE images, extreme pron, bombmaking plans etc) on their system but we couldn't find it so they must have used some clever technical tricks to remove it m'lud, why else would they have this nefarious hacking software on their computer, they claim it came from the NSA, a laughable claim, why would an esteemed agency release something like this