Ghidra is one of the many open source software projects developed within the United States National Security Agency (NSA). Note that in June 2017 the NSA published a list of tools it had developed that are now publicly available as open source through its Technology Transfer Program (TTP).
Ghidra is a reverse engineering framework developed by the NSA Research Directorate for the NSA cybersecurity mission. It helps analysts examine malicious code and malware such as viruses, and lets professionals better understand potential vulnerabilities in their networks and systems.
Ghidra's key features include:
- A suite of software analysis tools for examining compiled code, running on Windows, macOS and Linux.
- Capabilities that include disassembly, assembly, decompilation, graphing and scripting, plus hundreds of other features.
- Support for a wide variety of processor instruction sets and executable formats, usable both interactively and in automated (headless) mode.
- An exposed API that lets users develop their own Ghidra plugins and/or scripts.
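As an added illustration of that last point (this is example code written for this article, not a script shipped with Ghidra), the following GhidraScript walks every function in the loaded program, including imported (external) functions and PLT/IAT thunks, and reports each call site that targets a function on a watch list of classic unsafe C routines. The watch list itself is an assumption for the example; adjust it to the code base under review.

```java
// FindDangerousCalls.java : drop into a Ghidra script directory and run it from the Script Manager.
//@category Security
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class FindDangerousCalls extends GhidraScript {

    // Assumed watch list for this example: routines that are frequent sources of
    // memory-safety and command-injection bugs. Extend or replace as needed.
    private static final Set<String> DANGEROUS = new HashSet<>(Arrays.asList(
            "strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf", "system", "memcpy"));

    @Override
    public void run() throws Exception {
        FunctionManager fm = currentProgram.getFunctionManager();
        ReferenceManager rm = currentProgram.getReferenceManager();

        // Candidate targets: imported (external) functions plus every function in the
        // listing, which picks up thunks such as PLT stubs that carry the same name.
        List<Function> targets = new ArrayList<>();
        for (Function f : fm.getExternalFunctions()) {
            targets.add(f);
        }
        for (Function f : fm.getFunctions(true)) {
            targets.add(f);
        }

        int hits = 0;
        for (Function target : targets) {
            monitor.checkCanceled();   // let the user abort from the GUI
            if (!DANGEROUS.contains(stripLeadingUnderscores(target.getName()))) {
                continue;
            }
            // Every reference to the target's entry point that the analyzer typed as a call.
            for (Reference ref : rm.getReferencesTo(target.getEntryPoint())) {
                if (!ref.getReferenceType().isCall()) {
                    continue;
                }
                Address site = ref.getFromAddress();
                Function caller = fm.getFunctionContaining(site);
                String callerName = (caller == null) ? "<no enclosing function>" : caller.getName();
                println(String.format("%-40s -> %-12s at %s", callerName, target.getName(), site));
                hits++;
            }
        }
        println("Call sites flagged: " + hits);
    }

    // Imported symbols are often prefixed with one or more underscores (e.g. "_strcpy").
    private static String stripLeadingUnderscores(String name) {
        int i = 0;
        while (i < name.length() && name.charAt(i) == '_') {
            i++;
        }
        return name.substring(i);
    }
}
```

The script only reports what the analyzer already classified as a call reference, so it is a triage aid rather than proof of a bug: each flagged site still has to be read in the decompiler to see whether the destination buffer is bounded. Running it headlessly (analyzeHeadless with -postScript) gives the same listing for a batch of binaries.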
The TTP catalogue covers a wide range of technologies across several areas, of which the following stand out.
Provides robust, scalable data storage and retrieval. It adds cell-based access control and a server-side programming mechanism that can modify key/value pairs at various points in the data management process.
CASA (Certificate Authority Situational Awareness)
Identifies unexpected or prohibited certificate authority certificates on Windows systems. CASA is available as a Splunk app.
JAVA PATHFINDER HANDLE (JPF-HANDLE)
A static analysis tool based on formal methods. It is part of NASA Ames' Java PathFinder project and verifies Java executable binaries (bytecode).
APACHE NIFI
Automates the flow of data between systems. NiFi implements flow-based programming concepts and solves the common data-flow problems enterprises face.
Some of Apache NiFi's high-level capabilities and goals include:
- A web-based user interface that gives a seamless experience between design, control, feedback and monitoring
- Highly configurable software: for example, dynamic prioritisation can be applied and flows can be modified at runtime
- Data provenance: the tool can track a piece of data through the flow from beginning to end
- Designed for extension: you can build your own processors and more
- Security: SSL, SSH, HTTPS, encrypted content and so on, plus multi-tenant authorization and internal authorization/policy management
Verifies system integrity by establishing a baseline measurement of a system's Trusted Platform Module (TPM) and monitoring for changes to that baseline. Initially based on NSA's Host Integrity at Startup (HIS) software.
The main features include:
- Support for major Linux host operating systems
- PCR-based reporting schemes and policy rules
- A RESTful query API
- A reference web portal / graphical interface implementation
- Comparison of historical PCR data
- Whitelist management
- Flexible access control to the attestation server
- Tomcat two-way SSL/TLS support for the query APIs
- SAML-based reporting
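To make the "baseline and compare" idea concrete, here is an added example, written for this article and not taken from the attestation project above, that simulates how PCR values arise and how a whitelist comparison flags a changed boot chain. It assumes a SHA-256 PCR bank, a single PCR (index 4) and constructed component names; a real attestation server would take the PCR values from a signed TPM quote rather than computing them locally.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class PcrBaselineCheck {

    // TPM extend operation: PCR' = H(PCR || measurement). A PCR can only be extended,
    // never written, so its final value commits to the whole ordered chain of measurements.
    static byte[] extend(byte[] pcr, byte[] measurement) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(pcr);
        md.update(measurement);
        return md.digest();
    }

    // Simulate a boot chain measuring each component (its digest) into one PCR that starts at all zeros.
    static String measureChain(List<String> components) throws Exception {
        byte[] pcr = new byte[32];   // SHA-256 bank: 32 zero bytes at reset
        for (String component : components) {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(component.getBytes(StandardCharsets.UTF_8));
            pcr = extend(pcr, digest);
        }
        return hex(pcr);
    }

    // Compare a reported PCR set against the whitelisted baseline.
    // Returns the PCR indices whose value differs from, or is missing in, the report.
    static List<Integer> findDeviations(Map<Integer, String> baseline, Map<Integer, String> report) {
        List<Integer> deviations = new ArrayList<>();
        for (Map.Entry<Integer, String> expected : baseline.entrySet()) {
            String seen = report.get(expected.getKey());
            if (seen == null || !seen.equalsIgnoreCase(expected.getValue())) {
                deviations.add(expected.getKey());
            }
        }
        return deviations;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed data: the "golden" boot chain the attestation server whitelists for PCR 4.
        List<String> golden = List.of("firmware-1.0", "bootloader-2.1", "kernel-5.10");
        Map<Integer, String> baseline = new LinkedHashMap<>();
        baseline.put(4, measureChain(golden));

        // A later boot of exactly the same components reproduces the baseline: no deviations.
        Map<Integer, String> goodReport = new LinkedHashMap<>();
        goodReport.put(4, measureChain(golden));
        System.out.println("unchanged boot, deviations: " + findDeviations(baseline, goodReport));

        // Replacing the kernel changes the last extend, and no further extend can restore
        // the whitelisted value, so the report is flagged on PCR 4.
        List<String> tampered = List.of("firmware-1.0", "bootloader-2.1", "kernel-5.10-backdoored");
        Map<Integer, String> badReport = new LinkedHashMap<>();
        badReport.put(4, measureChain(tampered));
        System.out.println("tampered boot, deviations: " + findDeviations(baseline, badReport));

        // Reordering the same components also diverges, because extend is order-sensitive.
        List<String> reordered = List.of("bootloader-2.1", "firmware-1.0", "kernel-5.10");
        Map<Integer, String> reorderedReport = new LinkedHashMap<>();
        reorderedReport.put(4, measureChain(reordered));
        System.out.println("reordered boot, deviations: " + findDeviations(baseline, reorderedReport));
    }
}
```

The comparison step is deliberately dumb: it does not try to explain why a PCR changed, only that it did. That is why the feature list above pairs it with whitelist management and historical PCR data, so an operator can tell a legitimate kernel update (a new whitelisted value appears once, on many hosts) from a single host drifting on its own.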
How to get Ghidra on Linux?
Ghidra has an official website with documentation for developers who want to use it: how to install it, how to use it, and so on.
The NSA has also put together an FAQ that will be improved based on the questions developers raise in the community.
The link where you can check this and download the framework is this.