Monday, March 11, 2019

Ghidra: A meta changer?

The NSA recently released Ghidra (quick overview), which is best described as a binary decompilation tool that competes with IDA, Binary Ninja, and R2. However, it has some crucial differences, and, like everyone in the business, I have a VM loaded with it and am going through it feature by feature.

The decompilation window on the right is the obvious game changer. But there are many others hidden within.

Analyzing meta changes in real time is what a strategist does that differentiates you from a historian. But in order to do this, you need to get your hands dirty with the tool itself. You do, at some level, have to be a computer scientist, and beyond that, a specialist in this technology landscape.

At RSAC 2019 one thing you noticed was everyone had the exact same technology and the exact same business plan. It looks like this:

It is the Cambrian era, and we have invented multicellular creatures, although basically everything is a Trilobite.

What this tells you is that the whole business model is a race to the price floor, wherever that is. But this also gives you insight into where something like Ghidra might fit into any of these automated pipelines, since one of the bizarre weaknesses of the entire model is that they like to pass around IoCs, such as hashes or bad IP addresses, which are silly. With Ghidra, you can look under the covers of any binary a lot more easily, and it's free, so everyone will do it at scale.

From a purely business perspective this is also good news for Binary Ninja and IDA, since once people realize this is the new baseline, they will want to embed other analysis engines into their product lineups for various proprietary advantages.

But this leaves us with two questions:

  1. How does commoditized binary analysis at scale change the meta?
    1. What bug classes are now going to be found at scale by the community?
    2. What are people going to build off this technology?
  2. What does a more actively engaged NSA mean for the community? 
------
Update: Silvio pumping everything through Ghidra's decompiler.
