What is Ghidra and Why is it Important?
A large part of tackling new viruses is figuring out how they work. To do that, you need to reverse-engineer it. The National Security Agency (NSA) obviously must do this sort of work a lot, so they created their own tool, called Ghidra, to help them do this.
By the way, it’s pronounced Ghee-dra. It was released to the public for free and as open source on March 5th, 2019, at the RSA Conference in San Francisco. You can even view the Ghidra presentation notes from Robert Joyce, Senior Advisor to the National Security Agency (NSA).
To really understand why releasing Ghidra was important, we need to understand what reverse-engineering is and what it’s used for.
What is Reverse Engineering and Why is it Used?
Generally, reverse-engineering (RE) refers to the process of taking something apart to figure out how it was made. You may have done this yourself with a small appliance at home, just trying to figure out how to fix it yourself. But here we’re talking about reverse-engineering a program. It’s just code, right? Why don’t we just look at the code behind it?
When you write a program in a language like C or Java, there’s a step between writing it and being able to use it on a computer. The language you’re programming in is readable to you, but not necessarily readable by the computer. It must be translated into something that the computer can work with. This process is called compiling.
Once a program is compiled, it’s no longer readable by humans.
If you want to figure out how that program works, you need to take it apart to the level where you can see what’s in it. You need a toolkit for that, just like you need a toolkit of screwdrivers and wrenches to take apart a small appliance or engine.
That’s where Ghidra comes into play. It’s a toolbox for taking software apart to see how it ticks. There are already other similar tools like IDA, Radare, and Binary Ninja.
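To make the "taking apart" concrete, here is an added example (not code from the article or from the Ghidra project): a toy linear-sweep disassembler that turns a constructed byte sequence, the kind of bytes gcc -O0 typically emits for `int add_one(int x) { return x + 1; }`, back into readable instructions. It only knows a handful of x86-64 opcodes; a real tool like Ghidra handles the whole instruction set and goes on to produce decompiled C.

```python
# Toy linear-sweep x86-64 disassembler: added example, not Ghidra's own code.
from typing import List, Tuple

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample bytes: what gcc -O0 typically emits for
#   int add_one(int x) { return x + 1; }
SAMPLE = bytes.fromhex("554889e5897dfc8b45fc83c0015dc3")


def _signed8(b: int) -> int:
    """Interpret one byte as a signed 8-bit value (disp8 / imm8)."""
    return b - 256 if b >= 128 else b


def _modrm(code: bytes, i: int, regs: List[str]) -> Tuple[str, str, int]:
    """Decode the ModRM byte at code[i] -> (reg operand, r/m operand, bytes used)."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:                                  # register-direct r/m
        return regs[reg], regs[rm], 1
    if mod == 1 and rm != 4:                      # [base + disp8], no SIB byte
        return regs[reg], f"[{REGS64[rm]}{_signed8(code[i + 1]):+d}]", 2
    raise ValueError(f"unsupported ModRM 0x{b:02x} at offset {i}")


def disassemble(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, instruction text) pairs for the opcodes this toy understands."""
    out, i = [], 0
    while i < len(code):
        start, regs, op = i, REGS32, code[i]
        if op == 0x48:                            # REX.W prefix: 64-bit operands
            regs, i, op = REGS64, i + 1, code[i + 1]
        i += 1                                    # step past the opcode byte
        if 0x50 <= op <= 0x57:
            text = f"push {REGS64[op - 0x50]}"
        elif 0x58 <= op <= 0x5F:
            text = f"pop {REGS64[op - 0x58]}"
        elif op == 0xC3:
            text = "ret"
        elif op in (0x89, 0x8B):                  # mov r/m, r   and   mov r, r/m
            reg, rm, n = _modrm(code, i, regs)
            i += n
            text = f"mov {rm}, {reg}" if op == 0x89 else f"mov {reg}, {rm}"
        elif op == 0x83 and ((code[i] >> 3) & 7) == 0:   # group-1 /0: add r/m, imm8
            _, rm, n = _modrm(code, i, regs)
            text = f"add {rm}, {_signed8(code[i + n])}"
            i += n + 1
        else:
            raise ValueError(f"unknown opcode 0x{op:02x} at offset {start}")
        out.append((start, text))
    return out


if __name__ == "__main__":
    for off, text in disassemble(SAMPLE):
        print(f"{off:04x}: {text}")
```

Running it prints the seven instructions of the function prologue, the add, and the epilogue; an unknown opcode raises instead of silently decoding garbage, which is the same "linear sweep" starting point real disassemblers refine with control-flow analysis.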
The NSA uses Ghidra to take apart viruses, malware, and other programs that may pose a threat to national security. Then, based on what they find, they develop a plan of action to deal with the threat. With the number of state-sponsored hacking events in the news recently, you know this is a big deal.
Can Anyone Use Ghidra?
Not exactly. You do need to have some proficiency with programming at the very least. You don’t need to be a software engineer, but if you’ve done a few college courses in programming you can get into Ghidra and teach yourself how to use it.
Plus, the official Ghidra website also has an installation guide, quick references, a wiki, and an issue tracker. The point of providing all that is so that everyone can learn, and together make the world safer from malicious hackers.
The NSA is doing this to, “…improve cybersecurity tools…”, and, “…build a community…” of researchers proficient with Ghidra and contributing to its growth, as written in Robert Joyce’s presentation.
So Why is Ghidra a Big Deal?
It’s from the NSA. What company has the kind of resources that a US federal agency has? What kind of experience could even the best security company have compared to an agency tasked with the safety of the most powerful nation on Earth?
So, yes, it’s a very powerful tool. Security researcher Joxean Koret tweeted “So, Ghidra s**ts all over any other RE tool out there with the only exception of IDA.”
Then there’s the free aspect. By being able to get what is arguably the most powerful RE tool for free, the entry bar into security research has just been lowered to simply owning a computer and having Internet access.
This is part of the reason why the NSA released it. They hope that a new generation of researchers will become proficient with it and consider careers with the NSA.
Then there’s the open source aspect. Security agencies aren’t known for letting people look behind the curtain for a good reason. If you know how they do what they do, it becomes easier to thwart them. Yet, the entire source code for Ghidra is being made public so anyone can comb through it and see exactly how it works.
And, no, there are no reports of government backdoors being in it. Robert Joyce addressed that quickly, saying the security research community “…is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart.”
From an education standpoint, Ghidra also allows budding software engineers to take apart programs to see how they work and then learn how to do something similar with their own projects. Looking at another person’s code has long been an accepted practice among programmers and developers to become better programmers. If that code was openly shared, of course.
Perhaps the biggest deal is that Ghidra was designed to be used collaboratively. You can have a shared repository with your co-workers or friends so you can all work on a project at once. That speeds up the analysis process dramatically.
What Now?
The U.S. federal government has pledged to release more and more security-related software. Some of it will be very technical in nature, like Ghidra, and some of it will be more user-friendly, like a security-enhanced version of Android.
It all heralds a unique time of government and civilian collaboration towards keeping our data infrastructure as safe as possible.