Jonathan Crussell (Sandia National Laboratories)

Malware analysis relies on evolving tools that undergo continuous improvement and refinement. One such tool is Ghidra, released as open-source in 2019, which has seen 39 public releases and 13,000 commits as of October 2024. In this paper, we examine the impact of these updates on code similarity analysis for the same set of input files. Additionally, we measure how the underlying version of Ghidra affects simple metrics such as analysis time, error counts, and the number of functions identified. Our case studies reveal that Ghidra’s effectiveness varies depending on the specific file analyzed, highlighting the importance of context in evaluating tool performance.
We do not yet have an answer to the question posed in the title of this paper. In general, Ghidra has certainly improved in the years since it was released. Developers have fixed countless bugs, added substantial new features, and supported several new program formats. However, we observe that better is highly nuanced. We encourage the community to approach version upgrades with caution, as the latest release may not always provide superior results for every use case. By fostering a nuanced understanding of Ghidra’s advancements, we aim to contribute to more informed decision-making regarding tool adoption and usage in malware analysis and other binary analysis domains.

View More Papers

Speak Up, I’m Listening: Extracting Speech from Zero-Permission VR...

Derin Cayir (Florida International University), Reham Mohamed Aburas (American University of Sharjah), Riccardo Lazzeretti (Sapienza University of Rome), Marco Angelini (Link Campus University of Rome), Abbas Acar (Florida International University), Mauro Conti (University of Padua), Z. Berkay Celik (Purdue University), Selcuk Uluagac (Florida International University)

Read More

SketchFeature: High-Quality Per-Flow Feature Extractor Towards Security-Aware Data Plane

Sian Kim (Ewha Womans University), Seyed Mohammad Mehdi Mirnajafizadeh (Wayne State University), Bara Kim (Korea University), Rhongho Jang (Wayne State University), DaeHun Nyang (Ewha Womans University)

Read More

Rediscovering Method Confusion in Proposed Security Fixes for Bluetooth

Maximilian von Tschirschnitz (Technical University of Munich), Ludwig Peuckert (Technical University of Munich), Moritz Buhl (Technical University of Munich), Jens Grossklags (Technical University of Munich)

Read More

A Formal Approach to Multi-Layered Privileges for Enclaves

Ganxiang Yang (Shanghai Jiao Tong University), Chenyang Liu (Shanghai Jiao Tong University), Zhen Huang (Shanghai Jiao Tong University), Guoxing Chen (Shanghai Jiao Tong University), Hongfei Fu (Shanghai Jiao Tong University), Yuanyuan Zhang (Shanghai Jiao Tong University), Haojin Zhu (Shanghai Jiao Tong University)

Read More