
Grothendank | 2 years ago

Here's my basic position:

1. The risk and threats are published

2. The audits I've seen don't evaluate the threats

3. Link me to the audits if you want to convince me

I. The risks - airgapping is not enough

1. If the software has zeroday beacons in it, it can communicate with zeroday beacon repeaters embedded in VM, OS, or hardware (see: cache side channels: https://dl.acm.org/doi/abs/10.1145/3133956.3136064 )

2. The beacons wouldn't have to look like exploit code, they could just be timing bugs sprinkled into the codebase at random. There are plenty of random little warnings and defects in the code that nobody is ever going to check or fix, see this audit: https://github.com/NationalSecurityAgency/ghidra/issues/382

3. Airgaps may be broken by ultrasound side channels; communication to compromised devices like smartphones is possible (see: speaker-to-gyroscope communication https://ieeexplore.ieee.org/abstract/document/9647842/ ; speaker-to-speaker communication https://arxiv.org/pdf/1803.03422.pdf)

4. Low bitrate data leaks, like "ghidra is running in this org, decompiling files named....." may be accumulated by the NSA

This is just zero-day warehousing and passive signals collection with embedded zerodays. It would be hard for security researchers to detect this. I'd happily change my mind if you showed me an audit that looks for beacons and other side channels.

II. The audits

Here is the one audit I could find

https://github.com/NationalSecurityAgency/ghidra/issues/382

This audit tells us that the code is janky, but doesn't tell us if it's secure. It's just a dump of thousands upon thousands of static analysis errors.

There's no threat analysis in this audit. But it does suggest the code has so many defects that a serious audit would be very expensive.

III. Change my mind with evidence

Please link me to the heavy audits of the code. If you can.

tl;dr: I think the code is less heavily audited than you can support
