Huawei Denies Involvement in Buggy Linux Kernel Patch Proposal (zdnet.com)

Huawei denied on Monday having any official involvement in an insecure patch submitted to the Linux kernel project over the weekend, a patch that introduced a "trivially exploitable" vulnerability. From a report: The buggy patch was submitted to the official Linux kernel project via its mailing list on Sunday. Named HKSP (Huawei Kernel Self Protection), the patch allegedly introduced a series of security-hardening options to the Linux kernel. Big tech companies that heavily use Linux in their data centers and online services often submit patches to the Linux kernel. Companies like Google, Microsoft, Amazon, and others have been known to have contributed code. On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch was introducing a "trivially exploitable" vulnerability in the kernel code -- if the patch was to be approved.
  • I want to see CCP press release on this first.
    • Re: (Score:2, Interesting)

      by waspleg ( 316038 )

      Well, I went to check China Daily which is a CCP mouthpiece and couldn't find anything yet. Fingers crossed? Why are they even allowing patches from known state actors?

      • by AmiMoJo ( 196126 )

        The majority of patches are from untrustworthy sources. State actors, companies, random people we know little about. The system is designed to vet all code before it gets merged, as happened here.

      • There won't be anything about any of this in Chinese official state press. They're not idiots. They know the best way to deal with something like this unless it's already being repeated everywhere is to simply ignore it.

        • by NFN_NLN ( 633283 )

          > They know the best way to deal with something like this unless it's already being repeated everywhere is to simply ignore it.

          It worked for the virus... at least until February/March.

          • As I said, "unless it's already being repeated everywhere." Once it got too big to ignore, the state press had to deal with it.

  • If there were truly nefarious reasons behind the code submit, it probably wasn't the first, nor would it be under a name easily traceable to Huawei. It has been done, and will be done, just don't expect it from a group named "Chinese Hackers #23".
    • What about "Chinese Hackers #1337"?

    • ...nor would it be under a name easily traceable to Huawei

      Western interests, sure; the Chinese haven't quite discovered subtlety yet but when they do, rest assured they'll begin trying to figure out how to implement it.

      The CCP definitely needs to re-read Sun Tzu.

      • The CCP definitely needs to re-read Sun Tzu.

        Indeed, a compendium of ancient conventional military wisdom is always timely.

        Without an understanding of the teachings republished by Sun Tzu, modern military commanders might make the horrible mistake of attempting an enveloping maneuver! Of course, if they read Sun Tzu they'll be spared the indignity of this victory, as they will understand that the enemy, once surrounded, will not surrender but will become super-soldiers who fight really hard!

        • Meanwhile, the rest of us can read Master Foo's Rootless Root: http://www.catb.org/esr/writin... [catb.org]

        • Indeed, a compendium of ancient conventional military wisdom is always timely.

          Sheesh. Sun Tzu's _Art of War_ is a treatise of leadership, organizational, diplomatic, and espionage principles disguised as military training stories. Don't you kids get taught *anything* in school these days?

          • I think he knows that.
            He's also not right that a good amount of the what-appears-to-be-insight within it is only insightful if you have little knowledge of history, and therefore know how wrong it is.
            • Sigh.
              Let's try that again.
              He's also not wrong that a good amount of what-appears-to-be-insightful within it is only insightful if you have little knowledge of history, and therefore don't know how wrong it is.
      • Look at China's growing involvement and influence in Africa. They know about subtlety and use it where needed. They just don't make any effort when it's not needed, when they know the rest of the world doesn't have the balls to do anything.

  • by ugen ( 93902 ) on Wednesday May 13, 2020 @09:51AM (#60055976)

    This is from the alleged developer:
    "NOTICE:
      This project have done my research in spare time. The name of hksp was given by myself,
    it's not related to huawei company. There is no huawei product use these code.
      This patch code is raised by me, as one person do not have enough energy to cover every thing
    so there is lack of quality assurance like review and test.
      This patch is just a demo code.
    " :) Yes, in no way, shape or form is this at all related to Huawei, nor the government of China. Nothing to see here, move along.

    • by ugen ( 93902 ) on Wednesday May 13, 2020 @09:53AM (#60055978)

      As a follow up, the article says this guy is "one of its top security engineers". I wonder what the other security engineers at Huawei can do, then.

      • As a follow up, the article says this guy is "one of its top security engineers". I wonder what the other security engineers at Huawei can do, then.

        They can do what they are told to do. Huawei is Chinese Communist Party (CCP) controlled. The company claims to be employee owned but that is CCP-speak for trade union association owned, and the trade union association is naturally controlled by the CCP.

      • by AmiMoJo ( 196126 )

        I don't think he even works for Huawei. We don't even know his name, he doesn't have a Huawei email address.

        • When working with Chinese engineers, do they customarily have an email address at the company's domain, or do they instead have a personal email that they also use at work?

          Even when it is the CEO of a Chinese engineering firm, and you send an email to their work address, the reply is likely to come from a personal email connected to their phone.

          Obedience in China is based on authority, not formalism; they don't worry about formalisms like which domain the email address had, they would expect you to simply v

      • Maybe security engineer has the opposite meaning in China?

        Also, is it certain that this guy works for Huawei? Usually when you work for a company you do not add their name to stuff you do in your spare time. I would certainly not give credit to someone else for my own work.

      • "I wonder what the other security engineers at Huawei can do": Disguise their mischievousness better?

      • As a follow up, the article says this guy is "one of its top security engineers". I wonder what the other security engineers at Huawei can do, then.

        It's hilarious. He's one of their top engineers, and it has nothing to do with his work, but he used the company name in its title.

        No, that is not a reasonable thing to claim.

        Lying across cultures is so hard! Who knows which details will stand out. So much easier when you know which questions are allowed to be asked, and which aren't.

    • by AmiMoJo ( 196126 )

      Note also that he is using a gmail address to submit the patch and attached to his GitHub account, not a Huawei one.

      • It's notable that that's actually one of Huawei's "top security engineers," per the article. At that point it doesn't really matter if he's "officially" representing Huawei, since he's a high enough level within the company that everything he does is an official representation of the company. Also, things aren't even remotely that cut-and-dry: if I use my personal email to send something, that's still me saying it, the same as if I used a business email - that relationship doesn't just stop existing becau
        • Re: (Score:2, Troll)

          by cusco ( 717999 )

          everything he does is an official representation of the company

          Horsepuckey. I'm one of the top physical security professionals at Amazon; if I personally declare "Olives are the worst food ever inflicted on mankind" that is most certainly **NOT** an official representation from Amazon Corporate. There are channels for official communications, correspondence outside those channels is not official, and if I represent it as company policy then I will be fired (/. frequently carries stories about morons who got fired for doing exactly that).

          On the other hand, if I

        • by AmiMoJo ( 196126 )

          They make that claim but don't present any information to back it up. They don't even know his name.

          The patch was submitted under the name "wzt wzt", his web site is www.cloud-sec.org but currently down, and his GitHub page doesn't have his name on it either. His other GitHub repos don't seem to have anything to do with Huawei either.

          I can't see any evidence that he works for them at all.

        • by Kjella ( 173770 )

          Maybe he's a "top security engineer" by skill but that doesn't mean he's got any executive power or representation capacity. The US already has an unhealthy attitude to employee opinions and hobbies; I realize the C-level can't stay entirely disconnected, but if a "top [company] coder" can't submit a shoddy open source patch because his code quality reflects poorly on the company's code quality then all sanity has left. Next thing you'll tell the McD employee that as a "top burger flipper" he can't do any c

    • This, unfortunately is the kind of code Huawei is quite famous for.

      So actually, I do not believe the developer's statement that it was on his own time. When they work on their own time, it is quite good. But what they do on company time...

    • He may have been acting as an individual. Imagine what successful implantation of a Linux exploit would do for one's Social Credit System score, the government's national reputation system.
    • Please ignore the fact that I submitted it as a kernel patch, for inclusion on every system. And the exploit is just demo code that isn't exploitable by anyone except authorized CCP comrades and anyone that finds it.

      Nothing to see, you racist assholes. Move along.

  • by CajunArson ( 465943 ) on Wednesday May 13, 2020 @09:53AM (#60055980) Journal

    Look you anti-CCP racists, there's absolutely no evidence at all that this patch was man-made in Wuhan Lab on October 28th 2019.

    NO. EVIDENCE. AT. ALL.

    As such, Huawei and the CCP are innocent and this is clearly Trump's fault!

    In other news, Lee Harvey Oswald obviously had nothing to do with the Kennedy assassination because he wasn't even alive in 1968 when Bobby Kennedy was assassinated!! IT'S SCIENCE YOU CAN'T DENY IT!

    • If this evil communist patch ever reached the Linux kernel, Americans would be protected anyway, because Trump himself would disinfect the bug away with bleach and UV-light. They kill computer viruses in minutes, he discovered it.
  • It was only a matter of time until the Chinese belief in magical remedies enters into the Linux kernel.

    • by AmiMoJo ( 196126 )

      Looking at his code it does seem to be a genuine attempt to harden the Linux kernel. As he states not production ready patches, but ideas for discussion along with demonstration code.

      Given the language barrier, code seems like an ideal way to express those concepts.

      Misguided perhaps and nothing to do with Huawei (he is using a Gmail address) but not malicious.

      • but not malicious.

        You don't know that, you'd have to have a huuuuuuuuge body of knowledge about the situation that isn't publicly available, and won't be in the short term.

        You have no idea if it was malicious or not, same as everybody else.

        Magical thinking indeed.

        • but not malicious.

          You don't know that, you'd have to have a huuuuuuuuge body of knowledge about the situation that isn't publicly available, and won't be in the short term.

          You have no idea if it was malicious or not, same as everybody else.

          Magical thinking indeed.

          No. You only don't know it, and by claiming he wouldn't you are not only concluding from your own lack of experience but are acting maliciously in fact, because you're deliberately making a claim you know you cannot make. Of course we forgive you, because we wouldn't find any rest if we continuously accused dumb people of acting maliciously out of ignorance.

          But yes, some of us can tell what is and isn't malicious. The Chinese dev did in fact not show any signs of malice. So did he use his company's name and he

  • by lazarus ( 2879 ) on Wednesday May 13, 2020 @10:06AM (#60056030) Journal

    This is open source working as designed, and why you're crazy to put your trust in closed-sourced systems if you are at all interested in security.

    • This is open source working as designed, and why you're crazy to put your trust in closed-sourced systems if you are at all interested in security.

      Coincidentally working as designed because a security group happened to get interested due to the novelty of a Huawei patch. The thousand eyes notion has been known to routinely fail, as open source code does not necessarily actually get all those eyes.

      "Working as designed" can also be interpreted as the ability to insert exploits as anyone may contribute, at least from CCP and similar perspectives.

      • It was referring to review and catching flaws.

        • by drnb ( 2434720 )

          It was referring to review and catching flaws.

          As I noted, and pointed out the coincidental nature of the catch this time

          • Such patches are all routinely reviewed through Links and his team. You did realise this?

            • Oops Linus not links, how embarrassing.

            • by drnb ( 2434720 )

              Such patches are all routinely reviewed through Linus and his team. You did realise this?

              And you realize Linus was not credited with the discovery, rather a specialized security group that happened to look at this one.

              • Still doesn't make anything coincidental?

              • Such patches are all routinely reviewed through Linus and his team. You did realise this?

                And you realize Linus was not credited with the discovery, rather a specialized security group that happened to look at this one.

                Can you comprehend that Linus is in communication with the people who check on things, and he knows if somebody has checked it or not, and if they're competent to review it? Like, he literally reads the same mailing list that they found out about it on, and were talking about it on, so if they hadn't checked, he would know nobody had checked yet?

                Did you know that Linus is a rather clever fellow, and not even that far below average? /s

                • by drnb ( 2434720 )
                  Again, Linus and others do not necessarily do the sort of review that these security experts had done in this particular case.
          • It was referring to review and catching flaws.

            As I noted, and pointed out the coincidental nature of the catch this time

            There was no bug caught. There was a proposal rejected.

            • by drnb ( 2434720 )

              It was referring to review and catching flaws.

              As I noted, and pointed out the coincidental nature of the catch this time

              There was no bug caught. There was a proposal rejected.

              Because it was coincidentally caught in time, this time.

      • This is open source working as designed, and why you're crazy to put your trust in closed-sourced systems if you are at all interested in security.

        Coincidentally working as designed because a security group happened to get interested due to the novelty of a Huawei patch.

        It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.

        The system isn't accidental, they've been doing it for decades.

        The thousand eyes notion has been known to routinely fail, as open source code does not necessarily actually get all those eyes.

        You're intentionally misrepresenting this concept. Fuck you and your FUD. That's talking about fixing known bugs that are difficult for individual programmers to figure out how to solve. Amazingly, there was a time in the past where some bugs would tak

        • It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.

          And they did not find the exploit. It was found because a security group had a unique interest this particular time. From the summary: "On Sunday, the HKSP submission sparked interest in the Linux community as could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel."

          The system isn't accidental, they've been doing it for decades.

          And yet exploits occasionally go unnotice

          • It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.

            And they did not find the exploit.

            I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.

            Your argument seems to be that it was found by a unicorn, so it doesn't count? Is that correct?

            • by drnb ( 2434720 )

              It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.

              And they did not find the exploit.

              I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.

              Linus and the regular kernel devs did not find this problem. That is the "they" being referred to here. My point from the first post is that this bug was found by a special security group that had a unique interest in this particular patch.

              • It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.

                And they did not find the exploit.

                I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.

                Linus and the regular kernel devs did not find this problem.

                False. You simply don't understand what happened, but you have a narrative anyways.

                • by drnb ( 2434720 )

                  It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.

                  And they did not find the exploit.

                  I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.

                  Linus and the regular kernel devs did not find this problem.

                  False. You simply don't understand what happened, but you have a narrative anyways.

                  LOL. What a case of projection you have. Now go re-read the summary. "On Sunday, the HKSP submission sparked interest in the Linux community as could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch w

                  • It didn't just "happen" to get reviewed, there is a large body of kernel hackers who know what stuff is important, and significant changes to important systems don't happen without a lot of review.

                    And they did not find the exploit.

                    I'm not sure why you want there to be some narrative that ends up making it true that they didn't find it, when actually they did.

                    Linus and the regular kernel devs did not find this problem.

                    False. You simply don't understand what happened, but you have a narrative anyways.

                    LOL. What a case of projection you have. Now go re-read the summary. "On Sunday, the HKSP submission sparked interest in the Linux community as could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch was introducing a "trivially exploitable" vulnerability in the kernel code -- if the patch was to be approved."

                    What you don't comprehend is that these are regular kernel contributors. You've got your head stuck so far up your ass you can only imagine one label for them.

    • You can use all the vetted open source operating system and programs you want, it's all insecure if your hardware isn't also open for review.

      Do you control the minix micro-kernel inside your intel CPU? Answer: no you don't.

  • by AnonCowardSince1997 ( 6258904 ) on Wednesday May 13, 2020 @10:22AM (#60056096)

    Said it came from either the USA or Italy!

  • by jeromef ( 2726837 ) on Wednesday May 13, 2020 @10:23AM (#60056100)
    > On Sunday, the HKSP submission sparked interest in the Linux community as could signal Huawei's wish to possibly contribute to the official kernel

    Huawei is a long time contributor to the kernel. See 2017 data compiled by Greg KH at https://www.linuxfoundation.or... [linuxfoundation.org].

    - #15 in the list "Top companies contributing to the Linux kernel, 4.8–4.13"
    - #3 (after Intel and Google) in the list of companies bringing in the most new developers

    I would be surprised if things had changed significantly in the last 2-3 years.
  • Was this just poor code, or an attempt to slip an exploit into the kernel?

    Is it possible to discern the difference?

    If it is, and it was not just inept or naive programming, is there anything to be done? Can anything be done?

    • It seems more likely just a probe of how good they are at detecting it. It was found easily, so they won't waste whatever nasty code they're sitting on.

  • not the first time (Score:5, Interesting)

    by shentino ( 1139071 ) <shentino@gmail.com> on Wednesday May 13, 2020 @10:28AM (#60056128)
  • but... "On Sunday, the HKSP submission sparked interest in the Linux community as could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel."

    Really? Shouldn't this level of scrutiny apply to ANY security change? I mean all sources should be considered as potentially having an ulterior motive.

    • Comment removed based on user account deletion
    • This should be taught to all programmers, engineers, etc who work with computers: always assume everything external to your system is trying to crash or hack it.

    • Yes, such scrutiny is already applied to all security patches to the kernel, but that doesn't make for a sensationalist article, does it?

    • but... "On Sunday, the HKSP submission sparked interest in the Linux community as could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel."

      Really? Shouldn't this level of scrutiny apply to ANY security change? I mean all sources should be considered as potentially having an ulterior motive.

      Right, but new sources are obviously even more suspect than the average source.

      You vastly underestimate the routine paranoia of kernel developers. It is why we don't "blue screen!" Nothing is trusted. Even when you trust the developer, you still don't trust their code.

  • It would have been a great success!

    (Snowden leaks & SELinux) -> cognitive dissonance

    • by HiThere ( 15173 )

      Not really. You're assuming that there's a uniformity of purpose behind things, and that's not what the evidence suggests.

      That said, I don't use SELinux, because I want to be able to read my disk from multiple different installed kernels. And if you want to be secure, don't put your computer on the net. Use a separate computer for that purpose. There is other hardening that you can do, but a lot of it interferes with updating the system...and the principal thing to do is break external communication lin

  • by ClarkMills ( 515300 ) on Wednesday May 13, 2020 @12:22PM (#60056662)

    Do we all really expect people to be uber-kernel-coders from zero-day? [;)]
    Is this yet another beat-up article? Similar to the "Chinese hackers attacking Covid-19 research" article.

    Beware of propaganda from all factions.

  • From Huawei themselves:

    However, in a statement published on Monday, Huawei said that the company has no official involvement in the HKSP project, despite the project using the Huawei name in its title and the project having been developed by one of its top security engineers.

    The company said the project was created and submitted to the Linux kernel project by the engineer, without its formal backing, and the HKSP code was never actually used in any of the official Huawei products.

    So they will deny anything and everything. But if this proposal did slip through and make it into the kernel, the engineer who submitted the change "without formal backing" would suddenly become a new star in his corporate standing. Maybe get a nice promotion plus a hefty raise. And if, God forbid, this goes on without being detected for years, ALL US corporate environments will be under their thumbs.

  • Looks like there just needs to be a little clarity of source. As the developer was doing it on their own, it should have been submitted by them directly, rather than via their workplace and HKSP.
    I'm sure the developer in question isn't the only one who has been lazy in that regard.
  • ... if it *were* to be approved.
  • They seem to be getting the pointy end of the stick no matter what they do these days. Maybe they should incorporate in Delaware or Ireland, change their name to Amasoftle, and make a big fat campaign contribution to Trump International Hotels, Spacecraft, and Circus Performers.
    • "Everyone born on this planet gets a free ticket to the circus, and if you're an American you get a front-row seat." -- George Carlin [Corollary: If you're Canadian, you get the middle of first balcony, too high up for the tear gas to reach.]
  • Well colour me surprised.
