Finite State has released a security report that used binary analysis to reveal a litany of flaws in Huawei firmware. Huawei has disputed some points of the report, with Finite State standing by its analysis. The analysis covered 9,936 firmware images across 558 devices over a period of 18 months, with a comparable analysis of market competitors' firmware serving as a control.
The reported issues included practices such as replacing memcpy_s with a wrapper around the plain memcpy, which discards the bounds check that protects against buffer overflows. By contrast, Microsoft banned usage of memcpy in its 2009 push for secure computing. Finite State's report substantiates the substitution from the application binary itself: "VOS_memcpy_s appears to be a custom implementation for memcpy_s. However it calls memcpy without any parameter validation." Within the firmware, other defenses against memory issues were often missing. Many developers enable Address Space Layout Randomization (ASLR), which complicates memory attacks by making the location of memory targets unpredictable. Analysis revealed that only approximately one third of Huawei firmware used this security control. Other types of issues were memory corruption flaws, default credentials, hardcoded public encryption keys granting remote control, and use of insecure outdated components. The keys included entries in the SSH authorized_keys file, a file that grants remote login to holders of the corresponding private keys.
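To make the memcpy_s finding concrete, here is an added example (not code from the report or from Huawei) that places the pass-through wrapper pattern the report describes beside a bounds-checked memcpy_s written to the C11 Annex K contract; the function names and the oversized-copy caller are assumptions for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Pattern the report describes (assumed shape, not Huawei's actual
   code): a "_s" wrapper that drops the destination size and calls
   memcpy, so an oversized count overruns the destination. */
int vos_memcpy_s_passthrough(void *dst, size_t dstsz, const void *src, size_t n)
{
    (void)dstsz;            /* the only argument that could stop an overflow */
    memcpy(dst, src, n);
    return 0;
}

/* Bounds-checked memcpy_s following the C11 Annex K contract: reject
   null pointers, a count larger than the destination, and overlapping
   regions; on a bad count or null source, zero the destination and
   report the error instead of copying. */
int memcpy_s_checked(void *dst, size_t dstsz, const void *src, size_t n)
{
    if (dst == NULL)
        return EINVAL;
    if (src == NULL || n > dstsz) {
        memset(dst, 0, dstsz);      /* Annex K clears dst on these errors */
        return (src == NULL) ? EINVAL : ERANGE;
    }
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if ((d < s && d + n > s) || (s < d && s + n > d)) {
        memset(dst, 0, dstsz);      /* overlap is undefined for memcpy */
        return EINVAL;
    }
    memcpy(dst, src, n);
    return 0;
}

/* A caller that tries to copy a 16-byte source into an 8-byte buffer:
   the checked version refuses with ERANGE, whereas the pass-through
   version would have written 8 bytes past the end of dst. */
int demo_oversized_copy(void)
{
    const unsigned char src[16] = "0123456789abcde";
    unsigned char dst[8] = {0};
    return memcpy_s_checked(dst, sizeof dst, src, sizeof src);
}
```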
The engine used for analysis was a binary analyzer that includes over 45 integrated tools to unpack and analyze device firmware. Common public tools used in the Finite State analysis include NSA Ghidra, Binary Ninja, and Radare2. InfoQ discussed the type of analysis with Dennis Andriesse, author of Practical Binary Analysis, whose work appears inside Binary Ninja.
There's been a lot of research on binary analysis techniques ranging from automatic detection of buffer overflows and format string vulnerabilities, to automatic exploit generation for suspected vulnerabilities. Many techniques have matured a lot and are seeing increasingly wide use both in industry and in the hacking community. For example, many companies now use fuzzing to catch bugs before they release their software.
The report includes a side-by-side security analysis of similar products: Huawei CE12800, Juniper EX4650, and Arista 7280R. InfoQ spoke with Mandy Sadowski, VP of marketing at Finite State, to establish why the other devices were selected. "We considered the use case for the Huawei CE12800, Arista 7280R, and Juniper EX4650 to overlap and based our case study on these three similar products." Firmware images were current at the time of analysis. Huawei's was the only firmware with hardcoded credentials and cryptographic keys, and it had the highest number of memory corruption issues. Among the hardcoded credentials, the users root, huawei, and python shared the same password hash.
The United Kingdom has a similar security report for the National Security Advisor, from its own Huawei Cyber Security Evaluation Center (HCSEC). Following five annual HCSEC public reports, Finite State performed an analysis of Huawei firmware over a period of two years to evaluate improvements. Contrary to the expectation that patching improves security, Finite State’s analysis revealed that "security became quantifiably worse for users who patched their devices to the updated versions of the firmware." The increase in risk came primarily from encryption keys and memory corruption issues, with a slight uptick in CVEs.
Huawei published a statement disputing some findings from the Finite State report but did not address the findings from HCSEC. The rebuttal includes a technical response from their Product Security Incident Response Team (PSIRT). The rebuttal cites issues such as not including major market competitor Cisco in the comparison set and that some of the firmware analyzed by Finite State was outdated. It also indicates that the hardcoded SSH keys are commonly removed following installation. Huawei also indicated that the binary analysis tool used by Finite State "would not identify significant vulnerabilities in Huawei's gear."
Finite State published their own response-to-the-response to stand by their original report. In the followup, they indicate that the most effective defense against hardcoded cryptographic access keys is simply not having them in the first place. They also address the role of binary analysis when compared against the source code review performed by HCSEC: source code review alone cannot establish that the code reviewed is the code actually shipped. "After eight years of work through this evaluation center, they have been able to achieve binary equivalence for only one device. In other words, they cannot guarantee that the source code tested exactly matched what was used to build the software inside Huawei’s devices."
Huawei discussed aspects of their recent $2 billion security commitment. "Finite State's report implicitly supports Huawei’s longstanding call for independent, third-party testing of products from all equipment vendors, using internationally recognized standards." Common national and international standards in this case include NIST 800-53, the ITU Study Group 17, the ISO 27000 series, and others. Software could also be analyzed by other independent organizations such as Cyber ITL, who compare software security for common classes like operating systems and browsers.