University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Barbados99
Level 4
Posts: 352
Joined: Tue Mar 11, 2014 6:16 pm
Location: Central Illinois

University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by Barbados99 »

I just read this in the news today and found it interesting. I thought maybe it would be worth posting and discussing here.

Here is the link to the article:
https://www.phoronix.com/scan.php?page= ... -Linux-Dev
University Banned From Contributing To Linux Kernel For Intentionally Inserting Bugs
Greg Kroah-Hartman has banned a US university from trying to mainline Linux kernel patches over intentionally submitting questionable code with security implications and other "experiments" in the name of research.

Stemming from this research paper where researchers from the University of Minnesota intentionally worked to stealthily introduce vulnerabilities into the mainline Linux kernel. They intentionally introduced use-after-free bugs into the kernel covertly for their research paper.
Barbados99
Level 4
Posts: 352
Joined: Tue Mar 11, 2014 6:16 pm
Location: Central Illinois

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by Barbados99 »

Here is the link to the research paper itself that is authored by the people who attempted to introduce the code into the Linux kernel.

https://github.com/QiushiWu/QiushiWu.gi ... curity.pdf

This is a small excerpt from the paper:
A prominent example of OSS is the Linux kernel, which is one of the largest open-source projects—more than 28 million lines of code used by billions of devices. The Linux kernel involves more than 22K contributors. Any person or company can contribute to its development, e.g., submitting a patch through git commits. To make a change of the Linux kernel, one can email the patch file (containing git diff information) to the Linux community. Each module is assigned with a few maintainers (the list can be obtained through the script get_maintainer.pl)...

... In this paper, we instead investigate the insecurity of OSS from a critical perspective—the feasibility of a malicious committer stealthily introducing vulnerabilities such as use-after-free (UAF) in OSS through hypocrite commits (seemingly beneficial minor commits that actually introduce other critical issues). Such introduced vulnerabilities can be critical, as they can exist in the OSS for a long period and be exploited by the malicious committer to impact a massive number of devices and users.
Hoser Rob
Level 20
Posts: 11796
Joined: Sat Dec 15, 2012 8:57 am

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by Hoser Rob »

Seems pretty clear they were banned out of embarrassment. The idea was to show how easily it could be done, and they succeeded.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by rene »

Hoser Rob wrote: Wed Apr 21, 2021 10:45 am Seems pretty clear they were banned out of embarrassment.
No. If you read the linked Phoronix article (or gregkh directly on lkml) then it's clear that it's a second round of strange/useless patches that now gets them banned. I.e., it's not exactly a secret that review bandwidth for patches to Linux is greatly limited --- there's just not many competent and willing engineers to do them --- and if a group that through that published paper has earlier admitted to purposely corrupting the development process now continues to either again attempt so or at best submit useless patches you can not allow this valuable resource of review bandwidth to any longer be squandered by said group. I.e., off with them. As Greg says, "This is not ok, it is wasting our time"; https://lore.kernel.org/linux-nfs/YH5%2 ... kroah.com/
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by JoeFootball »

While it does appear to be limited to a small group of U of MN individuals, it appears the University was advised of their activity, and it continued. :oops:
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by JoeFootball »

Clarifications on the “hypocrite commit” work (FAQ) :roll:

https://www-users.cs.umn.edu/~kjlu/pape ... ons-hc.pdf
Jon Spoonamore
Level 1
Posts: 34
Joined: Thu Mar 31, 2016 2:10 am
Location: United States

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by Jon Spoonamore »

Barbados99 wrote: Wed Apr 21, 2021 10:00 am I just read this in the news today and found it interesting. I thought maybe it would be worth posting and discussing here.

Here is the link to the article:
https://www.phoronix.com/scan.php?page= ... -Linux-Dev
University Banned From Contributing To Linux Kernel For Intentionally Inserting Bugs
Greg Kroah-Hartman has banned a US university from trying to mainline Linux kernel patches over intentionally submitting questionable code with security implications and other "experiments" in the name of research.

Stemming from this research paper where researchers from the University of Minnesota intentionally worked to stealthily introduce vulnerabilities into the mainline Linux kernel. They intentionally introduced use-after-free bugs into the kernel covertly for their research paper.
I was reading this early this morning. At first, I was SUPER PISSED!!! This has to be illegal!?!?! Then I thought... OK. These douche-bags did get some bad code into the Kernel. But.... They were caught, punished, banned and the Kernel(s) repaired! I'd say this is a WIN for Linux and the Kernel Maintainers. Now consider how these events would have played out in Windows-Land. It's not a pretty thought!!!
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by rene »

JoeFootball wrote: Wed Apr 21, 2021 12:24 pm While it does appear to be limited to a small group of U of MN individuals, it appears the University was advised of their activity, and it continued. :oops:
Yes, which just triggered Theodore Ts'o into writing https://lore.kernel.org/linux-nfs/YIBJX ... mit.edu/#t
To give the devil his due, Prof. Kangjie Lu has reported legitimate security issues in the past (CVE-2016-4482, an information leak from the kernel stack in the core USB layer, and CVE-2016-4485, an information leak in the 802.2 networking code), and if one looks at his CV, he has quite a few papers in the security area to his name.

The problem is that Prof. Lu and his team seem to be unrepentant, and have some very... skewed... ideas over what is considered ethical, and acceptable behavior vis-a-vis the Kernel development community. The fact that the UMN IRB team believes that what Prof. Lu is doing isn't considered in scope for human experimentation means that there isn't any kind of institutional controls at UMN for this sort of behavior --- which is why a University-wide Ban may be the only right answer, unfortunately.
Here's by the way Greg's original ban-mail in that same thread: https://lore.kernel.org/linux-nfs/YH%2F ... kroah.com/

I'll admit, finally a bit of Linux upheaval/gossip that's actually fun.
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by JoeFootball »

rene wrote: I'll admit, finally a bit of Linux upheaval/gossip that's actually fun.
Not quite so for me. I live 20 minutes away from the University of Minnesota, and while I did not attend the institution, I'm embarrassed. :oops:
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by rene »

We expect a photo of you tomorrow picketing the university holding a sign that says "stop annoying gregkh".
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by JoeFootball »

rene wrote: We expect a photo of you tomorrow picketing the university holding a sign that says "stop annoying gregkh".
:lol:
WriteF
Level 2
Posts: 65
Joined: Sun Mar 28, 2021 11:01 am
Location: Flanders, Belgium

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by WriteF »

Jon Spoonamore wrote: Wed Apr 21, 2021 12:32 pm Now consider how these events would have played out in Windows-Land. It's not a pretty thought!!!
We may or may not have heard of it many years later if it was on Windows. I recall something like having shown that to be the case recently.
rene wrote: Wed Apr 21, 2021 1:00 pm We expect a photo of you tomorrow picketing the university holding a sign that says "stop annoying gregkh".
I second this motion.
Benkyou taimu!
  • LPIC-1 [__________]
  • Debian Admin Handbook [==________]
  • The Linux Command Line [__________]
  • How Linux Works [__________]
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by JoeFootball »

U of MN: Statement from CS&E on Linux Kernel research - April 21, 2021

https://cse.umn.edu/cs/statement-cse-li ... il-21-2021
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by rene »

Thank you. Very interesting :)
Jon Spoonamore
Level 1
Posts: 34
Joined: Thu Mar 31, 2016 2:10 am
Location: United States

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by Jon Spoonamore »

JoeFootball wrote: Wed Apr 21, 2021 4:55 pm U of MN: Statement from CS&E on Linux Kernel research - April 21, 2021

https://cse.umn.edu/cs/statement-cse-li ... il-21-2021
Glad the University is taking this situation very seriously!
Barbados99
Level 4
Posts: 352
Joined: Tue Mar 11, 2014 6:16 pm
Location: Central Illinois

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by Barbados99 »

We take this situation extremely seriously. We have immediately suspended this line of research. We will investigate the research method and the process by which this research method was approved, determine appropriate remedial action, and safeguard against future issues, if needed.
After reading the various reports, statements and counter-statements today about the incident, it sounds like these people just made an incredibly stupid decision to go forward with this "research" by trying to introduce vulnerabilities into the Linux kernel. What the heck were they thinking? I get it, that they figured "the ends would justify the means" here. But not cool. Not cool at all.
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by JoeFootball »

Barbados99 wrote: Not cool at all.
Indeed. I was just discussing this with one of my colleagues. No one stopped to say, what are the bad things that could happen with this, and what can we do to mitigate them. It's the classic Jurassic Park scenario of people so preoccupied with whether or not they could, they didn't stop to think if they should.
Moonstone Man
Level 16
Posts: 6054
Joined: Mon Aug 27, 2012 10:17 pm

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by Moonstone Man »

JoeFootball wrote: Wed Apr 21, 2021 6:41 pm No one stopped to say, what are the bad things that could happen with this, and what can we do to mitigate them. It's the classic Jurassic Park scenario of people so preoccupied with whether or not they could, they didn't stop to think if they should.
I might be drawing back on a very long bow here, but it seems to me that the situation is not unlike a group of academics thinking it possible to sneak an armed nuclear device past airport security and set it off in a major city, and the group collectively says, "Yeah! Let's try it!"

Many academics are academics because they lack an everyday view of the world that is common to most of us, one that involves practicality, so their inability to have foresight into their actions should be no surprise to anyone.
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by JoeFootball »

Kadaitcha Man wrote: ... should be no surprise to anyone.
I see your point, but speaking for myself, I remain surprised, amongst other emotions.

Not only did it not occur to them that this may not be a good idea, but when advised of the consequences of their actions, they attempted to continue nonetheless.

Serenity now, serenity now ...
Moonstone Man
Level 16
Posts: 6054
Joined: Mon Aug 27, 2012 10:17 pm

Re: University of Minnesota intentionally worked to introduce vulnerabilities into the mainline Linux kernel.

Post by Moonstone Man »

JoeFootball wrote: Thu Apr 22, 2021 5:47 am ... when advised of the consequences of their actions, they attempted to continue nonetheless.
Well, that new piece of information puts a different spin on the problem, and it makes the statement from the university far more stern in its meaning and intent. To be honest, the level of stupidity is unbelievable and I hope there are real world consequences for those fools. The truly sad part though is that none of this would ever have happened if stupidity were painful.

On the plus side, I'm claiming drilling rights on their heads. If stupidity ever gets to 0.000000000001 cent per barrel, I'll be a billionaire.