Researchers Secretly Tried To Add Vulnerabilities to Linux Kernel, Ended Up Getting Banned

Authored by fosspost.org and submitted by mhsabbagh

The Linux kernel is one of the largest software projects in the modern history; with a gigantic 28 millions lines of code.

Contributors from all over the world and from different fields submit a large number of patches each day to the Linux kernel maintainers, so that they get reviewed before being officially merged to the official Linux kernel tree.

These patches could help fix a bug or a minor issue in the kernel, or introduce a new feature.

However, some contributors have been caught today trying to submit patches stealthily containing security vulnerabilities to the Linux kernel, and they were caught by the Linux kernel maintainers.

Researchers from the US University of Minnesota were doing a research paper about the ability to submit patches to open source projects that contain hidden security vulnerabilities in order to scientifically measure the probability of such patches being accepted and merged. Which could make the open source projects vulnerable to various attacks.

They used the Linux kernel as one of their main experiments, due to its well-known reputation and adaptation around the world.

These researchers submitted patches which didn’t seem to completely fix the related issues in the kernel, but also didn’t right away seem to introduce a security vulnerability. A number of these patches they submitted to the kernel were indeed successfully merged to the Linux kernel tree.

However, today, they were caught by Linux kernel maintainers, and were publicly humiliated. In an email by Greg Kroah-Hartman, one of the major Linux kernel maintainers, their approach was disclosed and their so-called “newbie patches” were thrown under the bus:

You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work. Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing? Browse FOSS Post ad-free when you subscribe to Patreon Buy Some Coffee

Apparently, Greg and a number of other maintainers were not happy about this, as these experiments consume their time and efforts and make people engage by bad faith in the Linux kernel development:

Our community does not appreciate being experimented on, and being “tested” by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Finally, Greg announced that the Linux kernel will ban all contributions from the University of Minnesota, and that all the patches they previously submitted are going to be removed from the kernel, and no new patches will be accepted from them in the future:

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.

The research paper they worked on was published back in February, 2021; around two months ago. In the paper, they disclose their approach and methods that they used to get the vulnerabilities inserted to the Linux kernel and other open source projects.

They also claim that the majority of the vulnerabilities they secretly tried to introduce to various open source projects, were successful in being inserted by around an average of %60:

It is still unclear at this moment what other open source projects they tried to hijack, and what is the actual number of vulnerabilities they succeeded in inserting to various open source projects.

Greg has sent another email in which he reverts most patches from the University of Minnesota from the Linux kernel, and puts some of them on hold.

Discussion: What do you think about this approach? Do you think that the researcher’s attitudes were justified in favor of science and security? Or do you think that the Linux kernel maintainers were right in banning them from the kernel, and that this approach should not be encouraged?

tazebot on April 21st, 2021 at 18:02 UTC »

Are the researchers saying that inspite of notifying the maintainers that the submitted patches are bad, those patches ended up in the code anyway?

Their clarifications

We carefully designed the experiment to ensure safety and to minimize the effort of maintainers.

(1). We employ a static-analysis tool to identify three “immature vulnerabilities” in Linux, and correspondingly detect three real minor bugs that are supposed to be fixed. The“immature vulnerabilities” are not real vulnerabilities because one condition (such as a use of a freed object) is still missing. The “immature vulnerabilities” and the three minor bugs are independent but can be related by patches to the bugs.

(2). We construct three incorrect or incomplete minor patches to fix the three bugs. These minor patches however introduce the missing conditions of the “immature vulnerabilities”, so at the same time, we prepare three other patches that correct or complete the minor patches.

(3). We send the incorrect minor patches to the Linux community through email to seek their feedback.

(4). Once any maintainer of the community responds to the email, indicating “looks good”, we immediately point out the introduced bug and request them to not go ahead to apply the patch. At the same time, we point out the correct fixing of the bug and provide our proper patch. In all the three cases, maintainers explicitly acknowledged and confirmed to not move forward with the incorrect patches. This way, we ensure that the incorrect patches will not be adopted or committed into the Git tree of Linux.

FTA:

A number of these patches they submitted to the kernel were indeed successfully merged to the Linux kernel tree.

So did the researchers not notify? It really seems as if they didn't. Also, since they're primarily trying to see if people are not catching vulnerabilities, the assertion "This is not considered human research." seems to ring hollow here.

Color_of_Violence on April 21st, 2021 at 13:28 UTC »

Greg announced that the Linux kernel will ban all contributions from the University of Minnesota.

Wow.

tripledjr on April 21st, 2021 at 13:20 UTC »

Got the University banned. Nice.