The University of Minnesota has been banned from Linux development for deliberately introducing vulnerabilities
News this week from the world of Linux development: the University of Minnesota has been banned from Linux kernel development for deliberately introducing vulnerabilities. The reason is research by Qiushi Wu (Ph.D. student) and Kangjie Lu (Assistant Professor) on the feasibility of sneaking vulnerabilities into open-source software. The paper can be found on GitHub.
Among other commits, these researchers tried to put a Use-After-Free vulnerability into the Linux kernel. As a result, Greg Kroah-Hartman, one of the most important kernel developers and the maintainer of the stable branch, has decided to ban the University of Minnesota from Linux development entirely, something the university itself has confirmed.
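To make the kind of patch at issue concrete, here is an added illustration (not code from the paper, from any of the submitted patches, or from the kernel): a user-space model of a reference-counted object. The helper follows the "callee drops the reference on failure" convention that some kernel APIs use, so a change that looks like it plugs a reference leak on the error path instead drops a reference the callee already released, freeing the object while its owner still holds it. The `obj_*` names, the `live` flag and the counter of use-after-free accesses are all constructed for this example; in the kernel the equivalent would be a `kref`/`put` pair and an actual `kfree()`.

```c
#include <stdio.h>

/* Toy stand-in for a refcounted kernel object (constructed for this
 * illustration, not real kernel code or any UMN patch). */
struct obj {
    int refs;   /* outstanding references */
    int live;   /* 1 while "allocated", 0 once the last ref is dropped */
    int value;
};

static int uaf_events; /* accesses to an object after it was "freed" */

static void obj_get(struct obj *o)
{
    if (!o->live) { uaf_events++; return; }   /* get on a freed object */
    o->refs++;
}

static void obj_put(struct obj *o)
{
    if (!o->live) { uaf_events++; return; }   /* put on a freed object */
    if (--o->refs == 0)
        o->live = 0;                          /* stands in for kfree() */
}

static int obj_read(struct obj *o)
{
    if (!o->live) { uaf_events++; return -1; } /* read of freed memory */
    return o->value;
}

/* Callee-consumes-reference-on-failure convention: when helper() fails it
 * has already dropped the reference the caller handed it. */
static int helper(struct obj *o, int fail)
{
    if (fail) {
        obj_put(o);
        return -1;
    }
    return 0;
}

/* Original caller: correct, because helper() already released the ref. */
static int caller_original(struct obj *o, int fail)
{
    int err, v;

    obj_get(o);
    err = helper(o, fail);
    if (err)
        return err;
    v = obj_read(o);
    obj_put(o);
    return v;
}

/* "Fix" of the kind described in the article: it looks like it plugs a
 * reference leak on the error path, but helper() already dropped that
 * reference, so the extra obj_put() frees the object under its owner. */
static int caller_patched(struct obj *o, int fail)
{
    int err, v;

    obj_get(o);
    err = helper(o, fail);
    if (err) {
        obj_put(o);     /* double put: object freed while owner holds it */
        return err;
    }
    v = obj_read(o);
    obj_put(o);
    return v;
}

/* Run the failing path through one caller, then let the owner touch the
 * object as it normally would. Returns the number of use-after-free
 * accesses observed (0 for a correct caller). */
static int run_scenario(int (*caller)(struct obj *, int))
{
    struct obj o = { .refs = 1, .live = 1, .value = 42 }; /* owner holds 1 ref */

    uaf_events = 0;
    caller(&o, 1);          /* exercise the error path */
    obj_read(&o);           /* owner still expects the object to be alive */
    obj_put(&o);            /* owner drops its own reference */
    return uaf_events;
}

int main(void)
{
    printf("original caller: %d UAF accesses\n", run_scenario(caller_original));
    printf("patched caller:  %d UAF accesses\n", run_scenario(caller_patched));
    return 0;
}
```

The point a reviewer has to catch is not visible in the diff itself: the added `obj_put()` is only wrong because of the ownership convention of `helper()`, which lives elsewhere. That is exactly why a one-line "error path cleanup" can look like a valid fix to a reader who does not check the callee's reference semantics.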
“Linux kernel developers don’t like being experimented on”
That’s how blunt Greg Kroah-Hartman, aka Greg K-H, has been on his Twitter profile. In the email linked from the tweet, Greg KH explains that “commits from @umn.edu addresses [University of Minnesota email addresses] have been found to have been submitted in ‘bad faith to try to test the kernel community’s ability to review “known malicious” changes.’”
“Because of this, all submissions from this group must be reverted from the kernel tree and will need to be re-reviewed to determine whether they actually are a valid fix,” Greg KH continues, explaining that although “this patch set has the ‘easy’ reverts, there are 68 remaining that need to be manually reviewed.” The developer concludes:
“I will be taking this through my tree, so no need for any maintainer to worry about this, but they should be aware that future submissions from anyone with a umn.edu address should be by default rejected unless otherwise determined to actually be a valid fix (i.e. they provide proof and you can verify it, but really, why waste your time doing that extra work?).”
In this other link to the Linux Kernel Mailing List, we can see the email exchange in which Greg, responding to a member of the group that was sending the patches, states that “you, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work.”
“A few minutes with anyone with the semblance of knowledge of C can see that your submissions do nothing at all, so to think that a tool created them, and then that you thought they were a valid ‘fix’ is totally negligent on your part, not ours. You are the one at fault; it is not our job to be the test subjects of a tool you create.”
Finally, the developer says the community does not appreciate being experimented on and tested by being sent patches that are known either to do nothing or to purposefully introduce bugs. “Because of this, I will now have to ban all future contributions from your university and rip out your previous contributions, as they were obviously submitted in bad faith with the intent to cause problems.” In this link, we can see one of those faulty submissions.
Although the University of Minnesota researchers say in their paper that none of their patches made it into the Linux code repositories and that they only ever appeared in emails, Leon Romanovsky, another kernel developer, says in this thread that he checked four accepted patches from Aditya Pakki (also from UMN), three of which added serious security holes.
As for the University of Minnesota itself, it has confirmed in a statement that it is indeed prohibited from contributing to the Linux kernel and that “we take this situation extremely seriously.” The university says it has suspended this line of research and will investigate the method used and the process by which it was approved, in order to determine “appropriate remedial action.”