Computer scientists at the University of Minnesota theorized they could sneak vulnerabilities into open-source software – but when they tried subverting the Linux kernel, it backfired spectacularly.
And now their entire school – or at least anyone using a umn.edu email address – has been banned from offering future Linux kernel contributions.
Qiushi Wu, a doctoral student in computer science and engineering at the American college, and Kangjie Lu, assistant professor at the school, penned a paper titled, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits” [PDF], which is slated to be presented at the 42nd IEEE Symposium on Security and Privacy next month.
The paper describes how the authors submitted what they call subtly subversive code contributions that would introduce error conditions into the operating system software, and it claims the researchers contacted Linux maintainers to prevent any of the bad code from officially making it into the kernel.
It further states that the experiment was vetted by the university’s Institutional Review Board (IRB), which determined that the project did not constitute human research and thus granted an ethical review waiver.
Nonetheless, the Linux kernel community has taken the research personally.
“Our community does not appreciate being experimented on, and being ‘tested’ by submitting known patches that either do nothing on purpose, or introduce bugs on purpose,” wrote Greg Kroah-Hartman, leading Linux kernel maintainer, in a post to a Linux kernel mailing list on Tuesday. “If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.”
Kroah-Hartman then declared a ban on all future contributions from anyone at the University of Minnesota and his intention to revert all the poisoned commits that project participants tried to sneak into the Linux kernel. His bulk reversion plan affects 204 files, with 306 insertions and 826 deletions.
Not cool, but…
Other Linux contributors and maintainers participating in the discussion were quick to condemn the deception.
Abhi Shelat, an associate professor of computer science at Northeastern University, wrote, “Academic research should NOT waste the time of a community,” and urged Linux community members to question the University of Minnesota’s IRB to determine whether the experiment had received adequate review.
Some developers outside the Linux kernel community, however, believe the security of Linux kernel code deserves more attention than the antics of the researchers. In a Twitter post, Filippo Valsorda, a cryptography and software engineer at Google, pointed to Kroah-Hartman’s remarks about rejecting future contributions from University of Minnesota email addresses and argued that making trust decisions on the basis of email domains rather than confirmed code correctness is the more noteworthy problem.
“Possibly unpopular opinion, but I feel like ‘only merge things after verifying they are valid’ should maybe be the default policy of the most used piece of software in the world,” he wrote.
Katie Moussouris, CEO of Luta Security, voiced a similar opinion, calling the response an “emotional overreaction” and arguing that the findings have value from a national security perspective.
The Register asked Lu and a doctoral student at the university involved in the submission of a dubious patch for comment but we’ve not heard back.
Lu, however, did respond to criticism in an explanatory note [PDF] posted to his university web page.
Insisting that the research did not lead to any vulnerabilities in public Linux code, Lu defended the project’s security-enhancing goal and apologized for wasting the Linux maintainers’ time. “We respect [open-source software] volunteers and honor their efforts,” he wrote. “We have never intended to hurt any OSS or OSS users. We did not introduce or intend to introduce any bug or vulnerability in OSS.”
The buggy patches, he explained, were sent via email and never became a Git commit in any Linux branch, because maintainers were informed after the fact so that they would not move forward with the bad code.
“We would like to sincerely apologize to the maintainers involved in the corresponding patch review process; this work indeed wasted their precious time,” he acknowledged. “We had carefully considered this issue, but could not figure out a better solution in this study.” ®
Updated to add
In a statement released on Wednesday afternoon, the University of Minnesota Department of Computer Science & Engineering said it has suspended the research project and plans to look into the approval process to determine whether remedial action and future safeguards are needed.