Researchers Secretly Tried To Add Vulnerabilities to Linux Kernel, Ended Up Getting Banned

April 21, 2021

The Linux kernel is one of the largest software projects in modern history, with a gigantic 28 million lines of code.

Contributors from all over the world and from different fields submit a large number of patches each day to the Linux kernel maintainers, who review them before they are merged into the official Linux kernel tree.

These patches could help fix a bug or a minor issue in the kernel, or introduce a new feature.

However, some contributors were caught today by the Linux kernel maintainers trying to stealthily submit patches containing security vulnerabilities to the Linux kernel.

Researchers from the University of Minnesota in the US were working on a research paper about submitting patches that contain hidden security vulnerabilities to open source projects, in order to scientifically measure the probability of such patches being accepted and merged, which could make those open source projects vulnerable to various attacks.

They used the Linux kernel as one of their main experiments, due to its well-known reputation and adoption around the world.

These researchers submitted patches which didn’t seem to completely fix the related issues in the kernel, but also didn’t right away seem to introduce a security vulnerability.

However, today, they were caught by Linux kernel maintainers, and were publicly humiliated. In an email by Greg Kroah-Hartman, one of the major Linux kernel maintainers, their approach was disclosed and their so-called “newbie patches” were thrown under the bus:

You, and your group, have publicly admitted to sending known-buggy patches to see how the kernel community would react to them, and published a paper based on that work.

Now you submit a new series of obviously-incorrect patches again, so what am I supposed to think of such a thing?

Apparently, Greg and a number of other maintainers were not happy about this, as these experiments consume their time and effort and make people engage in bad faith in Linux kernel development:

Our community does not appreciate being experimented on, and being “tested” by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Finally, Greg announced that the Linux kernel will ban all contributions from the University of Minnesota, and that all the patches they previously submitted are going to be removed from the kernel, and no new patches will be accepted from them in the future:

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.

The research paper they worked on was published back in February 2021, around two months ago. In the paper, they disclose the approach and methods they used to get the vulnerabilities inserted into the Linux kernel.

The main issue with their approach is that they didn’t contact Greg and the other kernel maintainers before doing their research. Normally, in such projects, the agreement of the software owner is obtained before stealthily trying to push such code, so that maintainer time is not wasted reviewing these commits and there is no chance of them being merged by mistake into the mainline kernel.

Greg has sent another email in which he reverts most patches from the University of Minnesota from the Linux kernel, and puts some of them on hold.

Discussion: What do you think about this approach? Do you think that the researchers’ attitudes were justified in favor of science and security? Or do you think that the Linux kernel maintainers were right in banning them from the kernel, and that this approach should not be encouraged?

Update: The article was updated to reflect more accurate details on the matter. The ban is now lifted on the University of Minnesota, and the following TAB report was issued: https://lwn.net/ml/linux-kernel/202105051005.49BFABCE@keescook/

Comments

27 responses

  1. Hank Chuds

    Hell yeah!! We don’t need this shit! We already have a SolarWinds issue, then the exploit tools of FireEye were stolen. These people are insane. Concerted effort to make everything vulnerable???

  2. thepokestarfan

    Did they plan on fixing their mistakes after their paper? They should have immediately reverted the patches they sent out. This is all very fishy.

  3. Eion MacDonald

    I consider Greg’s response to be exceedingly magnanimous. As it could upset many servers of commercial institutions they could face unlimited damages for this exploit if a suitable server owner took legal action for ‘deliberate destruction’ of known public software.

  4. juancn

    They deserve worse. The university has an ethics committee that signed off on this! This is so unethical, I also suspect that this is illegal under the Computer Fraud and Abuse Act. They should be imprisoned.

  5. Craig

    They removed the flaws before the code was committed.

  6. ryan

    Blackballed is the right approach here. And yeah, the system worked. Their bad-faith actions were caught…but punitive steps may make others think twice in the future. Bravo.

  7. Jackson F.

    Yeah… this doesn’t sound legal at all.

  8. Kevin Granade

    This is what jumped out at me as well, not only is the approach unethical, but the way they executed it seems to have been seriously flawed as well.

  9. danielwk

    I’ve secretly poisoned several city water supply plants with a 2 part poison to test whether or not the cities test for unknown chemicals.

    When caught I can just say I was doing scientific research! What nonsense. Who approved this! And what other open source projects were affected!

    Imagine trying to break into a building and when caught say you were just testing their security.

    1. Ryan Stew

      This is worse than that. In this case, it would be comparable to a known chemical imbalance in a water supply.

      In order to show that this imbalance exists they purposely alter the levels, it is ludicrous!

  10. IW

    Honestly, after this, I wouldn’t be surprised if the journal the paper was published in forces the authors to retract it. It never looks good for a journal when your authors are using unethical methods.

  11. Michael Macha

    That university just lost all credibility for its CS department, and likely several adjacent departments; and what’s worse, this is baby stuff that their ethics review board should have caught.

    The whole board needs to go, the students should be expelled, and any faculty who were privy to this need to be reviewed. Following that, they need to track down Greg, get on their hands and knees, and beg him to make a deal with them to remedy this.

    And Greg Kroah-Hartman? He probably shouldn’t talk to them at all after this embarrassment.

  12. Ryan Stew

    It’s very shocking to me that the UM ethics board would approve this. Additionally, the paper being published at an IEEE Symposium of all places, troubling.

    The researcher duo already received substantial pushback in December. Now with publications writing on this I can only wonder as to how the University (whose members are now barred from contribution) and the IEEE will react.

    The duo showed that a known issue was occurring by being bad faith actors, contributing both inept and injurious “fixes”, I can envision no worse method of data collection.

    If anything this work is a cautionary tale.

  13. Jeff Adams

    I hope the University of Minnesota brings wrath to the “researchers”. A formal public apology from them would be a good start, along with a promise never to allow this to happen again. Firing a few “researchers” would also help.

  14. big c

    big chungus

  15. Thomas M Wahl

    I think a lawsuit against the University of Minnesota for damages is in order. There need to be consequences for bad behavior.

  16. Rivka

    I think U. of M. should be the subject of a class-action lawsuit by all users of all open-source platforms they intentionally made less secure. They should be fiscally liable for any breaches that used their intentional vulnerabilities. They should be banned from ALL open-source platforms unless and until they publicly make restitution, fire the researchers involved, and commit to a pre-submission review process.
    And whoever approved the grant for this BS should be fired and never allowed to sit on a grant committee or funding board ever again.

  17. DRajko

    I hope they fire all members of the ethics board who thought this was alright. Students can screw up but not these people. They should be banned from all activities. And the Linux project is bigger than their little university, people run entire companies on Linux kernels. If there was any damage done they should be fined for it.

  18. Steve Sobol

    Reviewed? Terminated. This was an intentional act that could have caused a huge amount of harm. I don’t give a rat’s ass if they had tenure; you just DO NOT DO what they did.

  19. Jef Adams

    Agree, heads need to roll. I’m sure the CS department will try to minimize all of this, they can be shown the door also…

  20. Daan Berg

    Terrible decision by the professors and ethics commission to green light this. It’s wrong on so many levels.

    However, for a minute, let’s play the devil’s advocate here.
    A popular argument for open-source software is the idea that many eyes can check the code, so there’s more chance of a (security) flaw being caught before it goes out to the world. How do you test if that concept works in real life?
    I suppose you could make an in-house fork of the kernel with university maintainers and test this on them, but I think they would make different decisions because the people submitting fixes/bugs are people they know. Also, you’d have to tell them a pretty good story about how it’s logical that you’re maintaining your own kernel within the university because of… reasons?

    What I’m trying to say is: it’s shocking that +/- 60% of submitted vulnerabilities were included in the affected open-source projects, and I don’t think we would’ve learned that if the researchers didn’t test this in the real world.
    Was it unethical? Heck yes. Do kernel maintainers have a valid reason to be pissed off? Absolutely. But do I think there was another way to reach this conclusion? I don’t know. I’m not a researcher.

  21. Phil Hill

    Absolutely disgusting behaviour by these so called researchers to start with, plus the University of Minnesota itself should be doing everything they can to ensure that any parties that have been given corrupt code by the Uni are made aware immediately to reduce any chance of potential consequences and legal proceedings. As for the legalities, as I am not a resident of the USA I do not know where things stand there but I am assuming there could very well be serious ramifications for these people. Greg has done the right thing in banning the University from submitting any future code.

  22. OdysseusL

    I absolutely agree with the behaviour of the researchers. They handle their tests in a real life environment. I’m sure that everyone here would be happy if this happened to Microsoft or some other closed source software, only to show how “bad” they are. The research results of this experiment are worth discussing. Instead we discuss if the researchers did it the right way. No one may show an alternate way to get these kind of research results.

  23. OdysseusL

    I absolutely agree with the behaviour of the researchers. They handle their tests in a real life environment. I’m sure that everyone here would be happy if this happened to Microsoft or some other closed source software, only to show how “bad” they are. The research results of this experiment are worth discussing. Instead we discuss if the researchers did it the right way. No one may show an alternate way to get these kind of research results.

  24. matt heart

    It was the worst day and the best day for Linux security. Linux should proactively test its own security with anonymous hacks that only later reveal published results. Linux has been revealed as blatantly negligent since they complain when it’s done rather than thanking them for publishing results, warning Linux about their weakness so Linux can beef up its butt hurt coding practices ego – the self deluded ego that unconsciously revealed their own security hole to the public. Linux revealed themselves! Linux FanBoys need to slap themselves in the security face and stop projecting blame on rightfully curious students! I find it negligent when all Linux FanBoys complain about is being caught with their pants down. How about the suit from business for lack of security that allows college students to find Linux keys on the windows sill like an apple pie waiting to be stolen by hungry hacker bums walking along the road? This is proof that more exploits have been inserted by more nefarious maligning entities that did not ethically publish. I figured this in the 2000s since Linux Fanboys deny Linux code is vulnerable – the coders most vulnerable are always the coders who refuse to admit their code system could ever be vulnerable. Always the ones who are too sensitive to be criticized and proven wrong. Stop patting yourself on the back for proving a well designed security test was unethical. They saved your sloppy lazy asses from being responsible to the world for not doing it yourself!

  25. John K

    I just read the paper. The research is as ethical as it gets. It’s pretty much like the mystery shopping techniques marketers use all the time (with some differences of course).

    I think Linux community should focus on whether the outcomes are valid or not and reflect on the weaknesses.

    Millions of people and crucial infrastructure depend on Linux kernel. Put your egos aside and focus on what is important.

    I pay online from my Android phone every day and store valuable data…I can’t afford Greg’s going bonkers for the wrong things. I prefer his expertise and intelligence to be directed to making Linux better.
