Curious news this week from the world of Linux development: the University of Minnesota has been banned from contributing to the Linux kernel for introducing vulnerabilities on purpose. The reason is a research project carried out by Qiushi Wu (PhD student) and Kangjie Lu (Assistant Professor) on the feasibility of sneaking vulnerabilities into open source software. The paper can be found on GitHub.
Among other commits, these researchers tried to plant a use-after-free vulnerability in the Linux kernel. That led Greg Kroah-Hartman, one of the most important kernel developers and the maintainer of the stable branch, to ban the University of Minnesota from Linux kernel development entirely, something the university itself has confirmed.
“Linux kernel developers don’t like being experimented on”
Linux kernel developers do not like being experimented on, we have enough real work to do: https://t.co/vWvtxjt7A5
– Greg KH (@gregkh) April 21, 2021
That is how blunt Greg Kroah-Hartman, also known as Greg KH, has been on his Twitter profile. In the email linked from the tweet, Greg KH explains that “it has been discovered that commits from @umn.edu [the University of Minnesota email domain] have been sent in ‘bad faith’ to try and test the kernel community’s ability to review ‘known malicious’ changes.”
“Because of this, all submissions from this group must be rolled back from the kernel tree and will have to be reviewed again to determine if they really are a valid solution,” continues Greg KH, explaining that although “this set of patches has the ‘easy’ rollbacks, there are 68 remaining that need to be checked manually.” The developer concludes by saying that:
“I will carry this through my tree, so no maintainer need be concerned, but they must be aware that future submissions from anyone with an umn.edu address should by default be rejected unless it is determined that it really is a valid solution (that is, they provide the proof and it can be verified, but really, why waste time doing that extra work?).”
In this other link to the Linux Kernel Mailing List we can see the exchange of emails in which Greg, responding to a member of the group that was sending commits with vulnerabilities, states that “you, and your group, have publicly admitted sending patches with known bugs to see how the kernel community would react to them, and published a paper based on that work.”
“A few minutes with anyone with the semblance of knowledge of C can see that your submissions do nothing at all, so to think that a tool created them, and then that you thought they were a valid ‘fix’, is totally negligent on your part, not ours. It’s your fault; it’s not our job to be the test subjects of a tool that you create.”
Finally, the developer says the community doesn’t appreciate being experimented on and being tested by the submission of known patches that either do nothing or purposefully introduce bugs. “Because of this, now I will have to ban all future contributions from your university and delete your previous contributions, since they were obviously submitted in bad faith with the intention of causing problems.” In this link we can see one of those submissions with errors.
Although the University of Minnesota researchers say in their paper that none of their patches made it into the Linux code repositories, and that they only ever appeared in emails, Leon Romanovsky, another kernel developer, says in this thread that he checked four accepted patches from Aditya Pakki (of UMN), three of which added several serious security holes.
Leadership in the University of Minnesota Department of Computer Science & Engineering learned today about the details of research being conducted by one of its faculty members and graduate students into the security of the Linux Kernel. pic.twitter.com/QE9rrAyyMX
— UMNComputerScience (@UMNComputerSci) April 21, 2021
As for the University of Minnesota, the university itself has confirmed in a statement that it is indeed barred from contributing to the Linux kernel and that “we take this situation very seriously.” It says it has suspended this line of research and will investigate the method followed and the process by which it was approved, in order to determine “the appropriate corrective measures.”