oss-sec mailing list archives
Re: Malicious commits to Linux kernel as part of university study
From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Thu, 22 Apr 2021 11:02:11 -0400
Peter Bex:
The University of Minnesota has been banned from making any commits to the Linux kernel after it was found out they'd been submitting bogus patches to the LKML to knowingly introduce security issues: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX () kroah com/
I support research, but I personally think this work goes way beyond any ethical boundaries. While I don’t know if it’s *illegal* (I’m not a lawyer!), it seems clear to me that these U of MN researchers were conducting experiments on people without their prior consent. In the US, experiments on people without their consent are generally forbidden. These researchers did their experiment *before* even consulting their Institutional Review Board (IRB), a *huge* no-no, and then their IRB approved the non-consensual experiment anyway (!!!). GregKH’s response to this attack from the U of MN is here: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX () kroah com/ which reads in part:
Our community welcomes developers who wish to help and enhance Linux. That is NOT what you are attempting to do here... Our community does not appreciate being experimented on...
More discussion: https://news.ycombinator.com/item?id=26887670

Peter Bex:
I don't know the scope of this research, but it could involve other OSS projects, now or in the future, as well. Hence this e-mail. If you feel it's spam or needless drama, feel free to ignore.
Since the researchers failed to get prior consent from the people being experimented on, I don’t think we can presume ethical behavior. I have no faith that these researchers limited their attacks. I hope they did, but I think we can take more proactive measures. I used the following shell command to search for potentially-concerning commits in git:

    git shortlog --summary --numbered --email | grep -E '(wu000273|kjlu|@umn.edu)'

I recommend other OSS projects do something similar, just in case, unless we can have better verification that no other OSS projects were attacked. I welcome improved methods to find concerning proposals or patches; this is just a quick attempt to detect potential damage.

On Thu, Apr 22, 2021 at 11:44:49AM +0200, Albert Veli wrote:
Supply chain attacks are a real threat to open source projects.
I completely agree. My work title is “Director of Open Source Supply Chain Security”, so I guess I’d have to say that :-), but I agree anyway :-). *ALL* OSS projects should review proposed changes for potential security issues, and harden their software & supply chain against attacks. I also welcome research to make that better! But we don’t need researchers who perform attacks on production systems without authorization, or perform attacks on developers without their consent.

--- David A. Wheeler
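The shortlog grep in the message above only looks at commit authors. As an added example (not part of Wheeler's message, the oss-sec thread, or any project's tooling), the Python script below generalizes that check: it walks `git log --all` and flags a commit when the author, the committer, or any Signed-off-by / Reviewed-by style trailer matches a pattern of identities, so a patch that was relayed or reviewed by a flagged identity still surfaces even when someone else authored it. The identities, hashes and log records in `SAMPLE_LOG` are constructed for illustration; `scan_repo()` assumes a `git` binary on PATH and uses only standard `git log` options (`--all`, `--date=short`, `--format`).

```python
"""Audit a git history for commits handled by a set of identities.

Added example for the oss-sec thread on the U of MN kernel patches; the
sample data below is constructed and does not describe any real commit.
"""
import re
import subprocess
from dataclasses import dataclass

# ASCII unit/record separators (git expands %x1f / %x1e) keep multi-line
# commit bodies parseable without guessing at newlines.
US, RS = "\x1f", "\x1e"
LOG_FORMAT = "%H%x1f%an <%ae>%x1f%cn <%ce>%x1f%ad%x1f%s%x1f%b%x1e"

# Trailers that name people other than the author who touched the change.
TRAILER_RE = re.compile(
    r"^(Signed-off-by|Reviewed-by|Acked-by|Tested-by|Co-developed-by|"
    r"Reported-by|Suggested-by):\s*(.+)$",
    re.M,
)


@dataclass
class Commit:
    sha: str
    author: str
    committer: str
    date: str
    subject: str
    trailers: list  # list of (key, value) tuples pulled from the body


def parse_log(text):
    """Parse the output of `git log --format=LOG_FORMAT` into Commit objects."""
    commits = []
    for rec in text.split(RS):
        rec = rec.strip("\n")
        if not rec.strip():
            continue
        sha, author, committer, date, subject, body = rec.split(US, 5)
        commits.append(Commit(sha.strip(), author, committer, date, subject,
                              TRAILER_RE.findall(body)))
    return commits


def find_concerning(commits, pattern):
    """Return (commit, reasons) for every commit touched by a matching identity.

    `reasons` names which field matched: "author", "committer", or the
    trailer key (e.g. "Reviewed-by"), so a reviewer can triage the hit.
    """
    rx = re.compile(pattern, re.I)
    hits = []
    for c in commits:
        reasons = []
        if rx.search(c.author):
            reasons.append("author")
        if rx.search(c.committer):
            reasons.append("committer")
        for key, value in c.trailers:
            if rx.search(value):
                reasons.append(key)
        if reasons:
            hits.append((c, reasons))
    return hits


def scan_repo(repo_path, pattern):
    """Run the audit over every ref in a local repository (needs git on PATH)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "--date=short",
         "--format=" + LOG_FORMAT],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_concerning(parse_log(out), pattern)


def format_hits(hits):
    """One review line per flagged commit: sha, date, matched fields, subject."""
    return [f"{c.sha[:12]} {c.date} [{', '.join(r)}] {c.subject}" for c, r in hits]


# Constructed sample: three commits, two of which involve the flagged
# identities only through a trailer or as a relayed patch.
SAMPLE_LOG = (
    "1111111\x1fAlice Maintainer <alice@example.org>\x1fAlice Maintainer <alice@example.org>"
    "\x1f2021-04-01\x1ffs: fix off-by-one in path parser\x1f"
    "Signed-off-by: Alice Maintainer <alice@example.org>\n\x1e\n"
    "2222222\x1fStudent One <s1@university.example>\x1fAlice Maintainer <alice@example.org>"
    "\x1f2021-04-10\x1fnet: drop redundant NULL check\x1f"
    "Signed-off-by: Student One <s1@university.example>\n"
    "Signed-off-by: Alice Maintainer <alice@example.org>\n\x1e\n"
    "3333333\x1fBob Dev <bob@example.net>\x1fAlice Maintainer <alice@example.org>"
    "\x1f2021-04-12\x1fdrivers: add missing unlock on error path\x1f"
    "Reviewed-by: Student Two <s2@university.example>\n"
    "Signed-off-by: Bob Dev <bob@example.net>\n\x1e\n"
)
# Hypothetical identity pattern; a real audit would use the project's list.
PATTERN = r"(s1|s2|@university\.example)"

if __name__ == "__main__":
    for line in format_hits(find_concerning(parse_log(SAMPLE_LOG), PATTERN)):
        print(line)
```

Against a real repository, `scan_repo(".", PATTERN)` returns the same `(commit, reasons)` pairs; the `reasons` list is what makes the output reviewable, since a commit that merely carries a Reviewed-by from a flagged identity needs a different look than one they authored.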
Current thread:
- Malicious commits to Linux kernel as part of university study Peter Bex (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Albert Veli (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Peter Bex (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study David A. Wheeler (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Santiago Torres (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Ariadne Conill (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study r00t4dm (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Mark Steward (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Michael Orlitzky (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Francis Booth (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Eric Biggers (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Peter Bex (Apr 22)
- Re: Malicious commits to Linux kernel as part of university study Jan Engelhardt (Apr 23)
- Re: Malicious commits to Linux kernel as part of university study Kurt H Maier (Apr 23)
- Re: Malicious commits to Linux kernel as part of university study James Feister (Apr 23)
- Re: Malicious commits to Linux kernel as part of university study Albert Veli (Apr 22)