oss-sec mailing list archives
Re: Malicious commits to Linux kernel as part of university study
From: Ariadne Conill <ariadne () dereferenced org>
Date: Thu, 22 Apr 2021 10:47:06 -0600 (MDT)
Hello,

On Thu, 22 Apr 2021, Peter Bex wrote:
> Hi all, Probably a lot of you know this already but I consider it serious enough to point out to the OSS security community at large. The University of Minnesota has been banned from making any commits to the Linux kernel after it was found out they'd been submitting bogus patches to the LKML to knowingly introduce security issues: https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX () kroah com/
While it's disappointing that they chose to go about this experiment in a way that violated research ethics, it does raise a point that has been discussed in the community but frequently shrugged off: the possibility that a bad actor might submit legitimate patches until such time that they can sneak insecure code through review.
Hopefully a positive of this research is that people will be more likely to think about the possibilities of insecure code being walked through the front door.
With that said, I think UMN should fire Kangjie Lu. The approach they used in their experiment is literally a textbook example of how *not* to do this kind of research. At least, that's not what *I* remember from university. I suspect they will likely fire Kangjie Lu as a result of their investigation.
> They also published a paper: https://raw.githubusercontent.com/QiushiWu/qiushiwu.github.io/main/papers/OpenSourceInsecurity.pdf I don't know the scope of this research, but it could involve other OSS projects, now or in the future, as well. Hence this e-mail. If you feel it's spam or needless drama, feel free to ignore.
It seems likely. However, we may not ever know for sure, because the paper says they submitted the patches using a random Gmail account instead of their UMN email accounts. I assume any other attempts they made to troll other FOSS projects would have come from random Gmail throwaway accounts as well.
Ariadne