List: oss-security
Subject: Re: [oss-security] Malicious commits to Linux kernel as part of university study
From: Ariadne Conill <ariadne () dereferenced ! org>
Date: 2021-04-22 16:47:06
Message-ID: ae30ef63-77c-cc1b-ef7b-5ed387f7fc95 () dereferenced ! org
Hello,
On Thu, 22 Apr 2021, Peter Bex wrote:
> Hi all,
>
> Probably a lot of you know this already but I consider it serious enough
> to point out to the OSS security community at large.
>
> The university of Minnesota has been banned from making any commits to
> the Linux kernel after it was found out they'd been submitting bogus
> patches to the LKML to knowingly introduce security issues:
> https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
While it's disappointing that they chose to go about this experiment in a
way that violated research ethics, it does raise a point that has been
discussed in the community but frequently shrugged off: the possibility
that a bad actor might submit legitimate patches until such time that
they can sneak insecure code through review.
Hopefully a positive of this research is that people will be more likely
to think about the possibilities of insecure code being walked through the
front door.
With that said, I think UMN should fire Kangjie Lu. The approach they
used in their experiment is literally a textbook example of how *not* to
do this kind of research. At least, that's not what *I* remember from
university. I suspect they will likely fire Kangjie Lu as a result of
their investigation.
>
> They also published a paper:
> https://raw.githubusercontent.com/QiushiWu/qiushiwu.github.io/main/papers/OpenSourceInsecurity.pdf
>
> I don't know the scope of this research, but it could involve other OSS
> projects, now or in the future, as well. Hence this e-mail. If you feel
> it's spam or needless drama, feel free to ignore.
It seems likely. However, we may not ever know for sure, because the
paper says they submitted the patches using a random Gmail account instead
of their UMN email accounts. I assume any other attempts they made to
troll other FOSS projects would have come from random Gmail throwaway
accounts as well.
Ariadne