List:       oss-security
Subject:    Re: [oss-security] Malicious commits to Linux kernel as part of university study
From:       Ariadne Conill <ariadne () dereferenced ! org>
Date:       2021-04-22 16:47:06
Message-ID: ae30ef63-77c-cc1b-ef7b-5ed387f7fc95 () dereferenced ! org

Hello,

On Thu, 22 Apr 2021, Peter Bex wrote:

> Hi all,
>
> Probably a lot of you know this already but I consider it serious enough
> to point out to the OSS security community at large.
>
> The University of Minnesota has been banned from making any commits to
> the Linux kernel after it was found out they'd been submitting bogus
> patches to the LKML to knowingly introduce security issues:
> https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/

While it's disappointing that they chose to go about this experiment in a 
way that violated research ethics, it does raise a point that has been 
discussed in the community but frequently shrugged off: the possibility 
that a bad actor might submit legitimate patches until such time that 
they can sneak insecure code through review.

Hopefully a positive of this research is that people will be more likely 
to think about the possibilities of insecure code being walked through the 
front door.

With that said, I think UMN should fire Kangjie Lu.  The approach they 
used in their experiment is literally a textbook example of how *not* to 
do this kind of research.  At least, that's not what *I* remember from 
university.  I suspect they will likely fire Kangjie Lu as a result of 
their investigation.

>
> They also published a paper:
> https://raw.githubusercontent.com/QiushiWu/qiushiwu.github.io/main/papers/OpenSourceInsecurity.pdf
>
> I don't know the scope of this research, but it could involve other OSS
> projects, now or in the future, as well.  Hence this e-mail.  If you feel
> it's spam or needless drama, feel free to ignore.

It seems likely.  However, we may not ever know for sure, because the 
paper says they submitted the patches using a random Gmail account instead 
of their UMN email accounts.  I assume any other attempts they made to 
troll other FOSS projects would have come from random Gmail throwaway 
accounts as well.

Ariadne