
List:       oss-security
Subject:    Re: [oss-security] Malicious commits to Linux kernel as part of university study
From:       r00t4dm <r00t4dm () gmail ! com>
Date:       2021-04-22 17:46:15
Message-ID: CANfkquBFg9cU6YncwaEhFW_OcgV=NNJwpxf2WGq3r=Ax27kG4g () mail ! gmail ! com


Hello,

This case demonstrates that the possibility of a supply chain attack is
very high.
If the supply chain attack is sophisticated enough, this case may succeed,
e.g.:

One day I committed some code; this code is a normal function.
After five days, I committed some more code; this code is also a normal function.

...

After three months, I have committed dozens of times, but the committed
pieces of code together form a vulnerability.
I don't know how to better guard against this kind of attack method. Just
rely only on human code review?

r00t4dm

Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department


Ariadne Conill <ariadne@dereferenced.org> wrote on Fri, 23 Apr 2021 at 1:23 AM:

> Hello,
>
> On Thu, 22 Apr 2021, David A. Wheeler wrote:
>
> > Peter Bex:
> >> The university of Minnesota has been banned from making any commits to
> >> the Linux kernel after it was found out they'd been submitting bogus
> >> patches to the LKML to knowingly introduce security issues:
> >> https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
> >
> > I support research, but I personally think this work goes way beyond any
> > ethical boundaries.
> > While I don't know if it's *illegal* (I'm not a lawyer!), it seems clear
> > to me that these U of MN researchers were conducting experiments on people
> > without their prior consent.
> > In the US, experiments on people without their consent are generally
> > forbidden.
> > These researchers did their experiment *before* even consulting their
> > Institutional Review Board (IRB), a *huge* no-no, and then their IRB
> > approved the non-consensual experiment anyway (!!!).
> >
> > GregKH's response to this attack from the U of MN here:
> > https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/
> > which reads in part:
> >> Our community welcomes developers who wish to help and enhance Linux.
> >> That is NOT what you are attempting to do here...
> >> Our community does not appreciate being experimented on...
> >
> > More discussion: https://news.ycombinator.com/item?id=26887670
> >
> > Peter Bex:
> >> I don't know the scope of this research, but it could involve other OSS
> >> projects, now or in the future, as well.  Hence this e-mail.  If you feel
> >> it's spam or needless drama, feel free to ignore.
> >
> > Since the researchers failed to get prior consent from the people
> > being experimented on, I don't think we can presume ethical behavior.
> > I have no faith that these researchers limited their attacks.
> > I hope they did, but I think we can take more proactive measures.
> >
> > I used the following shell command to search for potentially-concerning
> > commits in git:
> >
> > git shortlog --summary --numbered --email | grep -E '(wu000273|kjlu|@umn.edu)'
> >
> > I recommend other OSS projects do something similar, just in case, unless
> > we can have better verification that no other OSS projects were attacked.
> > I welcome improved methods to find concerning proposals or patches;
> > this is just a quick attempt to detect potential damage.
>
> The paper says that they used throwaway Gmail accounts to submit the
> patches.  Frustratingly, they have not identified which patches they
> succeeded in landing in that paper.
>
> However, the paper also claims that they generated these "hypocrite"
> commits using an LLVM-based static analysis tool.
>
> Which means the work introduced by Aditya is likely directly related to
> this experiment, since it has the same "feel" to it.
>
> By mining the LKML archive, it may be possible to find the original set of
> patch submissions by searching for similar keywords as the messages from
> Aditya.  If somebody can do that, then we would be able to determine at
> least some of the emails likely to have originated the patches.
>
> Ariadne
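As an added example (not Wheeler's command and not code from anyone in the thread), the script below parses `git log` output, flags commits whose author name or address matches the same patterns the grep above uses, and then groups a flagged contributor's commits so reviewers can read the whole series together rather than one patch at a time, which is the scenario r00t4dm describes: commits that look benign on their own and only form a bug in combination. The `git log --format` string, the `Commit` record, and the sample log lines are assumptions constructed for this example.

```python
import re
import subprocess
from collections import defaultdict
from dataclasses import dataclass

# `git log` format string (assumption for this example): one tab-separated
# line per commit holding full hash, author name, author email, subject.
LOG_FORMAT = "%H%x09%an%x09%ae%x09%s"

# Author patterns taken from the grep in the thread; matched case-insensitively
# against both the author name and the author email.
DEFAULT_PATTERNS = (r"wu000273", r"kjlu", r"@umn\.edu")


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    subject: str


def parse_log(text):
    """Parse LOG_FORMAT output into Commit records, skipping blank lines."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def load_repo_log(repo_path="."):
    """Run git log on a real checkout (the offline demo below does not call this)."""
    proc = subprocess.run(
        ["git", "-C", repo_path, "log", f"--format={LOG_FORMAT}"],
        check=True, capture_output=True, text=True,
    )
    return parse_log(proc.stdout)


def flag_commits(commits, patterns=DEFAULT_PATTERNS):
    """Return the commits whose author name or email matches any pattern."""
    regex = re.compile("|".join(patterns), re.IGNORECASE)
    return [c for c in commits
            if regex.search(c.author_name) or regex.search(c.author_email)]


def group_by_author(commits):
    """Group commits by lower-cased author email, preserving log order, so a
    flagged contributor's full series can be reviewed as one unit."""
    groups = defaultdict(list)
    for c in commits:
        groups[c.author_email.lower()].append(c)
    return dict(groups)


def review_queue(log_text, patterns=DEFAULT_PATTERNS):
    """Map each flagged author to the SHAs they authored, oldest first.
    git log emits newest first, so each author's list is reversed."""
    flagged = flag_commits(parse_log(log_text), patterns)
    return {author: [c.sha for c in reversed(cs)]
            for author, cs in group_by_author(flagged).items()}


# Constructed sample log (not from any real repository); newest commit first.
SAMPLE_LOG = (
    "4444444444444444444444444444444444444444\tStudent One\tstudent1@umn.edu\t"
    "drivers: release resource on error path\n"
    "3333333333333333333333333333333333333333\tBob Example\tbob@example.com\t"
    "mm: refactor page allocator\n"
    "2222222222222222222222222222222222222222\tStudent One\tstudent1@umn.edu\t"
    "drivers: add NULL check before use\n"
    "1111111111111111111111111111111111111111\tAlice Example\talice@example.com\t"
    "net: fix typo in comment\n"
)

if __name__ == "__main__":
    for author, shas in review_queue(SAMPLE_LOG).items():
        print(f"{author}: {len(shas)} commit(s) to review together")
        for sha in shas:
            print("  ", sha[:12])
```

Pointing `load_repo_log()` at a checkout and passing its result through `flag_commits()` and `group_by_author()` gives the same queue for a real history. The grouping only collects a contributor's commits in one place; deciding whether the series interacts to produce a bug is still a job for a human reviewer reading them together, which is exactly the gap r00t4dm points out.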

