Computer scientists who submitted supposed security patches that actually added security vulnerabilities to the Linux kernel have been placed under investigation by their university.
Qiushi Wu and Kangjie Lu ran the experiment with so-called ‘hypocrite commits’ to establish that they could act a vector for stealthily introducing vulnerabilities in open source software.
More specifically, the University of Minnesota duo successfully offered use-after-free vulnerabilities that were accepted as seemingly beneficial commits to the Linux kernel.
The researchers argued the exercise offered evidence that the Linux patch-review process is flawed.
Kernel developers ain’t no lab rats
The research attracted criticism back in December while the work was still ongoing, although the drama only escalated over recent days with the publication of the research (PDF).
According to the researchers, all of the “bug-introducing patches stayed only in the email exchanges, without being adopted or merged into any Linux branch”, so no harm to users resulted from the exercise.
On the contrary, the researchers were able to develop tools for patch testing and verifications, as well as a revised code of conduct as a result of the exercise, they said (PDF).
Open source developers, however, have cried foul over the exercise, which they complain was both a nuisance and a waste of time.
“Linux kernel developers do not like being experimented on, we have enough real work to do,” Linux kernel maintainer Greg Kroah-Hartman of the Linux Foundation responded on Twitter.
‘Bad faith’
Kroah-Hartman followed up in a post on a mailing list on Wednesday by denouncing the research as an attempt to try to test the kernel community’s ability to review “known malicious” changes, adding that the exercise was carried out in “bad faith”.
Future contributions from the University of Minnesota to the Linux kernel have been banned as a result of the incident, a sanction criticized as an overreaction on social media by some observers.
The university itself has launched an investigation into the incident, as confirmed in an official statement:
We take this situation extremely seriously. We have immediately suspended this line of research.
We will investigate the research method & the process by which this research method was approved, determine appropriate remedial action, & safeguard against future issues, if needed.
We will report our findings back to the community as soon as practical.
The Daily Swig invited both researchers to comment on the unfolding controversy. No word back as yet, but we’ll update this story as and when more information comes to hand.
Kroah-Hartman of the Linux Foundation told The Daily Swig that since he hadn’t as yet heard from the university, he had nothing at present to add beyond his comments on the mailing list.
A paper on the research, ‘Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits’, was published at the 42nd IEEE Symposium on Security and Privacy.
Source: https://portswigger.net/daily-swig/ill-advised-research-on-linux-kernel-lands-computer-scientists-in-hot-water
