In order to write a paper, researchers at the University of Minnesota sent more than 200 vulnerable patches to the Linux kernel. This angered the Linux community, which not only banned the entire university from submitting code to Linux but also reverted the code the school had already submitted.
Recently, a “new thing” has appeared in foreign academic circles. Two Chinese researchers at the University of Minnesota tried to put bad patches into the Linux kernel as a “test” while writing a paper studying vulnerabilities in the open-source community. But when they continued to contribute “bugged code”, they found that Linux kernel maintainer Greg Kroah-Hartman put an end to their behavior and placed the entire University of Minnesota on the Linux blacklist.
How are things going?
Previously, Qiushi Wu, a doctoral student in the Department of Computer Science and Engineering at the University of Minnesota, and his supervisor, Assistant Professor Kangjie Lu, co-authored a paper titled “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits”, which attempted to introduce UAF (use-after-free) vulnerabilities into the Linux kernel. Generally speaking, this kind of red-team security testing is common, and the paper was accepted by the 2021 IEEE Symposium on Security and Privacy.
But when they tried to submit code again, they found that Linux kernel maintainer Greg Kroah-Hartman had “blocked” the entire University of Minnesota.
Paper address: https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
Greg Kroah-Hartman, one of the most respected Linux kernel developers, replied on Twitter: “Linux kernel developers don’t like to be ‘experimented on’; we have enough to do.”
On the Linux Kernel Mailing List (LKML), Kroah-Hartman made his stance clearer when the researchers tried again to submit fake patches: “Please stop submitting patches that you know don’t work, and don’t submit patches just to finish a paper. Playing tricks during the review process is wrong and a waste of our time. We will have to inform your school about it again.”
Leon Romanovsky, a senior developer of the Linux kernel, also explained: “They are deliberately introducing bugs into the kernel, which is a big no-no in any open source community. In the Linux kernel community, trust between developers is a crucial part of the development process.”
Did the two researchers do it on purpose? Will it cause harm to Linux? Professor Kangjie Lu has previously made the following statements about his research:
First, we have never incorporated bugs in the submitted code; the paper proves the possibility of such problems.
Second, we do it like this: first find a real bug A, then submit patch A to fix bug A, which would also introduce bug B; so we also submit patch B to fix bug B before it is merged. In other words, we fix bug A in two steps.
Third, the findings were reported to the Linux maintainers prior to submission.
Fourth, we will not cause any harm to any Linux users and have fixed these bugs.
Fifth, this research aims to improve the patching process by raising awareness of this type of problem and motivating the development of automated patch detection and verification tools.
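The two-step pattern Lu describes, a patch that fixes one bug while introducing a use-after-free, is exactly what a reviewer or a sanitizer has to catch. The following C program is an added illustration written for this article, not code from the paper, from the researchers, or from the kernel: the `struct request`, the handler names and the tiny freed-pointer tracker are all constructed. It puts an error-path “fix” that frees the object and then reads it beside the corrected version, and the tracker counts accesses to freed memory the way a sanitizer such as KASAN would report them (the tracker is a stand-in, not a real tool).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed freed-pointer tracker: remembers which allocations were
 * freed so that a use-after-free is counted instead of being undefined
 * behaviour. It only stands in for a real sanitizer. */
#define MAX_TRACKED 16

static uintptr_t tracked_ptr[MAX_TRACKED];
static int       tracked_state[MAX_TRACKED]; /* 0 = free slot, 1 = live, 2 = freed */
static int       uaf_count;                  /* accesses to freed memory observed */

struct request {
    char name[32];
    int  processed;
};

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tracked_state[i] == 0) {
            tracked_ptr[i] = (uintptr_t)p;
            tracked_state[i] = 1;
            break;
        }
    }
    return p;
}

static void tracked_free(void *p) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tracked_ptr[i] == (uintptr_t)p && tracked_state[i] == 1) {
            tracked_state[i] = 2;   /* remember the free; never free twice */
            free(p);
            return;
        }
    }
}

/* Returns 1 if p is live; returns 0 and counts a use-after-free if p was freed. */
static int tracked_check(const void *p) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tracked_ptr[i] == (uintptr_t)p) {
            if (tracked_state[i] == 2) { uaf_count++; return 0; }
            return 1;
        }
    }
    return 1; /* untracked memory is not the tracker's concern */
}

static void tracker_reset(void) {
    memset(tracked_ptr, 0, sizeof tracked_ptr);
    memset(tracked_state, 0, sizeof tracked_state);
    uaf_count = 0;
}

/* Every read of the object goes through the tracker, so a read after free
 * is counted and returns a safe placeholder instead of dereferencing. */
static const char *checked_name(const struct request *r) {
    return tracked_check(r) ? r->name : "<freed>";
}

static int validate(const struct request *r) { return r->name[0] != '\0'; }

/* "Bug A" was a leak: on validation failure the request was never freed.
 * The two-step style patch frees it in the error path, but the trace line
 * after the branch still reads the request: that is "bug B", a UAF. */
static int handle_request_bug_b(struct request *r, char *log, size_t loglen) {
    int rc = 0;
    if (!validate(r)) {
        tracked_free(r);        /* patch A plugs the leak ... */
        rc = -1;
    }
    /* ... but the pre-existing trace still touches r after the free */
    snprintf(log, loglen, "request %s: rc=%d", checked_name(r), rc);
    if (rc == 0) tracked_free(r);
    return rc;
}

/* Correct fix: finish every use of r first, then free exactly once on all paths. */
static int handle_request_fixed(struct request *r, char *log, size_t loglen) {
    int rc = validate(r) ? 0 : -1;
    snprintf(log, loglen, "request %s: rc=%d", checked_name(r), rc);
    tracked_free(r);
    return rc;
}

/* Drive a handler with a constructed invalid (empty-name) request and
 * return how many accesses to freed memory the tracker observed. */
static int uaf_count_for(int (*handler)(struct request *, char *, size_t)) {
    char log[64];
    tracker_reset();
    struct request *r = tracked_alloc(sizeof *r);
    r->name[0] = '\0';          /* constructed input that fails validation */
    handler(r, log, sizeof log);
    return uaf_count;
}

int main(void) {
    printf("two-step patch: %d use-after-free access(es)\n", uaf_count_for(handle_request_bug_b));
    printf("correct fix:    %d use-after-free access(es)\n", uaf_count_for(handle_request_fixed));
    return 0;
}
```

The point for a reviewer is that patch A is locally reasonable (it does plug a leak), and the defect only shows up when the error path is read together with the code that follows it; that is why patches touching cleanup paths deserve a look at every later use of the freed object, and why a sanitizer run on the error path catches what the diff alone hides.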
Both sides hold their ground. However, the University of Minnesota Department of Computer Science and Engineering said after learning about the incident, “The research of the two researchers has aroused widespread concern in the Linux kernel community, and led to Linux blacklisting the entire university. We take the whole process very seriously. We will also follow up on the method used by the two investigators and the approval process for that method, determine appropriate remedies, and prepare for additional issues that arise in the future.”
Perhaps it was the school’s “inaction” that caused it to be blocked
Another PhD student of Prof. Kangjie Lu (Aditya Pakki) submitted a small patch that changed/added only two lines in total:
Since the patch was simple and seemed to improve the quality of the code, it was initially supported by some members, but it was later questioned. On April 19, veteran kernel contributor Al Viro chastised the contributor for submitting a “patch that didn’t fix anything.”
Another patch submitted by Aditya Pakki:
Greg Kroah-Hartman, one of the Linux kernel developers, warned against wasting the kernel maintainers’ time by submitting such patches. Obviously, this isn’t the only patch that has been controversial. There are 3 more such patches from the same researcher, and developers believe that these patches introduce security holes.
In the face of these public attacks, Aditya Pakki considers himself a victim, blaming the attitude of the kernel maintainers: “I respectfully ask you to stop making savage accusations that border on libel.” He also claimed that “the patches were sent by me as part of a new static analyzer, which is obviously not very sensitive. I sent the patches to get feedback. We’re not experts on the Linux kernel, and it’s distasteful to make these remarks over and over again.” Pakki added: “I won’t be posting any more patches, as this attitude is not only unpopular, but intimidating for newbies and non-experts alike.”
This angered Kroah-Hartman, who replied:
“You and your team publicly acknowledged sending known-bug patches to see how the kernel community reacted to them, and published a paper based on this work. Now that you’ve submitted a series of obviously wrong patches, how do I feel about this kind of thing? [These new patches] apparently were not created by a wise static analysis tool, as they are all the result of completely different patterns, and all of these patches apparently didn’t fix anything at all. So what else can I think other than that you and your team are continuing to experiment on the developers of the kernel community by sending such nonsense patches?
When submitting a patch created by a tool, everyone who does so submits a statement like “found by tool XXX, we are not sure if this is correct or not, please advise”. Why didn’t you do that here? You’re not asking for help; you claim these are legitimate fixes, but you know they’re wrong.
Anyone with some knowledge of C can see that the patches you submit don’t do anything at all, so it’s entirely your oversight to think a tool created them and then to think they’re a valid “fix”, not ours. You are the one at fault; our job is not to be a test subject for the tools you create.
Our community welcomes developers who help and enhance Linux, but that’s not what you’re trying to do, so please don’t try to break it in this way. Our community does not welcome being tested by submitting known patches that either intentionally do nothing or introduce bugs on purpose. If you want to do this kind of work, I suggest you find a different community to do your experiments; you are not welcome here.”
These developers are not coming back. And, because the University of Minnesota did not stop them after being warned, Kroah-Hartman said it now has to ban the University of Minnesota from any future code submissions and revert past submissions.
Most Linux kernel developers and other programmers agree with Kroah-Hartman. Ted Ts’o, a senior developer of the Linux kernel and a Google engineer, pointed out that although Kangjie Lu, the assistant professor in charge of the project, has done some useful security work in the past:
The problem is that Professor Lu and his team have some very biased ideas about what is ethical and what behavior is acceptable to the kernel development community. Also, the University of Minnesota Institutional Review Board (IRB) considered the research that Professor Lu did to be outside the scope of normal experiments, which means that no institution at the University of Minnesota controls this behavior; that is probably why Linux banned the entire university.
Furthermore, the two researchers claim in their paper that none of their patches actually made it into any Linux repositories; they only appeared in emails rather than becoming Git commits in any Linux kernel tree. However, that is not the case.
Romanovsky, another senior Linux kernel developer, said he had looked at four accepted patches provided by Pakki, three of which added security holes of various severity. Linux kernel driver and Debian developer Sudip Mukherjee also said that many patches have reached the stable tree.
So these researchers not only wasted the Linux maintainers’ time, but actually introduced bad code into the Linux kernel.