University of Minnesota Banned by Linux Development For Dispatching Malicious Code
Two Researchers Attempted to Submit Malicious Code or Patches that Deliberately Introduced Security Flaws in the Linux Codebase.
Two University of Minnesota graduate students working on a paper dubbed, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits” tried to place a certain flaw into the Linux kernel.
The vulnerability is called Use-After-Free (UAF) and is part of a Red Team security testing. When the researchers tried to put it again, Kroah-Hartman, the Linux kernel maintainer for the stable branch stopped them.
Kroah-Hartman, one of the most esteemed of all the Linux kernel developers, posted on Twitter:
Linux kernel developers do not like being experimented on, we have enough real work to do: https://t.co/vWvtxjt7A5
— Greg K-H (@gregkh) April 21, 2021
Following the ” test “, where the two graduate students from UMN were caught submitting malicious code, or patches that deliberately introduced security vulnerabilities in the official Linux codebase, Linux kernel project maintainers have called out and banned them from submitting code to the Linux kernel.
The maintainers have also decided to revert every malicious code commit that was ever submitted from any University of Minnesota email address until now.
Kroah-Hartman stated:
Commits from @umn.edu addresses have been found to be submitted in ‘bad faith’ to try to test the kernel community’s ability to review ‘known malicious’ changes.”
Because of this, all submissions from this group must be reverted from the kernel tree and will need to be re-reviewed again to determine if they actually are a valid fix.
Until that work is complete, [we are removing] this change to ensure that no problems are being introduced into the codebase.
As we said before, the UMN researchers published a research paper focusing on introducing known security flaws in the Linux kernel, by submitting malicious code patches on purpose.
They claim in the paper that no patches ever got into any Linux code repositories, that they only performed in an e-mail rather than becoming a Git commit to any Linux kernel branch.
According to BleepingComputer, the researchers display several examples of cases where they launched known flaws by making these “hypocrite” patch commits:
UMN researchers stated in their paper:
Introducing the nullified state is straightforward. The patch is seemingly valid because it nullifies pf->disk->queue after the pointer is released.
However, some functions such as pf_detect() and pf_exit() are called after this nullification and they would further dereference this pointer without checking its state, leading to NULL-pointer.
A shown below, there are hundreds of commits touting themselves to be “patches” that have been reverted as a part of this process:
What Do UMN Researchers Have To Say?
Researcher Aditya Pakki fought back saying:
Greg,
I respectfully ask you to cease and desist from making wild accusations that are bordering on slander.
These patches were sent as part of a new static analyzer that I wrote and its sensitivity is obviously not great. I sent patches in the hopes to get feedback. We are not experts in the Linux kernel and repeatedly making these statements is disgusting to hear.
Obviously, it is a wrong step but your preconceived biases are so strong that you make allegations without merit nor give us any benefit of the doubt. I will not be sending any more patches due to the attitude that is not only unwelcome but also intimidating to newbies and nonexperts.
Kroah-Hartman said that if this is how they work they are not welcomed here, and suggested taking into consideration finding a new community for their tests as the current one does not appreciate being experimented on in this manner.
Following the malicious code experiment, Hartman stated that he is forced to ban all future contributions from the University of Minnesota and delete all the previous contributions, as they were submitted with the intent to cause harm.
In an elaborate FAQ document, the University of Minnesota researchers said that upgrading the security of the patching process in open-source software by demonstrating the practicality of malicious code-introducing patches was their only objective.
The researchers eventually apologized to Linux maintainers for wasting their time on investigating fake patches.
We would like to sincerely apologize to the maintainers involved in the corresponding patch review process; this work indeed wasted their precious time.
Brad Spengler, President of Open Source Security Inc. declared “…this overreaction is terrible, reverting commits from long before any of that research, removing CAP_SYS_ADMIN checks that were added, etc… This is nuts.”
Leadership in the University of Minnesota Department of Computer Science & Engineering learned today about the details of research being conducted by one of its faculty members and graduate students into the security of the Linux Kernel. pic.twitter.com/QE9rrAyyMX
— UMNComputerScience (@UMNComputerSci) April 21, 2021
Neither the University of Minnesota nor researcher Kroah-Hartman offered any further information about the situation when contacted, although the University has now sent out a public declaration.